From 463e5acd9c205f53c07515ddd5de2fb3385e17b7 Mon Sep 17 00:00:00 2001
From: Mihai Fufezan <mihai@fufexan.net>
Date: Sun, 3 Nov 2024 21:20:32 +0200
Subject: [PATCH] howdy: add waitpid patch

---
 pkgs/by-name/ho/howdy/package.nix   |  5 +++++
 pkgs/by-name/ho/howdy/waitpid.patch | 13 +++++++++++++
 2 files changed, 18 insertions(+)
 create mode 100644 pkgs/by-name/ho/howdy/waitpid.patch

diff --git a/pkgs/by-name/ho/howdy/package.nix b/pkgs/by-name/ho/howdy/package.nix
index 4b0ef3f9b22dd..c0b583c2a0e23 100644
--- a/pkgs/by-name/ho/howdy/package.nix
+++ b/pkgs/by-name/ho/howdy/package.nix
@@ -83,6 +83,11 @@ stdenv.mkDerivation {
   patches = [
     # Don't install the config file. We handle it in the module.
     ./dont-install-config.patch
+
+    # Wait for the direct child process (auth client), and not ANY child
+    # process, which may allow authentication when it shouldn't
+    # https://github.com/boltgolt/howdy/issues/969
+    ./waitpid.patch
   ];
 
   mesonFlags = [
diff --git a/pkgs/by-name/ho/howdy/waitpid.patch b/pkgs/by-name/ho/howdy/waitpid.patch
new file mode 100644
index 0000000000000..84ed3ac76e521
--- /dev/null
+++ b/pkgs/by-name/ho/howdy/waitpid.patch
@@ -0,0 +1,13 @@
+diff --git a/howdy/src/pam/main.cc b/howdy/src/pam/main.cc
+index d1b8e34..8498655 100644
+--- a/howdy/src/pam/main.cc
++++ b/howdy/src/pam/main.cc
+@@ -290,7 +290,7 @@ auto identify(pam_handle_t *pamh, int flags, int argc, const char **argv,
+   // zombie process)
+   optional_task<int> child_task([&] {
+     int status;
+-    wait(&status);
++    waitpid(child_pid, &status, 0);
+     {
+       std::unique_lock<std::mutex> lock(mutx);
+       if (confirmation_type == ConfirmationType::Unset) {