kde-frameworks/kinit: Fix bug with USE=-caps, Gentoo bug 560640

Added upstream patch from git master to fix longstanding bug.

Package-Manager: portage-2.2.20.1

2 files changed, 98 insertions, 0 deletions

diff --git a/kde-frameworks/kinit/files/kinit-5.16.0-dont-wipe-groups.patch b/kde-frameworks/kinit/files/kinit-5.16.0-dont-wipe-groups.patch
new file mode 100644
index 000000000000..74272705bd63
--- /dev/null
+++ b/kde-frameworks/kinit/files/kinit-5.16.0-dont-wipe-groups.patch
@@ -0,0 +1,56 @@
+From: Nicolás Alvarez <nicolas.alvarez@gmail.com>
+Date: Wed, 11 Nov 2015 05:52:37 +0000
+Subject: Revert "Call setgroups(0,0) before calling setgid()"
+X-Git-Url: http://quickgit.kde.org/?p=kinit.git&a=commitdiff&h=1086e110ae4c05af6704af0d56f93e8bb023eeff
+---
+Revert "Call setgroups(0,0) before calling setgid()"
+
+The reasoning for adding setgroups(0,0) was that when you drop privileges
+from root to regular user, there might be some extra groups left that, if
+not cleared, might grant the process privileges to do superuser things.
+
+However, this only happens if the process calls setgroups to alter its own
+supplementary groups while it's still running as root, and then drops
+privileges to a regular user. In that case there may be a security issue
+where the process ends up running as a regular user, but with supplemental
+groups the user doesn't normally belong to.
+
+Since start_kdeinit doesn't call setgroups to give itself superuser groups,
+there is no such security issue, and it doesn't need to clear the group
+list before dropping to a normal user.
+
+*In addition*, this was completely emptying the list of supplemental groups
+instead of setting them to what the user's groups actually are (eg. from
+getgrouplist), which means he would end up without 'plugdev', 'vboxusers',
+'wireshark', 'cdrom', and whatever other groups they may need for their
+software to work.
+
+CCMAIL:dvratil@redhat.com
+
+Daniel: if the latest version of rpmlint still complains about this use of
+setgid without setgroups, please file a bug against rpmlint.
+
+This reverts commit ff5ea1ab8568893c7d7b3a4518997080d3533308 from
+review 119011.
+---
+
+
+--- a/src/start_kdeinit/start_kdeinit.c
++++ b/src/start_kdeinit/start_kdeinit.c
+@@ -27,7 +27,6 @@
+ #include <string.h>
+ #include <sys/stat.h>
+ #include <unistd.h>
+-#include <grp.h>
+ #if HAVE_CAPABILITIES
+ #include <sys/capability.h>
+ #endif
+@@ -126,7 +125,6 @@
+         }
+         cap_free(caps);
+ #endif
+-	setgroups(0, 0); /* Remove any extraneous groups*/
+         if (setgid(getgid())) {
+             perror("setgid()");
+             return 1;
+
diff --git a/kde-frameworks/kinit/kinit-5.16.0-r1.ebuild b/kde-frameworks/kinit/kinit-5.16.0-r1.ebuild
new file mode 100644
index 000000000000..e225d7b328ad
--- /dev/null
+++ b/kde-frameworks/kinit/kinit-5.16.0-r1.ebuild
@@ -0,0 +1,42 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=5
+
+KDE_TEST="false"
+inherit kde5
+
+DESCRIPTION="Helper library to speed up start of applications on KDE work spaces"
+LICENSE="LGPL-2+"
+KEYWORDS=" ~amd64 ~x86"
+IUSE="+caps +man"
+
+RDEPEND="
+	$(add_frameworks_dep kconfig)
+	$(add_frameworks_dep kcoreaddons)
+	$(add_frameworks_dep kcrash)
+	$(add_frameworks_dep ki18n)
+	$(add_frameworks_dep kio)
+	$(add_frameworks_dep kservice)
+	$(add_frameworks_dep kwindowsystem)
+	dev-qt/qtdbus:5
+	dev-qt/qtgui:5
+	x11-libs/libX11
+	caps? ( sys-libs/libcap )
+"
+DEPEND="${RDEPEND}
+	man? ( $(add_frameworks_dep kdoctools) )
+	x11-proto/xproto
+"
+
+PATCHES=( "${FILESDIR}/${P}-dont-wipe-groups.patch" )
+
+src_configure() {
+	local mycmakeargs=(
+		$(cmake-utils_use_find_package caps Libcap)
+		$(cmake-utils_use_find_package man KF5DocTools)
+	)
+
+	kde5_src_configure
+}