This involves setuid'ing swaylock, which then forks and drops perms on
the parent process. The child process remains root and listens on a pipe
for requests to validate passwords against /etc/shadow.
The whole state->xcb.modifiers thing didn't work at all (always 0)
The xkb doc says "[xkb_state_serialize_mods] should not be used in
regular clients; please use the xkb_state_mod_*_is_active API instead"
so here it is
- Replace char* with static array. Any chars > 1024 will be discarded.
- mlock() password buffer so it can't be written to swap.
- Clear password buffer after auth succeeds or fails.
This is basically the same treatment I gave the 0.15 branch in https://github.com/swaywm/sway/pull/1519