Bug#696449: unblock: policykit-1/0.105-3
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package policykit-1
It contains two targeted, important bug fixes:
1/ Fixes wrong permissions for /etc/polkit-1/localauthority
2/ Fixes starting of graphical applications via pkexec (e.g. gparted)
from desktop environments like KDE. (Bug#671497). Patch is cherry-picked
from upstream git.
The full changelog reads:
policykit-1 (0.105-3) unstable; urgency=low
* 07_set-XAUTHORITY-environment-variable-if-unset.patch: Set XAUTHORITY
environment variable to its default value $HOME/.Xauthority if unset.
Some display managers, like KDM, do not set the XAUTHORITY variable, so
starting graphical applications via pkexec was broken in those
environments. (Closes: #671497)
-- Michael Biebl <biebl@debian.org> Thu, 20 Dec 2012 18:55:14 +0100
policykit-1 (0.105-2) unstable; urgency=low
* Change the permissions of /etc/polkit-1/localauthority to 700, this
directory is not supposed to be readable by everyone.
-- Michael Biebl <biebl@debian.org> Mon, 17 Dec 2012 17:02:06 +0100
The complete debdiff is attached.
Cheers,
Michael
unblock policykit-1/0.105-3
-- System Information:
Debian Release: 7.0
APT prefers unstable
APT policy: (500, 'unstable'), (200, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.6-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff --git a/debian/changelog b/debian/changelog
index a2dc7e4..c3ab45b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,20 @@
+policykit-1 (0.105-3) unstable; urgency=low
+
+ * 07_set-XAUTHORITY-environment-variable-if-unset.patch: Set XAUTHORITY
+ environment variable to its default value $HOME/.Xauthority if unset.
+ Some display managers, like KDM, do not set the XAUTHORITY variable, so
+ starting graphical applications via pkexec was broken in those
+ environments. (Closes: #671497)
+
+ -- Michael Biebl <biebl@debian.org> Thu, 20 Dec 2012 18:55:14 +0100
+
+policykit-1 (0.105-2) unstable; urgency=low
+
+ * Change the permissions of /etc/polkit-1/localauthority to 700, this
+ directory is not supposed to be readable by everyone.
+
+ -- Michael Biebl <biebl@debian.org> Mon, 17 Dec 2012 17:02:06 +0100
+
policykit-1 (0.105-1) unstable; urgency=low
* New upstream release.
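Review bot: The 0.105-2 entry for the /etc/polkit-1/localauthority permission change carries no bug reference, unlike the 0.105-3 entry with its "Closes: #671497", so a reader of the changelog cannot trace why the directory must not be world-readable. Add a bug number if one exists, or one more sentence on what the directory holds. Both entries are also uploaded with urgency=low although the request calls the fixes important; worth confirming that is intended.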
diff --git a/debian/patches/07_set-XAUTHORITY-environment-variable-if-unset.patch b/debian/patches/07_set-XAUTHORITY-environment-variable-if-unset.patch
new file mode 100644
index 0000000..f98295f
--- /dev/null
+++ b/debian/patches/07_set-XAUTHORITY-environment-variable-if-unset.patch
@@ -0,0 +1,59 @@
+From d6acecdd0ebb42e28ff28e04e0207cb01fa20910 Mon Sep 17 00:00:00 2001
+From: David Zeuthen <zeuthen@gmail.com>
+Date: Wed, 19 Dec 2012 14:28:29 -0500
+Subject: [PATCH] Set XAUTHORITY environment variable if is unset
+
+The way it works is that if XAUTHORITY is unset, then its default
+value is $HOME/.Xauthority. But since we're changing user identity
+this will not work since $HOME will now change. Therefore, if
+XAUTHORITY is unset, just set its default value before changing
+identity. This bug only affected login managers using X Window
+Authorization but not explicitly setting the XAUTHORITY variable.
+
+You can argue that XAUTHORITY is broken since it forces uid-changing
+apps like pkexec(1) to do more work - and get involved in intimate
+details of how X works and so on - but that doesn't change how things
+work.
+
+Based on a patch from Peter Wu <lekensteyn@gmail.com>.
+
+https://bugs.freedesktop.org/show_bug.cgi?id=51623
+
+Signed-off-by: David Zeuthen <zeuthen@gmail.com>
+---
+ src/programs/pkexec.c | 22 ++++++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+
+Index: policykit-1/src/programs/pkexec.c
+===================================================================
+--- policykit-1.orig/src/programs/pkexec.c 2012-12-20 18:41:37.714807215 +0100
++++ policykit-1/src/programs/pkexec.c 2012-12-20 18:41:37.790805274 +0100
+@@ -597,6 +597,28 @@
+ g_ptr_array_add (saved_env, g_strdup (value));
+ }
+
++ /* $XAUTHORITY is "special" - if unset, we need to set it to ~/.Xauthority. Yes,
++ * this is broken but it's unfortunately how things work (see fdo #51623 for
++ * details)
++ */
++ if (g_getenv ("XAUTHORITY") == NULL)
++ {
++ const gchar *home;
++
++ /* pre-2.36 GLib does not examine $HOME (it always looks in /etc/passwd) and
++ * this is not what we want
++ */
++ home = g_getenv ("HOME");
++ if (home == NULL)
++ home = g_get_home_dir ();
++
++ if (home != NULL)
++ {
++ g_ptr_array_add (saved_env, g_strdup ("XAUTHORITY"));
++ g_ptr_array_add (saved_env, g_build_filename (home, ".Xauthority", NULL));
++ }
++ }
++
+ /* Nuke the environment to get a well-known and sanitized environment to avoid attacks
+ * via e.g. the DBUS_SYSTEM_BUS_ADDRESS environment variable and similar.
+ */
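Review bot: In the new XAUTHORITY block, the value from g_getenv ("HOME") comes from the caller's environment and is passed to g_build_filename () with no check beyond "home != NULL", so a relative HOME produces a relative XAUTHORITY path that the target process will resolve against its own working directory after the identity change. Consider requiring g_path_is_absolute (home) before adding the pair to saved_env, and falling back to g_get_home_dir () when the check fails. The block is correctly placed before the "Nuke the environment" step, so the lookup still sees the caller's HOME; a short comment saying that the ordering is deliberate would keep a later reshuffle from breaking it.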
diff --git a/debian/patches/series b/debian/patches/series
index ef423c4..2d3a3f9 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -4,3 +4,4 @@
04_get_cwd.patch
05_revert-admin-identities-unix-group-wheel.patch
06_systemd-service.patch
+07_set-XAUTHORITY-environment-variable-if-unset.patch
diff --git a/debian/policykit-1.postinst b/debian/policykit-1.postinst
index b6f751c..c6a39de 100644
--- a/debian/policykit-1.postinst
+++ b/debian/policykit-1.postinst
@@ -40,6 +40,7 @@ get_pid() {
case "$1" in
configure)
set_perms root root 700 /var/lib/polkit-1
+ set_perms root root 700 /etc/polkit-1/localauthority
set_perms root root 4755 /usr/lib/policykit-1/polkit-agent-helper-1
set_perms root root 4755 /usr/bin/pkexec
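Review bot: The new "set_perms root root 700 /etc/polkit-1/localauthority" line runs only in the configure branch, so the directory keeps whatever mode the package data ships with from unpack until postinst runs, and on any system where configure is delayed or fails. Consider also shipping the directory as 0700 in the package itself so the restrictive mode does not depend on the maintainer script. The visible lines do not show how set_perms treats a mode the local administrator has overridden; if it forces the mode unconditionally, that is worth a mention in the changelog.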