sysutils/gksu and sysutils/libgksu: Fix gksudo not running command

This fixes an issue where gksudo would successfully authenticate the user, but fail to run the requested command. This was caused by gksudo forking a new PTY, meaning that different TTY was used for the "sudo -v" command and subsequent "sudo -n ..." command. Whilst this used to work, newer versions of sudo used per TTY authentication caching. Patch taken from Arch Linux: https://aur.archlinux.org/packages/libgksu/ Also fixed: - Made Nautilus plugin optional, so gksu can be installed without GNOME - Added license details, pet portlint - Tidied patches: move path fixes into port Makefile
svn path=/head/; revision=473672
2018-07-01 15:15:34 +00:00 · 2018-07-01 15:15:34 +00:00 · 1747513894 · 2021-03-31 03:12:20 +00:00
commit 1747513894
parent 9b65a2f688
7 changed files with 400 additions and 67 deletions
--- a/sysutils/gksu/Makefile
+++ b/sysutils/gksu/Makefile
@ -3,25 +3,38 @@

 PORTNAME=	gksu
 PORTVERSION=	2.0.2
-PORTREVISION=	6
+PORTREVISION=	7
 CATEGORIES=	sysutils
 MASTER_SITES=	http://people.debian.org/~kov/gksu/

 MAINTAINER=	ports@FreeBSD.org
 COMMENT=	Graphical frontend to su

-LIB_DEPENDS=	libgksu2.so:sysutils/libgksu \
-		libnautilus-extension.so:x11-fm/nautilus \
-		libgnome-keyring.so:security/libgnome-keyring
+LICENSE=	GPLv2+
+LICENSE_FILE=	${WRKSRC}/COPYING
+
+LIB_DEPENDS=	libfontconfig.so:x11-fonts/fontconfig \
+		libfreetype.so:print/freetype2 \
+		libgksu2.so:sysutils/libgksu \
+		libgnome-keyring.so:security/libgnome-keyring \
+		libstartup-notification-1.so:x11/startup-notification

 USES=		gettext-tools gmake libtool pathfix pkgconfig
-USE_GNOME=	gconf2 gnomeprefix gtk20 intlhack
+USE_GNOME=	cairo gconf2 gdkpixbuf2 gnomeprefix gtk20 intlhack
 GNU_CONFIGURE=	yes
 USE_LDCONFIG=	yes
 CPPFLAGS+=	-I${LOCALBASE}/include
 LDFLAGS+=	-L${LOCALBASE}/lib
 INSTALL_TARGET=	install-strip

+OPTIONS_DEFINE=	NAUTILUS
+OPTIONS_DEFAULT=NAUTILUS
+OPTIONS_SUB=	yes
+
+NAUTILUS_DESC=			Build extension for GNOME file manager
+NAUTILUS_CONFIGURE_ENABLE=	nautilus-extension
+NAUTILUS_LIB_DEPENDS=		libnautilus-extension.so:x11-fm/nautilus
+
 post-patch:
 	@${REINPLACE_CMD} -e 's|glib/gkeyfile.h|glib.h|g' \
 		${WRKSRC}/nautilus-gksu/libnautilus-gksu.c
--- a/sysutils/gksu/pkg-plist
+++ b/sysutils/gksu/pkg-plist
@ -1,7 +1,7 @@
 bin/gksu
 bin/gksudo
-lib/nautilus/extensions-2.0/libnautilus-gksu.so
-lib/nautilus/extensions-2.0/libnautilus-gksu.a
+%%NAUTILUS%%lib/nautilus/extensions-2.0/libnautilus-gksu.so
+%%NAUTILUS%%lib/nautilus/extensions-2.0/libnautilus-gksu.a
 man/man1/gksu.1.gz
 man/man1/gksudo.1.gz
 share/applications/gksu.desktop
--- a/sysutils/libgksu/Makefile
+++ b/sysutils/libgksu/Makefile
@ -3,13 +3,16 @@

 PORTNAME=	libgksu
 PORTVERSION=	2.0.12
-PORTREVISION=	3
+PORTREVISION=	4
 CATEGORIES=	sysutils
 MASTER_SITES=	http://people.debian.org/~kov/gksu/

 MAINTAINER=	ports@FreeBSD.org
 COMMENT=	Library providing su and sudo functionality

+LICENSE=	LGPL20+
+LICENSE_FILE=	${WRKSRC}/COPYING
+
 LIB_DEPENDS=	libgtop-2.0.so:devel/libgtop \
 		libglade-2.0.so:devel/libglade2 \
 		libgnome-keyring.so:security/libgnome-keyring \
@ -35,5 +38,15 @@ post-patch:
 		${WRKSRC}/libgksu/Makefile.in
 	@${REINPLACE_CMD} '/^libgksuui1_0_la_LIBADD =/s/$$/ -lX11/' \
 		${WRKSRC}/libgksuui/Makefile.in
+	@${REINPLACE_CMD} -E \
+		-e 's|([" ])/bin/su|\1/usr/bin/su|g' \
+		-e 's|/usr/bin/sudo|${LOCALBASE}/bin/sudo|g' \
+		-e 's|/usr/bin/xauth|${LOCALBASE}/bin/xauth|g' \
+		-e 's|/usr/bin/xgettext|${LOCALBASE}/bin/xgettext|g' \
+		-e 's|/usr/bin/xterm|${LOCALBASE}/bin/xterm|g' \
+		${WRKSRC}/libgksu/gksu-run-helper.c \
+		${WRKSRC}/libgksu/libgksu.c \
+		${WRKSRC}/libgksu/test-gksu.c \
+		${WRKSRC}/po/*.po

 .include <bsd.port.mk>
--- a/sysutils/libgksu/files/patch-Makefile.in
+++ b/sysutils/libgksu/files/patch-Makefile.in
@ -1,6 +1,6 @@
 --- Makefile.in.o	2011-04-13 15:10:53.221097086 +0000
 +++ Makefile.in	2011-04-13 15:11:33.181096740 +0000
-@@ -747,11 +747,11 @@
+@@ -731,11 +731,11 @@
 @INTLTOOL_SCHEMAS_RULE@
 
 @GCONF_SCHEMAS_INSTALL_TRUE@install-data-local:
--- a/sysutils/libgksu/files/patch-libgksu_gksu-run-helper.c
+++ b/sysutils/libgksu/files/patch-libgksu_gksu-run-helper.c
@ -8,14 +8,3 @@
   fprintf (stderr, "gksu: waiting\n");
 
   xauth_file = g_strdup_printf ("%s/.Xauthority",
-@@ -159,8 +160,8 @@
-     /* find out where the xauth binary is located */
-     if (g_file_test ("/usr/bin/xauth", G_FILE_TEST_IS_EXECUTABLE))
-       xauth_bin = "/usr/bin/xauth";
-    else if (g_file_test ("/usr/X11R6/bin/xauth", G_FILE_TEST_IS_EXECUTABLE))
-      xauth_bin = "/usr/X11R6/bin/xauth";
-+    else if (g_file_test ("/usr/local/bin/xauth", G_FILE_TEST_IS_EXECUTABLE))
-+      xauth_bin = "/usr/local/bin/xauth";
-     else
-       {
- 	fprintf (stderr,
--- a/sysutils/libgksu/files/patch-libgksu_libgksu.c
+++ b/sysutils/libgksu/files/patch-libgksu_libgksu.c
@ -17,35 +17,6 @@
 
 #include <glibtop.h>
 #include <glibtop/procstate.h>
-@@ -1089,8 +1091,8 @@
-   gchar *xauth = g_new0 (gchar, 256);
- 
-   /* find out where the xauth binary is located */
-  if (g_file_test ("/usr/bin/xauth", G_FILE_TEST_IS_EXECUTABLE))
-    xauth_bin = "/usr/bin/xauth";
-+  if (g_file_test ("/usr/local/bin/xauth", G_FILE_TEST_IS_EXECUTABLE))
-+    xauth_bin = "/usr/local/bin/xauth";
-   else if (g_file_test ("/usr/X11R6/bin/xauth", G_FILE_TEST_IS_EXECUTABLE))
-     xauth_bin = "/usr/X11R6/bin/xauth";
-   else
-@@ -1976,7 +1978,7 @@
-       gchar **cmd = g_malloc (sizeof(gchar*)*7);
- 
-       setsid();   // make us session leader
-      cmd[i] = g_strdup ("/bin/su"); i++;
-+      cmd[i] = g_strdup ("/usr/bin/su"); i++;
-       if (context->login_shell)
- 	{
- 	  cmd[i] = g_strdup ("-"); i++;
-@@ -1998,7 +2000,7 @@
-       if (execv (cmd[0], cmd) == -1)
- 	{
- 	  fprintf (stderr,
-		   "Unable to run /bin/su: %s",
-+		   "Unable to run /usr/bin/su: %s",
- 		   strerror(errno));
- 	}
- 
@@ -2190,8 +2192,6 @@
 	      write (fdpty, line, strlen(line));
 	      g_free (line);
@ -55,21 +26,3 @@
 	      bzero (buf, 256);
 	      read (fdpty, buf, 255);
 
-@@ -2503,7 +2503,7 @@
-   if (context->always_ask_password)
-     {
-        gint exit_status;
-       g_spawn_command_line_sync("/usr/bin/sudo -K", NULL, NULL, &exit_status, NULL);
-+       g_spawn_command_line_sync("/usr/local/bin/sudo -K", NULL, NULL, &exit_status, NULL);
-     }
- 
- 
-@@ -2533,7 +2533,7 @@
-   argcount = 0;
- 
-   /* sudo binary */
-  cmd[argcount] = g_strdup("/usr/bin/sudo");
-+  cmd[argcount] = g_strdup("/usr/local/bin/sudo");
-   argcount++;
- 
-   if (!context->keep_env)
--- a/sysutils/libgksu/files/patch-revert-forkpty
+++ b/sysutils/libgksu/files/patch-revert-forkpty
@ -0,0 +1,365 @@
+This patch fixes an issue where gksudo would successfully authenticate
+the user, but fail to run the requested command. This was caused by
+gksudo forking a new PTY, meaning that different TTY was used for the
+"sudo -v" command and subsequent "sudo -n ..." command. Whilst this used
+to work, newer versions of sudo used per TTY authentication caching.
+Patch taken from Arch Linux: https://aur.archlinux.org/packages/libgksu/
+
+--- libgksu/libgksu.c.orig	2009-06-29 13:48:24.000000000 -0400
+++ libgksu/libgksu.c	2010-01-12 07:32:10.450657456 -0500
+@@ -1,7 +1,6 @@
+ /*
+  * Gksu -- a library providing access to su functionality
+  * Copyright (C) 2004-2009 Gustavo Noronha Silva
+- * Portions Copyright (C) 2009 VMware, Inc.
+  *
+  * This library is free software; you can redistribute it and/or
+  * modify it under the terms of the GNU Lesser General Public
+@@ -56,9 +55,6 @@
+ static void
+ gksu_context_launch_complete (GksuContext *context);
+ 
+-static void
+-read_line (int fd, gchar *buffer, int n);
+-
+ GType
+ gksu_error_get_type (void)
+ {
+@@ -2009,8 +2005,6 @@ gksu_su_fuller (GksuContext *context,
+       for (i = 0 ; cmd[i] != NULL ; i++)
+ 	g_free (cmd[i]);
+       g_free(cmd);
+-
+-      _exit(1);
+     }
+   else if (pid == -1)
+     {
+@@ -2125,10 +2119,10 @@ gksu_su_fuller (GksuContext *context,
+ 	  /* drop the \n echoed on password entry if su did request
+ 	     a password */
+ 	  if (password_needed)
+-	    read_line (fdpty, buf, 255);
+	    read (fdpty, buf, 255);
+ 	  if (context->debug)
+ 	    fprintf (stderr, "DEBUG (run:post-after-pass) buf: -%s-\n", buf);
+-	  read_line (fdpty, buf, 255);
+	  read (fdpty, buf, 255);
+ 	  if (context->debug)
+ 	    fprintf (stderr, "DEBUG (run:post-after-pass) buf: -%s-\n", buf);
+ 	}
+@@ -2142,9 +2136,7 @@ gksu_su_fuller (GksuContext *context,
+ 	{
+ 	  int retval = 0;
+ 
+-	  /* Red Hat's su shows the full path to su in its error messages. */
+-	  if (!strncmp (buf, "su:", 3) ||
+-	      !strncmp (buf, "/bin/su:", 7))
+	  if (!strncmp (buf, "su", 2))
+ 	    {
+ 	      gchar **strings;
+ 
+@@ -2155,11 +2147,7 @@ gksu_su_fuller (GksuContext *context,
+ 		}
+ 
+ 	      strings = g_strsplit (buf, ":", 2);
+-
+-	      /* Red Hat and Fedora use 'incorrect password'. */
+-	      if (strings[1] &&
+-	          (g_str_has_prefix(strings[1], " Authentication failure") ||
+-	           g_str_has_prefix(strings[1], " incorrect password")))
+	      if (strings[1] && !strncmp (strings[1], " Authentication failure", 23))
+ 		{
+ 		  if (used_gnome_keyring)
+ 		    g_set_error (error, gksu_quark,
+@@ -2473,12 +2461,6 @@ gksu_sudo_fuller (GksuContext *context,
+ {
+   char **cmd;
+   char buffer[256] = {0};
+-  char *child_stderr = NULL;
+-  /* This command is used to gain a token */
+-  char *const verifycmd[] =
+-    {
+-      "/usr/bin/sudo", "-p", "GNOME_SUDO_PASS", "-v", NULL
+-    };
+   int argcount = 8;
+   int i, j;
+ 
+@@ -2489,8 +2471,9 @@ gksu_sudo_fuller (GksuContext *context,
+ 
+   pid_t pid;
+   int status;
+-  FILE *fdfile = NULL;
+-  int fdpty = -1;
+  FILE *infile, *outfile;
+  int parent_pipe[2];	/* For talking to the parent */
+  int child_pipe[2];	/* For talking to the child */
+ 
+   context->sudo_mode = TRUE;
+ 
+@@ -2565,10 +2548,6 @@ gksu_sudo_fuller (GksuContext *context,
+   cmd[argcount] = g_strdup("-S");
+   argcount++;
+ 
+-  /* Make sudo noninteractive (we should already have a token) */
+-  cmd[argcount] = g_strdup("-n");
+-  argcount++;
+-
+   /* Make sudo use next arg as prompt */
+   cmd[argcount] = g_strdup("-p");
+   argcount++;
+@@ -2647,21 +2626,26 @@ gksu_sudo_fuller (GksuContext *context,
+ 	fprintf (stderr, "cmd[%d]: %s\n", i, cmd[i]);
+     }
+ 
+-  pid = forkpty(&fdpty, NULL, NULL, NULL);
+-  if (pid == 0)
+  if ((pipe(parent_pipe)) == -1)
+     {
+-      // Child
+-      setsid();   // make us session leader
+-
+-      execv(verifycmd[0], verifycmd);
+      g_set_error (error, gksu_quark, GKSU_ERROR_PIPE,
+		   _("Error creating pipe: %s"),
+		   strerror(errno));
+      sudo_reset_xauth (context, xauth, xauth_env);
+      return FALSE;
+    }
+ 
+-      g_set_error (error, gksu_quark, GKSU_ERROR_EXEC,
+-		   _("Failed to exec new process: %s"),
+  if ((pipe(child_pipe)) == -1)
+    {
+      g_set_error (error, gksu_quark, GKSU_ERROR_PIPE,
+		   _("Error creating pipe: %s"),
+ 		   strerror(errno));
+       sudo_reset_xauth (context, xauth, xauth_env);
+       return FALSE;
+     }
+-  else if (pid == -1)
+
+  pid = fork();
+  if (pid == -1)
+     {
+       g_set_error (error, gksu_quark, GKSU_ERROR_FORK,
+ 		   _("Failed to fork new process: %s"),
+@@ -2669,26 +2653,56 @@ gksu_sudo_fuller (GksuContext *context,
+       sudo_reset_xauth (context, xauth, xauth_env);
+       return FALSE;
+     }
+  else if (pid == 0)
+    {
+      // Child
+      setsid();   // make us session leader
+      close(child_pipe[1]);
+      dup2(child_pipe[0], STDIN_FILENO);
+      dup2(parent_pipe[1], STDERR_FILENO);
+ 
+      execv(cmd[0], cmd);
+
+      g_set_error (error, gksu_quark, GKSU_ERROR_EXEC,
+		   _("Failed to exec new process: %s"),
+		   strerror(errno));
+      sudo_reset_xauth (context, xauth, xauth_env);
+      return FALSE;
+    }
+   else
+     {
+       gint counter = 0;
+       gchar *cmdline = NULL;
+-      struct termios tio;
+ 
+       // Parent
+-      fdfile = fdopen(fdpty, "w+");
+      close(parent_pipe[1]);
+ 
+-      /* make sure we notice that ECHO is turned off, if it gets
+-         turned off */
+-      tcgetattr (fdpty, &tio);
+-      for (counter = 0; (tio.c_lflag & ECHO) && counter < 15; counter++)
+-      {
+-        usleep (1000);
+-        tcgetattr (fdpty, &tio);
+-      }
+      infile = fdopen(parent_pipe[0], "r");
+      if (!infile)
+	{
+	  g_set_error (error, gksu_quark, GKSU_ERROR_PIPE,
+		       _("Error opening pipe: %s"),
+		       strerror(errno));
+	  sudo_reset_xauth (context, xauth, xauth_env);
+	  return FALSE;
+	}
+ 
+-      fcntl (fdpty, F_SETFL, O_NONBLOCK);
+      outfile = fdopen(child_pipe[1], "w");
+      if (!outfile)
+	{
+	  g_set_error (error, gksu_quark, GKSU_ERROR_PIPE,
+		       _("Error opening pipe: %s"),
+		       strerror(errno));
+	  sudo_reset_xauth (context, xauth, xauth_env);
+	  return FALSE;
+	}
+
+      /*
+	we are expecting to receive a GNOME_SUDO_PASS
+	if we don't there are two possibilities: an error
+	or a password is not needed
+      */
+      fcntl (parent_pipe[0], F_SETFL, O_NONBLOCK);
+ 
+       { /* no matter if we can read, since we're using
+ 	   O_NONBLOCK; this is just to avoid the prompt
+@@ -2697,11 +2711,11 @@ gksu_sudo_fuller (GksuContext *context,
+ 	struct timeval tv;
+ 
+ 	FD_ZERO(&rfds);
+-	FD_SET(fdpty, &rfds);
+	FD_SET(parent_pipe[0], &rfds);
+ 	tv.tv_sec = 1;
+ 	tv.tv_usec = 0;
+ 
+-	select (fdpty + 1, &rfds, NULL, NULL, &tv);
+	select (parent_pipe[0] + 1, &rfds, NULL, NULL, &tv);
+       }
+ 
+       /* Try hard to find the prompt; it may happen that we're
+@@ -2713,7 +2727,7 @@ gksu_sudo_fuller (GksuContext *context,
+ 	  if (strncmp (buffer, "GNOME_SUDO_PASS", 15) == 0)
+ 	    break;
+ 
+-	  read_line (fdpty, buffer, 256);
+	  read_line (parent_pipe[0], buffer, 256);
+ 
+ 	  if (context->debug)
+ 	    fprintf (stderr, "buffer: -%s-\n", buffer);
+@@ -2747,17 +2761,18 @@ gksu_sudo_fuller (GksuContext *context,
+ 
+ 	  usleep (1000);
+ 
+-	  write (fdpty, password, strlen(password) + 1);
+-	  write (fdpty, "\n", 1);
+	  fprintf (outfile, "%s\n", password);
+	  fclose (outfile);
+ 
+ 	  nullify_password (password);
+ 
+-	  fcntl(fdpty, F_SETFL, fcntl(fdpty, F_GETFL) & ~O_NONBLOCK);
+	  /* turn NONBLOCK off */
+	  fcntl(parent_pipe[0], F_SETFL, fcntl(parent_pipe[0], F_GETFL) & ~O_NONBLOCK);
+ 	  /* ignore the first newline that comes right after sudo receives
+ 	     the password */
+-	  fgets (buffer, 255, fdfile);
+-	  /* this is the status we are interested in */
+-	  fgets (buffer, 255, fdfile);
+	  fgets (buffer, 255, infile);
+	  /* this is the status we are interessted in */
+	  fgets (buffer, 255, infile);
+ 	}
+       else
+ 	{
+@@ -2766,7 +2781,7 @@ gksu_sudo_fuller (GksuContext *context,
+ 	    fprintf (stderr, "No password prompt found; we'll assume we don't need a password.\n");
+ 
+           /* turn NONBLOCK off, also if have no prompt */
+-          fcntl(fdpty, F_SETFL, fcntl(fdpty, F_GETFL) & ~O_NONBLOCK);
+          fcntl(parent_pipe[0], F_SETFL, fcntl(parent_pipe[0], F_GETFL) & ~O_NONBLOCK);
+ 
+ 	  should_display = gconf_client_get_bool (context->gconf_client,
+ 						  BASE_PATH "display-no-pass-info", NULL);
+@@ -2785,9 +2800,14 @@ gksu_sudo_fuller (GksuContext *context,
+ 	  fprintf (stderr, "%s", buffer);
+ 	}
+ 
+-      if (g_str_has_prefix (buffer, "Sorry, try again."))
+      if (!strcmp (buffer, "Sorry, try again.\n"))
+ 	g_set_error (error, gksu_quark, GKSU_ERROR_WRONGPASS,
+ 		     _("Wrong password."));
+      else if (!strncmp (buffer, "Sorry, user ", 12))
+	g_set_error (error, gksu_quark, GKSU_ERROR_NOT_ALLOWED,
+		     _("The underlying authorization mechanism (sudo) "
+		       "does not allow you to run this program. Contact "
+		       "the system administrator."));
+       else
+ 	{
+ 	  gchar *haystack = buffer;
+@@ -2805,10 +2825,6 @@ gksu_sudo_fuller (GksuContext *context,
+ 	    }
+ 	}
+ 
+-      /* If we have an error, let's just stop sudo right there. */
+-      if (error)
+-        close(fdpty);
+-
+       cmdline = g_strdup("sudo");
+       /* wait for the child process to end or become something other
+ 	 than sudo */
+@@ -2825,23 +2841,17 @@ gksu_sudo_fuller (GksuContext *context,
+       if (context->sn_context)
+ 	gksu_context_launch_complete (context);
+ 
+      while (read (parent_pipe[0], buffer, 255) > 0)
+	{
+	  fprintf (stderr, "%s", buffer);
+	  bzero(buffer, 256);
+	}
+
+       /* if the process is still active waitpid() on it */
+       if (pid_exited != pid)
+ 	waitpid(pid, &status, 0);
+       sudo_reset_xauth (context, xauth, xauth_env);
+ 
+-      /*
+-       * Did token acquisition succeed? If so, spawn sudo in
+-       * non-interactive mode. It should either succeed or die
+-       * immediately if you're not allowed to run the command.
+-       */
+-      if (WEXITSTATUS(status) == 0)
+-        {
+-          g_spawn_sync(NULL, cmd, NULL, 0, NULL, NULL,
+-                       NULL, &child_stderr, &status,
+-                       error);
+-        }
+-
+       if (exit_status)
+       {
+       	if (WIFEXITED(status)) {
+@@ -2853,13 +2863,6 @@ gksu_sudo_fuller (GksuContext *context,
+ 
+       if (WEXITSTATUS(status))
+ 	{
+-          if (g_str_has_prefix(child_stderr, "Sorry, user "))
+-            {
+-              g_set_error (error, gksu_quark, GKSU_ERROR_NOT_ALLOWED,
+-                           _("The underlying authorization mechanism (sudo) "
+-                             "does not allow you to run this program. Contact "
+-                             "the system administrator."));
+-            }
+ 	  if(cmdline)
+ 	    {
+ 	      /* sudo already exec()ed something else, don't report
+@@ -2868,7 +2871,6 @@ gksu_sudo_fuller (GksuContext *context,
+ 	      if (!g_str_has_suffix (cmdline, "sudo"))
+ 		{
+ 		  g_free (cmdline);
+-		  g_free (child_stderr);
+ 		  return FALSE;
+ 		}
+ 	      g_free (cmdline);
+@@ -2881,11 +2883,11 @@ gksu_sudo_fuller (GksuContext *context,
+ 	}
+     }
+ 
+-  fprintf(stderr, child_stderr);
+-  g_free(child_stderr);
+-
+   /* if error is set we have found an error condition */
+-  return (error == NULL);
+  if (error)
+    return FALSE;
+
+  return TRUE;
+ }
+ 
+ /**