4 files changed, 403 insertions, 0 deletions
diff --git a/x11-misc/sddm/files/sddm-0.18.1-honor-PAM-supplemental-groups-v2.patch b/x11-misc/sddm/files/sddm-0.18.1-honor-PAM-supplemental-groups-v2.patch
new file mode 100644
index 000000000000..f4ce7ae7ad73
--- /dev/null
+++ b/x11-misc/sddm/files/sddm-0.18.1-honor-PAM-supplemental-groups-v2.patch
@@ -0,0 +1,182 @@
+From 75e6e00d9e1ecf25e3a9c8332530a1e40d737cdb Mon Sep 17 00:00:00 2001
+From: "J. Konrad Tegtmeier-Rottach" <jktr@0x16.de>
+Date: Thu, 9 May 2019 03:06:48 +0200
+Subject: [PATCH] Honor PAM's supplemental groups (v2) (#834, #1159)
+
+This moves the supplemental group initialization step from
+UserSession.cpp to the Backend system, so that the Pam Backend can
+inject additional supplemental groups via modules like pam_group.so.
+
+pam_setcred(3) assumes that it operates on an already initialized
+supplemental group list. However, PamBackend calls
+pam_setcred(PAM_ESTABLISH_CRED) earlier, at the start
+PamBackend::openSession, so a pam_setcred(PAM_REINITIALIZE_CRED) call
+must be issued to repeat the injection of PAM's supplemental groups.
+---
+ src/helper/Backend.cpp | 5 +++++
+ src/helper/Backend.h | 3 +++
+ src/helper/HelperApp.cpp | 4 ++++
+ src/helper/HelperApp.h | 1 +
+ src/helper/UserSession.cpp | 13 ++++++++-----
+ src/helper/backend/PamBackend.cpp | 18 ++++++++++++++++++
+ src/helper/backend/PamBackend.h | 2 ++
+ 7 files changed, 41 insertions(+), 5 deletions(-)
+
+diff --git a/src/helper/Backend.cpp b/src/helper/Backend.cpp
+index d6bb4d0a..35ae2bdf 100644
+--- a/src/helper/Backend.cpp
++++ b/src/helper/Backend.cpp
+@@ -29,6 +29,7 @@
+ #include <QtCore/QProcessEnvironment>
+ 
+ #include <pwd.h>
++#include <grp.h>
+ 
+ namespace SDDM {
+ Backend::Backend(HelperApp* parent)
+@@ -79,4 +80,8 @@ namespace SDDM {
+ bool Backend::closeSession() {
+ return true;
+ }
++
++ bool Backend::setupSupplementalGroups(struct passwd *pw) {
++ return !initgroups(pw->pw_name, pw->pw_gid);
++ }
+ }
+diff --git a/src/helper/Backend.h b/src/helper/Backend.h
+index b790e001..3caf1592 100644
+--- a/src/helper/Backend.h
++++ b/src/helper/Backend.h
+@@ -22,6 +22,7 @@
+ #define BACKEND_H
+ 
+ #include <QtCore/QObject>
++#include <pwd.h>
+ 
+ namespace SDDM {
+ class HelperApp;
+@@ -38,6 +39,8 @@ namespace SDDM {
+ void setAutologin(bool on = true);
+ void setGreeter(bool on = true);
+ 
++ virtual bool setupSupplementalGroups(struct passwd *pw);
++
+ public slots:
+ virtual bool start(const QString &user = QString()) = 0;
+ virtual bool authenticate() = 0;
+diff --git a/src/helper/HelperApp.cpp b/src/helper/HelperApp.cpp
+index cad93bd8..d0891d75 100644
+--- a/src/helper/HelperApp.cpp
++++ b/src/helper/HelperApp.cpp
+@@ -253,6 +253,10 @@ namespace SDDM {
+ return m_session;
+ }
+ 
++ Backend *HelperApp::backend() {
++ return m_backend;
++ }
++
+ const QString& HelperApp::user() const {
+ return m_user;
+ }
+diff --git a/src/helper/HelperApp.h b/src/helper/HelperApp.h
+index 3742df12..cb5959a7 100644
+--- a/src/helper/HelperApp.h
++++ b/src/helper/HelperApp.h
+@@ -39,6 +39,7 @@ namespace SDDM {
+ virtual ~HelperApp();
+ 
+ UserSession *session();
++ Backend *backend();
+ const QString &user() const;
+ const QString &cookie() const;
+ 
+diff --git a/src/helper/UserSession.cpp b/src/helper/UserSession.cpp
+index f71fd358..62fd4d70 100644
+--- a/src/helper/UserSession.cpp
++++ b/src/helper/UserSession.cpp
+@@ -19,6 +19,7 @@
+ *
+ */
+ 
++#include "Backend.h"
+ #include "Configuration.h"
+ #include "UserSession.h"
+ #include "HelperApp.h"
+@@ -129,7 +130,8 @@ namespace SDDM {
+ #endif
+ 
+ // switch user
+- const QByteArray username = qobject_cast<HelperApp*>(parent())->user().toLocal8Bit();
++ HelperApp* app = qobject_cast<HelperApp*>(parent());
++ const QByteArray username = app->user().toLocal8Bit();
+ struct passwd pw;
+ struct passwd *rpw;
+ long bufsize = sysconf(_SC_GETPW_R_SIZE_MAX);
+@@ -146,12 +148,13 @@ namespace SDDM {
+ qCritical() << "getpwnam_r(" << username << ") failed with error: " << strerror(err);
+ exit(Auth::HELPER_OTHER_ERROR);
+ }
+- if (setgid(pw.pw_gid) != 0) {
+- qCritical() << "setgid(" << pw.pw_gid << ") failed for user: " << username;
++
++ if (!app->backend()->setupSupplementalGroups(&pw)) {
++ qCritical() << "failed to set up supplemental groups for user: " << username;
+ exit(Auth::HELPER_OTHER_ERROR);
+ }
+- if (initgroups(pw.pw_name, pw.pw_gid) != 0) {
+- qCritical() << "initgroups(" << pw.pw_name << ", " << pw.pw_gid << ") failed for user: " << username;
++ if (setgid(pw.pw_gid) != 0) {
++ qCritical() << "setgid(" << pw.pw_gid << ") failed for user: " << username;
+ exit(Auth::HELPER_OTHER_ERROR);
+ }
+ if (setuid(pw.pw_uid) != 0) {
+diff --git a/src/helper/backend/PamBackend.cpp b/src/helper/backend/PamBackend.cpp
+index f86d77d6..cccfa258 100644
+--- a/src/helper/backend/PamBackend.cpp
++++ b/src/helper/backend/PamBackend.cpp
+@@ -289,6 +289,24 @@ namespace SDDM {
+ return QString::fromLocal8Bit((const char*) m_pam->getItem(PAM_USER));
+ }
+ 
++ bool PamBackend::setupSupplementalGroups(struct passwd *pw) {
++ if (!Backend::setupSupplementalGroups(pw))
++ return false;
++
++ // pam_setcred(3) may inject additional groups into the user's
++ // list of supplemental groups, and assumes that the user's
++ // supplemental groups have already been initialized before
++ // its invocation. Since pam_setcred was already called at the
++ // start of openSession, we need to repeat this step here as
++ // the user's groups have only just now been initialized.
++
++ if (!m_pam->setCred(PAM_REINITIALIZE_CRED)) {
++ m_app->error(m_pam->errorString(), Auth::ERROR_AUTHENTICATION);
++ return false;
++ }
++ return true;
++ }
++
+ int PamBackend::converse(int n, const struct pam_message **msg, struct pam_response **resp) {
+ qDebug() << "[PAM] Conversation with" << n << "messages";
+ 
+diff --git a/src/helper/backend/PamBackend.h b/src/helper/backend/PamBackend.h
+index 4c8b4b35..5b079099 100644
+--- a/src/helper/backend/PamBackend.h
++++ b/src/helper/backend/PamBackend.h
+@@ -28,6 +28,7 @@
+ #include <QtCore/QObject>
+ 
+ #include <security/pam_appl.h>
++#include <pwd.h>
+ 
+ namespace SDDM {
+ class PamHandle;
+@@ -61,6 +62,7 @@ namespace SDDM {
+ explicit PamBackend(HelperApp *parent);
+ virtual ~PamBackend();
+ int converse(int n, const struct pam_message **msg, struct pam_response **resp);
++ virtual bool setupSupplementalGroups(struct passwd *pw);
+ 
+ public slots:
+ virtual bool start(const QString &user = QString());
diff --git a/x11-misc/sddm/files/sddm-0.18.1-only-reuse-online-sessions.patch b/x11-misc/sddm/files/sddm-0.18.1-only-reuse-online-sessions.patch
new file mode 100644
index 000000000000..b3ea90ff768c
--- /dev/null
+++ b/x11-misc/sddm/files/sddm-0.18.1-only-reuse-online-sessions.patch
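Review bot: `Backend::setupSupplementalGroups` collapses the `initgroups()` result to a bool, so when it fails the only diagnostic the helper prints is the generic "failed to set up supplemental groups" message in UserSession.cpp, with no errno, whereas the line it replaced logged the user and gid; I would keep that detail with `if (initgroups(pw->pw_name, pw->pw_gid) != 0) { qCritical() << "initgroups(" << pw->pw_name << "," << pw->pw_gid << ") failed:" << strerror(errno); return false; }` (adding `<cerrno>`/`<cstring>` to Backend.cpp if they are not already included). The new ordering of initgroups, then pam_setcred(PAM_REINITIALIZE_CRED), then setgid, then setuid is the right one, since both group steps need the helper's root privileges, and both failure paths still `exit(Auth::HELPER_OTHER_ERROR)` rather than continuing with a partially dropped group list. Reporting a PAM_REINITIALIZE_CRED failure to the greeter as `Auth::ERROR_AUTHENTICATION` in PamBackend is a little misleading, since authentication has already succeeded by this point; a session-setup error category, if the enum has one, would be more accurate. The UserSession method these hunks patch starts and ends outside the hunk.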
@@ -0,0 +1,27 @@
+From f131270ff3ae6e6b4e2dc965cd05b46e194b48c1 Mon Sep 17 00:00:00 2001
+From: Fabian Vogt <fabian@ritter-vogt.de>
+Date: Tue, 31 Jul 2018 16:51:13 +0200
+Subject: [PATCH] Session reuse: Only consider "online" sessions
+
+Otherwise it might switch to already dead sessions ("closing" or "lingering").
+---
+ src/daemon/Display.cpp | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/daemon/Display.cpp b/src/daemon/Display.cpp
+index 86e597e..ec442b0 100644
+--- a/src/daemon/Display.cpp
++++ b/src/daemon/Display.cpp
+@@ -290,8 +290,8 @@ namespace SDDM {
+ foreach(const SessionInfo &s, reply.value()) {
+ if (s.userName == user) {
+ OrgFreedesktopLogin1SessionInterface session(Logind::serviceName(), s.sessionPath.path(), QDBusConnection::systemBus());
+- if (session.service() == QLatin1String("sddm")) {
+- m_reuseSessionId = s.sessionId;
++ if (session.service() == QLatin1String("sddm") && session.state() == QLatin1String("online")) {
++ m_reuseSessionId = s.sessionId;
+ break;
+ }
+ }
+-- 
+2.18.0
diff --git a/x11-misc/sddm/files/sddm-0.18.1-revert-honor-PAM-supplemental-groups.patch b/x11-misc/sddm/files/sddm-0.18.1-revert-honor-PAM-supplemental-groups.patch
new file mode 100644
index 000000000000..f14ff7670c88
--- /dev/null
+++ b/x11-misc/sddm/files/sddm-0.18.1-revert-honor-PAM-supplemental-groups.patch
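Review bot: The new `session.state() == QLatin1String("online")` test also rejects a session whose logind state is `active`, not only the dead `closing` sessions the commit message targets; I cannot tell from this hunk whether the same user's existing session can be `active` while the greeter is running (a second seat, for instance), so if skipping it is intentional a comment such as `// logind reports "online" for a live session that is not in the foreground; "active" and "closing" sessions are not reused` would record the invariant, and if it is not, the condition should accept `online` or `active`. The rest of the loop is unchanged; the enclosing Display method starts and ends outside the hunk.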
@@ -0,0 +1,87 @@
+From d3953e88a94ec25a87d3c5136517b3d1009cb1fd Mon Sep 17 00:00:00 2001
+From: "J. Konrad Tegtmeier-Rottach" <jktr@0x16.de>
+Date: Wed, 8 May 2019 18:58:53 +0200
+Subject: [PATCH] Revert "Honor PAM's ambient supplemental groups. (#834)"
+
+This reverts commit 1bc813d08b8130e458a6550ec47fb2bfbe6de080, which
+misuses PAM and leads to pulling in all of root's supplemental groups
+during session initialization instead of only adding PAM's extra
+groups. The problem was masked due to the root user not having any
+supplemental groups in some common contexts, like running sddm from a
+systemd unit.
+---
+ src/helper/UserSession.cpp | 57 --------------------------------------
+ 1 file changed, 57 deletions(-)
+
+diff --git a/src/helper/UserSession.cpp b/src/helper/UserSession.cpp
+index b3aec356..f71fd358 100644
+--- a/src/helper/UserSession.cpp
++++ b/src/helper/UserSession.cpp
+@@ -150,67 +150,10 @@ namespace SDDM {
+ qCritical() << "setgid(" << pw.pw_gid << ") failed for user: " << username;
+ exit(Auth::HELPER_OTHER_ERROR);
+ }
+-
+-#ifdef USE_PAM
+-
+- // fetch ambient groups from PAM's environment;
+- // these are set by modules such as pam_groups.so
+- int n_pam_groups = getgroups(0, NULL);
+- gid_t *pam_groups = NULL;
+- if (n_pam_groups > 0) {
+- pam_groups = new gid_t[n_pam_groups];
+- if ((n_pam_groups = getgroups(n_pam_groups, pam_groups)) == -1) {
+- qCritical() << "getgroups() failed to fetch supplemental"
+- << "PAM groups for user:" << username;
+- exit(Auth::HELPER_OTHER_ERROR);
+- }
+- } else {
+- n_pam_groups = 0;
+- }
+-
+- // fetch session's user's groups
+- int n_user_groups = 0;
+- gid_t *user_groups = NULL;
+- if (-1 == getgrouplist(username.constData(), pw.pw_gid,
+- NULL, &n_user_groups)) {
+- user_groups = new gid_t[n_user_groups];
+- if ((n_user_groups = getgrouplist(username.constData(),
+- pw.pw_gid, user_groups,
+- &n_user_groups)) == -1 ) {
+- qCritical() << "getgrouplist(" << username << ", " << pw.pw_gid
+- << ") failed";
+- exit(Auth::HELPER_OTHER_ERROR);
+- }
+- }
+-
+- // set groups to concatenation of PAM's ambient
+- // groups and the session's user's groups
+- int n_groups = n_pam_groups + n_user_groups;
+- if (n_groups > 0) {
+- gid_t *groups = new gid_t[n_groups];
+- memcpy(groups, pam_groups, (n_pam_groups * sizeof(gid_t)));
+- memcpy((groups + n_pam_groups), user_groups,
+- (n_user_groups * sizeof(gid_t)));
+-
+- // setgroups(2) handles duplicate groups
+- if (setgroups(n_groups, groups) != 0) {
+- qCritical() << "setgroups() failed for user: " << username;
+- exit (Auth::HELPER_OTHER_ERROR);
+- }
+- delete[] groups;
+- }
+- delete[] pam_groups;
+- delete[] user_groups;
+-
+-#else
+-
+ if (initgroups(pw.pw_name, pw.pw_gid) != 0) {
+ qCritical() << "initgroups(" << pw.pw_name << ", " << pw.pw_gid << ") failed for user: " << username;
+ exit(Auth::HELPER_OTHER_ERROR);
+ }
+-
+-#endif /* USE_PAM */
+-
+ if (setuid(pw.pw_uid) != 0) {
+ qCritical() << "setuid(" << pw.pw_uid << ") failed for user: " << username;
+ exit(Auth::HELPER_OTHER_ERROR);
diff --git a/x11-misc/sddm/sddm-0.18.1-r1.ebuild b/x11-misc/sddm/sddm-0.18.1-r1.ebuild
new file mode 100644
index 000000000000..f0955a4b7f7f
--- /dev/null
+++ b/x11-misc/sddm/sddm-0.18.1-r1.ebuild
@@ -0,0 +1,107 @@
+# Copyright 1999-2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+PLOCALES="ar bn ca cs da de es et fi fr hi_IN hu is it ja kk ko lt lv nb nl nn pl pt_BR pt_PT ro ru sk sr sr@ijekavian sr@ijekavianlatin sr@latin sv tr uk zh_CN zh_TW"
+inherit cmake-utils l10n systemd user
+
+DESCRIPTION="Simple Desktop Display Manager"
+HOMEPAGE="https://github.com/sddm/sddm"
+SRC_URI="https://github.com/${PN}/${PN}/releases/download/v${PV}/${P}.tar.xz"
+
+LICENSE="GPL-2+ MIT CC-BY-3.0 CC-BY-SA-3.0 public-domain"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~arm64 ~x86"
+IUSE="consolekit elogind +pam systemd test"
+
+REQUIRED_USE="?? ( elogind systemd )"
+
+BDEPEND="
+ dev-python/docutils
+ >=dev-qt/linguist-tools-5.9.4:5
+ kde-frameworks/extra-cmake-modules:5
+ virtual/pkgconfig
+"
+RDEPEND="
+ >=dev-qt/qtcore-5.9.4:5
+ >=dev-qt/qtdbus-5.9.4:5
+ >=dev-qt/qtdeclarative-5.9.4:5
+ >=dev-qt/qtgui-5.9.4:5
+ >=dev-qt/qtnetwork-5.9.4:5
+ >=x11-base/xorg-server-1.15.1
+ x11-libs/libxcb[xkb]
+ consolekit? ( >=sys-auth/consolekit-0.9.4 )
+ elogind? ( sys-auth/elogind )
+ pam? ( sys-libs/pam )
+ systemd? ( sys-apps/systemd:= )
+ !systemd? ( sys-power/upower )
+"
+DEPEND="${RDEPEND}
+ test? ( >=dev-qt/qttest-5.9.4:5 )
+"
+
+PATCHES=(
+ "${FILESDIR}/${PN}-0.12.0-respect-user-flags.patch"
+ "${FILESDIR}/${PN}-0.18.0-Xsession.patch" # bug 611210
+ "${FILESDIR}/${PN}-0.18.0-sddmconfdir.patch"
+ # fix for groups: https://github.com/sddm/sddm/issues/1159
+ "${FILESDIR}/${P}-revert-honor-PAM-supplemental-groups.patch"
+ "${FILESDIR}/${P}-honor-PAM-supplemental-groups-v2.patch"
+ # fix for ReuseSession=true
+ "${FILESDIR}/${P}-only-reuse-online-sessions.patch"
+ # TODO: fix properly
+ "${FILESDIR}/${PN}-0.16.0-ck2-revert.patch" # bug 633920
+)
+
+src_prepare() {
+ cmake-utils_src_prepare
+
+ disable_locale() {
+ sed -e "/${1}\.ts/d" -i data/translations/CMakeLists.txt || die
+ }
+ l10n_find_plocales_changes "data/translations" "" ".ts"
+ l10n_for_each_disabled_locale_do disable_locale
+
+ if ! use test; then
+ sed -e "/^find_package/s/ Test//" -i CMakeLists.txt || die
+ cmake_comment_add_subdirectory test
+ fi
+}
+
+src_configure() {
+ local mycmakeargs=(
+ -DENABLE_PAM=$(usex pam)
+ -DNO_SYSTEMD=$(usex '!systemd')
+ -DUSE_ELOGIND=$(usex 'elogind')
+ -DBUILD_MAN_PAGES=ON
+ -DDBUS_CONFIG_FILENAME="org.freedesktop.sddm.conf"
+ )
+ cmake-utils_src_configure
+}
+
+src_install() {
+ cmake-utils_src_install
+
+ # Create a default.conf as upstream dropped /etc/sddm.conf w/o replacement
+ local confd="/usr/share/sddm/sddm.conf.d"
+ dodir ${confd}
+ "${D}"/usr/bin/sddm --example-config > "${D}/${confd}"/00default.conf \
+ || die "Failed to create 00default.conf"
+
+ sed -e "/^InputMethod/s/qtvirtualkeyboard//" \
+ -e "/^ReuseSession/s/false/true/" \
+ -e "/^EnableHiDPI/s/false/true/" \
+ -i "${D}/${confd}"/00default.conf || die
+}
+
+pkg_postinst() {
+ elog "Starting with 0.18.0, SDDM no longer installs /etc/sddm.conf"
+ elog "Use it to override specific options. SDDM defaults are now"
+ elog "found in: /usr/share/sddm/sddm.conf.d/00default.conf"
+
+ enewgroup ${PN}
+ enewuser ${PN} -1 -1 /var/lib/${PN} ${PN},video
+
+ systemd_reenable sddm.service
+}
|
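Review bot: The `sed` in src_install cannot fail on a missing key, because an `s///` that matches no line is still success, so if a later release renames or drops `ReuseSession`, `EnableHiDPI` or `InputMethod` in the `--example-config` output the `|| die` will not notice and the intended defaults silently disappear; I would check the result, e.g. `grep -q '^ReuseSession=true' "${D}/${confd}"/00default.conf || die "ReuseSession default not applied"` and the same for the other two keys. That check matters here because turning ReuseSession on by default is exactly the setting the only-reuse-online-sessions patch in PATCHES exists to make safe, and the two group patches must stay in their current order (revert before v2) for the same reason. Separately, `"${D}"/usr/bin/sddm --example-config` executes the freshly built target binary on the build host, which will not work when cross-compiling; a comment recording that limitation, or shipping a static default file instead, would help the next maintainer.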