
Bug#696449: marked as done (unblock: policykit-1/0.105-3)



Your message dated Sat, 22 Dec 2012 12:34:48 +0000
with message-id <e08d212fb144f9c4b86085709092400e@mail.adsl.funky-badger.org>
and subject line Re: Bug#696449: unblock: policykit-1/0.105-3
has caused the Debian Bug report #696449,
regarding unblock: policykit-1/0.105-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
696449: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=696449
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package policykit-1

It contains two targeted, important bug fixes:

1/ Fixes wrong permissions for /etc/polkit-1/localauthority
2/ Fixes starting of graphical applications via pkexec (e.g. gparted)
from desktop environments like KDE. (Bug#671497). Patch is cherry-picked
from upstream git.

The full changelog reads:

policykit-1 (0.105-3) unstable; urgency=low

  * 07_set-XAUTHORITY-environment-variable-if-unset.patch: Set XAUTHORITY
    environment variable to its default value $HOME/.Xauthority if unset.
    Some display managers, like KDM, do not set the XAUTHORITY variable, so
    starting graphical applications via pkexec was broken in those
    environments. (Closes: #671497)

 -- Michael Biebl <biebl@debian.org>  Thu, 20 Dec 2012 18:55:14 +0100

policykit-1 (0.105-2) unstable; urgency=low

  * Change the permissions of /etc/polkit-1/localauthority to 700, this
    directory is not supposed to be readable by everyone.

 -- Michael Biebl <biebl@debian.org>  Mon, 17 Dec 2012 17:02:06 +0100

The complete debdiff is attached.

Cheers,
Michael

unblock policykit-1/0.105-3

-- System Information:
Debian Release: 7.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (200, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.6-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff --git a/debian/changelog b/debian/changelog
index a2dc7e4..c3ab45b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,20 @@
+policykit-1 (0.105-3) unstable; urgency=low
+
+  * 07_set-XAUTHORITY-environment-variable-if-unset.patch: Set XAUTHORITY
+    environment variable to its default value $HOME/.Xauthority if unset.
+    Some display managers, like KDM, do not set the XAUTHORITY variable, so
+    starting graphical applications via pkexec was broken in those
+    environments. (Closes: #671497)
+
+ -- Michael Biebl <biebl@debian.org>  Thu, 20 Dec 2012 18:55:14 +0100
+
+policykit-1 (0.105-2) unstable; urgency=low
+
+  * Change the permissions of /etc/polkit-1/localauthority to 700, this
+    directory is not supposed to be readable by everyone.
+
+ -- Michael Biebl <biebl@debian.org>  Mon, 17 Dec 2012 17:02:06 +0100
+
 policykit-1 (0.105-1) unstable; urgency=low
 
   * New upstream release.
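Review bot: the 0.105-2 entry tightens the mode of /etc/polkit-1/localauthority but carries no bug reference and does not say what the previous mode was or what was readable through it. Add that, and a Closes: if a report exists, so the exposure can be judged from the changelog alone. Both entries use urgency=low, which deserves a second look for the permission fix.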
diff --git a/debian/patches/07_set-XAUTHORITY-environment-variable-if-unset.patch b/debian/patches/07_set-XAUTHORITY-environment-variable-if-unset.patch
new file mode 100644
index 0000000..f98295f
--- /dev/null
+++ b/debian/patches/07_set-XAUTHORITY-environment-variable-if-unset.patch
@@ -0,0 +1,59 @@
+From d6acecdd0ebb42e28ff28e04e0207cb01fa20910 Mon Sep 17 00:00:00 2001
+From: David Zeuthen <zeuthen@gmail.com>
+Date: Wed, 19 Dec 2012 14:28:29 -0500
+Subject: [PATCH] Set XAUTHORITY environment variable if is unset
+
+The way it works is that if XAUTHORITY is unset, then its default
+value is $HOME/.Xauthority. But since we're changing user identity
+this will not work since $HOME will now change. Therefore, if
+XAUTHORITY is unset, just set its default value before changing
+identity. This bug only affected login managers using X Window
+Authorization but not explicitly setting the XAUTHORITY variable.
+
+You can argue that XAUTHORITY is broken since it forces uid-changing
+apps like pkexec(1) to do more work - and get involved in intimate
+details of how X works and so on - but that doesn't change how things
+work.
+
+Based on a patch from Peter Wu <lekensteyn@gmail.com>.
+
+https://bugs.freedesktop.org/show_bug.cgi?id=51623
+
+Signed-off-by: David Zeuthen <zeuthen@gmail.com>
+---
+ src/programs/pkexec.c |   22 ++++++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+
+Index: policykit-1/src/programs/pkexec.c
+===================================================================
+--- policykit-1.orig/src/programs/pkexec.c	2012-12-20 18:41:37.714807215 +0100
++++ policykit-1/src/programs/pkexec.c	2012-12-20 18:41:37.790805274 +0100
+@@ -597,6 +597,28 @@
+       g_ptr_array_add (saved_env, g_strdup (value));
+     }
+ 
++  /* $XAUTHORITY is "special" - if unset, we need to set it to ~/.Xauthority. Yes,
++   * this is broken but it's unfortunately how things work (see fdo #51623 for
++   * details)
++   */
++  if (g_getenv ("XAUTHORITY") == NULL)
++    {
++      const gchar *home;
++
++      /* pre-2.36 GLib does not examine $HOME (it always looks in /etc/passwd) and
++       * this is not what we want
++       */
++      home = g_getenv ("HOME");
++      if (home == NULL)
++        home = g_get_home_dir ();
++
++      if (home != NULL)
++        {
++          g_ptr_array_add (saved_env, g_strdup ("XAUTHORITY"));
++          g_ptr_array_add (saved_env, g_build_filename (home, ".Xauthority", NULL));
++        }
++    }
++
+   /* Nuke the environment to get a well-known and sanitized environment to avoid attacks
+    * via e.g. the DBUS_SYSTEM_BUS_ADDRESS environment variable and similar.
+    */
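Review bot: in the new block guarded by g_getenv ("XAUTHORITY") == NULL, home is taken from the caller's $HOME first, and the path built from it is appended to saved_env after the loop that closes just above, so whatever per-variable checks that loop applies are not run on this value. pkexec is installed setuid root (mode 4755 in the postinst hunk), so $HOME is caller-controlled input. Pass the built path through the same validation as the other saved values, or add a comment stating why an arbitrary $HOME is acceptable here; the existing comment explains why $HOME is preferred over g_get_home_dir () but not this trust question.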
diff --git a/debian/patches/series b/debian/patches/series
index ef423c4..2d3a3f9 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -4,3 +4,4 @@
 04_get_cwd.patch
 05_revert-admin-identities-unix-group-wheel.patch
 06_systemd-service.patch
+07_set-XAUTHORITY-environment-variable-if-unset.patch
diff --git a/debian/policykit-1.postinst b/debian/policykit-1.postinst
index b6f751c..c6a39de 100644
--- a/debian/policykit-1.postinst
+++ b/debian/policykit-1.postinst
@@ -40,6 +40,7 @@ get_pid() {
 case "$1" in
     configure)
 	set_perms root root 700 /var/lib/polkit-1
+	set_perms root root 700 /etc/polkit-1/localauthority
 	set_perms root root 4755 /usr/lib/policykit-1/polkit-agent-helper-1
 	set_perms root root 4755 /usr/bin/pkexec
 
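Review bot: the added set_perms line for /etc/polkit-1/localauthority sits under the configure) branch, so the mode is corrected only when the postinst runs. If the package still ships the directory with a wider mode, it is readable between unpack and configure on every upgrade. Ship the directory as 700 in the package as well, and check that set_perms does not override a local dpkg-statoverride, since this path is under /etc.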

--- End Message ---
--- Begin Message ---
On 20.12.2012 21:50, Michael Biebl wrote:
policykit-1 (0.105-3) unstable; urgency=low

  * 07_set-XAUTHORITY-environment-variable-if-unset.patch: Set XAUTHORITY
    environment variable to its default value $HOME/.Xauthority if unset.
    Some display managers, like KDM, do not set the XAUTHORITY variable, so
    starting graphical applications via pkexec was broken in those
    environments. (Closes: #671497)

 -- Michael Biebl <biebl@debian.org>  Thu, 20 Dec 2012 18:55:14 +0100

policykit-1 (0.105-2) unstable; urgency=low

  * Change the permissions of /etc/polkit-1/localauthority to 700, this
    directory is not supposed to be readable by everyone.

Unblocked; thanks.

Regards,

Adam

--- End Message ---
