73c59e54c12fdee42ff58116ceebe80fe533b1b4
The PAM stack only ever had `auth include login` — no account module. auth.rs nevertheless called pam_acct_mgmt after pam_authenticate, which fell back to /etc/pam.d/other (pam_deny) and rejected every password.
On the FP side, the same call was wrapped in a spawn_blocking + 2s resume_async retry path that triggered a use-after-free in gtk_window_destroy (20+ SIGSEGVs in 6 days).
- auth.rs: remove pam_acct_mgmt extern + call; return pam_authenticate result directly. Lockout still works via pam_faillock in the auth stack.
- auth.rs: drop check_account() and its tests (FP path no longer needs it).
- lockscreen.rs::start_fingerprint: on success go straight to label.set_text + fp.stop() + cb(); no PAM acct check, no resume retry.
- fingerprint.rs: remove resume_async() — no caller left.
- config/moonlock-pam: keep single `auth include login` line, matching swaylock/gtklock pattern.
- CLAUDE.md, DECISIONS.md updated.
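
The fall-through described in the commit message above can be checked statically. The following is an added example, not code from the Moonlock repository: it lists the PAM facilities a service file leaves undefined, which Linux-PAM resolves through /etc/pam.d/other. The function names are hypothetical, the sample file is constructed, an `include` line is assumed to pull in at least one rule of its type, and Debian-style `@include` lines are not followed.

```rust
// Added example (hypothetical helper names): find PAM facilities that a
// service file does not define and that therefore resolve via /etc/pam.d/other.
use std::collections::BTreeSet;

static FACILITIES: [&str; 4] = ["auth", "account", "password", "session"];

/// Facilities that have at least one rule in the given pam.d file text.
/// Assumption: an `include`/`substack` rule counts as defining its facility.
fn configured_facilities(service_file: &str) -> BTreeSet<&'static str> {
    // A backslash at end of line continues the rule on the next line.
    let joined = service_file.replace("\\\n", " ");
    let mut found = BTreeSet::new();
    for line in joined.lines() {
        // '#' starts a comment; this also skips the "#%PAM-1.0" header.
        let rule = line.split('#').next().unwrap_or("").trim();
        // The first field is the facility; a leading '-' only silences
        // logging when the module is missing, so strip it before matching.
        let ty = rule.split_whitespace().next().unwrap_or("").trim_start_matches('-');
        if let Some(f) = FACILITIES.iter().find(|f| f.eq_ignore_ascii_case(ty)) {
            found.insert(*f);
        }
    }
    found
}

/// Facilities the program calls into but the service file does not define.
fn falls_through_to_other(service_file: &str, called: &[&'static str]) -> Vec<&'static str> {
    let have = configured_facilities(service_file);
    called.iter().copied().filter(|f| !have.contains(f)).collect()
}

fn main() {
    // Constructed input: the single-rule service file the commit message describes.
    let moonlock_pam = "#%PAM-1.0\nauth include login\n";
    // pam_authenticate runs the "auth" facility, pam_acct_mgmt runs "account".
    for f in falls_through_to_other(moonlock_pam, &["auth", "account"]) {
        println!("{f}: no rule in service file, /etc/pam.d/other decides");
    }
}
```

Run against a service file together with the list of facilities the program actually invokes; any facility reported is decided by whatever the host's `other` policy contains.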
Moonlock
A secure Wayland lockscreen with GTK4, PAM authentication and fingerprint support. Part of the Moonarch ecosystem.
Features
- ext-session-lock-v1 — Protocol-guaranteed screen locking (compositor keeps screen locked on crash, `exit(1)` in release if unsupported)
- PAM authentication — Uses system PAM stack (`/etc/pam.d/moonlock`) with 30s timeout and generation counter
- Fingerprint unlock — fprintd D-Bus integration with sender validation, async init (window appears instantly), `pam_acct_mgmt` check after verify, auto-resume on transient errors
- Multi-monitor + hotplug — Lockscreen on every monitor with shared blur and avatar caches; monitors added after suspend/resume get windows automatically via `connect_monitor` signal
- GPU blur — Background blur via GskBlurNode (downscale to max 1920px, configurable 0–200)
- i18n — German and English (auto-detected)
- Faillock warning — Progressive UI warning after failed attempts, PAM decides lockout
- Panic safety — Panic hook logs but never unlocks (installed before logging)
- Password wiping — `Zeroize` on drop from GTK entry through PAM FFI layer
- Journal logging — `journalctl -t moonlock`, debug level via `MOONLOCK_DEBUG` env var
Requirements
- GTK 4
- gtk4-session-lock (ext-session-lock-v1 support)
- PAM (`/etc/pam.d/moonlock`)
- Optional: fprintd for fingerprint support
Building
cargo build --release
Installation
# Install binary
sudo install -Dm755 target/release/moonlock /usr/bin/moonlock
# Install PAM config
sudo install -Dm644 config/moonlock-pam /etc/pam.d/moonlock
# Optional: Install example config
sudo install -Dm644 config/moonlock.toml.example /etc/moonlock/moonlock.toml.example
Configuration
Create /etc/moonlock/moonlock.toml or ~/.config/moonlock/moonlock.toml:
background_path = "/usr/share/wallpapers/moon.jpg"
background_blur = 40.0 # 0.0–200.0, optional
fingerprint_enabled = true
Usage
Typically launched via keybind in your Wayland compositor:
# Niri keybind example
binds {
    Mod+L { spawn "moonlock"; }
}
Development
cargo test
cargo build --release
LD_PRELOAD=/usr/lib/libgtk4-layer-shell.so ./target/release/moonlock
License
MIT