Your message dated Sat, 10 Nov 2018 10:42:56 +0000
with message-id <1541846576.3542.38.ca...@adam-barratt.org.uk>
and subject line Closing bugs for updates included in 9.6
has caused the Debian Bug report #904662,
regarding stretch-pu: package sddm/0.14.0-4+deb9u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
904662: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=904662
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu

Hi Stable release managers, hi Maximiliano

sddm in stable is affected by the following issues, which are both
fixed in unstable already and I would like to propose a fix for the
next point release.

 - #898191: sddm: Does not honor PAM's ambient supplemental groups (via
   e.g. pam_group.so)
   
   In sddm setups where the sddm PAM configuration is configured to use
   pam_group to add additional groups on login depending on the
   /etc/security/group.conf configuration, this does not work. This was
   also reported upstream as https://github.com/sddm/sddm/pull/834 .

   Upstream fix
   https://github.com/sddm/sddm/commit/1bc813d08b8130e458a6550ec47fb2bfbe6de080

   As described in the bug, this might be considered a sort of regression
   for people coming from jessie with kdm and updating to stretch
   using sddm.

 - #878956: sddm doesn't update utmp or wtmp

   If someone logs in via sddm, sddm does not update utmp and wtmp and,
   as a consequence, e.g. 'w' and 'who' would not show the logged-in user.
   Nor will last or lastb record the logins/failed logins.

   Upstream report: https://github.com/sddm/sddm/pull/933

   Upstream fix
   https://github.com/sddm/sddm/pull/933/commits/3f97d178a9477e7e61b76d59eca5db7ab8f6b960

I backported those two fixes for the version in stable (0.14.0-4) and
could test the resulting packages with both conditions successfully. I
would though not mind to get a further review as well by Maximiliano as
the maintainer. Note I'm not a sddm maintainer, but would not mind to
do an update.

Regards,
Salvatore
diff -Nru sddm-0.14.0/debian/changelog sddm-0.14.0/debian/changelog
--- sddm-0.14.0/debian/changelog        2017-03-14 09:50:33.000000000 +0100
+++ sddm-0.14.0/debian/changelog        2018-07-25 16:45:47.000000000 +0200
@@ -1,3 +1,11 @@
+sddm (0.14.0-4+deb9u1) stretch; urgency=medium
+
+  * Non-maintainer upload.
+  * Honor PAM's ambient supplemental groups (Closes: #898191)
+  * Added missing utmp/wtmp/btmp handling (Closes: #878956)
+
+ -- Salvatore Bonaccorso <car...@debian.org>  Wed, 25 Jul 2018 16:45:47 +0200
+
 sddm (0.14.0-4) unstable; urgency=medium
 
   * Update documentation, add information about HiDPI
diff -Nru 
sddm-0.14.0/debian/patches/Added-missing-utmp-wtmp-btmp-handling.patch 
sddm-0.14.0/debian/patches/Added-missing-utmp-wtmp-btmp-handling.patch
--- sddm-0.14.0/debian/patches/Added-missing-utmp-wtmp-btmp-handling.patch      
1970-01-01 01:00:00.000000000 +0100
+++ sddm-0.14.0/debian/patches/Added-missing-utmp-wtmp-btmp-handling.patch      
2018-07-25 16:45:47.000000000 +0200
@@ -0,0 +1,250 @@
+From: Robert Hoffmann <externer.dl.hoffm...@muenchen.de>
+Date: Fri, 10 Nov 2017 12:58:10 +0100
+Subject: Added missing utmp/wtmp/btmp handling
+Origin: 
https://github.com/sddm/sddm/commit/b06c3ab0c579b2528782df660402ae5a907724ae
+Bug: https://github.com/sddm/sddm/pull/933
+Bug-Debian: https://bugs.debian.org/878956
+
+---
+ src/helper/HelperApp.cpp   | 121 +++++++++++++++++++++++++++++++++++++++++++++
+ src/helper/HelperApp.h     |  18 +++++++
+ src/helper/UserSession.cpp |   9 ++++
+ src/helper/UserSession.h   |  14 ++++++
+ 4 files changed, 162 insertions(+)
+
+--- a/src/helper/HelperApp.cpp
++++ b/src/helper/HelperApp.cpp
+@@ -34,6 +34,10 @@
+ #include <unistd.h>
+ #include <sys/socket.h>
+ 
++#include <utmp.h>
++#include <utmpx.h>
++#include <QByteArray>
++
+ namespace SDDM {
+     HelperApp::HelperApp(int& argc, char** argv)
+             : QCoreApplication(argc, argv)
+@@ -114,12 +118,26 @@ namespace SDDM {
+ 
+         if (!m_backend->start(m_user)) {
+             authenticated(QString());
++
++            // write failed login to btmp
++            QProcessEnvironment env = m_session->processEnvironment();
++            QString displayId = env.value(QStringLiteral("DISPLAY"));
++            QString vt = env.value(QStringLiteral("XDG_VTNR"));
++            utmpLogin(vt, displayId, m_user, 0, false);
++
+             exit(Auth::HELPER_AUTH_ERROR);
+             return;
+         }
+ 
+         if (!m_backend->authenticate()) {
+             authenticated(QString());
++
++            // write failed login to btmp
++            QProcessEnvironment env = m_session->processEnvironment();
++            QString displayId = env.value(QStringLiteral("DISPLAY"));
++            QString vt = env.value(QStringLiteral("XDG_VTNR"));
++            utmpLogin(vt, displayId, m_user, 0, false);
++
+             exit(Auth::HELPER_AUTH_ERROR);
+             return;
+         }
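Review bot: The four-line "write failed login to btmp" block is duplicated verbatim in both failure branches, after `m_backend->start(m_user)` and after `m_backend->authenticate()`; pull it into one small helper so the two paths cannot drift apart. Both branches also call `utmpLogin(vt, displayId, m_user, 0, false)` without the `XDG_SESSION_CLASS` != "greeter" test that the login and logout hunks apply, and a backend start failure is recorded as a failed login exactly like a rejected credential; please confirm both are intended.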
+@@ -138,6 +156,16 @@ namespace SDDM {
+             }
+ 
+             sessionOpened(true);
++
++            // write successful login to utmp/wtmp
++            QProcessEnvironment env = m_session->processEnvironment();
++            QString displayId = env.value(QStringLiteral("DISPLAY"));
++            QString vt = env.value(QStringLiteral("XDG_VTNR"));
++            if (env.value(QStringLiteral("XDG_SESSION_CLASS")) != 
QLatin1String("greeter")) {
++                // cache pid for session end
++                m_session->setCachedProcessId(m_session->processId());
++                utmpLogin(vt, displayId, m_user, m_session->processId(), 
true);
++            }
+         }
+         else
+             exit(Auth::HELPER_SUCCESS);
+@@ -146,6 +174,16 @@ namespace SDDM {
+ 
+     void HelperApp::sessionFinished(int status) {
+         m_backend->closeSession();
++
++        // write logout to utmp/wtmp
++        qint64 pid = m_session->cachedProcessId();
++        QProcessEnvironment env = m_session->processEnvironment();
++        if (env.value(QStringLiteral("XDG_SESSION_CLASS")) != 
QLatin1String("greeter")) {
++            QString vt = env.value(QStringLiteral("XDG_VTNR"));
++            QString displayId = env.value(QStringLiteral("DISPLAY"));
++            utmpLogout(vt, displayId, pid);
++        }
++
+         exit(status);
+     }
+ 
+@@ -223,6 +261,90 @@ namespace SDDM {
+     HelperApp::~HelperApp() {
+ 
+     }
++
++    void HelperApp::utmpLogin(const QString &vt, const QString &displayName, 
const QString &user, qint64 pid, bool authSuccessful) {
++        struct utmpx entry;
++        struct timeval tv;
++
++        entry = { 0 };
++        entry.ut_type = USER_PROCESS;
++        entry.ut_pid = pid;
++
++        // ut_line: vt
++        if (!vt.isEmpty()) {
++            QString tty = QStringLiteral("tty");
++            tty.append(vt);
++            QByteArray ttyBa = tty.toLocal8Bit();
++            const char* ttyChar = ttyBa.constData();
++            strncpy(entry.ut_line, ttyChar, sizeof(entry.ut_line));
++        }
++
++        // ut_host: displayName
++        QByteArray displayBa = displayName.toLocal8Bit();
++        const char* displayChar = displayBa.constData();
++        strncpy(entry.ut_host, displayChar, sizeof(entry.ut_host));
++
++        // ut_user: user
++        QByteArray userBa = user.toLocal8Bit();
++        const char* userChar = userBa.constData();
++        strncpy(entry.ut_user, userChar, sizeof(entry.ut_user));
++
++        gettimeofday(&tv, NULL);
++        entry.ut_tv.tv_sec = tv.tv_sec;
++        entry.ut_tv.tv_usec = tv.tv_usec;
++
++        // write to utmp
++        setutxent();
++        if (!pututxline (&entry))
++            qWarning() << "Failed to write utmpx: " << strerror(errno);
++        endutxent();
++
++        // append to failed login database btmp
++        if (!authSuccessful) {
++            updwtmpx("/var/log/btmp", &entry);
++        }
++
++        // append to wtmp
++        else {
++            updwtmpx("/var/log/wtmp", &entry);
++        }
++    }
++
++    void HelperApp::utmpLogout(const QString &vt, const QString &displayName, 
qint64 pid) {
++        struct utmpx entry;
++        struct timeval tv;
++
++        entry = { 0 };
++        entry.ut_type = DEAD_PROCESS;
++        entry.ut_pid = pid;
++
++        // ut_line: vt
++        if (!vt.isEmpty()) {
++            QString tty = QStringLiteral("tty");
++            tty.append(vt);
++            QByteArray ttyBa = tty.toLocal8Bit();
++            const char* ttyChar = ttyBa.constData();
++            strncpy(entry.ut_line, ttyChar, sizeof(entry.ut_line));
++        }
++
++        // ut_host: displayName
++        QByteArray displayBa = displayName.toLocal8Bit();
++        const char* displayChar = displayBa.constData();
++        strncpy(entry.ut_host, displayChar, sizeof(entry.ut_host));
++
++        gettimeofday(&tv, NULL);
++        entry.ut_tv.tv_sec = tv.tv_sec;
++        entry.ut_tv.tv_usec = tv.tv_usec;
++
++        // write to utmp
++        setutxent();
++        if (!pututxline (&entry))
++            qWarning() << "Failed to write utmpx: " << strerror(errno);
++        endutxent();
++
++        // append to wtmp
++        updwtmpx("/var/log/wtmp", &entry);
++    }
+ }
+ 
+ int main(int argc, char** argv) {
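Review bot: In `utmpLogin`, `pututxline(&entry)` runs before the `authSuccessful` check, so a failed attempt is first written to utmp as a `USER_PROCESS` record with pid 0 and only then appended to `/var/log/btmp`; tools that read utmp would then list a user who never got a session. Move the `setutxent()` / `pututxline()` / `endutxent()` sequence into the success branch so the failure path only touches btmp. Neither `utmpLogin` nor `utmpLogout` sets `ut_id`, and `pututxline` locates the slot to overwrite by `ut_id` for process-type records, so with the id left empty parallel sessions can overwrite each other's utmp entry; deriving `ut_id` from the VT or display would keep the login and logout records paired.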
+--- a/src/helper/HelperApp.h
++++ b/src/helper/HelperApp.h
+@@ -63,6 +63,24 @@ namespace SDDM {
+         QString m_user { };
+         // TODO: get rid of this in a nice clean way along the way with 
moving to user session X server
+         QString m_cookie { };
++
++        /*!
++         \brief Write utmp/wtmp/btmp records when a user logs in
++         \param vt  Virtual terminal (tty7, tty8,...)
++         \param displayName  Display (:0, :1,...)
++         \param user  User logging in
++         \param pid  User process ID (e.g. PID of startkde)
++         \param authSuccessful  Was authentication successful
++        */
++        void utmpLogin(const QString &vt, const QString &displayName, const 
QString &user, qint64 pid, bool authSuccessful);
++
++        /*!
++         \brief Write utmp/wtmp records when a user logs out
++         \param vt  Virtual terminal (tty7, tty8,...)
++         \param displayName  Display (:0, :1,...)
++         \param pid  User process ID (e.g. PID of startkde)
++        */
++        void utmpLogout(const QString &vt, const QString &displayName, qint64 
pid);
+     };
+ }
+ 
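Review bot: The `\param vt` text on both `utmpLogin` and `utmpLogout` gives `tty7, tty8,...` as examples, but the callers pass the bare `XDG_VTNR` value and the implementation prepends `tty` itself. Document the parameter as the VT number (7, 8, ...) so a later caller does not end up writing `ttytty7` into `ut_line`.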
+--- a/src/helper/UserSession.cpp
++++ b/src/helper/UserSession.cpp
+@@ -253,4 +253,13 @@ namespace SDDM {
+             pclose(fp);
+         }
+     }
++
++    void UserSession::setCachedProcessId(qint64 pid) {
++        m_cachedProcessId = pid;
++    }
++
++    qint64 UserSession::cachedProcessId() {
++        return m_cachedProcessId;
++    }
++
+ }
+--- a/src/helper/UserSession.h
++++ b/src/helper/UserSession.h
+@@ -40,11 +40,25 @@ namespace SDDM {
+         void setPath(const QString &path);
+         QString path() const;
+ 
++        /*!
++         \brief Sets m_cachedProcessId. Needed for getting the PID of a 
finished UserSession
++                and calling HelperApp::utmpLogout
++         \param pid  The process ID
++        */
++        void setCachedProcessId(qint64 pid);
++
++        /*!
++         \brief Gets m_cachedProcessId
++         \return  The cached process ID
++        */
++        qint64 cachedProcessId();
++
+     protected:
+         void setupChildProcess();
+ 
+     private:
+         QString m_path { };
++        qint64 m_cachedProcessId;
+     };
+ }
+ 
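Review bot: `qint64 m_cachedProcessId;` is declared without an initializer, unlike `m_path { }` on the line above it, so `cachedProcessId()` returns an indeterminate value if `sessionFinished` runs before `setCachedProcessId` was ever called, and that value ends up in `ut_pid` of the logout record. Give the member a defined initial value and have `utmpLogout` skip or handle it, and declare the getter `const` to match `path() const`.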
diff -Nru 
sddm-0.14.0/debian/patches/Honor-PAM-s-ambient-supplemental-groups.-834.patch 
sddm-0.14.0/debian/patches/Honor-PAM-s-ambient-supplemental-groups.-834.patch
--- 
sddm-0.14.0/debian/patches/Honor-PAM-s-ambient-supplemental-groups.-834.patch   
    1970-01-01 01:00:00.000000000 +0100
+++ 
sddm-0.14.0/debian/patches/Honor-PAM-s-ambient-supplemental-groups.-834.patch   
    2018-07-25 16:45:47.000000000 +0200
@@ -0,0 +1,93 @@
+From: Konrad Tegtmeier <j...@users.noreply.github.com>
+Date: Fri, 13 Apr 2018 14:06:11 +0200
+Subject: Honor PAM's ambient supplemental groups. (#834)
+Origin: 
https://github.com/sddm/sddm/commit/1bc813d08b8130e458a6550ec47fb2bfbe6de080
+Bug: https://github.com/sddm/sddm/pull/834
+Bug-Debian: https://bugs.debian.org/898191
+
+When compiled with USE_PAM, prefer a combination of
+getgroups(3) and getgrouplist(3) for ambient and user
+groups, respectively, to initgroups(3).
+
+This way, groups injected into the PAM environment
+by means of pam_groups.so aren't ignored.
+
+Signed-off-by: J. Konrad Tegtmeier-Rottach <j...@0x16.de>
+[Salvatore Bonaccorso: Backport to 0.14.0:
+ - pw.pw_gid -> pw->pw_gid
+ - no need to free buffer, code introduced in later version
+]
+---
+ src/helper/UserSession.cpp | 59 ++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 59 insertions(+)
+
+--- a/src/helper/UserSession.cpp
++++ b/src/helper/UserSession.cpp
+@@ -114,10 +114,67 @@ namespace SDDM {
+             qCritical() << "setgid(" << pw->pw_gid << ") failed for user: " 
<< username;
+             exit(Auth::HELPER_OTHER_ERROR);
+         }
++
++#ifdef USE_PAM
++
++        // fetch ambient groups from PAM's environment;
++        // these are set by modules such as pam_groups.so
++        int n_pam_groups = getgroups(0, NULL);
++        gid_t *pam_groups = NULL;
++        if (n_pam_groups > 0) {
++            pam_groups = new gid_t[n_pam_groups];
++            if ((n_pam_groups = getgroups(n_pam_groups, pam_groups)) == -1) {
++                qCritical() << "getgroups() failed to fetch supplemental"
++                            << "PAM groups for user:" << username;
++                exit(Auth::HELPER_OTHER_ERROR);
++            }
++        } else {
++            n_pam_groups = 0;
++        }
++
++        // fetch session's user's groups
++        int n_user_groups = 0;
++        gid_t *user_groups = NULL;
++        if (-1 == getgrouplist(username.constData(), pw->pw_gid,
++                               NULL, &n_user_groups)) {
++            user_groups = new gid_t[n_user_groups];
++            if ((n_user_groups = getgrouplist(username.constData(),
++                                              pw->pw_gid, user_groups,
++                                              &n_user_groups)) == -1 ) {
++                qCritical() << "getgrouplist(" << username << ", " << 
pw->pw_gid
++                            << ") failed";
++                exit(Auth::HELPER_OTHER_ERROR);
++            }
++        }
++
++        // set groups to concatenation of PAM's ambient
++        // groups and the session's user's groups
++        int n_groups = n_pam_groups + n_user_groups;
++        if (n_groups > 0) {
++            gid_t *groups = new gid_t[n_groups];
++            memcpy(groups, pam_groups, (n_pam_groups * sizeof(gid_t)));
++            memcpy((groups + n_pam_groups), user_groups,
++                   (n_user_groups * sizeof(gid_t)));
++
++            // setgroups(2) handles duplicate groups
++            if (setgroups(n_groups, groups) != 0) {
++                qCritical() << "setgroups() failed for user: " << username;
++                exit (Auth::HELPER_OTHER_ERROR);
++            }
++            delete[] groups;
++        }
++        delete[] pam_groups;
++        delete[] user_groups;
++
++#else
++
+         if (initgroups(pw->pw_name, pw->pw_gid) != 0) {
+             qCritical() << "initgroups(" << pw->pw_name << ", " << pw->pw_gid 
<< ") failed for user: " << username;
+             exit(Auth::HELPER_OTHER_ERROR);
+         }
++
++#endif /* USE_PAM */
++
+         if (setuid(pw->pw_uid) != 0) {
+             qCritical() << "setuid(" << pw->pw_uid << ") failed for user: " 
<< username;
+             exit(Auth::HELPER_OTHER_ERROR);
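Review bot: `getgroups()` returns whatever supplementary groups the helper process holds at this point, not only the ones a PAM module added, so any group the helper inherited from its parent is now passed on to `setgroups()` for the user session, whereas the `initgroups()` path replaces the list from the group database. Please confirm the helper starts with an empty supplementary list, or clear it before the PAM stack runs. In the same block, a `-1` from the sizing call `getgroups(0, NULL)` falls into the `else` branch and is silently treated as zero groups while the second call treats `-1` as fatal; handle both the same way. The comment and commit message name `pam_groups.so`; the module referenced in the Debian bug is `pam_group.so`.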
diff -Nru sddm-0.14.0/debian/patches/series sddm-0.14.0/debian/patches/series
--- sddm-0.14.0/debian/patches/series   2017-03-14 09:50:33.000000000 +0100
+++ sddm-0.14.0/debian/patches/series   2018-07-25 16:45:47.000000000 +0200
@@ -7,3 +7,5 @@
 Fix-display-of-user-avatars.-684.patch
 Add-a-config-option-to-enable-high-DPI-scaling-701.patch
 Regression-fix-disable-HiDPI-by-default.patch
+Honor-PAM-s-ambient-supplemental-groups.-834.patch
+Added-missing-utmp-wtmp-btmp-handling.patch

--- End Message ---
--- Begin Message ---
Version: 9.6

Hi,

The update referenced by each of these bugs was included in this
morning's stretch point release.

Regards,

Adam

--- End Message ---
