[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Password required for Calamares installer -> request for backport (Was: Does reporting bugs from inside the live CD work?)



Hello Attilla, live-config maintainers,

On 26/11/2023 07:54, dubser@grey-panther.net wrote:
I was directed to this list after my post on debian-users [1]. I would like to report two issues with the Debian LiveCD (specifically the debian-live-12.2.0-amd64-gnome.iso one):

1) if one starts the installer from the live environment, one is asked for a password, that is (as far as I can tell) not documented anywhere inside the CD: https://kdrive.infomaniak.com/app/share/545250/a4c87792-3ed2-4a70-bc1c-ae629842f9cb/preview/image/876245 <https://kdrive.infomaniak.com/app/share/545250/a4c87792-3ed2-4a70-bc1c-ae629842f9cb/preview/image/876245>

This issue has been fixed in live-config 11.0.4. The version in stable is 11.0.3-nmu1, which does not have this fix yet. See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1037295

I've extracted the difference between 11.0.3+nmu1 and 11.0.4 with the .dsc files and dget, attached is the diff file. It contains this specific fix in components/1080-policykit and some administrative changes in debian/control.

@live-config maintainers: Could live-config 11.0.4 be backported to stable (Bookworm) or should I prepare a patch for the live-build configuration? If we can manage before the 9th December, the fix can be present in the next liveCD for 12.3.

[snip issue 2, to be answered in a separate mail]

With kind regards,
Roland Clobus
[1] https://lists.debian.org/debian-user/2023/11/msg00733.html <https://lists.debian.org/debian-user/2023/11/msg00733.html>

diff -r -u live-config-11.0.3+nmu1/components/1080-policykit live-config-11.0.4/components/1080-policykit
--- live-config-11.0.3+nmu1/components/1080-policykit	2021-06-28 11:40:26.000000000 +0200
+++ live-config-11.0.4/components/1080-policykit	2023-07-10 20:40:01.000000000 +0200
@@ -3,7 +3,7 @@
 . /lib/live/config.sh
 
 ## live-config(7) - System Configuration Components
-## Copyright (C) 2016-2020 The Debian Live team
+## Copyright (C) 2016-2023 The Debian Live team
 ## Copyright (C) 2006-2015 Daniel Baumann <mail@daniel-baumann.ch>
 ##
 ## This program comes with ABSOLUTELY NO WARRANTY; for details see COPYING.
@@ -40,7 +40,8 @@
 	esac
 
 	# Checking if package is installed
-	if ! pkg_is_installed "policykit-1" || \
+	if (! pkg_is_installed "polkitd" &&
+		! pkg_is_installed "policykit-1") || \
 	   component_was_executed "policykit"
 	then
 		exit 0
@@ -51,53 +52,34 @@
 
 Config ()
 {
-	# Grant administrative PolicyKit pivilieges to default user
-
 	# Configure PolicyKit in live session
-	mkdir -p /etc/PolicyKit
-
-cat > /etc/PolicyKit/PolicyKit.conf << EOF
-<?xml version="1.0" encoding="UTF-8"?> <!-- -*- XML -*- -->
-
-<!DOCTYPE pkconfig PUBLIC "-//freedesktop//DTD PolicyKit Configuration 1.0//EN"
-"http://hal.freedesktop.org/releases/PolicyKit/1.0/config.dtd";>
-
-<!-- See the manual page PolicyKit.conf(5) for file format -->
-
-<config version="0.1">
-	<match user="root">
-		<return result="yes"/>
-	</match>
-EOF
+	mkdir -p /usr/share/polkit-1/rules.d
 
 	if [ -n "${LIVE_USERNAME}" ]
 	then
-
-cat >> /etc/PolicyKit/PolicyKit.conf << EOF
-	<!-- don't ask password for user in live session -->
-	<match user="${LIVE_USERNAME}">
-		<return result="yes"/>
-	</match>
+		cat > /usr/share/polkit-1/rules.d/sudo_on_live.rules << EOF
+// Grant the live user access without a prompt
+polkit.addRule(function(action, subject) {
+	if (subject.local &&
+		subject.active &&
+		subject.user === "${LIVE_USERNAME}" &&
+		subject.isInGroup("sudo")) {
+		return polkit.Result.YES;
+	}
+});
 EOF
-
-	fi
-
-cat >> /etc/PolicyKit/PolicyKit.conf << EOF
-	<define_admin_auth group="adm"/>
-</config>
-EOF
-
-	mkdir -p /var/lib/polkit-1/localauthority/10-vendor.d
-
-cat > /var/lib/polkit-1/localauthority/10-vendor.d/10-live-cd.pkla << EOF
-# Policy to allow the livecd user to bypass policykit
-[Live CD user permissions]
-Identity=unix-user:${LIVE_USERNAME}
-Action=*
-ResultAny=no
-ResultInactive=no
-ResultActive=yes
+	else
+		cat > /usr/share/polkit-1/rules.d/sudo_on_live.rules << EOF
+// Grant the sudo users access without a prompt
+polkit.addRule(function(action, subject) {
+	if (subject.local &&
+		subject.active &&
+		subject.isInGroup("sudo")) {
+		return polkit.Result.YES;
+	}
+});
 EOF
+	fi
 
 	# Creating state file
 	touch /var/lib/live/config/policykit
diff -r -u live-config-11.0.3+nmu1/debian/changelog live-config-11.0.4/debian/changelog
--- live-config-11.0.3+nmu1/debian/changelog	2022-10-15 12:16:02.000000000 +0200
+++ live-config-11.0.4/debian/changelog	2023-07-10 20:43:26.000000000 +0200
@@ -1,9 +1,13 @@
-live-config (11.0.3+nmu1) unstable; urgency=medium
+live-config (11.0.4) unstable; urgency=medium
 
-  * Non-maintainer upload.
-  * No source change upload to rebuild with debhelper 13.10.
+  [ Jonathan Carter ]
+  * Add changelog entries for Roland's recent changes
 
- -- Michael Biebl <biebl@debian.org>  Sat, 15 Oct 2022 12:16:02 +0200
+  [ Roland Clobus]
+  * Update the polkit configuration to polkitd (Closes: #1037295)
+  * Add lintian overrides
+
+ -- Jonathan Carter <jcc@debian.org>  Mon, 10 Jul 2023 20:43:26 +0200
 
 live-config (11.0.3) unstable; urgency=medium
 
diff -r -u live-config-11.0.3+nmu1/debian/control live-config-11.0.4/debian/control
--- live-config-11.0.3+nmu1/debian/control	2021-06-28 11:40:26.000000000 +0200
+++ live-config-11.0.4/debian/control	2023-07-10 20:40:01.000000000 +0200
@@ -4,9 +4,9 @@
            Jonathan Carter <jcc@debian.org>
 Section: misc
 Priority: optional
-Build-Depends: debhelper-compat (= 12)
+Build-Depends: debhelper-compat (= 13)
 Build-Depends-Indep: lsb-release
-Standards-Version: 4.5.1
+Standards-Version: 4.6.2
 Vcs-Browser: https://salsa.debian.org/live-team/live-config
 Vcs-Git: https://salsa.debian.org/live-team/live-config.git
 Homepage: https://salsa.debian.org/live-team/live-config
diff -r -u live-config-11.0.3+nmu1/debian/live-config-systemd.lintian-overrides live-config-11.0.4/debian/live-config-systemd.lintian-overrides
--- live-config-11.0.3+nmu1/debian/live-config-systemd.lintian-overrides	2021-06-28 11:40:26.000000000 +0200
+++ live-config-11.0.4/debian/live-config-systemd.lintian-overrides	2023-07-10 20:40:01.000000000 +0200
@@ -1,5 +1,5 @@
 # live-config is special and wants to run very early before most services
-systemd-service-file-refers-to-unusual-wantedby-target lib/systemd/system/live-config.service basic.target
+systemd-service-file-refers-to-unusual-wantedby-target basic.target [lib/systemd/system/live-config.service]
 # Yes this package is dedicated to systemd, it will not provide SysV
 # scripts
 package-supports-alternative-init-but-no-init.d-script lib/systemd/system/live-config.service
diff -r -u live-config-11.0.3+nmu1/debian/live-config-sysvinit.lintian-overrides live-config-11.0.4/debian/live-config-sysvinit.lintian-overrides
--- live-config-11.0.3+nmu1/debian/live-config-sysvinit.lintian-overrides	2021-06-28 11:40:26.000000000 +0200
+++ live-config-11.0.4/debian/live-config-sysvinit.lintian-overrides	2023-07-10 20:43:20.000000000 +0200
@@ -1,5 +1,5 @@
 # This is expected, the package is dedicated to sysvinit
-systemd-no-service-for-init-rcS-script live-config
+missing-systemd-service-for-init.d-rcS-script live-config
 init.d-script-does-not-source-init-functions etc/init.d/live-config
 # Status is not useful, it's a oneshot bootup script
 init.d-script-does-not-implement-status-option etc/init.d/live-config
diff -r -u live-config-11.0.3+nmu1/debian/rules live-config-11.0.4/debian/rules
--- live-config-11.0.3+nmu1/debian/rules	2019-05-19 10:11:26.000000000 +0200
+++ live-config-11.0.4/debian/rules	2023-07-10 20:40:01.000000000 +0200
@@ -26,8 +26,5 @@
 override_dh_compress:
 	dh_compress -Xusr/share/doc/live-config/examples
 
-override_dh_missing:
-	dh_missing --fail-missing
-
 override_dh_installinit:
 	dh_installinit -p live-config-sysvinit --no-stop-on-upgrade --no-start --update-rcd-params='start 00 S .' --name live-config --onlyscripts

Attachment: OpenPGP_signature.asc
Description: OpenPGP digital signature


Reply to: