Bug#763134: acpi-support-base: /usr/share/acpi-support/power-funcs broken from line 24 if consolekit installed and no dbus running

2014-10-09 Thread Michael Meskes
> from my original report i would guesstimate from:
> + d=/tmp/.X11-unix
> ^^
> ...

Ah, sorry, I was under the impression (no idea why) that you were seeing
the problem in getXconsole.

Michael

-- 
Michael Meskes
Michael at Fam-Meskes dot De, Michael at Meskes dot (De|Com|Net|Org)
Michael at BorussiaFan dot De, Meskes at (Debian|Postgresql) dot Org
Jabber: michael.meskes at gmail dot com
VfL Borussia! Força Barça! Go SF 49ers! Use Debian GNU/Linux, PostgreSQL


-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#763134: acpi-support-base: /usr/share/acpi-support/power-funcs broken from line 24 if consolekit installed and no dbus running

2014-10-07 Thread Salvatore Bonaccorso
Hi Michael,

Not Thijs here, but I think I can also comment on this:

On Sun, Oct 05, 2014 at 10:09:51PM +0200, Michael Meskes wrote:
> On Sun, Oct 05, 2014 at 08:49:46PM +0200, Thijs Kinkhorst wrote:
> > On its own, I would not consider failure to lock the screen in specific
> > situations a high priority issue because of the other consequences of
> > having physical access to a machine. Normally I would suggest to fix the
> > bug through the regular stable update channel.
>
> Ok, thanks for the clarification. I absolutely agree, but didn't want to go
> ahead without asking.
>
> > However, am I correct that this is a regression in the DSA for
> > acpi-support (0.140-5+deb7u3)? If so, we can fix it through stable
> > security since it's a regression introduced in that channel.
>
> Nope, I don't think this is a regression. I'm pretty sure the same problem
> applies to the original stable version.

Given the above and that this was not introduced via a DSA, you can go
ahead and ask for an update through stable-proposed-update. Keep in
mind that the window is closing this weekend IIRC.

Regards,
Salvatore




Bug#763134: acpi-support-base: /usr/share/acpi-support/power-funcs broken from line 24 if consolekit installed and no dbus running

2014-10-05 Thread Thijs Kinkhorst
On Mon, September 29, 2014 13:33, Michael Meskes wrote:
> @security: Is this enough of a security problem to warrant a stable
> upload?

> The fix seems easy enough, just run pinky if $user is still empty.

On its own, I would not consider failure to lock the screen in specific
situations a high priority issue because of the other consequences of
having physical access to a machine. Normally I would suggest to fix the
bug through the regular stable update channel.

However, am I correct that this is a regression in the DSA for
acpi-support (0.140-5+deb7u3)? If so, we can fix it through stable
security since it's a regression introduced in that channel.


Cheers,
Thijs





Bug#763134: acpi-support-base: /usr/share/acpi-support/power-funcs broken from line 24 if consolekit installed and no dbus running

2014-10-05 Thread Michael Meskes
On Sun, Oct 05, 2014 at 08:49:46PM +0200, Thijs Kinkhorst wrote:
> On its own, I would not consider failure to lock the screen in specific
> situations a high priority issue because of the other consequences of
> having physical access to a machine. Normally I would suggest to fix the
> bug through the regular stable update channel.

Ok, thanks for the clarification. I absolutely agree, but didn't want to go
ahead without asking.

> However, am I correct that this is a regression in the DSA for
> acpi-support (0.140-5+deb7u3)? If so, we can fix it through stable
> security since it's a regression introduced in that channel.

Nope, I don't think this is a regression. I'm pretty sure the same problem
applies to the original stable version.

Michael
-- 
Michael Meskes
Michael at Fam-Meskes dot De, Michael at Meskes dot (De|Com|Net|Org)
Michael at BorussiaFan dot De, Meskes at (Debian|Postgresql) dot Org
Jabber: michael.meskes at gmail dot com
VfL Borussia! Força Barça! Go SF 49ers! Use Debian GNU/Linux, PostgreSQL





Bug#763134: acpi-support-base: /usr/share/acpi-support/power-funcs broken from line 24 if consolekit installed and no dbus running

2014-10-05 Thread waijb
Hi!

On 14:00 Fri 03 Oct , Michael Meskes wrote:
> On Sun, Sep 28, 2014 at 05:12:45AM +0200, waijb wrote:
> > just testing if /usr/bin/ck-list-sessions is executable doesn't do the
> > trick.
> > until just now i had consolekit installed (some dependency somewhere), but
> > dbus was (and still is and will be) not running. this leads to an error in
> > line 25, ultimately no $user is set. the pinky check is not executed (but
> > would work just fine).
>
> Did you actually try this or only call pinky to see if it displays anything?

yes, i tried it, works fine for me now - without ck-list-sessions.

> The reason I'm asking is that the script needs to know the display number and
> calculates that by asking ck-list-sessions again. If it indeed works for you
> I'd like to know how it came up with the right display number.

i didn't debug that and don't have the machine here right now.

from my original report i would guesstimate from:
+ d=/tmp/.X11-unix
^^
+ displaynum=0
+ getXuser
+ local plist display uid user startx pid userhome IFS
+ [ 0 ]
+ display=:0

laptop, just 1 X Session with just 1 DISPLAY. being generic probably
complicates things.

greets
waijb





Bug#763134: acpi-support-base: /usr/share/acpi-support/power-funcs broken from line 24 if consolekit installed and no dbus running

2014-10-03 Thread Michael Meskes
On Sun, Sep 28, 2014 at 05:12:45AM +0200, waijb wrote:
> just testing if /usr/bin/ck-list-sessions is executable doesn't do the
> trick.
> until just now i had consolekit installed (some dependency somewhere), but
> dbus was (and still is and will be) not running. this leads to an error in
> line 25, ultimately no $user is set. the pinky check is not executed (but
> would work just fine).

Did you actually try this or only call pinky to see if it displays anything?

The reason I'm asking is that the script needs to know the display number and
calculates that by asking ck-list-sessions again. If it indeed works for you
I'd like to know how it came up with the right display number.

Michael
-- 
Michael Meskes
Michael at Fam-Meskes dot De, Michael at Meskes dot (De|Com|Net|Org)
Michael at BorussiaFan dot De, Meskes at (Debian|Postgresql) dot Org
Jabber: michael.meskes at gmail dot com
VfL Borussia! Força Barça! Go SF 49ers! Use Debian GNU/Linux, PostgreSQL





Bug#763134: acpi-support-base: /usr/share/acpi-support/power-funcs broken from line 24 if consolekit installed and no dbus running

2014-09-29 Thread Michael Meskes
@security: Is this enough of a security problem to warrant a stable upload?

The fix seems easy enough, just run pinky if $user is still empty.

Michael

On Sun, Sep 28, 2014 at 05:12:45AM +0200, waijb wrote:
> getXuser() is broken:
>
> block starting at line 24 in /usr/share/acpi-support/power-funcs:
>
>  24     if [ -x /usr/bin/ck-list-sessions ]; then
>  25         uid=$(ck-list-sessions | awk 'BEGIN { unix_user = ""; }
>   /^Session/ { unix_user = ""; } /unix-user =/ { gsub(/'\''/,"",$3);
>   unix_user = $3; } /x11-display = '\'$display\''/ { print unix_user; exit
>   (0); }')
>  26 
>  27         if [ $uid ]; then
>  28             IFS=:
>  29             set -- $(getent passwd $uid)
>  30             user=$1
>  31             unset IFS
>  32         fi
>  33     else
>
>
> just testing if /usr/bin/ck-list-sessions is executable doesn't do the
> trick.
> until just now i had consolekit installed (some dependency somewhere), but
> dbus was (and still is and will be) not running. this leads to an error in
> line 25, ultimately no $user is set. the pinky check is not executed (but
> would work just fine).
> finally XAUTHORITY and XUSER are exported as blanks.
>
> this breaks at least /usr/share/acpi-support/screenblank
> debug output:
>
> [04:00:22] root@schleppi ~ # /bin/sh -x /usr/share/acpi-support/screenblank
> -- source added by me for testing
> + . /usr/share/acpi-support/power-funcs
> --
> + umask 022
> +
> PATH=/sbin:/usr/sbin:/usr/local/sbin:/sbin:/usr/sbin:/usr/local/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/bin/X11
> + POWERSTATE=/var/lib/acpi-support/powerstate
> + HDPARM=/sbin/hdparm -q
> + LIDSTATE=/var/lib/acpi-support/lidstate
> + d=/tmp/.X11-unix
> + displaynum=0
> + getXuser
> + local plist display uid user startx pid userhome IFS
> + [ 0 ]
> + display=:0
> + user=
> + [ -x /usr/bin/ck-list-sessions ]
> + ck-list-sessions
> + awk BEGIN { unix_user = ; } /^Session/ { unix_user = ; } /unix-user =/ 
> { gsub(/'/,,$3); unix_user = $3; } /x11-display =
> ':0'/ { print unix_user; exit (0); }
> ** Message: Failed to connect to the D-Bus daemon: Failed to connect to 
> socket /var/run/dbus/system_bus_socket: No such file or
> directory
> + uid=
> + [  ]
> + [ -z  ]
> + pgrep -n startx
> + :
> + startx=
> + [ -z  ]
> + [ x != x ]
> + export XAUTHORITY=
> + XUSER=
> + export XUSER
> + [ x != x ]
> + [ -x = xtrue ]
>
>
> result: X not locked as expected after sleep/hibernate. free local and
> possible remote (root)shells etc...
>
>
> regards
> waijb

-- 
Michael Meskes
Michael at Fam-Meskes dot De, Michael at Meskes dot (De|Com|Net|Org)
Michael at BorussiaFan dot De, Meskes at (Debian|Postgresql) dot Org
Jabber: michael.meskes at gmail dot com
VfL Borussia! Força Barça! Go SF 49ers! Use Debian GNU/Linux, PostgreSQL
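
The fall-through suggested in this message ("just run pinky if $user is still empty"), as an added example that is not part of the thread and is not the code in power-funcs. The hooks CK_LIST, PINKY and PASSWD, the fake_* stand-ins and the assumed `pinky -fw` column layout are illustration only; the lookup also returns a failure status instead of leaving the caller with an empty user.

```sh
#!/bin/sh
# Added example, not the code in power-funcs. CK_LIST, PINKY and PASSWD are
# hypothetical hooks: they default to the real tools and can be pointed at
# stand-ins so the fall-through logic runs without ConsoleKit or D-Bus.
: "${CK_LIST:=ck-list-sessions}" "${PINKY:=pinky -fw}" "${PASSWD:=getent passwd}"

# ConsoleKit lookup: uid of the session on display $1, then uid -> login name.
user_from_consolekit() {
    uid=$($CK_LIST 2>/dev/null | awk -v want="'$1'" '
        /^Session/      { uid = "" }
        /unix-user =/   { gsub(/\047/, "", $3); uid = $3 }
        /x11-display =/ { if ($3 == want) { print uid; exit } }')
    [ -n "$uid" ] || return 1      # tool missing, failed, or no such display
    $PASSWD "$uid" | cut -d: -f1
}

# pinky lookup: login whose TTY or "where" column equals display $1.
user_from_pinky() {
    $PINKY 2>/dev/null | awk -v want="$1" '$2 == want || $NF == want { print $1; exit }'
}

# Try every lookup until one names a user; fail loudly if none does.
get_x_user() {
    for lookup in user_from_consolekit user_from_pinky; do
        user=$($lookup "$1") || user=
        if [ -n "$user" ]; then
            printf '%s\n' "$user"
            return 0
        fi
    done
    return 1    # caller should stop here rather than export an empty XUSER
}

# Constructed stand-ins for tool output (not captured from a real system).
fake_ck_ok()      { printf "Session1:\n\tunix-user = '1000'\n\tx11-display = ':0'\n"; }
fake_ck_nodbus()  { echo "Failed to connect to the D-Bus daemon" >&2; return 1; }
fake_pinky()      { printf 'alice    tty7     04:12  2014-09-27 03:10 :0\n'; }
fake_pinky_none() { :; }
fake_passwd()     { printf 'alice:x:%s:1000::/home/alice:/bin/sh\n' "$1"; }

# The reported situation: ConsoleKit installed, D-Bus down. Prints "alice".
( CK_LIST=fake_ck_nodbus PINKY=fake_pinky PASSWD=fake_passwd; get_x_user :0 )
```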





Bug#763134: acpi-support-base: /usr/share/acpi-support/power-funcs broken from line 24 if consolekit installed and no dbus running

2014-09-27 Thread waijb
Package: acpi-support-base
Version: 0.140-5+deb7u3
Severity: grave
Tags: security
Justification: user security hole

Dear Maintainer,


-- System Information:
Debian Release: 7.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages acpi-support-base depends on:
ii  acpid  1:2.0.16-1+deb7u1

Versions of packages acpi-support-base recommends:
pn  consolekit  none

Versions of packages acpi-support-base suggests:
ii  acpi-support  0.140-5+deb7u3

-- no debconf information

---

getXuser() is broken:

block starting at line 24 in /usr/share/acpi-support/power-funcs:

 24     if [ -x /usr/bin/ck-list-sessions ]; then
 25         uid=$(ck-list-sessions | awk 'BEGIN { unix_user = ""; }
  /^Session/ { unix_user = ""; } /unix-user =/ { gsub(/'\''/,"",$3);
  unix_user = $3; } /x11-display = '\'$display\''/ { print unix_user; exit
  (0); }')
 26 
 27         if [ $uid ]; then
 28             IFS=:
 29             set -- $(getent passwd $uid)
 30             user=$1
 31             unset IFS
 32         fi
 33     else


just testing if /usr/bin/ck-list-sessions is executable doesn't do the
trick.
until just now i had consolekit installed (some dependency somewhere), but
dbus was (and still is and will be) not running. this leads to an error in
line 25, ultimately no $user is set. the pinky check is not executed (but
would work just fine).
finally XAUTHORITY and XUSER are exported as blanks.

this breaks at least /usr/share/acpi-support/screenblank
debug output:

[04:00:22] root@schleppi ~ # /bin/sh -x /usr/share/acpi-support/screenblank
-- source added by me for testing
+ . /usr/share/acpi-support/power-funcs
--
+ umask 022
+
PATH=/sbin:/usr/sbin:/usr/local/sbin:/sbin:/usr/sbin:/usr/local/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/bin/X11
+ POWERSTATE=/var/lib/acpi-support/powerstate
+ HDPARM=/sbin/hdparm -q
+ LIDSTATE=/var/lib/acpi-support/lidstate
+ d=/tmp/.X11-unix
+ displaynum=0
+ getXuser
+ local plist display uid user startx pid userhome IFS
+ [ 0 ]
+ display=:0
+ user=
+ [ -x /usr/bin/ck-list-sessions ]
+ ck-list-sessions
+ awk BEGIN { unix_user = ; } /^Session/ { unix_user = ; } /unix-user =/ { 
gsub(/'/,,$3); unix_user = $3; } /x11-display =
':0'/ { print unix_user; exit (0); }
** Message: Failed to connect to the D-Bus daemon: Failed to connect to socket 
/var/run/dbus/system_bus_socket: No such file or
directory
+ uid=
+ [  ]
+ [ -z  ]
+ pgrep -n startx
+ :
+ startx=
+ [ -z  ]
+ [ x != x ]
+ export XAUTHORITY=
+ XUSER=
+ export XUSER
+ [ x != x ]
+ [ -x = xtrue ]


result: X not locked as expected after sleep/hibernate. free local and
possible remote (root)shells etc...


regards
waijb

