Gentoo Archives: gentoo-commits

From: Andreas Sturmlechner <asturm@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/kde:master commit in: kde-apps/kate/files/, kde-apps/kate/
Date: Sun, 08 Jul 2018 15:48:34
Message-Id: 1531064878.a16ef3874678c775f2fb5e5b6ef1fdb2184034be.asturm@gentoo
1 commit: a16ef3874678c775f2fb5e5b6ef1fdb2184034be
2 Author: Andreas Sturmlechner <asturm <AT> gentoo <DOT> org>
3 AuthorDate: Sun Jul 8 15:47:58 2018 +0000
4 Commit: Andreas Sturmlechner <asturm <AT> gentoo <DOT> org>
5 CommitDate: Sun Jul 8 15:47:58 2018 +0000
6 URL: https://gitweb.gentoo.org/proj/kde.git/commit/?id=a16ef387
7
8 kde-apps/kate: Backport start-as-root
9
10 Package-Manager: Portage-2.3.41, Repoman-2.3.9
11
12 kde-apps/kate/files/kate-18.04.3-root-user.patch | 62 ++++++++++++++++++++++++
13 kde-apps/kate/kate-18.04.49.9999.ebuild | 2 +
14 2 files changed, 64 insertions(+)
15
16 diff --git a/kde-apps/kate/files/kate-18.04.3-root-user.patch b/kde-apps/kate/files/kate-18.04.3-root-user.patch
17 new file mode 100644
18 index 0000000000..320c174035
19 --- /dev/null
20 +++ b/kde-apps/kate/files/kate-18.04.3-root-user.patch
21 @@ -0,0 +1,62 @@
22 +From bf6d5b7532968763bdc629aa90426c53500af13f Mon Sep 17 00:00:00 2001
23 +From: Nathaniel Graham <nate@×××.org>
24 +Date: Sat, 26 May 2018 14:50:24 -0600
25 +Subject: Re-allow running Kate and KWrite as the actual root user (but still
26 + not using sudo)
27 +
28 +Summary:
29 +The original change (9adcebd3c2e476c8a32e9b455cc99f46b0e12a7e) to prevent sudo usage broke the use case of running KWrite or Kate while logged in as the actual `root` user with a GUI session. This is how the Kali distro is set up by default, so the original change amounted to making Kate and KWrite not launch at all on this KDE distro.
30 +
31 +This patch re-enables running as the actual root user, but keeps blocking usage via `sudo` or `kdesu`. There are no negative security implications associated with re-allowing usage via the root user, since if you're running a GUI session, you were already exposed to the original security threat and Kate and KWrite do not increase the attack surface.
32 +
33 +I have submitted a similar change for Dolphin that has been accepted (D12795), but @elvisangelaccio wants that to go in at the same time as this, to keep them in sync.
34 +
35 +BUG: 387973
36 +FIXED-IN: 18.08.0
37 +
38 +Test Plan:
39 +- Log in as normal user and run `sudo kate` or `sudo kwrite`: you get an error message.
40 +- Log in as normal user and run `kdesu kate` or `kdesu kwrite`: you get an error message.
41 +- Log in as the root user and run Kate or KWrite normally: it works.
42 +
43 +Reviewers: #kate, dhaumann, cullmann, #ktexteditor
44 +
45 +Reviewed By: #kate, dhaumann, #ktexteditor
46 +
47 +Subscribers: kwrite-devel, elvisangelaccio
48 +
49 +Tags: #kate
50 +
51 +Differential Revision: https://phabricator.kde.org/D13138
52 +---
53 + kate/main.cpp | 14 ++++++++------
54 + 2 files changed, 16 insertions(+), 12 deletions(-)
55 +
56 +diff --git a/kate/main.cpp b/kate/main.cpp
57 +index e20fcff..19f7a99 100644
58 +--- a/kate/main.cpp
59 ++++ b/kate/main.cpp
60 +@@ -61,13 +61,15 @@
61 + int main(int argc, char **argv)
62 + {
63 + #ifndef Q_OS_WIN
64 +- /**
65 +- * Check whether we are running as root
66 +- **/
67 ++ // Prohibit using sudo or kdesu (but allow using the root user directly)
68 + if (getuid() == 0) {
69 +- std::cout << "Executing Kate as root is not possible. To edit files as root use:" << std::endl;
70 +- std::cout << "SUDO_EDITOR=kate sudoedit <file>" << std::endl;
71 +- return 0;
72 ++ if (!qEnvironmentVariableIsEmpty("SUDO_USER")) {
73 ++ std::cout << "Executing Kate with sudo is not possible due to unfixable security vulnerabilities." << std::endl;
74 ++ return EXIT_FAILURE;
75 ++ } else if (!qEnvironmentVariableIsEmpty("KDESU_USER")) {
76 ++ std::cout << "Executing Kate with kdesu is not possible due to unfixable security vulnerabilities." << std::endl;
77 ++ return EXIT_FAILURE;
78 ++ }
79 + }
80 + #endif
81 + /**
82 +--
83 +cgit v0.11.2
84
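Review bot: In the embedded kate/main.cpp hunk, the new `getuid() == 0` branch decides whether to refuse startup solely from `SUDO_USER` and `KDESU_USER`, and environment variables are supplied by the caller, so this is a guard-rail against an accidental `sudo kate` rather than an enforced boundary. The one-line comment should say so, given that the messages cite "unfixable security vulnerabilities". The replacement messages also drop the old `SUDO_EDITOR=kate sudoedit <file>` hint, which leaves a refused user without the supported alternative, and they still go to `std::cout` although the exit status is now `EXIT_FAILURE`; I would restore the hint and write to `std::cerr`. Separately, the embedded diffstat reads "2 files changed, 16 insertions(+), 12 deletions(-)" while only kate/main.cpp (14 lines) is present, so the patch header should state what was trimmed for this backport.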
85 diff --git a/kde-apps/kate/kate-18.04.49.9999.ebuild b/kde-apps/kate/kate-18.04.49.9999.ebuild
86 index ce8e6b9061..5998918660 100644
87 --- a/kde-apps/kate/kate-18.04.49.9999.ebuild
88 +++ b/kde-apps/kate/kate-18.04.49.9999.ebuild
89 @@ -53,6 +53,8 @@ RDEPEND="${DEPEND}
90 !kde-misc/ktexteditorpreviewplugin
91 "
92
93 +PATCHES=( "${FILESDIR}/${PN}-18.04.3-root-user.patch" )
94 +
95 src_prepare() {
96 kde5_src_prepare
97 # test hangs
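Review bot: The `PATCHES=( ... )` line added ahead of `src_prepare()` has no comment saying where the patch comes from or when it can be dropped; the patch header gives `FIXED-IN: 18.08.0` and Differential Revision D13138, and a short comment carrying those would tell the next maintainer when to remove it. The file is named `${PN}-18.04.3-root-user.patch` but is wired only into the 18.04.49.9999 ebuild, and the diffstat shows no 18.04.3 ebuild touched, so it is worth confirming that is intended. The commit message "Backport start-as-root" would also be clearer with the bug number (387973) from the patch header.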