[polkit] Workaround pam_systemd setting broken XDG_RUNTIME_DIR

Miloslav Trmac mitr at fedoraproject.org
Sat Dec 7 01:37:14 UTC 2013


commit 8778af153a99c23c727b8813ea578c7f45a7f453
Author: Miloslav Trmač <mitr at redhat.com>
Date:   Sat Dec 7 02:36:29 2013 +0100

    Workaround pam_systemd setting broken XDG_RUNTIME_DIR

 polkit-0.112-XDG_RUNTIME_DIR.patch |   78 ++++++++++++++++++++++++++++++++++++
 polkit.spec                        |    9 ++++-
 2 files changed, 86 insertions(+), 1 deletions(-)
---
diff --git a/polkit-0.112-XDG_RUNTIME_DIR.patch b/polkit-0.112-XDG_RUNTIME_DIR.patch
new file mode 100644
index 0000000..f8c2e77
--- /dev/null
+++ b/polkit-0.112-XDG_RUNTIME_DIR.patch
@@ -0,0 +1,78 @@
+From 8635ffc16aeff6a07d675f861fe0dea03ea81d7e Mon Sep 17 00:00:00 2001
+From: Colin Walters <walters at verbum.org>
+Date: Thu, 21 Nov 2013 17:39:37 -0500
+Subject: [PATCH] pkexec: Work around systemd injecting broken XDG_RUNTIME_DIR
+
+This workaround isn't too much code, and it's often better to fix bugs
+in two places anyways.
+
+For more information:
+
+See https://bugzilla.redhat.com/show_bug.cgi?id=753882
+See http://lists.freedesktop.org/archives/systemd-devel/2013-November/014370.html
+---
+ src/programs/pkexec.c | 33 ++++++++++++++++++++++++++++++---
+ 1 file changed, 30 insertions(+), 3 deletions(-)
+
+diff --git a/src/programs/pkexec.c b/src/programs/pkexec.c
+index 005e1fe..a7ca8e0 100644
+--- a/src/programs/pkexec.c
++++ b/src/programs/pkexec.c
+@@ -143,8 +143,22 @@ pam_conversation_function (int n,
+   return PAM_CONV_ERR;
+ }
+ 
++/* A work around for:
++ * https://bugzilla.redhat.com/show_bug.cgi?id=753882
++ */
++static gboolean
++xdg_runtime_dir_is_owned_by (const char *path,
++			     uid_t       target_uid)
++{
++  struct stat stbuf;
++
++  return stat (path, &stbuf) == 0 &&
++    stbuf.st_uid == target_uid;
++}
++
+ static gboolean
+-open_session (const gchar *user_to_auth)
++open_session (const gchar *user_to_auth,
++	      uid_t        target_uid)
+ {
+   gboolean ret;
+   gint rc;
+@@ -186,7 +200,19 @@ open_session (const gchar *user_to_auth)
+     {
+       guint n;
+       for (n = 0; envlist[n]; n++)
+-        putenv (envlist[n]);
++	{
++	  const char *envitem = envlist[n];
++	  
++	  if (g_str_has_prefix (envitem, "XDG_RUNTIME_DIR="))
++	    {
++	      const char *eq = strchr (envitem, '=');
++	      g_assert (eq);
++	      if (!xdg_runtime_dir_is_owned_by (eq + 1, target_uid))
++		continue;
++	    }
++
++	  putenv (envlist[n]);
++	}
+       free (envlist);
+     }
+ 
+@@ -913,7 +939,8 @@ main (int argc, char *argv[])
+    * As evident above, neither su(1) (and, for that matter, nor sudo(8)) does this.
+    */
+ #ifdef POLKIT_AUTHFW_PAM
+-  if (!open_session (pw->pw_name))
++  if (!open_session (pw->pw_name,
++		     pw->pw_uid))
+     {
+       goto out;
+     }
+-- 
+1.8.3.1
+
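Review bot: `xdg_runtime_dir_is_owned_by` checks ownership only, and does so through `stat`, so a symlink or a path that is not a directory passes as long as the final target is owned by `target_uid`. Since the result decides whether an XDG_RUNTIME_DIR entry from `envlist` is exported to the program pkexec runs, I would tighten it to `return lstat (path, &stbuf) == 0 && S_ISDIR (stbuf.st_mode) && stbuf.st_uid == target_uid;`, which fails closed by dropping the variable. In the `open_session` loop the skipped entry is not released before `continue`; if the `envlist` strings are heap-allocated, as the `free (envlist)` after the loop suggests, add `free (envlist[n]);` there. The helper's comment only links the bug, so a sentence saying the variable is dropped when the directory belongs to a user other than the target would help. `open_session` starts and ends outside the inner hunks, so how `envlist` is obtained is not visible here.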
diff --git a/polkit.spec b/polkit.spec
index 4dad7d5..5d555c4 100644
--- a/polkit.spec
+++ b/polkit.spec
@@ -6,11 +6,13 @@
 Summary: An authorization framework
 Name: polkit
 Version: 0.112
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: LGPLv2+
 URL: http://www.freedesktop.org/wiki/Software/polkit
 Source0: http://www.freedesktop.org/software/polkit/releases/%{name}-%{version}.tar.gz
 Source1: http://www.freedesktop.org/software/polkit/releases/%{name}-%{version}.tar.gz.sign
+# https://bugs.freedesktop.org/show_bug.cgi?id=71894
+Patch0: polkit-0.112-XDG_RUNTIME_DIR.patch
 Group: System Environment/Libraries
 BuildRequires: glib2-devel >= 2.30.0
 BuildRequires: expat-devel
@@ -77,6 +79,7 @@ Development documentation for polkit.
 
 %prep
 %setup -q
+%patch0 -p1 -b .XDG_RUNTIME_DIR
 
 %build
 %if 0%{?enable_autoreconf}
@@ -163,6 +166,10 @@ exit 0
 %{_datadir}/gtk-doc
 
 %changelog
+* Sat Dec  7 2013 Miloslav Trmač <mitr at redhat.com> - 0.112-2
+- Workaround pam_systemd setting broken XDG_RUNTIME_DIR
+  Resolves: #1033774
+
 * Wed Sep 18 2013 Miloslav Trmač <mitr at redhat.com> - 0.112-1
 - Update to polkit-0.112
 - Resolves: #1009538, CVE-2013-4288

