summaryrefslogtreecommitdiff
path: root/testing/source/vtown/kde/patch/sddm/sddm_revert-honor-PAM-supplemental-groups.patch
diff options
context:
space:
mode:
Diffstat (limited to 'testing/source/vtown/kde/patch/sddm/sddm_revert-honor-PAM-supplemental-groups.patch')
-rw-r--r--testing/source/vtown/kde/patch/sddm/sddm_revert-honor-PAM-supplemental-groups.patch88
1 files changed, 88 insertions, 0 deletions
diff --git a/testing/source/vtown/kde/patch/sddm/sddm_revert-honor-PAM-supplemental-groups.patch b/testing/source/vtown/kde/patch/sddm/sddm_revert-honor-PAM-supplemental-groups.patch
new file mode 100644
index 00000000..2391c80c
--- /dev/null
+++ b/testing/source/vtown/kde/patch/sddm/sddm_revert-honor-PAM-supplemental-groups.patch
@@ -0,0 +1,88 @@
+From d3953e88a94ec25a87d3c5136517b3d1009cb1fd Mon Sep 17 00:00:00 2001
+From: "J. Konrad Tegtmeier-Rottach" <jktr@0x16.de>
+Date: Wed, 8 May 2019 18:58:53 +0200
+Subject: [PATCH] Revert "Honor PAM's ambient supplemental groups. (#834)"
+
+This reverts commit 1bc813d08b8130e458a6550ec47fb2bfbe6de080, which
+misuses PAM and leads to pulling in all of root's supplemental groups
+during session initialization instead of only adding PAM's extra
+groups. The problem was masked due to the root user not having any
+supplemental groups in some common contexts, like running sddm from a
+systemd unit.
+---
+ src/helper/UserSession.cpp | 57 --------------------------------------
+ 1 file changed, 57 deletions(-)
+
+diff --git a/src/helper/UserSession.cpp b/src/helper/UserSession.cpp
+index b3aec356..f71fd358 100644
+--- a/src/helper/UserSession.cpp
++++ b/src/helper/UserSession.cpp
+@@ -150,67 +150,10 @@ namespace SDDM {
+ qCritical() << "setgid(" << pw.pw_gid << ") failed for user: " << username;
+ exit(Auth::HELPER_OTHER_ERROR);
+ }
+-
+-#ifdef USE_PAM
+-
+- // fetch ambient groups from PAM's environment;
+- // these are set by modules such as pam_groups.so
+- int n_pam_groups = getgroups(0, NULL);
+- gid_t *pam_groups = NULL;
+- if (n_pam_groups > 0) {
+- pam_groups = new gid_t[n_pam_groups];
+- if ((n_pam_groups = getgroups(n_pam_groups, pam_groups)) == -1) {
+- qCritical() << "getgroups() failed to fetch supplemental"
+- << "PAM groups for user:" << username;
+- exit(Auth::HELPER_OTHER_ERROR);
+- }
+- } else {
+- n_pam_groups = 0;
+- }
+-
+- // fetch session's user's groups
+- int n_user_groups = 0;
+- gid_t *user_groups = NULL;
+- if (-1 == getgrouplist(username.constData(), pw.pw_gid,
+- NULL, &n_user_groups)) {
+- user_groups = new gid_t[n_user_groups];
+- if ((n_user_groups = getgrouplist(username.constData(),
+- pw.pw_gid, user_groups,
+- &n_user_groups)) == -1 ) {
+- qCritical() << "getgrouplist(" << username << ", " << pw.pw_gid
+- << ") failed";
+- exit(Auth::HELPER_OTHER_ERROR);
+- }
+- }
+-
+- // set groups to concatenation of PAM's ambient
+- // groups and the session's user's groups
+- int n_groups = n_pam_groups + n_user_groups;
+- if (n_groups > 0) {
+- gid_t *groups = new gid_t[n_groups];
+- memcpy(groups, pam_groups, (n_pam_groups * sizeof(gid_t)));
+- memcpy((groups + n_pam_groups), user_groups,
+- (n_user_groups * sizeof(gid_t)));
+-
+- // setgroups(2) handles duplicate groups
+- if (setgroups(n_groups, groups) != 0) {
+- qCritical() << "setgroups() failed for user: " << username;
+- exit (Auth::HELPER_OTHER_ERROR);
+- }
+- delete[] groups;
+- }
+- delete[] pam_groups;
+- delete[] user_groups;
+-
+-#else
+-
+ if (initgroups(pw.pw_name, pw.pw_gid) != 0) {
+ qCritical() << "initgroups(" << pw.pw_name << ", " << pw.pw_gid << ") failed for user: " << username;
+ exit(Auth::HELPER_OTHER_ERROR);
+ }
+-
+-#endif /* USE_PAM */
+-
+ if (setuid(pw.pw_uid) != 0) {
+ qCritical() << "setuid(" << pw.pw_uid << ") failed for user: " << username;
+ exit(Auth::HELPER_OTHER_ERROR);
+