slock.1: use standard wording for options

Remove the OPTIONS section and add an EXIT STATUS section.

.hgtags

@@ -1,6 +0,0 @@
-0a95c73c7374fbc2342b6040d9f35ddf597729e1 0.1
-da5cb1f0a685258d5315ea109860bacbc2871a57 0.2
-f9157b1864388ad8f1920e5fde7c5849e73d8327 0.3
-4c2cf4d6a2d0e08cbe280ec50ef76c9aecfc0fbe 0.4
-bd24ea7fcca26b161225c464df23ecbfe85280e1 0.5
-dd226a81c09adfa86db232419b3000b7e406df68 0.6

LICENSE

@@ -1,21 +1,25 @@
 MIT/X Consortium License
 
-© 2006-2007 Anselm R. Garbe <garbeam at gmail dot com>
+© 2015-2016 Markus Teich <markus.teich@stusta.mhn.de>
+© 2014 Dimitris Papastamos <sin@2f30.org>
+© 2006-2014 Anselm R Garbe <anselm@garbe.us>
+© 2014-2016 Laslo Hunhold <dev@frign.de>
+© 2016-2023 Hiltjo Posthuma <hiltjo@codemadness.org>
 
 Permission is hereby granted, free of charge, to any person obtaining a
 copy of this software and associated documentation files (the "Software"),
 to deal in the Software without restriction, including without limitation
 the rights to use, copy, modify, merge, publish, distribute, sublicense,
-and/or sell copies of the Software, and to permit persons to whom the 
+and/or sell copies of the Software, and to permit persons to whom the
 Software is furnished to do so, subject to the following conditions:
 
-The above copyright notice and this permission notice shall be included in 
-all copies or substantial portions of the Software. 
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
 
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL 
-THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING 
-FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER 
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL
+THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
 DEALINGS IN THE SOFTWARE.

Makefile

@@ -1,52 +1,46 @@
 # slock - simple screen locker
-# © 2006-2007 Anselm R. Garbe, Sander van Dijk
+# See LICENSE file for copyright and license details.
 
 include config.mk
 
-SRC = slock.c
+SRC = slock.c ${COMPATSRC}
 OBJ = ${SRC:.c=.o}
 
-all: options slock
-
-options:
-	@echo slock build options:
-	@echo "CFLAGS   = ${CFLAGS}"
-	@echo "LDFLAGS  = ${LDFLAGS}"
-	@echo "CC       = ${CC}"
-	@echo "LD       = ${LD}"
+all: slock
 
 .c.o:
-	@echo CC $<
-	@${CC} -c ${CFLAGS} $<
+	${CC} -c ${CFLAGS} $<
 
-${OBJ}: config.mk
+${OBJ}: config.h config.mk arg.h util.h
+
+config.h:
+	cp config.def.h $@
 
 slock: ${OBJ}
-	@echo LD $@
-	@${LD} -o $@ ${OBJ} ${LDFLAGS}
-	@strip $@
+	${CC} -o $@ ${OBJ} ${LDFLAGS}
 
 clean:
-	@echo cleaning
-	@rm -f slock ${OBJ} slock-${VERSION}.tar.gz
+	rm -f slock ${OBJ} slock-${VERSION}.tar.gz
 
 dist: clean
-	@echo creating dist tarball
-	@mkdir -p slock-${VERSION}
-	@cp -R LICENSE Makefile README config.mk ${SRC} slock-${VERSION}
-	@tar -cf slock-${VERSION}.tar slock-${VERSION}
-	@gzip slock-${VERSION}.tar
-	@rm -rf slock-${VERSION}
+	mkdir -p slock-${VERSION}
+	cp -R LICENSE Makefile README slock.1 config.mk \
+		${SRC} config.def.h arg.h util.h slock-${VERSION}
+	tar -cf slock-${VERSION}.tar slock-${VERSION}
+	gzip slock-${VERSION}.tar
+	rm -rf slock-${VERSION}
 
 install: all
-	@echo installing executable file to ${DESTDIR}${PREFIX}/bin
-	@mkdir -p ${DESTDIR}${PREFIX}/bin
-	@cp -f slock ${DESTDIR}${PREFIX}/bin
-	@chmod 755 ${DESTDIR}${PREFIX}/bin/slock
-	@chmod u+s ${DESTDIR}${PREFIX}/bin/slock
+	mkdir -p ${DESTDIR}${PREFIX}/bin
+	cp -f slock ${DESTDIR}${PREFIX}/bin
+	chmod 755 ${DESTDIR}${PREFIX}/bin/slock
+	chmod u+s ${DESTDIR}${PREFIX}/bin/slock
+	mkdir -p ${DESTDIR}${MANPREFIX}/man1
+	sed "s/VERSION/${VERSION}/g" <slock.1 >${DESTDIR}${MANPREFIX}/man1/slock.1
+	chmod 644 ${DESTDIR}${MANPREFIX}/man1/slock.1
 
 uninstall:
-	@echo removing executable file from ${DESTDIR}${PREFIX}/bin
-	@rm -f ${DESTDIR}${PREFIX}/bin/slock
+	rm -f ${DESTDIR}${PREFIX}/bin/slock
+	rm -f ${DESTDIR}${MANPREFIX}/man1/slock.1
 
-.PHONY: all options clean dist install uninstall
+.PHONY: all clean dist install uninstall

README

@@ -1,6 +1,6 @@
 slock - simple screen locker
 ============================
-simple screen locker utility for X. 
+simple screen locker utility for X.
 
 
 Requirements
@@ -13,8 +13,8 @@ Installation
 Edit config.mk to match your local setup (slock is installed into
 the /usr/local namespace by default).
 
-Afterwards enter the following command to build and install slock (if
-necessary as root):
+Afterwards enter the following command to build and install slock
+(if necessary as root):
 
     make clean install
 

arg.h

@@ -0,0 +1,65 @@
+/*
+ * Copy me if you can.
+ * by 20h
+ */
+
+#ifndef ARG_H__
+#define ARG_H__
+
+extern char *argv0;
+
+/* use main(int argc, char *argv[]) */
+#define ARGBEGIN	for (argv0 = *argv, argv++, argc--;\
+					argv[0] && argv[0][0] == '-'\
+					&& argv[0][1];\
+					argc--, argv++) {\
+				char argc_;\
+				char **argv_;\
+				int brk_;\
+				if (argv[0][1] == '-' && argv[0][2] == '\0') {\
+					argv++;\
+					argc--;\
+					break;\
+				}\
+				for (brk_ = 0, argv[0]++, argv_ = argv;\
+						argv[0][0] && !brk_;\
+						argv[0]++) {\
+					if (argv_ != argv)\
+						break;\
+					argc_ = argv[0][0];\
+					switch (argc_)
+
+/* Handles obsolete -NUM syntax */
+#define ARGNUM				case '0':\
+					case '1':\
+					case '2':\
+					case '3':\
+					case '4':\
+					case '5':\
+					case '6':\
+					case '7':\
+					case '8':\
+					case '9'
+
+#define ARGEND			}\
+			}
+
+#define ARGC()		argc_
+
+#define ARGNUMF()	(brk_ = 1, estrtonum(argv[0], 0, INT_MAX))
+
+#define EARGF(x)	((argv[0][1] == '\0' && argv[1] == NULL)?\
+				((x), abort(), (char *)0) :\
+				(brk_ = 1, (argv[0][1] != '\0')?\
+					(&argv[0][1]) :\
+					(argc--, argv++, argv[0])))
+
+#define ARGF()		((argv[0][1] == '\0' && argv[1] == NULL)?\
+				(char *)0 :\
+				(brk_ = 1, (argv[0][1] != '\0')?\
+					(&argv[0][1]) :\
+					(argc--, argv++, argv[0])))
+
+#define LNGARG()	&argv[0][0]
+
+#endif

config.def.h

@@ -0,0 +1,12 @@
+/* user and group to drop privileges to */
+static const char *user  = "nobody";
+static const char *group = "nogroup";
+
+static const char *colorname[NUMCOLS] = {
+	[INIT] =   "black",     /* after initialization */
+	[INPUT] =  "#005577",   /* during input */
+	[FAILED] = "#CC3333",   /* wrong password */
+};
+
+/* treat a cleared input like a wrong password (color) */
+static const int failonclear = 1;

config.mk

@@ -1,27 +1,29 @@
 # slock version
-VERSION = 0.7
+VERSION = 1.5
 
 # Customize below to fit your system
 
 # paths
 PREFIX = /usr/local
+MANPREFIX = ${PREFIX}/share/man
 
 X11INC = /usr/X11R6/include
 X11LIB = /usr/X11R6/lib
 
 # includes and libs
 INCS = -I. -I/usr/include -I${X11INC}
-LIBS = -L/usr/lib -lc -lcrypt -L${X11LIB} -lX11
+LIBS = -L/usr/lib -lc -lcrypt -L${X11LIB} -lX11 -lXext -lXrandr
 
 # flags
-CFLAGS = -Os ${INCS} -DVERSION=\"${VERSION}\" -DHAVE_SHADOW_H
-LDFLAGS = ${LIBS}
-#CFLAGS = -g -Wall -O2 ${INCS} -DVERSION=\"${VERSION}\" -DHAVE_SHADOW_H
-#LDFLAGS = -g ${LIBS}
+CPPFLAGS = -DVERSION=\"${VERSION}\" -D_DEFAULT_SOURCE -DHAVE_SHADOW_H
+CFLAGS = -std=c99 -pedantic -Wall -Os ${INCS} ${CPPFLAGS}
+LDFLAGS = -s ${LIBS}
+COMPATSRC = explicit_bzero.c
 
-# On *BSD remove -DHAVE_SHADOW_H from CFLAGS
 # On OpenBSD and Darwin remove -lcrypt from LIBS
-
-# compiler and linker
-CC = cc
-LD = ${CC}
+#LIBS = -L/usr/lib -lc -L${X11LIB} -lX11 -lXext -lXrandr
+# On *BSD remove -DHAVE_SHADOW_H from CPPFLAGS
+# On NetBSD add -D_NETBSD_SOURCE to CPPFLAGS
+#CPPFLAGS = -DVERSION=\"${VERSION}\" -D_BSD_SOURCE -D_NETBSD_SOURCE
+# On OpenBSD set COMPATSRC to empty
+#COMPATSRC =

explicit_bzero.c

@@ -0,0 +1,19 @@
+/*	$OpenBSD: explicit_bzero.c,v 1.3 2014/06/21 02:34:26 matthew Exp $ */
+/*
+ * Public domain.
+ * Written by Matthew Dempsky.
+ */
+
+#include <string.h>
+
+__attribute__((weak)) void
+__explicit_bzero_hook(void *buf, size_t len)
+{
+}
+
+void
+explicit_bzero(void *buf, size_t len)
+{
+	memset(buf, 0, len);
+	__explicit_bzero_hook(buf, len);
+}

slock.1

@@ -0,0 +1,45 @@
+.Dd October 6, 2023
+.Dt SLOCK 1
+.Os
+.Sh NAME
+.Nm slock
+.Nd simple X screen locker
+.Sh SYNOPSIS
+.Nm
+.Op Fl v
+.Op Ar cmd Op Ar arg ...
+.Sh DESCRIPTION
+.Nm
+is a simple X screen locker.
+If provided,
+.Ar cmd
+is executed after the screen has been locked.
+.Pp
+The options are as follows:
+.Bl -tag -width Ds
+.It Fl v
+Print version information to stdout and exit.
+.El
+.Sh EXIT STATUS
+.Ex -std
+.Sh EXAMPLES
+$
+.Nm
+/usr/sbin/s2ram
+.Sh SECURITY CONSIDERATIONS
+To make sure a locked screen can not be bypassed by switching VTs
+or killing the X server with Ctrl+Alt+Backspace, it is recommended
+to disable both in
+.Xr xorg.conf 5
+for maximum security:
+.Bd -literal
+Section "ServerFlags"
+	Option "DontVTSwitch" "True"
+	Option "DontZap"      "True"
+EndSection
+.Ed
+.Sh CUSTOMIZATION
+.Nm
+can be customized by creating a custom config.h from config.def.h and
+(re)compiling the source code.
+This keeps it fast, secure and simple.

slock.c

@@ -1,11 +1,12 @@
-/* © 2006-2007 Anselm R. Garbe <garbeam at gmail dot com>
- * See LICENSE file for license details. */
+/* See LICENSE file for license details. */
 #define _XOPEN_SOURCE 500
 #if HAVE_SHADOW_H
 #include <shadow.h>
 #endif
 
 #include <ctype.h>
+#include <errno.h>
+#include <grp.h>
 #include <pwd.h>
 #include <stdarg.h>
 #include <stdlib.h>
@@ -13,133 +14,382 @@
 #include <string.h>
 #include <unistd.h>
 #include <sys/types.h>
+#include <X11/extensions/Xrandr.h>
 #include <X11/keysym.h>
 #include <X11/Xlib.h>
 #include <X11/Xutil.h>
 
-void
-eprint(const char *errstr, ...) {
+#include "arg.h"
+#include "util.h"
+
+char *argv0;
+
+enum {
+	INIT,
+	INPUT,
+	FAILED,
+	NUMCOLS
+};
+
+struct lock {
+	int screen;
+	Window root, win;
+	Pixmap pmap;
+	unsigned long colors[NUMCOLS];
+};
+
+struct xrandr {
+	int active;
+	int evbase;
+	int errbase;
+};
+
+#include "config.h"
+
+static void
+die(const char *errstr, ...)
+{
 	va_list ap;
 
 	va_start(ap, errstr);
 	vfprintf(stderr, errstr, ap);
 	va_end(ap);
-	exit(EXIT_FAILURE);
+	exit(1);
 }
 
-const char *
-get_password() { /* only run as root */
-	const char *rval;
+#ifdef __linux__
+#include <fcntl.h>
+#include <linux/oom.h>
+
+static void
+dontkillme(void)
+{
+	FILE *f;
+	const char oomfile[] = "/proc/self/oom_score_adj";
+
+	if (!(f = fopen(oomfile, "w"))) {
+		if (errno == ENOENT)
+			return;
+		die("slock: fopen %s: %s\n", oomfile, strerror(errno));
+	}
+	fprintf(f, "%d", OOM_SCORE_ADJ_MIN);
+	if (fclose(f)) {
+		if (errno == EACCES)
+			die("slock: unable to disable OOM killer. "
+			    "Make sure to suid or sgid slock.\n");
+		else
+			die("slock: fclose %s: %s\n", oomfile, strerror(errno));
+	}
+}
+#endif
+
+static const char *
+gethash(void)
+{
+	const char *hash;
 	struct passwd *pw;
 
-	if(geteuid() != 0)
-		eprint("slock: cannot retrieve password entry (make sure to suid slock)\n");
-	pw = getpwuid(getuid());
-	endpwent();
-	rval =  pw->pw_passwd;
+	/* Check if the current user has a password entry */
+	errno = 0;
+	if (!(pw = getpwuid(getuid()))) {
+		if (errno)
+			die("slock: getpwuid: %s\n", strerror(errno));
+		else
+			die("slock: cannot retrieve password entry\n");
+	}
+	hash = pw->pw_passwd;
 
 #if HAVE_SHADOW_H
-	{
+	if (!strcmp(hash, "x")) {
 		struct spwd *sp;
-		sp = getspnam(getenv("USER"));
-		endspent();
-		rval = sp->sp_pwdp;
+		if (!(sp = getspnam(pw->pw_name)))
+			die("slock: getspnam: cannot retrieve shadow entry. "
+			    "Make sure to suid or sgid slock.\n");
+		hash = sp->sp_pwdp;
 	}
-#endif
-	/* drop privileges */
-	if(setgid(pw->pw_gid) < 0 || setuid(pw->pw_uid) < 0)
-		eprint("slock: cannot drop privileges\n");
-	return rval;
+#else
+	if (!strcmp(hash, "*")) {
+#ifdef __OpenBSD__
+		if (!(pw = getpwuid_shadow(getuid())))
+			die("slock: getpwnam_shadow: cannot retrieve shadow entry. "
+			    "Make sure to suid or sgid slock.\n");
+		hash = pw->pw_passwd;
+#else
+		die("slock: getpwuid: cannot retrieve shadow entry. "
+		    "Make sure to suid or sgid slock.\n");
+#endif /* __OpenBSD__ */
+	}
+#endif /* HAVE_SHADOW_H */
+
+	return hash;
 }
 
-int
-main(int argc, char **argv) {
-	char curs[] = {0, 0, 0, 0, 0, 0, 0, 0};
-	char buf[32], passwd[256];
-	int num, screen;
-	const char *pws;
-	unsigned int len;
-	Bool running = True;
-	Cursor invisible;
-	Display *dpy;
+static void
+readpw(Display *dpy, struct xrandr *rr, struct lock **locks, int nscreens,
+       const char *hash)
+{
+	XRRScreenChangeNotifyEvent *rre;
+	char buf[32], passwd[256], *inputhash;
+	int num, screen, running, failure, oldc;
+	unsigned int len, color;
 	KeySym ksym;
-	Pixmap pmap;
-	Window root, w;
-	XColor black, dummy;
 	XEvent ev;
-	XSetWindowAttributes wa;
 
-	if((argc > 1) && !strncmp(argv[1], "-v", 3))
-		eprint("slock-"VERSION", © 2006-2007 Anselm R. Garbe, Sander van Dijk\n");
-	pws = get_password();
-	if(!(dpy = XOpenDisplay(0)))
-		eprint("slock: cannot open display\n");
-	screen = DefaultScreen(dpy);
-	root = RootWindow(dpy, screen);
-
-	/* init */
-	wa.override_redirect = 1;
-	wa.background_pixel = BlackPixel(dpy, screen);
-	w = XCreateWindow(dpy, root, 0, 0, DisplayWidth(dpy, screen), DisplayHeight(dpy, screen),
-			0, DefaultDepth(dpy, screen), CopyFromParent,
-			DefaultVisual(dpy, screen), CWOverrideRedirect | CWBackPixel, &wa);
-	XAllocNamedColor(dpy, DefaultColormap(dpy, screen), "black", &black, &dummy);
-	pmap = XCreateBitmapFromData(dpy, w, curs, 8, 8);
-	invisible = XCreatePixmapCursor(dpy, pmap, pmap, &black, &black, 0, 0);
-	XDefineCursor(dpy, w, invisible);
-	XMapRaised(dpy, w);
-	for(len = 1000; len; len--) {
-		if(XGrabPointer(dpy, root, False, ButtonPressMask | ButtonReleaseMask | PointerMotionMask,
-			GrabModeAsync, GrabModeAsync, None, invisible, CurrentTime) == GrabSuccess)
-			break;
-		usleep(1000);
-	}
-	if((running = running && (len > 0))) {
-		for(len = 1000; len; len--) {
-			if(XGrabKeyboard(dpy, root, True, GrabModeAsync, GrabModeAsync, CurrentTime)
-				== GrabSuccess)
-				break;
-			usleep(1000);
-		}
-		running = (len > 0);
-	}
 	len = 0;
-	XSync(dpy, False);
+	running = 1;
+	failure = 0;
+	oldc = INIT;
 
-	/* main event loop */
-	while(running && !XNextEvent(dpy, &ev))
-		if(ev.type == KeyPress) {
-			buf[0] = 0;
-			num = XLookupString(&ev.xkey, buf, sizeof buf, &ksym, 0);
-			if(IsFunctionKey(ksym) || IsKeypadKey(ksym)
-					|| IsMiscFunctionKey(ksym) || IsPFKey(ksym)
-					|| IsPrivateKeypadKey(ksym))
+	while (running && !XNextEvent(dpy, &ev)) {
+		if (ev.type == KeyPress) {
+			explicit_bzero(&buf, sizeof(buf));
+			num = XLookupString(&ev.xkey, buf, sizeof(buf), &ksym, 0);
+			if (IsKeypadKey(ksym)) {
+				if (ksym == XK_KP_Enter)
+					ksym = XK_Return;
+				else if (ksym >= XK_KP_0 && ksym <= XK_KP_9)
+					ksym = (ksym - XK_KP_0) + XK_0;
+			}
+			if (IsFunctionKey(ksym) ||
+			    IsKeypadKey(ksym) ||
+			    IsMiscFunctionKey(ksym) ||
+			    IsPFKey(ksym) ||
+			    IsPrivateKeypadKey(ksym))
 				continue;
-			switch(ksym) {
+			switch (ksym) {
 			case XK_Return:
-				passwd[len] = 0;
-				if((running = strcmp(crypt(passwd, pws), pws)) != 0)
+				passwd[len] = '\0';
+				errno = 0;
+				if (!(inputhash = crypt(passwd, hash)))
+					fprintf(stderr, "slock: crypt: %s\n", strerror(errno));
+				else
+					running = !!strcmp(inputhash, hash);
+				if (running) {
 					XBell(dpy, 100);
+					failure = 1;
+				}
+				explicit_bzero(&passwd, sizeof(passwd));
 				len = 0;
 				break;
 			case XK_Escape:
+				explicit_bzero(&passwd, sizeof(passwd));
 				len = 0;
 				break;
 			case XK_BackSpace:
-				if(len)
-					--len;
+				if (len)
+					passwd[--len] = '\0';
 				break;
 			default:
-				if(num && !iscntrl((int) buf[0]) && (len + num < sizeof passwd)) { 
+				if (num && !iscntrl((int)buf[0]) &&
+				    (len + num < sizeof(passwd))) {
 					memcpy(passwd + len, buf, num);
 					len += num;
 				}
 				break;
 			}
+			color = len ? INPUT : ((failure || failonclear) ? FAILED : INIT);
+			if (running && oldc != color) {
+				for (screen = 0; screen < nscreens; screen++) {
+					XSetWindowBackground(dpy,
+					                     locks[screen]->win,
+					                     locks[screen]->colors[color]);
+					XClearWindow(dpy, locks[screen]->win);
+				}
+				oldc = color;
+			}
+		} else if (rr->active && ev.type == rr->evbase + RRScreenChangeNotify) {
+			rre = (XRRScreenChangeNotifyEvent*)&ev;
+			for (screen = 0; screen < nscreens; screen++) {
+				if (locks[screen]->win == rre->window) {
+					if (rre->rotation == RR_Rotate_90 ||
+					    rre->rotation == RR_Rotate_270)
+						XResizeWindow(dpy, locks[screen]->win,
+						              rre->height, rre->width);
+					else
+						XResizeWindow(dpy, locks[screen]->win,
+						              rre->width, rre->height);
+					XClearWindow(dpy, locks[screen]->win);
+					break;
+				}
+			}
+		} else {
+			for (screen = 0; screen < nscreens; screen++)
+				XRaiseWindow(dpy, locks[screen]->win);
 		}
-	XUngrabPointer(dpy, CurrentTime);
-	XFreePixmap(dpy, pmap);
-	XDestroyWindow(dpy, w);
-	XCloseDisplay(dpy);
+	}
+}
+
+static struct lock *
+lockscreen(Display *dpy, struct xrandr *rr, int screen)
+{
+	char curs[] = {0, 0, 0, 0, 0, 0, 0, 0};
+	int i, ptgrab, kbgrab;
+	struct lock *lock;
+	XColor color, dummy;
+	XSetWindowAttributes wa;
+	Cursor invisible;
+
+	if (dpy == NULL || screen < 0 || !(lock = malloc(sizeof(struct lock))))
+		return NULL;
+
+	lock->screen = screen;
+	lock->root = RootWindow(dpy, lock->screen);
+
+	for (i = 0; i < NUMCOLS; i++) {
+		XAllocNamedColor(dpy, DefaultColormap(dpy, lock->screen),
+		                 colorname[i], &color, &dummy);
+		lock->colors[i] = color.pixel;
+	}
+
+	/* init */
+	wa.override_redirect = 1;
+	wa.background_pixel = lock->colors[INIT];
+	lock->win = XCreateWindow(dpy, lock->root, 0, 0,
+	                          DisplayWidth(dpy, lock->screen),
+	                          DisplayHeight(dpy, lock->screen),
+	                          0, DefaultDepth(dpy, lock->screen),
+	                          CopyFromParent,
+	                          DefaultVisual(dpy, lock->screen),
+	                          CWOverrideRedirect | CWBackPixel, &wa);
+	lock->pmap = XCreateBitmapFromData(dpy, lock->win, curs, 8, 8);
+	invisible = XCreatePixmapCursor(dpy, lock->pmap, lock->pmap,
+	                                &color, &color, 0, 0);
+	XDefineCursor(dpy, lock->win, invisible);
+
+	/* Try to grab mouse pointer *and* keyboard for 600ms, else fail the lock */
+	for (i = 0, ptgrab = kbgrab = -1; i < 6; i++) {
+		if (ptgrab != GrabSuccess) {
+			ptgrab = XGrabPointer(dpy, lock->root, False,
+			                      ButtonPressMask | ButtonReleaseMask |
+			                      PointerMotionMask, GrabModeAsync,
+			                      GrabModeAsync, None, invisible, CurrentTime);
+		}
+		if (kbgrab != GrabSuccess) {
+			kbgrab = XGrabKeyboard(dpy, lock->root, True,
+			                       GrabModeAsync, GrabModeAsync, CurrentTime);
+		}
+
+		/* input is grabbed: we can lock the screen */
+		if (ptgrab == GrabSuccess && kbgrab == GrabSuccess) {
+			XMapRaised(dpy, lock->win);
+			if (rr->active)
+				XRRSelectInput(dpy, lock->win, RRScreenChangeNotifyMask);
+
+			XSelectInput(dpy, lock->root, SubstructureNotifyMask);
+			return lock;
+		}
+
+		/* retry on AlreadyGrabbed but fail on other errors */
+		if ((ptgrab != AlreadyGrabbed && ptgrab != GrabSuccess) ||
+		    (kbgrab != AlreadyGrabbed && kbgrab != GrabSuccess))
+			break;
+
+		usleep(100000);
+	}
+
+	/* we couldn't grab all input: fail out */
+	if (ptgrab != GrabSuccess)
+		fprintf(stderr, "slock: unable to grab mouse pointer for screen %d\n",
+		        screen);
+	if (kbgrab != GrabSuccess)
+		fprintf(stderr, "slock: unable to grab keyboard for screen %d\n",
+		        screen);
+	return NULL;
+}
+
+static void
+usage(void)
+{
+	die("usage: slock [-v] [cmd [arg ...]]\n");
+}
+
+int
+main(int argc, char **argv) {
+	struct xrandr rr;
+	struct lock **locks;
+	struct passwd *pwd;
+	struct group *grp;
+	uid_t duid;
+	gid_t dgid;
+	const char *hash;
+	Display *dpy;
+	int s, nlocks, nscreens;
+
+	ARGBEGIN {
+	case 'v':
+		puts("slock-"VERSION);
+		return 0;
+	default:
+		usage();
+	} ARGEND
+
+	/* validate drop-user and -group */
+	errno = 0;
+	if (!(pwd = getpwnam(user)))
+		die("slock: getpwnam %s: %s\n", user,
+		    errno ? strerror(errno) : "user entry not found");
+	duid = pwd->pw_uid;
+	errno = 0;
+	if (!(grp = getgrnam(group)))
+		die("slock: getgrnam %s: %s\n", group,
+		    errno ? strerror(errno) : "group entry not found");
+	dgid = grp->gr_gid;
+
+#ifdef __linux__
+	dontkillme();
+#endif
+
+	hash = gethash();
+	errno = 0;
+	if (!crypt("", hash))
+		die("slock: crypt: %s\n", strerror(errno));
+
+	if (!(dpy = XOpenDisplay(NULL)))
+		die("slock: cannot open display\n");
+
+	/* drop privileges */
+	if (setgroups(0, NULL) < 0)
+		die("slock: setgroups: %s\n", strerror(errno));
+	if (setgid(dgid) < 0)
+		die("slock: setgid: %s\n", strerror(errno));
+	if (setuid(duid) < 0)
+		die("slock: setuid: %s\n", strerror(errno));
+
+	/* check for Xrandr support */
+	rr.active = XRRQueryExtension(dpy, &rr.evbase, &rr.errbase);
+
+	/* get number of screens in display "dpy" and blank them */
+	nscreens = ScreenCount(dpy);
+	if (!(locks = calloc(nscreens, sizeof(struct lock *))))
+		die("slock: out of memory\n");
+	for (nlocks = 0, s = 0; s < nscreens; s++) {
+		if ((locks[s] = lockscreen(dpy, &rr, s)) != NULL)
+			nlocks++;
+		else
+			break;
+	}
+	XSync(dpy, 0);
+
+	/* did we manage to lock everything? */
+	if (nlocks != nscreens)
+		return 1;
+
+	/* run post-lock command */
+	if (argc > 0) {
+		switch (fork()) {
+		case -1:
+			die("slock: fork failed: %s\n", strerror(errno));
+		case 0:
+			if (close(ConnectionNumber(dpy)) < 0)
+				die("slock: close: %s\n", strerror(errno));
+			execvp(argv[0], argv);
+			fprintf(stderr, "slock: execvp %s: %s\n", argv[0], strerror(errno));
+			_exit(1);
+		}
+	}
+
+	/* everything is now blank. Wait for the correct password */
+	readpw(dpy, &rr, locks, nscreens, hash);
+
 	return 0;
 }

util.h

@@ -0,0 +1,2 @@
+#undef explicit_bzero
+void explicit_bzero(void *, size_t);