Hello community, here is the log from the commit of package opera for openSUSE:Factory:NonFree checked in at 2016-09-25 14:45:29 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory:NonFree/opera (Old) and /work/SRC/openSUSE:Factory:NonFree/.opera.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "opera" Changes: --------
--- /work/SRC/openSUSE:Factory:NonFree/opera/opera.changes 2016-09-23 13:35:40.000000000 +0200
+++ /work/SRC/openSUSE:Factory:NonFree/.opera.new/opera.changes 2016-09-25 14:45:31.000000000 +0200
@@ -1,0 +2,6 @@
+Sat Sep 24 19:42:08 UTC 2016 - [email protected]
+
+- Change opera.sh to reflect how and when setuid sandboxing works
+ (it is not required at all when kernel supports CLONE_NEWUSER).
+
+-------------------------------------------------------------------
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ opera.sh.in ++++++
--- /var/tmp/diff_new_pack.hMe9zf/_old 2016-09-25 14:45:34.000000000 +0200
+++ /var/tmp/diff_new_pack.hMe9zf/_new 2016-09-25 14:45:34.000000000 +0200
@@ -6,7 +6,7 @@
 PROGNAME="opera"
 LIBDIR="__LIBDIR__/$PROGNAME"
-SANDBOX_APP="$LIBDIR/${PROGNAME}_sandbox"
+SANDBOX_FILE="$LIBDIR/${PROGNAME}_sandbox"
 # Allow users to override command-line options.
 # Based on Gentoo's chromium package (and by extension, Debian's).
@@ -18,24 +18,30 @@
 # default OPERA_FLAGS (from /etc/default/opera).
 OPERA_FLAGS="${OPERA_USER_FLAGS:-$OPERA_FLAGS}"
-# Check if sandbox binary has setuid.
-if ( grep -qE '^.r.sr..r.. . 0 0' <<< "$(ls -n "$SANDBOX_APP")" ); then
- SETUID_SANDBOX_SET=1
+# Check if CLONE_NEWUSER exists (setuid sandboxing is required).
+if [ ! -f "/proc/$$/ns/user" ]; then
+ REQUIRE_SETUID_SANDBOX=1
 else
- SETUID_SANDBOX_SET=
+ REQUIRE_SETUID_SANDBOX=
+fi
+# Check if sandbox binary has a setuid flag.
+if [[ "$(stat -c '%a %u:%g' "$SANDBOX_FILE")" == '4755 0:0' ]]; then
+ HAS_SETUID_SANDBOX=1
+else
+ HAS_SETUID_SANDBOX=
 fi
-# Enable SUID sandboxing for those who wish.
-if [ -n "$SETUID_SANDBOX_SET" ] || [[ "$OPERA_FLAGS" =~ '--enable-setuid-sandbox' ]]; then
- OPERA_FLAGS=$(echo "$OPERA_FLAGS" | sed -e 's/--enable-setuid-sandbox//g')
- if [ -z "$SETUID_SANDBOX_SET" ]; then
- if ( ! xdg-su -c "chmod 4755 "$SANDBOX_APP"" &> /dev/null ); then
- echo "Permission granting failed, falling back to disabled SUID sanboxing." >&2
- OPERA_FLAGS="$OPERA_FLAGS --disable-setuid-sandbox"
+# SUID sandboxing is required but does not exist. Let's try and fix it.
+if [ -n "$REQUIRE_SETUID_SANDBOX" ] && [ -z "$HAS_SETUID_SANDBOX" ]; then
+ if [[ "$OPERA_FLAGS" =~ '--sandbox' ]]; then
+ if ( ! which xdg-su &> /dev/null ) || \
+ ( ! xdg-su -c "chmod 4755 "$SANDBOX_FILE"; chown 0:0 "$SANDBOX_FILE"" &> /dev/null ); then
+ echo "Permission granting failed, falling back to disabled sandboxing." >&2
+ OPERA_FLAGS="$OPERA_FLAGS --no-sandbox"
 fi
+ else
+ OPERA_FLAGS="$OPERA_FLAGS --no-sandbox"
 fi
-else
- OPERA_FLAGS="$OPERA_FLAGS --disable-setuid-sandbox"
 fi
 exec "$LIBDIR/$PROGNAME" $SANDBOX $CHROMIUM_FLAGS $OPERA_FLAGS "$@"
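Review bot: In the new `xdg-su -c` line the `chown 0:0` runs after `chmod 4755`, and on Linux a chown normally clears the setuid bit on a regular file, so the repair can report success while leaving the sandbox helper without setuid. The inner double quotes also close the outer string, so the path reaches the root shell unquoted. Reordering and quoting would address both: `xdg-su -c "chown 0:0 '$SANDBOX_FILE' && chmod 4755 '$SANDBOX_FILE'"`. Separately, the new `else` branch appends `--no-sandbox` with no message, so a user whose kernel lacks user namespaces and whose helper is not setuid gets a browser with sandboxing switched off and is never told; a line such as `echo "No usable sandbox available, starting without sandboxing." >&2` in that branch would make the downgrade visible. The `/proc/$$/ns/user` test shows only that the kernel exposes user namespaces, not that unprivileged processes may create them, which is worth stating in the comment above it.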
