|
 |
51ea8e |
From 8635ffc16aeff6a07d675f861fe0dea03ea81d7e Mon Sep 17 00:00:00 2001
|
|
|
51ea8e |
From: Colin Walters <walters@verbum.org>
|
|
|
51ea8e |
Date: Thu, 21 Nov 2013 17:39:37 -0500
|
|
|
51ea8e |
Subject: [PATCH] pkexec: Work around systemd injecting broken XDG_RUNTIME_DIR
|
|
|
51ea8e |
|
|
|
51ea8e |
This workaround isn't too much code, and it's often better to fix bugs
|
|
|
51ea8e |
in two places anyways.
|
|
|
51ea8e |
|
|
|
51ea8e |
For more information:
|
|
|
51ea8e |
|
|
|
51ea8e |
See https://bugzilla.redhat.com/show_bug.cgi?id=753882
|
|
|
51ea8e |
See http://lists.freedesktop.org/archives/systemd-devel/2013-November/014370.html
|
|
|
51ea8e |
---
|
|
|
51ea8e |
src/programs/pkexec.c | 33 ++++++++++++++++++++++++++++++---
|
|
|
51ea8e |
1 file changed, 30 insertions(+), 3 deletions(-)
|
|
|
51ea8e |
|
|
|
51ea8e |
diff --git a/src/programs/pkexec.c b/src/programs/pkexec.c
|
|
|
51ea8e |
index 005e1fe..a7ca8e0 100644
|
|
|
51ea8e |
--- a/src/programs/pkexec.c
|
|
|
51ea8e |
+++ b/src/programs/pkexec.c
|
|
|
51ea8e |
@@ -143,8 +143,22 @@ pam_conversation_function (int n,
|
|
|
51ea8e |
return PAM_CONV_ERR;
|
|
|
51ea8e |
}
|
|
|
51ea8e |
|
|
|
51ea8e |
+/* A work around for:
|
|
|
51ea8e |
+ * https://bugzilla.redhat.com/show_bug.cgi?id=753882
|
|
|
51ea8e |
+ */
|
|
|
51ea8e |
+static gboolean
|
|
|
51ea8e |
+xdg_runtime_dir_is_owned_by (const char *path,
|
|
|
51ea8e |
+ uid_t target_uid)
|
|
|
51ea8e |
+{
|
|
|
51ea8e |
+ struct stat stbuf;
|
|
|
51ea8e |
+
|
|
|
51ea8e |
+ return stat (path, &stbuf) == 0 &&
|
|
|
51ea8e |
+ stbuf.st_uid == target_uid;
|
|
|
51ea8e |
+}
|
|
|
51ea8e |
+
|
|
|
51ea8e |
static gboolean
|
|
|
51ea8e |
-open_session (const gchar *user_to_auth)
|
|
|
51ea8e |
+open_session (const gchar *user_to_auth,
|
|
|
51ea8e |
+ uid_t target_uid)
|
|
|
51ea8e |
{
|
|
|
51ea8e |
gboolean ret;
|
|
|
51ea8e |
gint rc;
|
|
|
51ea8e |
@@ -186,7 +200,19 @@ open_session (const gchar *user_to_auth)
|
|
|
51ea8e |
{
|
|
|
51ea8e |
guint n;
|
|
|
51ea8e |
for (n = 0; envlist[n]; n++)
|
|
|
51ea8e |
- putenv (envlist[n]);
|
|
|
51ea8e |
+ {
|
|
|
51ea8e |
+ const char *envitem = envlist[n];
|
|
|
51ea8e |
+
|
|
|
51ea8e |
+ if (g_str_has_prefix (envitem, "XDG_RUNTIME_DIR="))
|
|
|
51ea8e |
+ {
|
|
|
51ea8e |
+ const char *eq = strchr (envitem, '=');
|
|
|
51ea8e |
+ g_assert (eq);
|
|
|
51ea8e |
+ if (!xdg_runtime_dir_is_owned_by (eq + 1, target_uid))
|
|
|
51ea8e |
+ continue;
|
|
|
51ea8e |
+ }
|
|
|
51ea8e |
+
|
|
|
51ea8e |
+ putenv (envlist[n]);
|
|
|
51ea8e |
+ }
|
|
|
51ea8e |
free (envlist);
|
|
|
51ea8e |
}
|
|
|
51ea8e |
|
|
|
51ea8e |
@@ -913,7 +939,8 @@ main (int argc, char *argv[])
|
|
|
51ea8e |
* As evident above, neither su(1) (and, for that matter, nor sudo(8)) does this.
|
|
|
51ea8e |
*/
|
|
|
51ea8e |
#ifdef POLKIT_AUTHFW_PAM
|
|
|
51ea8e |
- if (!open_session (pw->pw_name))
|
|
|
51ea8e |
+ if (!open_session (pw->pw_name,
|
|
|
51ea8e |
+ pw->pw_uid))
|
|
|
51ea8e |
{
|
|
|
51ea8e |
goto out;
|
|
|
51ea8e |
}
|
|
|
51ea8e |
--
|
|
|
51ea8e |
1.8.3.1
|
|
|
51ea8e |
|