From: "Michael Palimaka" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Michael Palimaka" Message-ID: <1447871905.86df0445c797540c4523b8e9580a2ad3a5f66e6f.kensington@gentoo> Subject: [gentoo-commits] repo/gentoo:master commit in: kde-frameworks/kinit/, kde-frameworks/kinit/files/ X-VCS-Repository: repo/gentoo X-VCS-Files: kde-frameworks/kinit/files/kinit-5.16.0-dont-wipe-groups.patch kde-frameworks/kinit/kinit-5.16.0-r1.ebuild X-VCS-Directories: kde-frameworks/kinit/files/ kde-frameworks/kinit/ X-VCS-Committer: kensington X-VCS-Committer-Name: Michael Palimaka X-VCS-Revision: 86df0445c797540c4523b8e9580a2ad3a5f66e6f X-VCS-Branch: master Date: Wed, 18 Nov 2015 18:39:06 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: 8b9017d9-2a87-4f77-9075-10e8c49ae914 X-Archives-Hash: 0d61ddf3058ae3729ba8a01a7a548dec commit: 86df0445c797540c4523b8e9580a2ad3a5f66e6f Author: Andreas Sturmlechner gmail com> AuthorDate: Sun Nov 15 21:29:43 2015 +0000 Commit: Michael Palimaka gentoo org> CommitDate: Wed Nov 18 18:38:25 2015 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=86df0445 kde-frameworks/kinit: Fix bug with USE=-caps, Gentoo bug 560640 Added upstream patch from git master to fix longstanding bug. Package-Manager: portage-2.2.20.1 .../files/kinit-5.16.0-dont-wipe-groups.patch | 56 ++++++++++++++++++++++ kde-frameworks/kinit/kinit-5.16.0-r1.ebuild | 42 ++++++++++++++++ 2 files changed, 98 insertions(+) diff --git a/kde-frameworks/kinit/files/kinit-5.16.0-dont-wipe-groups.patch b/kde-frameworks/kinit/files/kinit-5.16.0-dont-wipe-groups.patch new file mode 100644 index 0000000..7427270 --- /dev/null +++ b/kde-frameworks/kinit/files/kinit-5.16.0-dont-wipe-groups.patch 
@@ -0,0 +1,56 @@ +From: Nicolás Alvarez +Date: Wed, 11 Nov 2015 05:52:37 +0000 +Subject: Revert "Call setgroups(0,0) before calling setgid()" +X-Git-Url: http://quickgit.kde.org/?p=kinit.git&a=commitdiff&h=1086e110ae4c05af6704af0d56f93e8bb023eeff +--- +Revert "Call setgroups(0,0) before calling setgid()" + +The reasoning for adding setgroups(0,0) was that when you drop privileges +from root to regular user, there might be some extra groups left that, if +not cleared, might grant the process privileges to do superuser things. + +However, this only happens if the process calls setgroups to alter its own +supplementary groups while it's still running as root, and then drops +privileges to a regular user. In that case there may be a security issue +where the process ends up running as a regular user, but with supplemental +groups the user doesn't normally belong to. + +Since start_kdeinit doesn't call setgroups to give itself superuser groups, +there is no such security issue, and it doesn't need to clear the group +list before dropping to a normal user. + +*In addition*, this was completely emptying the list of supplemental groups +instead of setting them to what the user's groups actually are (eg. from +getgrouplist), which means he would end up without 'plugdev', 'vboxusers', +'wireshark', 'cdrom', and whatever other groups they may need for their +software to work. + +CCMAIL:dvratil@redhat.com + +Daniel: if the latest version of rpmlint still complains about this use of +setgid without setgroups, please file a bug against rpmlint. + +This reverts commit ff5ea1ab8568893c7d7b3a4518997080d3533308 from +review 119011. 
+--- + + +--- a/src/start_kdeinit/start_kdeinit.c ++++ b/src/start_kdeinit/start_kdeinit.c +@@ -27,7 +27,6 @@ + #include + #include + #include +-#include + #if HAVE_CAPABILITIES + #include + #endif +@@ -126,7 +125,6 @@ + } + cap_free(caps); + #endif +- setgroups(0, 0); /* Remove any extraneous groups*/ + if (setgid(getgid())) { + perror("setgid()"); + return 1; + diff --git a/kde-frameworks/kinit/kinit-5.16.0-r1.ebuild b/kde-frameworks/kinit/kinit-5.16.0-r1.ebuild new file mode 100644 index 0000000..e225d7b --- /dev/null +++ b/kde-frameworks/kinit/kinit-5.16.0-r1.ebuild @@ -0,0 +1,42 @@ +# Copyright 1999-2015 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Id$ + +EAPI=5 + +KDE_TEST="false" +inherit kde5 + +DESCRIPTION="Helper library to speed up start of applications on KDE work spaces" +LICENSE="LGPL-2+" +KEYWORDS=" ~amd64 ~x86" +IUSE="+caps +man" + +RDEPEND=" + $(add_frameworks_dep kconfig) + $(add_frameworks_dep kcoreaddons) + $(add_frameworks_dep kcrash) + $(add_frameworks_dep ki18n) + $(add_frameworks_dep kio) + $(add_frameworks_dep kservice) + $(add_frameworks_dep kwindowsystem) + dev-qt/qtdbus:5 + dev-qt/qtgui:5 + x11-libs/libX11 + caps? ( sys-libs/libcap ) +" +DEPEND="${RDEPEND} + man? ( $(add_frameworks_dep kdoctools) ) + x11-proto/xproto +" + +PATCHES=( "${FILESDIR}/${P}-dont-wipe-groups.patch" ) + +src_configure() { + local mycmakeargs=( + $(cmake-utils_use_find_package caps Libcap) + $(cmake-utils_use_find_package man KF5DocTools) + ) + + kde5_src_configure +}
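Review bot: In kinit-5.16.0-dont-wipe-groups.patch, at the start_kdeinit.c hunk `@@ -126,7 +125,6 @@`, removing `setgroups(0, 0)` leaves the inherited supplementary group list in place, which is only safe under the assumption spelled out in the patch description: start_kdeinit never calls setgroups on itself while it is still root. Nothing in the code records that assumption. Suggest a short comment above `if (setgid(getgid())) {` stating it, so that any later change that touches the group list before this point re-examines the privilege drop. The removed call also ignored its return value, unlike the setgid() check that follows it; if group handling is ever reintroduced here, it should set the user's actual groups (the description mentions getgrouplist) and check the result rather than clear the list unchecked.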
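Review bot: In kinit-5.16.0-r1.ebuild, the line `PATCHES=( "${FILESDIR}/${P}-dont-wipe-groups.patch" )` carries no comment linking it to Gentoo bug 560640 or to the upstream commit named in the patch's X-Git-Url header. The commit message says this is an upstream patch from git master, so a one-line comment above PATCHES noting the bug number and that the patch is a backport would make it clear it can be dropped at the next version bump that includes the upstream revert. Minor style point in the same hunk: `KEYWORDS=" ~amd64 ~x86"` has a stray leading space inside the quotes.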