Bug#763134: acpi-support-base: /usr/share/acpi-support/power-funcs broken from line 24 if consolekit installed and no dbus running
> from my original report i would guesstimate from:
> + d=/tmp/.X11-unix
> ^^
> ...

Ah, sorry, I was under the impression (no idea why) that you were seeing the problem in getXconsole.

Michael
--
Michael Meskes
Bug#763134: acpi-support-base: /usr/share/acpi-support/power-funcs broken from line 24 if consolekit installed and no dbus running
Hi Michael,

Not Thijs here, but I think I can also comment on this:

On Sun, Oct 05, 2014 at 10:09:51PM +0200, Michael Meskes wrote:
> On Sun, Oct 05, 2014 at 08:49:46PM +0200, Thijs Kinkhorst wrote:
> > On its own, I would not consider failure to lock the screen in specific situations a high priority issue because of the other consequences of having physical access to a machine. Normally I would suggest to fix the bug through the regular stable update channel.
>
> Ok, thanks for the clarification. I absolutely agree, but didn't want to go ahead without asking.
>
> > However, am I correct that this is a regression in the DSA for acpi-support (0.140-5+deb7u3)? If so, we can fix it through stable security since it's a regression introduced in that channel.
>
> Nope, I don't think this is a regression. I'm pretty sure the same problem applies to the original stable version.

Given the above and that this was not introduced via a DSA, you can go ahead and ask for an update through stable-proposed-update. Keep in mind that the window is closing this weekend IIRC.

Regards,
Salvatore
Bug#763134: acpi-support-base: /usr/share/acpi-support/power-funcs broken from line 24 if consolekit installed and no dbus running
On Mon, September 29, 2014 13:33, Michael Meskes wrote:
> @security: Is this enough of a security problem to warrant a stable upload? The fix seems easy enough, just run pinky if $user is still empty.

On its own, I would not consider failure to lock the screen in specific situations a high priority issue because of the other consequences of having physical access to a machine. Normally I would suggest to fix the bug through the regular stable update channel.

However, am I correct that this is a regression in the DSA for acpi-support (0.140-5+deb7u3)? If so, we can fix it through stable security since it's a regression introduced in that channel.

Cheers,
Thijs
Bug#763134: acpi-support-base: /usr/share/acpi-support/power-funcs broken from line 24 if consolekit installed and no dbus running
On Sun, Oct 05, 2014 at 08:49:46PM +0200, Thijs Kinkhorst wrote:
> On its own, I would not consider failure to lock the screen in specific situations a high priority issue because of the other consequences of having physical access to a machine. Normally I would suggest to fix the bug through the regular stable update channel.

Ok, thanks for the clarification. I absolutely agree, but didn't want to go ahead without asking.

> However, am I correct that this is a regression in the DSA for acpi-support (0.140-5+deb7u3)? If so, we can fix it through stable security since it's a regression introduced in that channel.

Nope, I don't think this is a regression. I'm pretty sure the same problem applies to the original stable version.

Michael
--
Michael Meskes
Bug#763134: acpi-support-base: /usr/share/acpi-support/power-funcs broken from line 24 if consolekit installed and no dbus running
Hi!

On 14:00 Fri 03 Oct, Michael Meskes wrote:
> On Sun, Sep 28, 2014 at 05:12:45AM +0200, waijb wrote:
> > just testing if /usr/bin/ck-list-sessions is executable doesn't do the trick. until just now i had consolekit installed (some dependency somewhere), but dbus was (and still is and will be) not running. this leads to an error in line 25, ultimately no $user is set. the pinky check is not executed (but would work just fine).
>
> Did you actually try this or only call pinky to see if it displays anything?

yes, i tried it, works fine for me now - without ck-list-sessions.

> The reason I'm asking is that the script needs to know the display number and calculates that by asking ck-list-sessions again. If it indeed works for you I'd like to know how it came up with the right display number.

i didn't debug that and don't have the machine here right now.
from my original report i would guesstimate from:

+ d=/tmp/.X11-unix
^^
+ displaynum=0
+ getXuser
+ local plist display uid user startx pid userhome IFS
+ [ 0 ]
+ display=:0

laptop, just 1 X Session with just 1 DISPLAY. being generic probably complicates things.

greets
waijb
Bug#763134: acpi-support-base: /usr/share/acpi-support/power-funcs broken from line 24 if consolekit installed and no dbus running
On Sun, Sep 28, 2014 at 05:12:45AM +0200, waijb wrote:
> just testing if /usr/bin/ck-list-sessions is executable doesn't do the trick. until just now i had consolekit installed (some dependency somewhere), but dbus was (and still is and will be) not running. this leads to an error in line 25, ultimately no $user is set. the pinky check is not executed (but would work just fine).

Did you actually try this or only call pinky to see if it displays anything?

The reason I'm asking is that the script needs to know the display number and calculates that by asking ck-list-sessions again. If it indeed works for you I'd like to know how it came up with the right display number.

Michael
--
Michael Meskes
Bug#763134: acpi-support-base: /usr/share/acpi-support/power-funcs broken from line 24 if consolekit installed and no dbus running
@security: Is this enough of a security problem to warrant a stable upload? The fix seems easy enough, just run pinky if $user is still empty.

Michael

On Sun, Sep 28, 2014 at 05:12:45AM +0200, waijb wrote:
> getXuser() is broken:
>
> block starting at line 24 in /usr/share/acpi-support/power-funcs:
>
> 24  if [ -x /usr/bin/ck-list-sessions ]; then
> 25      uid=$(ck-list-sessions | awk 'BEGIN { unix_user = ""; } /^Session/ { unix_user = ""; } /unix-user =/ { gsub(/'\''/,"",$3); unix_user = $3; } /x11-display = '\'$display\''/ { print unix_user; exit (0); }')
> 26
> 27      if [ $uid ]; then
> 28          IFS=:
> 29          set -- $(getent passwd $uid)
> 30          user=$1
> 31          unset IFS
> 32      fi
> 33  else
>
> just testing if /usr/bin/ck-list-sessions is executable doesn't do the trick. until just now i had consolekit installed (some dependency somewhere), but dbus was (and still is and will be) not running. this leads to an error in line 25, ultimately no $user is set. the pinky check is not executed (but would work just fine). finally XAUTHORITY and XUSER are exported as blanks. this breaks at least /usr/share/acpi-support/screenblank
>
> debug output:
>
> [04:00:22] root@schleppi ~ # /bin/sh -x /usr/share/acpi-support/screenblank
> -- source added by me for testing
> + . /usr/share/acpi-support/power-funcs
> --
> + umask 022
> + PATH=/sbin:/usr/sbin:/usr/local/sbin:/sbin:/usr/sbin:/usr/local/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/bin/X11
> + POWERSTATE=/var/lib/acpi-support/powerstate
> + HDPARM=/sbin/hdparm -q
> + LIDSTATE=/var/lib/acpi-support/lidstate
> + d=/tmp/.X11-unix
> + displaynum=0
> + getXuser
> + local plist display uid user startx pid userhome IFS
> + [ 0 ]
> + display=:0
> + user=
> + [ -x /usr/bin/ck-list-sessions ]
> + ck-list-sessions
> + awk BEGIN { unix_user = ; } /^Session/ { unix_user = ; } /unix-user =/ { gsub(/'/,,$3); unix_user = $3; } /x11-display = ':0'/ { print unix_user; exit (0); }
> ** Message: Failed to connect to the D-Bus daemon: Failed to connect to socket /var/run/dbus/system_bus_socket: No such file or directory
> + uid=
> + [ ]
> + [ -z ]
> + pgrep -n startx
> + :
> + startx=
> + [ -z ]
> + [ x != x ]
> + export XAUTHORITY=
> + XUSER=
> + export XUSER
> + [ x != x ]
> + [ -x = xtrue ]
>
> result: X not locked as expected after sleep/hibernate. free local and possible remote (root)shells etc...
>
> regards
> waijb

--
Michael Meskes
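Added example (not part of the thread and not the package's own code): a sketch of the fallback proposed in the message above, where the pinky lookup runs whenever $user is still empty instead of only when ck-list-sessions is absent. The function names, the CK_LIST and PINKY override variables and the sample tool output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not the acpi-support code. CK_LIST and PINKY are
# hypothetical override hooks so the logic can be exercised offline.
CK_LIST=${CK_LIST:-ck-list-sessions}
PINKY=${PINKY:-"pinky -fw"}

# Print the uid that ConsoleKit reports for display $1, or nothing.
# A failing tool (e.g. D-Bus not running) simply yields empty output.
uid_from_consolekit() {
    $CK_LIST 2>/dev/null | awk -v q="'" -v disp="$1" '
        /^Session/      { uid = "" }
        /unix-user =/   { gsub(q, "", $3); uid = $3 }
        /x11-display =/ { gsub(q, "", $3); if ($3 == disp) { print uid; exit } }'
}

# Print the login whose TTY or last ("Where") column equals display $1.
user_from_pinky() {
    $PINKY 2>/dev/null | awk -v disp="$1" '$2 == disp || $NF == disp { print $1; exit }'
}

# Resolve the user owning X display number $1 (default 0).
get_x_user() {
    display=":${1:-0}"
    user=
    uid=$(uid_from_consolekit "$display")
    if [ -n "$uid" ]; then
        user=$(getent passwd "$uid" | cut -d: -f1)
    fi
    # Fall back whenever $user is still empty, not only when
    # ck-list-sessions is missing from the system.
    if [ -z "$user" ]; then
        user=$(user_from_pinky "$display")
    fi
    # Return non-zero rather than an empty name, so a caller can react
    # instead of exporting a blank XUSER.
    [ -n "$user" ] || return 1
    printf '%s\n' "$user"
}

# Constructed stand-ins for the real tools (sample data, not real output).
fake_ck_ok()        { printf "Session1:\n\tunix-user = '1000'\n\tx11-display = ':0'\n"; }
fake_ck_dbus_down() { echo '** Message: Failed to connect to the D-Bus daemon' >&2; return 1; }
fake_pinky()        { printf 'alice tty7 00:10 2014-09-28 03:50 :0\n'; }
```

With CK_LIST=fake_ck_dbus_down and PINKY=fake_pinky, get_x_user 0 resolves the user through the fallback; with both lookups empty it returns 1.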
Bug#763134: acpi-support-base: /usr/share/acpi-support/power-funcs broken from line 24 if consolekit installed and no dbus running
Package: acpi-support-base
Version: 0.140-5+deb7u3
Severity: grave
Tags: security
Justification: user security hole

Dear Maintainer,

-- System Information:
Debian Release: 7.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages acpi-support-base depends on:
ii  acpid  1:2.0.16-1+deb7u1

Versions of packages acpi-support-base recommends:
pn  consolekit  none

Versions of packages acpi-support-base suggests:
ii  acpi-support  0.140-5+deb7u3

-- no debconf information

---

getXuser() is broken:

block starting at line 24 in /usr/share/acpi-support/power-funcs:

24  if [ -x /usr/bin/ck-list-sessions ]; then
25      uid=$(ck-list-sessions | awk 'BEGIN { unix_user = ""; } /^Session/ { unix_user = ""; } /unix-user =/ { gsub(/'\''/,"",$3); unix_user = $3; } /x11-display = '\'$display\''/ { print unix_user; exit (0); }')
26
27      if [ $uid ]; then
28          IFS=:
29          set -- $(getent passwd $uid)
30          user=$1
31          unset IFS
32      fi
33  else

just testing if /usr/bin/ck-list-sessions is executable doesn't do the trick. until just now i had consolekit installed (some dependency somewhere), but dbus was (and still is and will be) not running. this leads to an error in line 25, ultimately no $user is set. the pinky check is not executed (but would work just fine). finally XAUTHORITY and XUSER are exported as blanks. this breaks at least /usr/share/acpi-support/screenblank

debug output:

[04:00:22] root@schleppi ~ # /bin/sh -x /usr/share/acpi-support/screenblank
-- source added by me for testing
+ . /usr/share/acpi-support/power-funcs
--
+ umask 022
+ PATH=/sbin:/usr/sbin:/usr/local/sbin:/sbin:/usr/sbin:/usr/local/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/bin/X11
+ POWERSTATE=/var/lib/acpi-support/powerstate
+ HDPARM=/sbin/hdparm -q
+ LIDSTATE=/var/lib/acpi-support/lidstate
+ d=/tmp/.X11-unix
+ displaynum=0
+ getXuser
+ local plist display uid user startx pid userhome IFS
+ [ 0 ]
+ display=:0
+ user=
+ [ -x /usr/bin/ck-list-sessions ]
+ ck-list-sessions
+ awk BEGIN { unix_user = ; } /^Session/ { unix_user = ; } /unix-user =/ { gsub(/'/,,$3); unix_user = $3; } /x11-display = ':0'/ { print unix_user; exit (0); }
** Message: Failed to connect to the D-Bus daemon: Failed to connect to socket /var/run/dbus/system_bus_socket: No such file or directory
+ uid=
+ [ ]
+ [ -z ]
+ pgrep -n startx
+ :
+ startx=
+ [ -z ]
+ [ x != x ]
+ export XAUTHORITY=
+ XUSER=
+ export XUSER
+ [ x != x ]
+ [ -x = xtrue ]

result: X not locked as expected after sleep/hibernate. free local and possible remote (root)shells etc...

regards
waijb