From: "Michael Palimaka" <kensington@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] repo/gentoo:master commit in: kde-frameworks/kinit/, kde-frameworks/kinit/files/
Date: Wed, 18 Nov 2015 18:39:06 +0000 (UTC)	[thread overview]
Message-ID: <1447871905.86df0445c797540c4523b8e9580a2ad3a5f66e6f.kensington@gentoo> (raw)

commit:     86df0445c797540c4523b8e9580a2ad3a5f66e6f
Author:     Andreas Sturmlechner <andreas.sturmlechner <AT> gmail <DOT> com>
AuthorDate: Sun Nov 15 21:29:43 2015 +0000
Commit:     Michael Palimaka <kensington <AT> gentoo <DOT> org>
CommitDate: Wed Nov 18 18:38:25 2015 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=86df0445

kde-frameworks/kinit: Fix bug with USE=-caps, Gentoo bug 560640

Added upstream patch from git master to fix longstanding bug.

Package-Manager: portage-2.2.20.1

 .../files/kinit-5.16.0-dont-wipe-groups.patch      | 56 ++++++++++++++++++++++
 kde-frameworks/kinit/kinit-5.16.0-r1.ebuild        | 42 ++++++++++++++++
 2 files changed, 98 insertions(+)

diff --git a/kde-frameworks/kinit/files/kinit-5.16.0-dont-wipe-groups.patch b/kde-frameworks/kinit/files/kinit-5.16.0-dont-wipe-groups.patch
new file mode 100644
index 0000000..7427270
--- /dev/null
+++ b/kde-frameworks/kinit/files/kinit-5.16.0-dont-wipe-groups.patch
@@ -0,0 +1,56 @@
+From: Nicolás Alvarez <nicolas.alvarez@gmail.com>
+Date: Wed, 11 Nov 2015 05:52:37 +0000
+Subject: Revert "Call setgroups(0,0) before calling setgid()"
+X-Git-Url: http://quickgit.kde.org/?p=kinit.git&a=commitdiff&h=1086e110ae4c05af6704af0d56f93e8bb023eeff
+---
+Revert "Call setgroups(0,0) before calling setgid()"
+
+The reasoning for adding setgroups(0,0) was that when you drop privileges
+from root to regular user, there might be some extra groups left that, if
+not cleared, might grant the process privileges to do superuser things.
+
+However, this only happens if the process calls setgroups to alter its own
+supplementary groups while it's still running as root, and then drops
+privileges to a regular user. In that case there may be a security issue
+where the process ends up running as a regular user, but with supplemental
+groups the user doesn't normally belong to.
+
+Since start_kdeinit doesn't call setgroups to give itself superuser groups,
+there is no such security issue, and it doesn't need to clear the group
+list before dropping to a normal user.
+
+*In addition*, this was completely emptying the list of supplemental groups
+instead of setting them to what the user's groups actually are (eg. from
+getgrouplist), which means he would end up without 'plugdev', 'vboxusers',
+'wireshark', 'cdrom', and whatever other groups they may need for their
+software to work.
+
+CCMAIL:dvratil@redhat.com
+
+Daniel: if the latest version of rpmlint still complains about this use of
+setgid without setgroups, please file a bug against rpmlint.
+
+This reverts commit ff5ea1ab8568893c7d7b3a4518997080d3533308 from
+review 119011.
+---
+
+
+--- a/src/start_kdeinit/start_kdeinit.c
++++ b/src/start_kdeinit/start_kdeinit.c
+@@ -27,7 +27,6 @@
+ #include <string.h>
+ #include <sys/stat.h>
+ #include <unistd.h>
+-#include <grp.h>
+ #if HAVE_CAPABILITIES
+ #include <sys/capability.h>
+ #endif
+@@ -126,7 +125,6 @@
+         }
+         cap_free(caps);
+ #endif
+-	setgroups(0, 0); /* Remove any extraneous groups*/
+         if (setgid(getgid())) {
+             perror("setgid()");
+             return 1;
+
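Review bot: The privilege drop at `if (setgid(getgid()))` now runs with no setgroups() call before it and no comment saying the omission is deliberate, so a later audit or lint pass (the description already mentions rpmlint) is likely to re-add the call. A comment above the setgid() call would record the invariant the revert relies on, e.g. `/* Supplementary groups are inherited from the invoking user and kept on purpose; nothing here calls setgroups()/initgroups() while privileged. */`. The safety argument in the description holds only while that invariant does, so any future change that alters the group list before the drop would have to restore the user's own list (getgrouplist plus a checked setgroups) rather than leave it as is. The enclosing function starts and ends outside the hunk, so the matching uid drop and its error handling cannot be checked from here.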

diff --git a/kde-frameworks/kinit/kinit-5.16.0-r1.ebuild b/kde-frameworks/kinit/kinit-5.16.0-r1.ebuild
new file mode 100644
index 0000000..e225d7b
--- /dev/null
+++ b/kde-frameworks/kinit/kinit-5.16.0-r1.ebuild
@@ -0,0 +1,42 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=5
+
+KDE_TEST="false"
+inherit kde5
+
+DESCRIPTION="Helper library to speed up start of applications on KDE work spaces"
+LICENSE="LGPL-2+"
+KEYWORDS=" ~amd64 ~x86"
+IUSE="+caps +man"
+
+RDEPEND="
+	$(add_frameworks_dep kconfig)
+	$(add_frameworks_dep kcoreaddons)
+	$(add_frameworks_dep kcrash)
+	$(add_frameworks_dep ki18n)
+	$(add_frameworks_dep kio)
+	$(add_frameworks_dep kservice)
+	$(add_frameworks_dep kwindowsystem)
+	dev-qt/qtdbus:5
+	dev-qt/qtgui:5
+	x11-libs/libX11
+	caps? ( sys-libs/libcap )
+"
+DEPEND="${RDEPEND}
+	man? ( $(add_frameworks_dep kdoctools) )
+	x11-proto/xproto
+"
+
+PATCHES=( "${FILESDIR}/${P}-dont-wipe-groups.patch" )
+
+src_configure() {
+	local mycmakeargs=(
+		$(cmake-utils_use_find_package caps Libcap)
+		$(cmake-utils_use_find_package man KF5DocTools)
+	)
+
+	kde5_src_configure
+}
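Review bot: `PATCHES=( "${FILESDIR}/${P}-dont-wipe-groups.patch" )` has no comment saying where the patch comes from or when it can be dropped. A line above it such as `# Upstream revert of setgroups(0,0) in start_kdeinit, Gentoo bug 560640; drop once a release contains it` would help, since the patch changes how a helper that starts with elevated privileges handles its group list, and an auditor should be able to trace it without opening the patch file. Minor style point: `KEYWORDS=" ~amd64 ~x86"` has a stray leading space inside the quotes.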

