From 86df0445c797540c4523b8e9580a2ad3a5f66e6f Mon Sep 17 00:00:00 2001 From: Andreas Sturmlechner Date: Sun, 15 Nov 2015 22:29:43 +0100 Subject: kde-frameworks/kinit: Fix bug with USE=-caps, Gentoo bug 560640 Added upstream patch from git master to fix longstanding bug. Package-Manager: portage-2.2.20.1 --- .../files/kinit-5.16.0-dont-wipe-groups.patch | 56 ++++++++++++++++++++++ kde-frameworks/kinit/kinit-5.16.0-r1.ebuild | 42 ++++++++++++++++ 2 files changed, 98 insertions(+) create mode 100644 kde-frameworks/kinit/files/kinit-5.16.0-dont-wipe-groups.patch create mode 100644 kde-frameworks/kinit/kinit-5.16.0-r1.ebuild (limited to 'kde-frameworks') diff --git a/kde-frameworks/kinit/files/kinit-5.16.0-dont-wipe-groups.patch b/kde-frameworks/kinit/files/kinit-5.16.0-dont-wipe-groups.patch new file mode 100644 index 000000000000..74272705bd63 --- /dev/null +++ b/kde-frameworks/kinit/files/kinit-5.16.0-dont-wipe-groups.patch @@ -0,0 +1,56 @@ +From: Nicolás Alvarez +Date: Wed, 11 Nov 2015 05:52:37 +0000 +Subject: Revert "Call setgroups(0,0) before calling setgid()" +X-Git-Url: http://quickgit.kde.org/?p=kinit.git&a=commitdiff&h=1086e110ae4c05af6704af0d56f93e8bb023eeff +--- +Revert "Call setgroups(0,0) before calling setgid()" + +The reasoning for adding setgroups(0,0) was that when you drop privileges +from root to regular user, there might be some extra groups left that, if +not cleared, might grant the process privileges to do superuser things. + +However, this only happens if the process calls setgroups to alter its own +supplementary groups while it's still running as root, and then drops +privileges to a regular user. In that case there may be a security issue +where the process ends up running as a regular user, but with supplemental +groups the user doesn't normally belong to. + +Since start_kdeinit doesn't call setgroups to give itself superuser groups, +there is no such security issue, and it doesn't need to clear the group +list before dropping to a normal user. + +*In addition*, this was completely emptying the list of supplemental groups +instead of setting them to what the user's groups actually are (eg. from +getgrouplist), which means he would end up without 'plugdev', 'vboxusers', +'wireshark', 'cdrom', and whatever other groups they may need for their +software to work. + +CCMAIL:dvratil@redhat.com + +Daniel: if the latest version of rpmlint still complains about this use of +setgid without setgroups, please file a bug against rpmlint. + +This reverts commit ff5ea1ab8568893c7d7b3a4518997080d3533308 from +review 119011. +--- + + +--- a/src/start_kdeinit/start_kdeinit.c ++++ b/src/start_kdeinit/start_kdeinit.c +@@ -27,7 +27,6 @@ + #include + #include + #include +-#include + #if HAVE_CAPABILITIES + #include + #endif +@@ -126,7 +125,6 @@ + } + cap_free(caps); + #endif +- setgroups(0, 0); /* Remove any extraneous groups*/ + if (setgid(getgid())) { + perror("setgid()"); + return 1; + diff --git a/kde-frameworks/kinit/kinit-5.16.0-r1.ebuild b/kde-frameworks/kinit/kinit-5.16.0-r1.ebuild new file mode 100644 index 000000000000..e225d7b328ad --- /dev/null +++ b/kde-frameworks/kinit/kinit-5.16.0-r1.ebuild @@ -0,0 +1,42 @@ +# Copyright 1999-2015 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Id$ + +EAPI=5 + +KDE_TEST="false" +inherit kde5 + +DESCRIPTION="Helper library to speed up start of applications on KDE work spaces" +LICENSE="LGPL-2+" +KEYWORDS=" ~amd64 ~x86" +IUSE="+caps +man" + +RDEPEND=" + $(add_frameworks_dep kconfig) + $(add_frameworks_dep kcoreaddons) + $(add_frameworks_dep kcrash) + $(add_frameworks_dep ki18n) + $(add_frameworks_dep kio) + $(add_frameworks_dep kservice) + $(add_frameworks_dep kwindowsystem) + dev-qt/qtdbus:5 + dev-qt/qtgui:5 + x11-libs/libX11 + caps? ( sys-libs/libcap ) +" +DEPEND="${RDEPEND} + man? ( $(add_frameworks_dep kdoctools) ) + x11-proto/xproto +" + +PATCHES=( "${FILESDIR}/${P}-dont-wipe-groups.patch" ) + +src_configure() { + local mycmakeargs=( + $(cmake-utils_use_find_package caps Libcap) + $(cmake-utils_use_find_package man KF5DocTools) + ) + + kde5_src_configure +} -- cgit v1.2.3-65-gdbad