sysutils/gksu and sysutils/libgksu: Fix gksudo not running command

This fixes an issue where gksudo would successfully authenticate
the user, but fail to run the requested command. This was caused by
gksudo forking a new PTY, meaning that different TTY was used for the
"sudo -v" command and subsequent "sudo -n ..." command. Whilst this used
to work, newer versions of sudo used per TTY authentication caching.
Patch taken from Arch Linux: https://aur.archlinux.org/packages/libgksu/

Also fixed:
- Made Nautilus plugin optional, so gksu can be installed without GNOME
- Added license details, pet portlint
- Tidied patches: move path fixes into port Makefile
This commit is contained in:
Ben Woods 2018-07-01 15:15:34 +00:00
parent 9b65a2f688
commit 1747513894
Notes: svn2git 2021-03-31 03:12:20 +00:00
svn path=/head/; revision=473672
7 changed files with 400 additions and 67 deletions

View file

@ -3,25 +3,38 @@
PORTNAME= gksu
PORTVERSION= 2.0.2
PORTREVISION= 6
PORTREVISION= 7
CATEGORIES= sysutils
MASTER_SITES= http://people.debian.org/~kov/gksu/
MAINTAINER= ports@FreeBSD.org
COMMENT= Graphical frontend to su
LIB_DEPENDS= libgksu2.so:sysutils/libgksu \
libnautilus-extension.so:x11-fm/nautilus \
libgnome-keyring.so:security/libgnome-keyring
LICENSE= GPLv2+
LICENSE_FILE= ${WRKSRC}/COPYING
LIB_DEPENDS= libfontconfig.so:x11-fonts/fontconfig \
libfreetype.so:print/freetype2 \
libgksu2.so:sysutils/libgksu \
libgnome-keyring.so:security/libgnome-keyring \
libstartup-notification-1.so:x11/startup-notification
USES= gettext-tools gmake libtool pathfix pkgconfig
USE_GNOME= gconf2 gnomeprefix gtk20 intlhack
USE_GNOME= cairo gconf2 gdkpixbuf2 gnomeprefix gtk20 intlhack
GNU_CONFIGURE= yes
USE_LDCONFIG= yes
CPPFLAGS+= -I${LOCALBASE}/include
LDFLAGS+= -L${LOCALBASE}/lib
INSTALL_TARGET= install-strip
OPTIONS_DEFINE= NAUTILUS
OPTIONS_DEFAULT=NAUTILUS
OPTIONS_SUB= yes
NAUTILUS_DESC= Build extension for GNOME file manager
NAUTILUS_CONFIGURE_ENABLE= nautilus-extension
NAUTILUS_LIB_DEPENDS= libnautilus-extension.so:x11-fm/nautilus
post-patch:
@${REINPLACE_CMD} -e 's|glib/gkeyfile.h|glib.h|g' \
${WRKSRC}/nautilus-gksu/libnautilus-gksu.c

View file

@ -1,7 +1,7 @@
bin/gksu
bin/gksudo
lib/nautilus/extensions-2.0/libnautilus-gksu.so
lib/nautilus/extensions-2.0/libnautilus-gksu.a
%%NAUTILUS%%lib/nautilus/extensions-2.0/libnautilus-gksu.so
%%NAUTILUS%%lib/nautilus/extensions-2.0/libnautilus-gksu.a
man/man1/gksu.1.gz
man/man1/gksudo.1.gz
share/applications/gksu.desktop

View file

@ -3,13 +3,16 @@
PORTNAME= libgksu
PORTVERSION= 2.0.12
PORTREVISION= 3
PORTREVISION= 4
CATEGORIES= sysutils
MASTER_SITES= http://people.debian.org/~kov/gksu/
MAINTAINER= ports@FreeBSD.org
COMMENT= Library providing su and sudo functionality
LICENSE= LGPL20+
LICENSE_FILE= ${WRKSRC}/COPYING
LIB_DEPENDS= libgtop-2.0.so:devel/libgtop \
libglade-2.0.so:devel/libglade2 \
libgnome-keyring.so:security/libgnome-keyring \
@ -35,5 +38,15 @@ post-patch:
${WRKSRC}/libgksu/Makefile.in
@${REINPLACE_CMD} '/^libgksuui1_0_la_LIBADD =/s/$$/ -lX11/' \
${WRKSRC}/libgksuui/Makefile.in
@${REINPLACE_CMD} -E \
-e 's|([" ])/bin/su|\1/usr/bin/su|g' \
-e 's|/usr/bin/sudo|${LOCALBASE}/bin/sudo|g' \
-e 's|/usr/bin/xauth|${LOCALBASE}/bin/xauth|g' \
-e 's|/usr/bin/xgettext|${LOCALBASE}/bin/xgettext|g' \
-e 's|/usr/bin/xterm|${LOCALBASE}/bin/xterm|g' \
${WRKSRC}/libgksu/gksu-run-helper.c \
${WRKSRC}/libgksu/libgksu.c \
${WRKSRC}/libgksu/test-gksu.c \
${WRKSRC}/po/*.po
.include <bsd.port.mk>

View file

@ -1,6 +1,6 @@
--- Makefile.in.o 2011-04-13 15:10:53.221097086 +0000
+++ Makefile.in 2011-04-13 15:11:33.181096740 +0000
@@ -747,11 +747,11 @@
@@ -731,11 +731,11 @@
@INTLTOOL_SCHEMAS_RULE@
@GCONF_SCHEMAS_INSTALL_TRUE@install-data-local:

View file

@ -8,14 +8,3 @@
fprintf (stderr, "gksu: waiting\n");
xauth_file = g_strdup_printf ("%s/.Xauthority",
@@ -159,8 +160,8 @@
/* find out where the xauth binary is located */
if (g_file_test ("/usr/bin/xauth", G_FILE_TEST_IS_EXECUTABLE))
xauth_bin = "/usr/bin/xauth";
- else if (g_file_test ("/usr/X11R6/bin/xauth", G_FILE_TEST_IS_EXECUTABLE))
- xauth_bin = "/usr/X11R6/bin/xauth";
+ else if (g_file_test ("/usr/local/bin/xauth", G_FILE_TEST_IS_EXECUTABLE))
+ xauth_bin = "/usr/local/bin/xauth";
else
{
fprintf (stderr,

View file

@ -17,35 +17,6 @@
#include <glibtop.h>
#include <glibtop/procstate.h>
@@ -1089,8 +1091,8 @@
gchar *xauth = g_new0 (gchar, 256);
/* find out where the xauth binary is located */
- if (g_file_test ("/usr/bin/xauth", G_FILE_TEST_IS_EXECUTABLE))
- xauth_bin = "/usr/bin/xauth";
+ if (g_file_test ("/usr/local/bin/xauth", G_FILE_TEST_IS_EXECUTABLE))
+ xauth_bin = "/usr/local/bin/xauth";
else if (g_file_test ("/usr/X11R6/bin/xauth", G_FILE_TEST_IS_EXECUTABLE))
xauth_bin = "/usr/X11R6/bin/xauth";
else
@@ -1976,7 +1978,7 @@
gchar **cmd = g_malloc (sizeof(gchar*)*7);
setsid(); // make us session leader
- cmd[i] = g_strdup ("/bin/su"); i++;
+ cmd[i] = g_strdup ("/usr/bin/su"); i++;
if (context->login_shell)
{
cmd[i] = g_strdup ("-"); i++;
@@ -1998,7 +2000,7 @@
if (execv (cmd[0], cmd) == -1)
{
fprintf (stderr,
- "Unable to run /bin/su: %s",
+ "Unable to run /usr/bin/su: %s",
strerror(errno));
}
@@ -2190,8 +2192,6 @@
write (fdpty, line, strlen(line));
g_free (line);
@ -55,21 +26,3 @@
bzero (buf, 256);
read (fdpty, buf, 255);
@@ -2503,7 +2503,7 @@
if (context->always_ask_password)
{
gint exit_status;
- g_spawn_command_line_sync("/usr/bin/sudo -K", NULL, NULL, &exit_status, NULL);
+ g_spawn_command_line_sync("/usr/local/bin/sudo -K", NULL, NULL, &exit_status, NULL);
}
@@ -2533,7 +2533,7 @@
argcount = 0;
/* sudo binary */
- cmd[argcount] = g_strdup("/usr/bin/sudo");
+ cmd[argcount] = g_strdup("/usr/local/bin/sudo");
argcount++;
if (!context->keep_env)

View file

@ -0,0 +1,365 @@
This patch fixes an issue where gksudo would successfully authenticate
the user, but fail to run the requested command. This was caused by
gksudo forking a new PTY, meaning that different TTY was used for the
"sudo -v" command and subsequent "sudo -n ..." command. Whilst this used
to work, newer versions of sudo used per TTY authentication caching.
Patch taken from Arch Linux: https://aur.archlinux.org/packages/libgksu/
--- libgksu/libgksu.c.orig 2009-06-29 13:48:24.000000000 -0400
+++ libgksu/libgksu.c 2010-01-12 07:32:10.450657456 -0500
@@ -1,7 +1,6 @@
/*
* Gksu -- a library providing access to su functionality
* Copyright (C) 2004-2009 Gustavo Noronha Silva
- * Portions Copyright (C) 2009 VMware, Inc.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
@@ -56,9 +55,6 @@
static void
gksu_context_launch_complete (GksuContext *context);
-static void
-read_line (int fd, gchar *buffer, int n);
-
GType
gksu_error_get_type (void)
{
@@ -2009,8 +2005,6 @@ gksu_su_fuller (GksuContext *context,
for (i = 0 ; cmd[i] != NULL ; i++)
g_free (cmd[i]);
g_free(cmd);
-
- _exit(1);
}
else if (pid == -1)
{
@@ -2125,10 +2119,10 @@ gksu_su_fuller (GksuContext *context,
/* drop the \n echoed on password entry if su did request
a password */
if (password_needed)
- read_line (fdpty, buf, 255);
+ read (fdpty, buf, 255);
if (context->debug)
fprintf (stderr, "DEBUG (run:post-after-pass) buf: -%s-\n", buf);
- read_line (fdpty, buf, 255);
+ read (fdpty, buf, 255);
if (context->debug)
fprintf (stderr, "DEBUG (run:post-after-pass) buf: -%s-\n", buf);
}
@@ -2142,9 +2136,7 @@ gksu_su_fuller (GksuContext *context,
{
int retval = 0;
- /* Red Hat's su shows the full path to su in its error messages. */
- if (!strncmp (buf, "su:", 3) ||
- !strncmp (buf, "/bin/su:", 7))
+ if (!strncmp (buf, "su", 2))
{
gchar **strings;
@@ -2155,11 +2147,7 @@ gksu_su_fuller (GksuContext *context,
}
strings = g_strsplit (buf, ":", 2);
-
- /* Red Hat and Fedora use 'incorrect password'. */
- if (strings[1] &&
- (g_str_has_prefix(strings[1], " Authentication failure") ||
- g_str_has_prefix(strings[1], " incorrect password")))
+ if (strings[1] && !strncmp (strings[1], " Authentication failure", 23))
{
if (used_gnome_keyring)
g_set_error (error, gksu_quark,
@@ -2473,12 +2461,6 @@ gksu_sudo_fuller (GksuContext *context,
{
char **cmd;
char buffer[256] = {0};
- char *child_stderr = NULL;
- /* This command is used to gain a token */
- char *const verifycmd[] =
- {
- "/usr/bin/sudo", "-p", "GNOME_SUDO_PASS", "-v", NULL
- };
int argcount = 8;
int i, j;
@@ -2489,8 +2471,9 @@ gksu_sudo_fuller (GksuContext *context,
pid_t pid;
int status;
- FILE *fdfile = NULL;
- int fdpty = -1;
+ FILE *infile, *outfile;
+ int parent_pipe[2]; /* For talking to the parent */
+ int child_pipe[2]; /* For talking to the child */
context->sudo_mode = TRUE;
@@ -2565,10 +2548,6 @@ gksu_sudo_fuller (GksuContext *context,
cmd[argcount] = g_strdup("-S");
argcount++;
- /* Make sudo noninteractive (we should already have a token) */
- cmd[argcount] = g_strdup("-n");
- argcount++;
-
/* Make sudo use next arg as prompt */
cmd[argcount] = g_strdup("-p");
argcount++;
@@ -2647,21 +2626,26 @@ gksu_sudo_fuller (GksuContext *context,
fprintf (stderr, "cmd[%d]: %s\n", i, cmd[i]);
}
- pid = forkpty(&fdpty, NULL, NULL, NULL);
- if (pid == 0)
+ if ((pipe(parent_pipe)) == -1)
{
- // Child
- setsid(); // make us session leader
-
- execv(verifycmd[0], verifycmd);
+ g_set_error (error, gksu_quark, GKSU_ERROR_PIPE,
+ _("Error creating pipe: %s"),
+ strerror(errno));
+ sudo_reset_xauth (context, xauth, xauth_env);
+ return FALSE;
+ }
- g_set_error (error, gksu_quark, GKSU_ERROR_EXEC,
- _("Failed to exec new process: %s"),
+ if ((pipe(child_pipe)) == -1)
+ {
+ g_set_error (error, gksu_quark, GKSU_ERROR_PIPE,
+ _("Error creating pipe: %s"),
strerror(errno));
sudo_reset_xauth (context, xauth, xauth_env);
return FALSE;
}
- else if (pid == -1)
+
+ pid = fork();
+ if (pid == -1)
{
g_set_error (error, gksu_quark, GKSU_ERROR_FORK,
_("Failed to fork new process: %s"),
@@ -2669,26 +2653,56 @@ gksu_sudo_fuller (GksuContext *context,
sudo_reset_xauth (context, xauth, xauth_env);
return FALSE;
}
+ else if (pid == 0)
+ {
+ // Child
+ setsid(); // make us session leader
+ close(child_pipe[1]);
+ dup2(child_pipe[0], STDIN_FILENO);
+ dup2(parent_pipe[1], STDERR_FILENO);
+ execv(cmd[0], cmd);
+
+ g_set_error (error, gksu_quark, GKSU_ERROR_EXEC,
+ _("Failed to exec new process: %s"),
+ strerror(errno));
+ sudo_reset_xauth (context, xauth, xauth_env);
+ return FALSE;
+ }
else
{
gint counter = 0;
gchar *cmdline = NULL;
- struct termios tio;
// Parent
- fdfile = fdopen(fdpty, "w+");
+ close(parent_pipe[1]);
- /* make sure we notice that ECHO is turned off, if it gets
- turned off */
- tcgetattr (fdpty, &tio);
- for (counter = 0; (tio.c_lflag & ECHO) && counter < 15; counter++)
- {
- usleep (1000);
- tcgetattr (fdpty, &tio);
- }
+ infile = fdopen(parent_pipe[0], "r");
+ if (!infile)
+ {
+ g_set_error (error, gksu_quark, GKSU_ERROR_PIPE,
+ _("Error opening pipe: %s"),
+ strerror(errno));
+ sudo_reset_xauth (context, xauth, xauth_env);
+ return FALSE;
+ }
- fcntl (fdpty, F_SETFL, O_NONBLOCK);
+ outfile = fdopen(child_pipe[1], "w");
+ if (!outfile)
+ {
+ g_set_error (error, gksu_quark, GKSU_ERROR_PIPE,
+ _("Error opening pipe: %s"),
+ strerror(errno));
+ sudo_reset_xauth (context, xauth, xauth_env);
+ return FALSE;
+ }
+
+ /*
+ we are expecting to receive a GNOME_SUDO_PASS
+ if we don't there are two possibilities: an error
+ or a password is not needed
+ */
+ fcntl (parent_pipe[0], F_SETFL, O_NONBLOCK);
{ /* no matter if we can read, since we're using
O_NONBLOCK; this is just to avoid the prompt
@@ -2697,11 +2711,11 @@ gksu_sudo_fuller (GksuContext *context,
struct timeval tv;
FD_ZERO(&rfds);
- FD_SET(fdpty, &rfds);
+ FD_SET(parent_pipe[0], &rfds);
tv.tv_sec = 1;
tv.tv_usec = 0;
- select (fdpty + 1, &rfds, NULL, NULL, &tv);
+ select (parent_pipe[0] + 1, &rfds, NULL, NULL, &tv);
}
/* Try hard to find the prompt; it may happen that we're
@@ -2713,7 +2727,7 @@ gksu_sudo_fuller (GksuContext *context,
if (strncmp (buffer, "GNOME_SUDO_PASS", 15) == 0)
break;
- read_line (fdpty, buffer, 256);
+ read_line (parent_pipe[0], buffer, 256);
if (context->debug)
fprintf (stderr, "buffer: -%s-\n", buffer);
@@ -2747,17 +2761,18 @@ gksu_sudo_fuller (GksuContext *context,
usleep (1000);
- write (fdpty, password, strlen(password) + 1);
- write (fdpty, "\n", 1);
+ fprintf (outfile, "%s\n", password);
+ fclose (outfile);
nullify_password (password);
- fcntl(fdpty, F_SETFL, fcntl(fdpty, F_GETFL) & ~O_NONBLOCK);
+ /* turn NONBLOCK off */
+ fcntl(parent_pipe[0], F_SETFL, fcntl(parent_pipe[0], F_GETFL) & ~O_NONBLOCK);
/* ignore the first newline that comes right after sudo receives
the password */
- fgets (buffer, 255, fdfile);
- /* this is the status we are interested in */
- fgets (buffer, 255, fdfile);
+ fgets (buffer, 255, infile);
+ /* this is the status we are interessted in */
+ fgets (buffer, 255, infile);
}
else
{
@@ -2766,7 +2781,7 @@ gksu_sudo_fuller (GksuContext *context,
fprintf (stderr, "No password prompt found; we'll assume we don't need a password.\n");
/* turn NONBLOCK off, also if have no prompt */
- fcntl(fdpty, F_SETFL, fcntl(fdpty, F_GETFL) & ~O_NONBLOCK);
+ fcntl(parent_pipe[0], F_SETFL, fcntl(parent_pipe[0], F_GETFL) & ~O_NONBLOCK);
should_display = gconf_client_get_bool (context->gconf_client,
BASE_PATH "display-no-pass-info", NULL);
@@ -2785,9 +2800,14 @@ gksu_sudo_fuller (GksuContext *context,
fprintf (stderr, "%s", buffer);
}
- if (g_str_has_prefix (buffer, "Sorry, try again."))
+ if (!strcmp (buffer, "Sorry, try again.\n"))
g_set_error (error, gksu_quark, GKSU_ERROR_WRONGPASS,
_("Wrong password."));
+ else if (!strncmp (buffer, "Sorry, user ", 12))
+ g_set_error (error, gksu_quark, GKSU_ERROR_NOT_ALLOWED,
+ _("The underlying authorization mechanism (sudo) "
+ "does not allow you to run this program. Contact "
+ "the system administrator."));
else
{
gchar *haystack = buffer;
@@ -2805,10 +2825,6 @@ gksu_sudo_fuller (GksuContext *context,
}
}
- /* If we have an error, let's just stop sudo right there. */
- if (error)
- close(fdpty);
-
cmdline = g_strdup("sudo");
/* wait for the child process to end or become something other
than sudo */
@@ -2825,23 +2841,17 @@ gksu_sudo_fuller (GksuContext *context,
if (context->sn_context)
gksu_context_launch_complete (context);
+ while (read (parent_pipe[0], buffer, 255) > 0)
+ {
+ fprintf (stderr, "%s", buffer);
+ bzero(buffer, 256);
+ }
+
/* if the process is still active waitpid() on it */
if (pid_exited != pid)
waitpid(pid, &status, 0);
sudo_reset_xauth (context, xauth, xauth_env);
- /*
- * Did token acquisition succeed? If so, spawn sudo in
- * non-interactive mode. It should either succeed or die
- * immediately if you're not allowed to run the command.
- */
- if (WEXITSTATUS(status) == 0)
- {
- g_spawn_sync(NULL, cmd, NULL, 0, NULL, NULL,
- NULL, &child_stderr, &status,
- error);
- }
-
if (exit_status)
{
if (WIFEXITED(status)) {
@@ -2853,13 +2863,6 @@ gksu_sudo_fuller (GksuContext *context,
if (WEXITSTATUS(status))
{
- if (g_str_has_prefix(child_stderr, "Sorry, user "))
- {
- g_set_error (error, gksu_quark, GKSU_ERROR_NOT_ALLOWED,
- _("The underlying authorization mechanism (sudo) "
- "does not allow you to run this program. Contact "
- "the system administrator."));
- }
if(cmdline)
{
/* sudo already exec()ed something else, don't report
@@ -2868,7 +2871,6 @@ gksu_sudo_fuller (GksuContext *context,
if (!g_str_has_suffix (cmdline, "sudo"))
{
g_free (cmdline);
- g_free (child_stderr);
return FALSE;
}
g_free (cmdline);
@@ -2881,11 +2883,11 @@ gksu_sudo_fuller (GksuContext *context,
}
}
- fprintf(stderr, child_stderr);
- g_free(child_stderr);
-
/* if error is set we have found an error condition */
- return (error == NULL);
+ if (error)
+ return FALSE;
+
+ return TRUE;
}
/**