From: "Andreas Sturmlechner" <asturm@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] proj/kde:master commit in: kde-apps/kwrite/files/, kde-apps/kwrite/
Date: Sun, 8 Jul 2018 15:48:22 +0000 (UTC) [thread overview]
Message-ID: <1531064857.8bc66fb0ff303f000a34d83af5cd69587d1da26e.asturm@gentoo> (raw)
commit: 8bc66fb0ff303f000a34d83af5cd69587d1da26e
Author: Andreas Sturmlechner <asturm <AT> gentoo <DOT> org>
AuthorDate: Sun Jul 8 15:47:37 2018 +0000
Commit: Andreas Sturmlechner <asturm <AT> gentoo <DOT> org>
CommitDate: Sun Jul 8 15:47:37 2018 +0000
URL: https://gitweb.gentoo.org/proj/kde.git/commit/?id=8bc66fb0
kde-apps/kwrite: Backport start-as-root
Package-Manager: Portage-2.3.41, Repoman-2.3.9
.../kwrite/files/kwrite-18.04.3-root-user.patch | 62 ++++++++++++++++++++++
kde-apps/kwrite/kwrite-18.04.49.9999.ebuild | 2 +
2 files changed, 64 insertions(+)
diff --git a/kde-apps/kwrite/files/kwrite-18.04.3-root-user.patch b/kde-apps/kwrite/files/kwrite-18.04.3-root-user.patch
new file mode 100644
index 0000000000..5bbf2da605
--- /dev/null
+++ b/kde-apps/kwrite/files/kwrite-18.04.3-root-user.patch
@@ -0,0 +1,62 @@
+From bf6d5b7532968763bdc629aa90426c53500af13f Mon Sep 17 00:00:00 2001
+From: Nathaniel Graham <nate@kde.org>
+Date: Sat, 26 May 2018 14:50:24 -0600
+Subject: Re-allow running Kate and KWrite as the actual root user (but still
+ not using sudo)
+
+Summary:
+The original change (9adcebd3c2e476c8a32e9b455cc99f46b0e12a7e) to prevent sudo usage broke the use case of running KWrite or Kate while logged in as the actual `root` user with a GUI session. This is how the Kali distro is set up by default, so the original change amounted to making Kate and KWrite not launch at all on this KDE distro.
+
+This patch re-enables running as the actual root user, but keeps blocking usage via `sudo` or `kdesu`. There are no negative security implications associated with re-allowing usage via the root user, since if you're running a GUI session, you were already exposed to the original security threat and Kate and KWrite do not increase the attack surface.
+
+I have submitted a similar change for Dolphin that has been accepted (D12795), but @elvisangelaccio wants that to go in at the same time as this, to keep them in sync.
+
+BUG: 387973
+FIXED-IN: 18.08.0
+
+Test Plan:
+- Log in as normal user and run `sudo kate` or `sudo kwrite`: you get an error message.
+- Log in as normal user and run `kdesu kate` or `kdesu kwrite`: you get an error message.
+- Log in as the root user and run Kate or KWrite normally: it works.
+
+Reviewers: #kate, dhaumann, cullmann, #ktexteditor
+
+Reviewed By: #kate, dhaumann, #ktexteditor
+
+Subscribers: kwrite-devel, elvisangelaccio
+
+Tags: #kate
+
+Differential Revision: https://phabricator.kde.org/D13138
+---
+ kwrite/main.cpp | 14 ++++++++------
+ 2 files changed, 16 insertions(+), 12 deletions(-)
+
+diff --git a/kwrite/main.cpp b/kwrite/main.cpp
+index 62f4f2d..d3f3ca9 100644
+--- a/kwrite/main.cpp
++++ b/kwrite/main.cpp
+@@ -50,13 +50,15 @@
+ extern "C" Q_DECL_EXPORT int main(int argc, char **argv)
+ {
+ #ifndef Q_OS_WIN
+- /**
+- * Check whether we are running as root
+- **/
++ // Prohibit using sudo or kdesu (but allow using the root user directly)
+ if (getuid() == 0) {
+- std::cout << "Executing KWrite as root is not possible. To edit files as root use:" << std::endl;
+- std::cout << "SUDO_EDITOR=kwrite sudoedit <file>" << std::endl;
+- return 0;
++ if (!qEnvironmentVariableIsEmpty("SUDO_USER")) {
++ std::cout << "Executing Kate with sudo is not possible due to unfixable security vulnerabilities." << std::endl;
++ return EXIT_FAILURE;
++ } else if (!qEnvironmentVariableIsEmpty("KDESU_USER")) {
++ std::cout << "Executing Kate with kdesu is not possible due to unfixable security vulnerabilities." << std::endl;
++ return EXIT_FAILURE;
++ }
+ }
+ #endif
+ /**
+--
+cgit v0.11.2
diff --git a/kde-apps/kwrite/kwrite-18.04.49.9999.ebuild b/kde-apps/kwrite/kwrite-18.04.49.9999.ebuild
index 91aa935a67..c98171c27e 100644
--- a/kde-apps/kwrite/kwrite-18.04.49.9999.ebuild
+++ b/kde-apps/kwrite/kwrite-18.04.49.9999.ebuild
@@ -30,6 +30,8 @@ DEPEND="
"
RDEPEND="${DEPEND}"
+PATCHES=( "${FILESDIR}/${PN}-18.04.3-root-user.patch" )
+
src_prepare() {
kde5_src_prepare
# delete colliding kate translations
next reply other threads:[~2018-07-08 15:48 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-07-08 15:48 Andreas Sturmlechner [this message]
-- strict thread matches above, loose matches on Subject: below --
2015-02-03 17:23 [gentoo-commits] proj/kde:master commit in: kde-apps/kwrite/files/, kde-apps/kwrite/ Michael Palimaka
2015-01-21 22:52 Johannes Huber
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1531064857.8bc66fb0ff303f000a34d83af5cd69587d1da26e.asturm@gentoo \
--to=asturm@gentoo.org \
--cc=gentoo-commits@lists.gentoo.org \
--cc=gentoo-dev@lists.gentoo.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox