mirror of
https://github.com/Kicksecure/security-misc.git
synced 2024-12-23 01:33:35 +07:00
deleted /usr/bin/pkexec.security-misc
This was not used anymore for anything. In the past, we used to `config-package-dev` `replace` `/usr/bin/pkexec` with `/usr/bin/pkexec.security-misc` for the purpose of: > Redirect calls for pkexec to lxqt-sudo because pkexec is incompatible with hidepid. * https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860040 * https://forums.whonix.org/t/cannot-use-pkexec/8129 This was a worthwhile effort, interesting approach but ultimately a dead-end.
This commit is contained in:
parent
ef05b1a160
commit
7c06e22c7d
@ -1,132 +0,0 @@
|
|||||||
#!/bin/bash
|
|
||||||
|
|
||||||
## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
|
|
||||||
## See the file COPYING for copying conditions.
|
|
||||||
|
|
||||||
## Redirect calls for pkexec to lxqt-sudo because pkexec is incompatible with
|
|
||||||
## hidepid.
|
|
||||||
## * https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860040
|
|
||||||
## * https://forums.whonix.org/t/cannot-use-pkexec/8129
|
|
||||||
|
|
||||||
set -e
|
|
||||||
|
|
||||||
my_real_path="$(realpath "$0")" || true
|
|
||||||
identifier="$my_real_path wrapper"
|
|
||||||
exec > >(systemd-cat --identifier="$identifier output by program:") 2>&1
|
|
||||||
|
|
||||||
log_to_journal() {
|
|
||||||
echo "$@" | systemd-cat --identifier="$identifier output by wrapper:" || true
|
|
||||||
}
|
|
||||||
|
|
||||||
log_to_journal "$0 $@"
|
|
||||||
log_to_journal "DISPLAY: '$DISPLAY'"
|
|
||||||
my_pstree="$(pstree -p $$)" || true
|
|
||||||
log_to_journal "my_pstree: '$my_pstree'"
|
|
||||||
|
|
||||||
## If hidepid is not in use, just use pkexec normally.
|
|
||||||
if ! mount | grep "/proc" | grep "hidepid=2" &>/dev/null ; then
|
|
||||||
pkexec.security-misc-orig "$@"
|
|
||||||
exit $?
|
|
||||||
fi
|
|
||||||
|
|
||||||
switch_user=false
|
|
||||||
|
|
||||||
original_args="$@"
|
|
||||||
|
|
||||||
## Thanks to:
|
|
||||||
## https://mywiki.wooledge.org/BashFAQ/035
|
|
||||||
|
|
||||||
while :
|
|
||||||
do
|
|
||||||
case $1 in
|
|
||||||
## Should show 'pkexec --version' or fail?
|
|
||||||
--version)
|
|
||||||
shift
|
|
||||||
pkexec.security-misc-orig "$original_args"
|
|
||||||
exit $?
|
|
||||||
;;
|
|
||||||
## Should show 'pkexec --help' or fail?
|
|
||||||
--help)
|
|
||||||
shift
|
|
||||||
pkexec.security-misc-orig "$original_args"
|
|
||||||
exit $?
|
|
||||||
;;
|
|
||||||
## Drop --disable-internal-agent as not needed and breaking both,
|
|
||||||
## lxqt-sudo and sudo.
|
|
||||||
--disable-internal-agent)
|
|
||||||
shift
|
|
||||||
;;
|
|
||||||
--user)
|
|
||||||
## lxqt-sudo does not support "--user".
|
|
||||||
## We should not make this wrapper run something as root which
|
|
||||||
## is supposed to run under a different user. Try using
|
|
||||||
## "sudo -A --user user --set-home" instead.
|
|
||||||
user_pkexec_wrapper="$2"
|
|
||||||
if [ "$user_pkexec_wrapper" = "" ]; then
|
|
||||||
shift
|
|
||||||
else
|
|
||||||
shift 2
|
|
||||||
fi
|
|
||||||
switch_user=true
|
|
||||||
maybe_switch_to_user="--user $user_pkexec_wrapper"
|
|
||||||
;;
|
|
||||||
--)
|
|
||||||
shift
|
|
||||||
break
|
|
||||||
;;
|
|
||||||
*)
|
|
||||||
break
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
done
|
|
||||||
|
|
||||||
## If there are input files (for example) that follow the options, they
|
|
||||||
## will remain in the "$@" positional parameters.
|
|
||||||
|
|
||||||
if [ "$PKEXEC_UID" = "" ]; then
|
|
||||||
if [ ! "$user_pkexec_wrapper" = "" ]; then
|
|
||||||
PKEXEC_UID="$user_pkexec_wrapper"
|
|
||||||
elif [ ! "$SUDO_USER" = "" ]; then
|
|
||||||
PKEXEC_UID="$SUDO_USER"
|
|
||||||
else
|
|
||||||
PKEXEC_UID="$(whoami)"
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
export PKEXEC_UID
|
|
||||||
|
|
||||||
if [[ "$@" = "" ]]; then
|
|
||||||
## Call original pkexec in case there are no arguments.
|
|
||||||
pkexec.security-misc-orig $original_args
|
|
||||||
exit $?
|
|
||||||
fi
|
|
||||||
|
|
||||||
exit_code=0
|
|
||||||
|
|
||||||
## lxqt-sudo does not check /etc/sudoers / /etc/sudoers.d exceptions.
|
|
||||||
## Therefore use 'sudo -l' to see if there is any already existing sudoers exception.
|
|
||||||
## Did not work. 'sudo -l' will always exit with exit code '0'.
|
|
||||||
# if sudo -l --non-interactive $maybe_switch_to_user --set-home PKEXEC_UID="$PKEXEC_UID" "$@" ; then
|
|
||||||
# log_to_journal "sudoers exception: yes"
|
|
||||||
# sudo --non-interactive $maybe_switch_to_user --set-home PKEXEC_UID="$PKEXEC_UID" "$@" || { exit_code=$? ; true; };
|
|
||||||
# log_to_journal "sudo --user | exit_code: '$exit_code'"
|
|
||||||
# exit "$exit_code"
|
|
||||||
# fi
|
|
||||||
#
|
|
||||||
# log_to_journal "sudoers exception: no"
|
|
||||||
|
|
||||||
if [ "$switch_user" = "true" ]; then
|
|
||||||
## 'sudo --user user' clears environment variables such as PATH.
|
|
||||||
lxqt-sudo sudo $maybe_switch_to_user --set-home PKEXEC_UID="$PKEXEC_UID" "$@" || { exit_code=$? ; true; };
|
|
||||||
else
|
|
||||||
## set PATH same as root
|
|
||||||
## This is required for gdebi.
|
|
||||||
## REVIEW: is it ok that users can find out the PATH setting of root?
|
|
||||||
## lxqt-sudo does not clear environment variable PATH.
|
|
||||||
PATH="$(sudo --non-interactive /usr/libexec/security-misc/echo-path)"
|
|
||||||
export PATH
|
|
||||||
lxqt-sudo "$@" || { exit_code=$? ; true; };
|
|
||||||
fi
|
|
||||||
|
|
||||||
log_to_journal "exit_code: '$exit_code'"
|
|
||||||
|
|
||||||
exit "$exit_code"
|
|
Loading…
Reference in New Issue
Block a user