Hello community, here is the log from the commit of package sddm for openSUSE:Factory checked in at 2018-07-04 23:54:04 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/sddm (Old) and /work/SRC/openSUSE:Factory/.sddm.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "sddm" Wed Jul 4 23:54:04 2018 rev:36 rq:620401 version:0.17.0 Changes: --------
--- /work/SRC/openSUSE:Factory/sddm/sddm.changes 2018-05-16 11:23:17.432227700 +0200
+++ /work/SRC/openSUSE:Factory/.sddm.new/sddm.changes 2018-07-04 23:54:48.759913193 +0200
@@ -1,0 +2,6 @@
+Mon Jul 2 20:53:55 UTC 2018 - [email protected]
+
+- Backport fix for pam_group from develop branch:
+ * 0007-Honor-PAMs-ambient-supplemental-groups.patch
+
+-------------------------------------------------------------------
New: ---- 0007-Honor-PAMs-ambient-supplemental-groups.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ sddm.spec ++++++
--- /var/tmp/diff_new_pack.7l4B9k/_old 2018-07-04 23:54:49.663912196 +0200
+++ /var/tmp/diff_new_pack.7l4B9k/_new 2018-07-04 23:54:49.663912196 +0200
@@ -38,6 +38,8 @@
 Patch8: 0004-UserModel-fix-filtering-out-duplicate-users-998.patch
 Patch9: 0005-UserModel-optimize-setting-of-default-user-icon-999.patch
 Patch10: 0001-Fix-build-with-Qt-5.11-1024.patch
+# Backport: https://github.com/sddm/sddm/commit/1bc813d08b8130e458a6550ec47fb2bfbe6de080
+Patch11: 0007-Honor-PAMs-ambient-supplemental-groups.patch
 # Not merged yet: https://github.com/sddm/sddm/pull/997
 Patch50: 0001-Remove-suffix-for-Wayland-session.patch
 # Not merged yet: https://github.com/sddm/sddm/pull/1017
++++++ 0007-Honor-PAMs-ambient-supplemental-groups.patch ++++++ >From 1bc813d08b8130e458a6550ec47fb2bfbe6de080 Mon Sep 17 00:00:00 2001 From: Konrad Tegtmeier <[email protected]> Date: Fri, 13 Apr 2018 14:06:11 +0200 Subject: [PATCH] Honor PAM's ambient supplemental groups. (#834) When compiled with USE_PAM, prefer a combination of getgroups(3) and getgrouplist(3) for ambient and user groups, respectively, to initgroups(3). This way, groups injected into the PAM environment by means of pam_groups.so aren't ignored. Signed-off-by: J. Konrad Tegtmeier-Rottach <[email protected]> Backported to 0.17.0
Signed-off-by: Luiz Angelo Daros de Luca <[email protected]> --- src/helper/UserSession.cpp | 59 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 59 insertions(+)
diff --git a/src/helper/UserSession.cpp b/src/helper/UserSession.cpp
index 4221ada0..d4fd2cff 100644
--- a/src/helper/UserSession.cpp
+++ b/src/helper/UserSession.cpp
@@ -116,10 +116,69 @@
 qCritical() << "setgid(" << pw->pw_gid << ") failed for user: " << username;
 exit(Auth::HELPER_OTHER_ERROR);
 }
+
+#ifdef USE_PAM
+
+ // fetch ambient groups from PAM's environment;
+ // these are set by modules such as pam_groups.so
+ int n_pam_groups = getgroups(0, NULL);
+ gid_t *pam_groups = NULL;
+ if (n_pam_groups > 0) {
+ pam_groups = new gid_t[n_pam_groups];
+ if ((n_pam_groups = getgroups(n_pam_groups, pam_groups)) == -1) {
+ qCritical() << "getgroups() failed to fetch supplemental"
+ << "PAM groups for user:" << username;
+ exit(Auth::HELPER_OTHER_ERROR);
+ }
+ } else {
+ n_pam_groups = 0;
+ }
+
+ // fetch session's user's groups
+ int n_user_groups = 0;
+ gid_t *user_groups = NULL;
+ if (-1 == getgrouplist(username.constData(), pw->pw_gid,
+ NULL, &n_user_groups)) {
+ user_groups = new gid_t[n_user_groups];
+ if ((n_user_groups = getgrouplist(username.constData(),
+ pw->pw_gid, user_groups,
+ &n_user_groups)) == -1 ) {
+ qCritical() << "getgrouplist(" << username << ", " << pw->pw_gid
+ << ") failed";
+ //free(buffer);
+ exit(Auth::HELPER_OTHER_ERROR);
+ }
+ }
+
+ // set groups to concatenation of PAM's ambient
+ // groups and the session's user's groups
+ int n_groups = n_pam_groups + n_user_groups;
+ if (n_groups > 0) {
+ gid_t *groups = new gid_t[n_groups];
+ memcpy(groups, pam_groups, (n_pam_groups * sizeof(gid_t)));
+ memcpy((groups + n_pam_groups), user_groups,
+ (n_user_groups * sizeof(gid_t)));
+
+ // setgroups(2) handles duplicate groups
+ if (setgroups(n_groups, groups) != 0) {
+ qCritical() << "setgroups() failed for user: " << username;
+ //free(buffer);
+ exit (Auth::HELPER_OTHER_ERROR);
+ }
+ delete[] groups;
+ }
+ delete[] pam_groups;
+ delete[] user_groups;
+
+#else
+
 if (initgroups(pw->pw_name, pw->pw_gid) != 0) {
 qCritical() << "initgroups(" << pw->pw_name << ", " << pw->pw_gid << ") failed for user: " << username;
 exit(Auth::HELPER_OTHER_ERROR);
 }
+
+#endif /* USE_PAM */
+
 if (setuid(pw->pw_uid) != 0) {
 qCritical() << "setuid(" << pw->pw_uid << ") failed for user: " << username;
 exit(Auth::HELPER_OTHER_ERROR);
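Review bot: `getgroups()` in the USE_PAM branch returns every supplementary group the helper process holds at that point, not only the ones a PAM module added, so any group the helper inherited from its parent would presumably be carried into the user session by the later `setgroups()` call. Nothing visible in the hunk resets the process group list before the PAM stack runs (the enclosing function starts and ends outside the hunk), so that precondition should be verified and recorded above the call, e.g. `// requires: supplementary groups were reset to the user's before pam_setcred(); anything else held here is inherited by the session`. Separately, the second `getgrouplist()` call assigns its return value to `n_user_groups`; on libcs where success returns 0 rather than the count, the user's own groups would be dropped, and testing the result without assigning it avoids that: `if (getgrouplist(username.constData(), pw->pw_gid, user_groups, &n_user_groups) == -1) {`. The concatenated list is also passed to `setgroups()` without removing duplicates, so on a platform with a small group limit a user close to that limit may fail to log in; the comment `// setgroups(2) handles duplicate groups` should say whether that case was considered.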
