thanks for doing all the fixes.
As feature freeze is nearing I have uploaded it to the archive. We can still
fix potential regressions after that.
Unfortunately I don't know much about pkexec.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to
This bug was fixed in the package wakeup - 1.2-0ubuntu1
---
wakeup (1.2-0ubuntu1) precise; urgency=low
* New upstream release (LP: #909189).
- Moved from using gksudo to using pkexec. Added policy file.
- Changed weather source to google using python-pywapi
- Added
Thanks for all the help
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/909189
Title:
Request for new upstream version 1.2 upgrade.
To manage notifications about this bug go to:
You can more or less ignore the last post. I'm attaching the debdiff.
Note that I have moved from gksudo to pkexec. Let me know if there are
any errors there.
** Patch added: wakeup_1.2.debdiff
I believe I have fixed these - the only temporary files still used in
/tmp are never used as executables (made by voice_list.sh). For the
sketchy creation of the root playfile, I now have a separate script to
create and write to the file which is run as root so that the file is
created with root
** Changed in: wakeup (Ubuntu)
Status: Fix Committed => In Progress
--
this part looks sketchy, if it is not executed as root in total:
+if self.wakecomputer and not isTmpFile:
+f = tempfile.NamedTemporaryFile()
+f.write(final_text)
+f.seek(0)
+#subprocess.call(['gksudo', '--message', 'testing', 'echo'])
+
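Review bot: `f = tempfile.NamedTemporaryFile()` in the `self.wakecomputer` branch is created by whichever user runs this code, so unless the whole method runs as root, the text written by `f.write(final_text)` is user-owned content that a privileged step would later consume. Create and write the file inside the privileged helper instead, or have that helper verify the content before using it. NamedTemporaryFile also deletes the file when `f` is closed, and the hunk does not show where `f` is closed or handed on, so check that it outlives its use. The commented-out `subprocess.call(['gksudo', ...])` line looks like a debugging leftover and should be dropped.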
I still don't like it, there are race conditions between opening files and
making them root only all over the place.
also you create tempfiles with user permissions but which are then used by root.
sudo mktemp will create files with proper permissions.
For the crontab updating I would not go to
just to illustrate why creating a file and then chmod'ing it is wrong.
I by accident start a script with my normal user permissions which contains
this:
file = inotifywait -e create /path/to/wakup/tmpdir | grep CREATE | awk '{$3}'
echo ... do-bad-stuff file
this can now win the race condition
Okay, I can remove as many temporary files as possible. I'm not sure
which temporary files you're still worried about, though. I thought that
the way I have it temp files are only used by root if they are created
by root. For instance, setnextalarm.py is only ever called by root.
--
** Changed in: wakeup (Ubuntu)
Status: New => Fix Committed
--
Okay, the temporary files I believe are now secure. Any files created in
/tmp are made using mktemp (in bash scripts) or tempfile (in python
scripts). The playable_text file is created (owned) by root and chmod
700 prior to writing if it will be run from root's cron.
I've made a new release on
thanks for incorporating my suggestions. (note subprocess.check_output
only works with python2.7 which is fine in ubuntu but maybe not for all
your other users)
I saw another issue with insecure temporary file use in setnextalarm.py and
alarm.py and most scripts.
please use tempfile.TemporaryFile
Thanks for looking through this all carefully, I really appreciate it.
Does this apply to temporary files kept within the user's home
directory? The temporary file created in wakeup-settings (tmpPlayFile),
for instance is contained in ~/.wakeup/ and should be accessible only by
the user and root.
tempfiles in ~ are ok if they have correct permissions. But their
content should not be used by privileged processes unverified
(especially not as root's crontab).
--
Okay, thanks. Just for clarification, do such temporary files need to be
generated randomly? There are 2 files I am specifically concerned about.
These are the files which play the actual alarms (ie, the alarms are
executable bash scripts called by /usr/bin/wakeup):
1. ~/.wakeup/playable_tmp:
within home the filename is not important as only the user and root should have
access to it. So 1. should be no problem
2. on the other hand can be if the script, which will be executed by root, can
be edited without root rights.
the script run by root must only be writeable by root.
--
Hm, okay. A sudo password is requested to create the file if it will be
executed by root. Does this mean that as long as I alter the permissions
of the file upon creation such that only root can write to it later
(chown root; chmod 700), then it should be secure?
--
you must create it with the right permissions to begin with.
Else you have a race condition where an unprivileged user could write to the file
before the permissions are changed.
--
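The point made in the reply above (create the file with the right permissions to begin with), as an added Python example that is not part of the thread or of wakeup's code. The function names and the paths are hypothetical; in real use `create_restricted` would run inside the root helper, so the file is also root-owned from the moment it exists.

```python
import os
import stat
import tempfile


def create_then_chmod(path):
    """Create first, restrict afterwards (the pattern criticised above).
    Returns the mode the file carried between creation and chmod."""
    old_umask = os.umask(0o022)  # a typical default umask
    try:
        with open(path, "w") as f:
            # Window: the file already exists with default owner and mode.
            window_mode = stat.S_IMODE(os.stat(path).st_mode)
            os.chmod(path, 0o700)
            f.write("#!/bin/sh\n")
    finally:
        os.umask(old_umask)
    return window_mode


def create_restricted(path, data, mode=0o700):
    """Create the file with its final mode in the creating syscall.
    O_EXCL fails if anything already exists at path (a pre-planted file or
    symlink); O_NOFOLLOW refuses a symlink as the last path component."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open(path, flags, mode)
    try:
        # umask can only clear bits, so the file was never wider than `mode`;
        # fchmod on the open descriptor just makes the mode exact.
        os.fchmod(fd, mode)
        os.write(fd, data)
        return stat.S_IMODE(os.fstat(fd).st_mode)
    finally:
        os.close(fd)


if __name__ == "__main__":
    # Constructed sample run inside a private temporary directory.
    with tempfile.TemporaryDirectory() as d:
        print("mode during window:", oct(create_then_chmod(os.path.join(d, "a"))))
        print("mode at creation:  ", oct(create_restricted(os.path.join(d, "b"),
                                                           b"#!/bin/sh\n")))
        os.symlink(os.path.join(d, "a"), os.path.join(d, "c"))  # pre-planted name
        try:
            create_restricted(os.path.join(d, "c"), b"x")
        except FileExistsError:
            print("pre-existing path refused")
```
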
Okay, so the changes now are:
wrap-and-sort debian/
converted to dep5 format
used dh_python2
removed all calls to os.system and commands.get(status)output
added some other bug fixes
The new changelog is as follows:
wakeup (1.2-0ubuntu1) precise; urgency=low
* New upstream release (LP:
thanks for your contribution to ubuntu.
I modified the debdiff a bit adding this:
* wrap-and-sort debian/
* convert copyright to dep5 format
* use dh_python2 instead of pysupport
please review the changes I made and check if the package still works
correctly. the largest change is the use
** Tags added: upgrade-software-version
--
Debdiff is attached here.
** Patch added: wakeup_1.2.debdiff
https://bugs.launchpad.net/ubuntu/+source/wakeup/+bug/909189/+attachment/2648659/+files/wakeup_1.2.debdiff
--
Most recent portion of changelog:
wakeup (1.2-0ubuntu1) precise; urgency=low
* New upstream release (LP: #909189).
- Changed weather source to google using python-pywapi
- Added location.py in wakeup directory as plugin helper
- Added plugin Commands which allows arbitrary user
** Changed in: wakeup (Ubuntu)
Assignee: (unassigned) => newbuntu (dsglass)
--