From: "Andreas Sturmlechner" <asturm@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] repo/gentoo:master commit in: x11-misc/sddm/files/, x11-misc/sddm/
Date: Sun, 23 Jun 2019 14:55:51 +0000 (UTC)	[thread overview]
Message-ID: <1561301735.e54d537de46adc04d15f8279e5e96821f420609b.asturm@gentoo> (raw)

commit:     e54d537de46adc04d15f8279e5e96821f420609b
Author:     Andreas Sturmlechner <asturm <AT> gentoo <DOT> org>
AuthorDate: Sat Jun 22 20:45:51 2019 +0000
Commit:     Andreas Sturmlechner <asturm <AT> gentoo <DOT> org>
CommitDate: Sun Jun 23 14:55:35 2019 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e54d537d

x11-misc/sddm: EAPI-7 bump, PAM groups, reuse sessions, HiDPI default

Package-Manager: Portage-2.3.67, Repoman-2.3.15
Signed-off-by: Andreas Sturmlechner <asturm <AT> gentoo.org>

 ...m-0.18.1-honor-PAM-supplemental-groups-v2.patch | 182 +++++++++++++++++++++
 .../sddm-0.18.1-only-reuse-online-sessions.patch   |  27 +++
 ...18.1-revert-honor-PAM-supplemental-groups.patch |  87 ++++++++++
 x11-misc/sddm/sddm-0.18.1-r1.ebuild                | 107 ++++++++++++
 4 files changed, 403 insertions(+)

diff --git a/x11-misc/sddm/files/sddm-0.18.1-honor-PAM-supplemental-groups-v2.patch b/x11-misc/sddm/files/sddm-0.18.1-honor-PAM-supplemental-groups-v2.patch
new file mode 100644
index 00000000000..f4ce7ae7ad7
--- /dev/null
+++ b/x11-misc/sddm/files/sddm-0.18.1-honor-PAM-supplemental-groups-v2.patch
@@ -0,0 +1,182 @@
+From 75e6e00d9e1ecf25e3a9c8332530a1e40d737cdb Mon Sep 17 00:00:00 2001
+From: "J. Konrad Tegtmeier-Rottach" <jktr@0x16.de>
+Date: Thu, 9 May 2019 03:06:48 +0200
+Subject: [PATCH] Honor PAM's supplemental groups (v2) (#834, #1159)
+
+This moves the supplemental group initialization step from
+UserSession.cpp to the Backend system, so that the Pam Backend can
+inject additional supplemental groups via modules like pam_group.so.
+
+pam_setcred(3) assumes that it operates on an already initialized
+supplemental group list. However, PamBackend calls
+pam_setcred(PAM_ESTABLISH_CRED) earlier, at the start
+PamBackend::openSession, so a pam_setcred(PAM_REINITIALIZE_CRED) call
+must be issued to repeat the injection of PAM's supplemental groups.
+---
+ src/helper/Backend.cpp            |  5 +++++
+ src/helper/Backend.h              |  3 +++
+ src/helper/HelperApp.cpp          |  4 ++++
+ src/helper/HelperApp.h            |  1 +
+ src/helper/UserSession.cpp        | 13 ++++++++-----
+ src/helper/backend/PamBackend.cpp | 18 ++++++++++++++++++
+ src/helper/backend/PamBackend.h   |  2 ++
+ 7 files changed, 41 insertions(+), 5 deletions(-)
+
+diff --git a/src/helper/Backend.cpp b/src/helper/Backend.cpp
+index d6bb4d0a..35ae2bdf 100644
+--- a/src/helper/Backend.cpp
++++ b/src/helper/Backend.cpp
+@@ -29,6 +29,7 @@
+ #include <QtCore/QProcessEnvironment>
+ 
+ #include <pwd.h>
++#include <grp.h>
+ 
+ namespace SDDM {
+     Backend::Backend(HelperApp* parent)
+@@ -79,4 +80,8 @@ namespace SDDM {
+     bool Backend::closeSession() {
+         return true;
+     }
++
++    bool Backend::setupSupplementalGroups(struct passwd *pw) {
++        return !initgroups(pw->pw_name, pw->pw_gid);
++    }
+ }
+diff --git a/src/helper/Backend.h b/src/helper/Backend.h
+index b790e001..3caf1592 100644
+--- a/src/helper/Backend.h
++++ b/src/helper/Backend.h
+@@ -22,6 +22,7 @@
+ #define BACKEND_H
+ 
+ #include <QtCore/QObject>
++#include <pwd.h>
+ 
+ namespace SDDM {
+     class HelperApp;
+@@ -38,6 +39,8 @@ namespace SDDM {
+         void setAutologin(bool on = true);
+         void setGreeter(bool on = true);
+ 
++        virtual bool setupSupplementalGroups(struct passwd *pw);
++
+     public slots:
+         virtual bool start(const QString &user = QString()) = 0;
+         virtual bool authenticate() = 0;
+diff --git a/src/helper/HelperApp.cpp b/src/helper/HelperApp.cpp
+index cad93bd8..d0891d75 100644
+--- a/src/helper/HelperApp.cpp
++++ b/src/helper/HelperApp.cpp
+@@ -253,6 +253,10 @@ namespace SDDM {
+         return m_session;
+     }
+ 
++    Backend *HelperApp::backend() {
++        return m_backend;
++    }
++
+     const QString& HelperApp::user() const {
+         return m_user;
+     }
+diff --git a/src/helper/HelperApp.h b/src/helper/HelperApp.h
+index 3742df12..cb5959a7 100644
+--- a/src/helper/HelperApp.h
++++ b/src/helper/HelperApp.h
+@@ -39,6 +39,7 @@ namespace SDDM {
+         virtual ~HelperApp();
+ 
+         UserSession *session();
++        Backend *backend();
+         const QString &user() const;
+         const QString &cookie() const;
+ 
+diff --git a/src/helper/UserSession.cpp b/src/helper/UserSession.cpp
+index f71fd358..62fd4d70 100644
+--- a/src/helper/UserSession.cpp
++++ b/src/helper/UserSession.cpp
+@@ -19,6 +19,7 @@
+  *
+  */
+ 
++#include "Backend.h"
+ #include "Configuration.h"
+ #include "UserSession.h"
+ #include "HelperApp.h"
+@@ -129,7 +130,8 @@ namespace SDDM {
+ #endif
+ 
+         // switch user
+-        const QByteArray username = qobject_cast<HelperApp*>(parent())->user().toLocal8Bit();
++        HelperApp* app = qobject_cast<HelperApp*>(parent());
++        const QByteArray username = app->user().toLocal8Bit();
+         struct passwd pw;
+         struct passwd *rpw;
+         long bufsize = sysconf(_SC_GETPW_R_SIZE_MAX);
+@@ -146,12 +148,13 @@ namespace SDDM {
+                 qCritical() << "getpwnam_r(" << username << ") failed with error: " << strerror(err);
+             exit(Auth::HELPER_OTHER_ERROR);
+         }
+-        if (setgid(pw.pw_gid) != 0) {
+-            qCritical() << "setgid(" << pw.pw_gid << ") failed for user: " << username;
++
++        if (!app->backend()->setupSupplementalGroups(&pw)) {
++            qCritical() << "failed to set up supplemental groups for user: " << username;
+             exit(Auth::HELPER_OTHER_ERROR);
+         }
+-        if (initgroups(pw.pw_name, pw.pw_gid) != 0) {
+-            qCritical() << "initgroups(" << pw.pw_name << ", " << pw.pw_gid << ") failed for user: " << username;
++        if (setgid(pw.pw_gid) != 0) {
++            qCritical() << "setgid(" << pw.pw_gid << ") failed for user: " << username;
+             exit(Auth::HELPER_OTHER_ERROR);
+         }
+         if (setuid(pw.pw_uid) != 0) {
+diff --git a/src/helper/backend/PamBackend.cpp b/src/helper/backend/PamBackend.cpp
+index f86d77d6..cccfa258 100644
+--- a/src/helper/backend/PamBackend.cpp
++++ b/src/helper/backend/PamBackend.cpp
+@@ -289,6 +289,24 @@ namespace SDDM {
+         return QString::fromLocal8Bit((const char*) m_pam->getItem(PAM_USER));
+     }
+ 
++    bool PamBackend::setupSupplementalGroups(struct passwd *pw) {
++        if (!Backend::setupSupplementalGroups(pw))
++            return false;
++
++        // pam_setcred(3) may inject additional groups into the user's
++        // list of supplemental groups, and assumes that the user's
++        // supplemental groups have already been initialized before
++        // its invocation. Since pam_setcred was already called at the
++        // start of openSession, we need to repeat this step here as
++        // the user's groups have only just now been initialized.
++
++        if (!m_pam->setCred(PAM_REINITIALIZE_CRED)) {
++            m_app->error(m_pam->errorString(), Auth::ERROR_AUTHENTICATION);
++            return false;
++        }
++        return true;
++    }
++
+     int PamBackend::converse(int n, const struct pam_message **msg, struct pam_response **resp) {
+         qDebug() << "[PAM] Conversation with" << n << "messages";
+ 
+diff --git a/src/helper/backend/PamBackend.h b/src/helper/backend/PamBackend.h
+index 4c8b4b35..5b079099 100644
+--- a/src/helper/backend/PamBackend.h
++++ b/src/helper/backend/PamBackend.h
+@@ -28,6 +28,7 @@
+ #include <QtCore/QObject>
+ 
+ #include <security/pam_appl.h>
++#include <pwd.h>
+ 
+ namespace SDDM {
+     class PamHandle;
+@@ -61,6 +62,7 @@ namespace SDDM {
+         explicit PamBackend(HelperApp *parent);
+         virtual ~PamBackend();
+         int converse(int n, const struct pam_message **msg, struct pam_response **resp);
++        virtual bool setupSupplementalGroups(struct passwd *pw);
+ 
+     public slots:
+         virtual bool start(const QString &user = QString());
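Review bot: The reason for a failed group setup is lost on the base-class path. `Backend::setupSupplementalGroups` returns `!initgroups(pw->pw_name, pw->pw_gid)` without recording errno, and the new caller in UserSession.cpp logs only "failed to set up supplemental groups for user", whereas the removed message also printed the name and gid. This sits in the privilege-drop sequence ahead of setgid()/setuid(), so the log line is what an operator has to go on when a login is refused. I would report it at the source, e.g. `if (initgroups(pw->pw_name, pw->pw_gid) != 0) { qCritical() << "initgroups(" << pw->pw_name << "," << pw->pw_gid << ") failed:" << strerror(errno); return false; }`, assuming QDebug and strerror are usable in Backend.cpp, which the hunk does not show. The enclosing function in UserSession.cpp starts and ends outside the nested hunks.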

diff --git a/x11-misc/sddm/files/sddm-0.18.1-only-reuse-online-sessions.patch b/x11-misc/sddm/files/sddm-0.18.1-only-reuse-online-sessions.patch
new file mode 100644
index 00000000000..b3ea90ff768
--- /dev/null
+++ b/x11-misc/sddm/files/sddm-0.18.1-only-reuse-online-sessions.patch
@@ -0,0 +1,27 @@
+From f131270ff3ae6e6b4e2dc965cd05b46e194b48c1 Mon Sep 17 00:00:00 2001
+From: Fabian Vogt <fabian@ritter-vogt.de>
+Date: Tue, 31 Jul 2018 16:51:13 +0200
+Subject: [PATCH] Session reuse: Only consider "online" sessions
+
+Otherwise it might switch to already dead sessions ("closing" or "lingering").
+---
+ src/daemon/Display.cpp | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/daemon/Display.cpp b/src/daemon/Display.cpp
+index 86e597e..ec442b0 100644
+--- a/src/daemon/Display.cpp
++++ b/src/daemon/Display.cpp
+@@ -290,8 +290,8 @@ namespace SDDM {
+             foreach(const SessionInfo &s, reply.value()) {
+                 if (s.userName == user) {
+                     OrgFreedesktopLogin1SessionInterface session(Logind::serviceName(), s.sessionPath.path(), QDBusConnection::systemBus());
+-                    if (session.service() == QLatin1String("sddm")) {
+-                        m_reuseSessionId =  s.sessionId;
++                    if (session.service() == QLatin1String("sddm") && session.state() == QLatin1String("online")) {
++                        m_reuseSessionId = s.sessionId;
+                         break;
+                     }
+                 }
+-- 
+2.18.0
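Review bot: The new condition `session.state() == QLatin1String("online")` also excludes sessions that logind reports as "active", and nothing in the code says that is intended. logind uses "online" for a logged-in session that is not in the foreground, "active" for the foreground one and "closing" for one that is going away, so a one-line comment above the `if` would record the reasoning, e.g. `// reuse only background ("online") sessions; "closing" ones are already dead`. The state is also read once here and can change before `m_reuseSessionId` is used, so the code that performs the switch (outside this hunk) should still handle a session that has gone away.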

diff --git a/x11-misc/sddm/files/sddm-0.18.1-revert-honor-PAM-supplemental-groups.patch b/x11-misc/sddm/files/sddm-0.18.1-revert-honor-PAM-supplemental-groups.patch
new file mode 100644
index 00000000000..f14ff7670c8
--- /dev/null
+++ b/x11-misc/sddm/files/sddm-0.18.1-revert-honor-PAM-supplemental-groups.patch
@@ -0,0 +1,87 @@
+From d3953e88a94ec25a87d3c5136517b3d1009cb1fd Mon Sep 17 00:00:00 2001
+From: "J. Konrad Tegtmeier-Rottach" <jktr@0x16.de>
+Date: Wed, 8 May 2019 18:58:53 +0200
+Subject: [PATCH] Revert "Honor PAM's ambient supplemental groups. (#834)"
+
+This reverts commit 1bc813d08b8130e458a6550ec47fb2bfbe6de080, which
+misuses PAM and leads to pulling in all of root's supplemental groups
+during session initialization instead of only adding PAM's extra
+groups. The problem was masked due to the root user not having any
+supplemental groups in some common contexts, like running sddm from a
+systemd unit.
+---
+ src/helper/UserSession.cpp | 57 --------------------------------------
+ 1 file changed, 57 deletions(-)
+
+diff --git a/src/helper/UserSession.cpp b/src/helper/UserSession.cpp
+index b3aec356..f71fd358 100644
+--- a/src/helper/UserSession.cpp
++++ b/src/helper/UserSession.cpp
+@@ -150,67 +150,10 @@ namespace SDDM {
+             qCritical() << "setgid(" << pw.pw_gid << ") failed for user: " << username;
+             exit(Auth::HELPER_OTHER_ERROR);
+         }
+-
+-#ifdef USE_PAM
+-
+-        // fetch ambient groups from PAM's environment;
+-        // these are set by modules such as pam_groups.so
+-        int n_pam_groups = getgroups(0, NULL);
+-        gid_t *pam_groups = NULL;
+-        if (n_pam_groups > 0) {
+-            pam_groups = new gid_t[n_pam_groups];
+-            if ((n_pam_groups = getgroups(n_pam_groups, pam_groups)) == -1) {
+-                qCritical() << "getgroups() failed to fetch supplemental"
+-                            << "PAM groups for user:" << username;
+-                exit(Auth::HELPER_OTHER_ERROR);
+-            }
+-        } else {
+-            n_pam_groups = 0;
+-        }
+-
+-        // fetch session's user's groups
+-        int n_user_groups = 0;
+-        gid_t *user_groups = NULL;
+-        if (-1 == getgrouplist(username.constData(), pw.pw_gid,
+-                               NULL, &n_user_groups)) {
+-            user_groups = new gid_t[n_user_groups];
+-            if ((n_user_groups = getgrouplist(username.constData(),
+-                                              pw.pw_gid, user_groups,
+-                                              &n_user_groups)) == -1 ) {
+-                qCritical() << "getgrouplist(" << username << ", " << pw.pw_gid
+-                            << ") failed";
+-                exit(Auth::HELPER_OTHER_ERROR);
+-            }
+-        }
+-
+-        // set groups to concatenation of PAM's ambient
+-        // groups and the session's user's groups
+-        int n_groups = n_pam_groups + n_user_groups;
+-        if (n_groups > 0) {
+-            gid_t *groups = new gid_t[n_groups];
+-            memcpy(groups, pam_groups, (n_pam_groups * sizeof(gid_t)));
+-            memcpy((groups + n_pam_groups), user_groups,
+-                   (n_user_groups * sizeof(gid_t)));
+-
+-            // setgroups(2) handles duplicate groups
+-            if (setgroups(n_groups, groups) != 0) {
+-                qCritical() << "setgroups() failed for user: " << username;
+-                exit (Auth::HELPER_OTHER_ERROR);
+-            }
+-            delete[] groups;
+-        }
+-        delete[] pam_groups;
+-        delete[] user_groups;
+-
+-#else
+-
+         if (initgroups(pw.pw_name, pw.pw_gid) != 0) {
+             qCritical() << "initgroups(" << pw.pw_name << ", " << pw.pw_gid << ") failed for user: " << username;
+             exit(Auth::HELPER_OTHER_ERROR);
+         }
+-
+-#endif /* USE_PAM */
+-
+         if (setuid(pw.pw_uid) != 0) {
+             qCritical() << "setuid(" << pw.pw_uid << ") failed for user: " << username;
+             exit(Auth::HELPER_OTHER_ERROR);

diff --git a/x11-misc/sddm/sddm-0.18.1-r1.ebuild b/x11-misc/sddm/sddm-0.18.1-r1.ebuild
new file mode 100644
index 00000000000..f0955a4b7f7
--- /dev/null
+++ b/x11-misc/sddm/sddm-0.18.1-r1.ebuild
@@ -0,0 +1,107 @@
+# Copyright 1999-2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+PLOCALES="ar bn ca cs da de es et fi fr hi_IN hu is it ja kk ko lt lv nb nl nn pl pt_BR pt_PT ro ru sk sr sr@ijekavian sr@ijekavianlatin sr@latin sv tr uk zh_CN zh_TW"
+inherit cmake-utils l10n systemd user
+
+DESCRIPTION="Simple Desktop Display Manager"
+HOMEPAGE="https://github.com/sddm/sddm"
+SRC_URI="https://github.com/${PN}/${PN}/releases/download/v${PV}/${P}.tar.xz"
+
+LICENSE="GPL-2+ MIT CC-BY-3.0 CC-BY-SA-3.0 public-domain"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~arm64 ~x86"
+IUSE="consolekit elogind +pam systemd test"
+
+REQUIRED_USE="?? ( elogind systemd )"
+
+BDEPEND="
+	dev-python/docutils
+	>=dev-qt/linguist-tools-5.9.4:5
+	kde-frameworks/extra-cmake-modules:5
+	virtual/pkgconfig
+"
+RDEPEND="
+	>=dev-qt/qtcore-5.9.4:5
+	>=dev-qt/qtdbus-5.9.4:5
+	>=dev-qt/qtdeclarative-5.9.4:5
+	>=dev-qt/qtgui-5.9.4:5
+	>=dev-qt/qtnetwork-5.9.4:5
+	>=x11-base/xorg-server-1.15.1
+	x11-libs/libxcb[xkb]
+	consolekit? ( >=sys-auth/consolekit-0.9.4 )
+	elogind? ( sys-auth/elogind )
+	pam? ( sys-libs/pam )
+	systemd? ( sys-apps/systemd:= )
+	!systemd? ( sys-power/upower )
+"
+DEPEND="${RDEPEND}
+	test? ( >=dev-qt/qttest-5.9.4:5 )
+"
+
+PATCHES=(
+	"${FILESDIR}/${PN}-0.12.0-respect-user-flags.patch"
+	"${FILESDIR}/${PN}-0.18.0-Xsession.patch" # bug 611210
+	"${FILESDIR}/${PN}-0.18.0-sddmconfdir.patch"
+	# fix for groups: https://github.com/sddm/sddm/issues/1159
+	"${FILESDIR}/${P}-revert-honor-PAM-supplemental-groups.patch"
+	"${FILESDIR}/${P}-honor-PAM-supplemental-groups-v2.patch"
+	# fix for ReuseSession=true
+	"${FILESDIR}/${P}-only-reuse-online-sessions.patch"
+	# TODO: fix properly
+	"${FILESDIR}/${PN}-0.16.0-ck2-revert.patch" # bug 633920
+)
+
+src_prepare() {
+	cmake-utils_src_prepare
+
+	disable_locale() {
+		sed -e "/${1}\.ts/d" -i data/translations/CMakeLists.txt || die
+	}
+	l10n_find_plocales_changes "data/translations" "" ".ts"
+	l10n_for_each_disabled_locale_do disable_locale
+
+	if ! use test; then
+		sed -e "/^find_package/s/ Test//" -i CMakeLists.txt || die
+		cmake_comment_add_subdirectory test
+	fi
+}
+
+src_configure() {
+	local mycmakeargs=(
+		-DENABLE_PAM=$(usex pam)
+		-DNO_SYSTEMD=$(usex '!systemd')
+		-DUSE_ELOGIND=$(usex 'elogind')
+		-DBUILD_MAN_PAGES=ON
+		-DDBUS_CONFIG_FILENAME="org.freedesktop.sddm.conf"
+	)
+	cmake-utils_src_configure
+}
+
+src_install() {
+	cmake-utils_src_install
+
+	# Create a default.conf as upstream dropped /etc/sddm.conf w/o replacement
+	local confd="/usr/share/sddm/sddm.conf.d"
+	dodir ${confd}
+	"${D}"/usr/bin/sddm --example-config > "${D}/${confd}"/00default.conf \
+		|| die "Failed to create 00default.conf"
+
+	sed -e "/^InputMethod/s/qtvirtualkeyboard//" \
+		-e "/^ReuseSession/s/false/true/" \
+		-e "/^EnableHiDPI/s/false/true/" \
+		-i "${D}/${confd}"/00default.conf || die
+}
+
+pkg_postinst() {
+	elog "Starting with 0.18.0, SDDM no longer installs /etc/sddm.conf"
+	elog "Use it to override specific options. SDDM defaults are now"
+	elog "found in: /usr/share/sddm/sddm.conf.d/00default.conf"
+
+	enewgroup ${PN}
+	enewuser ${PN} -1 -1 /var/lib/${PN} ${PN},video
+
+	systemd_reenable sddm.service
+}
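Review bot: In `src_install`, the `sed ... -i "${D}/${confd}"/00default.conf || die` step cannot detect that a substitution did not apply, because sed exits 0 when no line matches. If a later upstream release renames a key or changes a default in the `--example-config` output, the package would ship without `ReuseSession=true` or `EnableHiDPI=true` and the build would still succeed. Since these are the defaults every install inherits, I would verify them after the edit, e.g. `grep -q "^ReuseSession.*true" "${D}/${confd}"/00default.conf || die "ReuseSession default not applied"`, and likewise for `EnableHiDPI`. `dodir ${confd}` should also be quoted, to match the quoted uses below it.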

