Hello community,
here is the log from the commit of package ConsoleKit for openSUSE:11.3
checked in at Tue Jun 7 14:11:05 CEST 2011.
--------
--- old-versions/11.3/all/ConsoleKit/ConsoleKit.changes 2010-05-04
11:32:43.000000000 +0200
+++ 11.3/ConsoleKit/ConsoleKit.changes 2011-05-24 12:52:54.000000000 +0200
@@ -1,0 +2,7 @@
+Tue May 24 12:53:08 CEST 2011 - hma...@suse.de
+
+- add ConsoleKit-fix-is-local-set-for-remote-sessions.patch:
+ Prevent remote users to open a ConsoleKit session considered
+ local (bnc#686150)
+
+-------------------------------------------------------------------
ConsoleKit-doc.changes: same change
Package does not exist at destination yet. Using Fallback
old-versions/11.3/all/ConsoleKit
Destination is old-versions/11.3/UPDATES/all/ConsoleKit
calling whatdependson for 11.3-i586
New:
----
ConsoleKit-fix-is-local-set-for-remote-sessions.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ ConsoleKit-doc.spec ++++++
--- /var/tmp/diff_new_pack.yxsqN0/_old 2011-06-07 14:10:17.000000000 +0200
+++ /var/tmp/diff_new_pack.yxsqN0/_new 2011-06-07 14:10:17.000000000 +0200
@@ -1,7 +1,7 @@
#
-# spec file for package ConsoleKit-doc (Version 0.4.1)
+# spec file for package ConsoleKit-doc
#
-# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -37,7 +37,7 @@
%endif
Summary: System daemon for tracking users, sessions and seats
Version: 0.4.1
-Release: 4
+Release: 7.<RELEASE2>
License: GPLv2+
Group: System/Daemons
AutoReqProv: on
@@ -47,6 +47,7 @@
Patch1: 0009-Don-t-take-bus-name-until-ready.patch
Patch2: 0010-Don-t-segfault-if-the-seats-file-is-invalid.patch
Patch3: 0012-format-not-a-string-literal-and-no-format-arguments.patch
+Patch4: ConsoleKit-fix-is-local-set-for-remote-sessions.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%if %build_doc == 0
PreReq: pwdutils login
@@ -90,6 +91,7 @@
%patch1 -p1
%patch2 -p1
%patch3 -p1
+%patch4 -p1
%build
autoreconf -fi
ConsoleKit.spec: same change
++++++ ConsoleKit-fix-is-local-set-for-remote-sessions.patch ++++++
commit 4f88228f31a63c026c424a92827f26ad7535275c
Author: William Jon McCann <jmcc...@redhat.com>
Date: Thu Jun 3 20:02:35 2010 -0400
Only set sessions to be is-local=true if set by a trusted party
https://bugs.freedesktop.org/show_bug.cgi?id=28377
Index: ConsoleKit-0.4.1/src/ck-manager.c
===================================================================
--- ConsoleKit-0.4.1.orig/src/ck-manager.c
+++ ConsoleKit-0.4.1/src/ck-manager.c
@@ -1641,13 +1641,175 @@ open_session_for_leader (CkManager
dbus_g_method_return (context, cookie);
}
+enum {
+ PROP_STRING,
+ PROP_BOOLEAN,
+};
+
+#define CK_TYPE_PARAMETER_STRUCT (dbus_g_type_get_struct ("GValueArray", \
+ G_TYPE_STRING, \
+ G_TYPE_VALUE, \
+ G_TYPE_INVALID))
+
+static gboolean
+_get_parameter (GPtrArray *parameters,
+ const char *name,
+ int prop_type,
+ gpointer *value)
+{
+ gboolean ret;
+ int i;
+
+ if (parameters == NULL) {
+ return FALSE;
+ }
+
+ ret = FALSE;
+
+ for (i = 0; i < parameters->len && ret == FALSE; i++) {
+ gboolean res;
+ GValue val_struct = { 0, };
+ char *prop_name;
+ GValue *prop_val;
+
+ g_value_init (&val_struct, CK_TYPE_PARAMETER_STRUCT);
+ g_value_set_static_boxed (&val_struct, g_ptr_array_index
(parameters, i));
+
+ res = dbus_g_type_struct_get (&val_struct,
+ 0, &prop_name,
+ 1, &prop_val,
+ G_MAXUINT);
+ if (! res) {
+ g_debug ("Unable to extract parameter input");
+ goto cont;
+ }
+
+ if (prop_name == NULL) {
+ g_debug ("Skipping NULL parameter");
+ goto cont;
+ }
+
+ if (strcmp (prop_name, name) != 0) {
+ goto cont;
+ }
+
+ switch (prop_type) {
+ case PROP_STRING:
+ if (value != NULL) {
+ *value = g_value_dup_string (prop_val);
+ }
+ break;
+ case PROP_BOOLEAN:
+ if (value != NULL) {
+ *(gboolean *)value = g_value_get_boolean
(prop_val);
+ }
+ break;
+ default:
+ g_assert_not_reached ();
+ break;
+ }
+
+ ret = TRUE;
+
+ cont:
+ g_free (prop_name);
+ if (prop_val != NULL) {
+ g_value_unset (prop_val);
+ g_free (prop_val);
+ }
+ }
+
+ return ret;
+}
+
+static gboolean
+_verify_login_session_id_is_local (CkManager *manager,
+ const char *login_session_id)
+{
+ GHashTableIter iter;
+ const char *id;
+ CkSession *session;
+
+ g_return_val_if_fail (CK_IS_MANAGER (manager), FALSE);
+
+ /* If any local session exists for the given login session id
+ then that means a trusted party has vouched for the
+ original login */
+
+ g_debug ("Looking for local sessions for login-session-id=%s",
login_session_id);
+
+ session = NULL;
+ g_hash_table_iter_init (&iter, manager->priv->sessions);
+ while (g_hash_table_iter_next (&iter, (gpointer *)&id, (gpointer
*)&session)) {
+ if (session != NULL) {
+ gboolean is_local;
+ char *sessid;
+
+ sessid = NULL;
+ g_object_get (session,
+ "login-session-id", &sessid,
+ "is-local", &is_local,
+ NULL);
+ if (g_strcmp0 (sessid, login_session_id) == 0 &&
is_local) {
+ g_debug ("CkManager: found is-local=true on
%s", id);
+ return TRUE;
+ }
+ }
+ }
+
+ return FALSE;
+}
+
+static void
+add_param_boolean (GPtrArray *parameters,
+ const char *key,
+ gboolean value)
+{
+ GValue val = { 0, };
+ GValue param_val = { 0, };
+
+ g_value_init (&val, G_TYPE_BOOLEAN);
+ g_value_set_boolean (&val, value);
+ g_value_init (¶m_val, CK_TYPE_PARAMETER_STRUCT);
+ g_value_take_boxed (¶m_val,
+ dbus_g_type_specialized_construct
(CK_TYPE_PARAMETER_STRUCT));
+ dbus_g_type_struct_set (¶m_val,
+ 0, key,
+ 1, &val,
+ G_MAXUINT);
+ g_value_unset (&val);
+
+ g_ptr_array_add (parameters, g_value_get_boxed (¶m_val));
+}
+
static void
verify_and_open_session_for_leader (CkManager *manager,
CkSessionLeader *leader,
- const GPtrArray *parameters,
+ GPtrArray *parameters,
DBusGMethodInvocation *context)
{
- /* for now don't bother verifying since we protect
OpenSessionWithParameters */
+ /* Only allow a local session if originating from an existing
+ local session. Effectively this means that only trusted
+ parties can create local sessions. */
+
+ g_debug ("CkManager: verifying session for leader");
+
+ if (parameters != NULL && ! _get_parameter (parameters, "is-local",
PROP_BOOLEAN, NULL)) {
+ gboolean is_local;
+ char *login_session_id;
+
+ g_debug ("CkManager: is-local has not been set, will inherit
from existing login-session-id if available");
+
+ is_local = FALSE;
+
+ if (_get_parameter (parameters, "login-session-id",
PROP_STRING, (gpointer *) &login_session_id)) {
+ is_local = _verify_login_session_id_is_local (manager,
login_session_id);
+ g_debug ("CkManager: found is-local=%s", is_local ?
"true" : "false");
+ }
+
+ add_param_boolean (parameters, "is-local", is_local);
+ }
+
open_session_for_leader (manager,
leader,
parameters,
Index: ConsoleKit-0.4.1/tools/ck-collect-session-info.c
===================================================================
--- ConsoleKit-0.4.1.orig/tools/ck-collect-session-info.c
+++ ConsoleKit-0.4.1/tools/ck-collect-session-info.c
@@ -274,8 +274,7 @@ fill_x11_info (SessionInfo *si)
si->x11_display_device = ck_process_stat_get_tty (xorg_stat);
ck_process_stat_free (xorg_stat);
- si->is_local = TRUE;
- si->is_local_is_set = TRUE;
+ /* don't set is-local here - let the daemon do that */
g_free (si->remote_host_name);
si->remote_host_name = NULL;
@@ -304,13 +303,6 @@ fill_session_info (SessionInfo *si)
fill_x11_info (si);
- if (! si->is_local_is_set) {
- /* FIXME: how should we set this? */
- /* non x11 sessions must be local I guess */
- si->is_local = TRUE;
- si->is_local_is_set = TRUE;
- }
-
res = ck_unix_pid_get_login_session_id (si->pid,
&si->login_session_id);
if (! res) {
si->login_session_id = NULL;
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Remember to have fun...
--
To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org
For additional commands, e-mail: opensuse-commit+h...@opensuse.org
