[26637] in Source-Commits
/svn/athena r25671 - in trunk/debathena/config/reactivate: . debian
daemon@ATHENA.MIT.EDU (Jonathan D Reed)
Mon Jul 30 14:45:47 2012
Date: Mon, 30 Jul 2012 14:45:44 -0400
From: Jonathan D Reed <jdreed@MIT.EDU>
Message-Id: <201207301845.q6UIji1o017071@drugstore.mit.edu>
To: source-commits@MIT.EDU
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Author: jdreed
Date: 2012-07-30 14:45:44 -0400 (Mon, 30 Jul 2012)
New Revision: 25671
Added:
trunk/debathena/config/reactivate/Makefile
trunk/debathena/config/reactivate/debian/debathena-reactivate.lintian-overrides
trunk/debathena/config/reactivate/session-wrapper.c
Modified:
trunk/debathena/config/reactivate/debian/changelog
trunk/debathena/config/reactivate/debian/control.in
trunk/debathena/config/reactivate/debian/rules
trunk/debathena/config/reactivate/debian/snapshot-run
Log:
In reactivate:
* Ship a session wrapper that runs initgroups(3) and stop abusing sudo
(Trac: #928)
* Stop depending on kexec-tools, which hasn't been needed since 2.0.25
* Wrap Depends line for easier reading
Added: trunk/debathena/config/reactivate/Makefile
===================================================================
--- trunk/debathena/config/reactivate/Makefile (rev 0)
+++ trunk/debathena/config/reactivate/Makefile 2012-07-30 18:45:44 UTC (rev 25671)
@@ -0,0 +1,13 @@
+all: session-wrapper
+
+session-wrapper: session-wrapper.c
+ $(CC) -o session-wrapper session-wrapper.c
+
+install: all
+ install -d $(DESTDIR)/usr/lib/debathena-reactivate
+ install -m4755 session-wrapper $(DESTDIR)/usr/lib/debathena-reactivate
+
+clean:
+ rm -f session-wrapper
+
+.PHONY: clean all
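Review bot: The `session-wrapper` rule calls `$(CC)` without `$(CPPFLAGS)`, `$(CFLAGS)` or `$(LDFLAGS)`, so whatever warning and hardening flags the package build exports never reach a binary that the `install` target then marks setuid root. Changing the recipe to `$(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) -o session-wrapper session-wrapper.c` lets the build environment's flags apply. A one-line comment above `install -m4755` saying why the mode is 4755 would also keep the setuid bit from looking accidental to someone reading only the Makefile.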
Modified: trunk/debathena/config/reactivate/debian/changelog
===================================================================
--- trunk/debathena/config/reactivate/debian/changelog 2012-07-30 14:53:40 UTC (rev 25670)
+++ trunk/debathena/config/reactivate/debian/changelog 2012-07-30 18:45:44 UTC (rev 25671)
@@ -1,3 +1,12 @@
+debathena-reactivate (2.0.38) unstable; urgency=low
+
+ * Ship a session wrapper that runs initgroups(3) and stop abusing sudo
+ (Trac: #928)
+ * Stop depending on kexec-tools, which hasn't been needed since 2.0.25
+ * Wrap Depends line for easier reading
+
+ -- Jonathan Reed <jdreed@mit.edu> Mon, 30 Jul 2012 14:44:14 -0400
+
debathena-reactivate (2.0.37) unstable; urgency=low
* Set the time in reactivate, because NTP apparently can't (Trac: #749)
Modified: trunk/debathena/config/reactivate/debian/control.in
===================================================================
--- trunk/debathena/config/reactivate/debian/control.in 2012-07-30 14:53:40 UTC (rev 25670)
+++ trunk/debathena/config/reactivate/debian/control.in 2012-07-30 18:45:44 UTC (rev 25671)
@@ -6,8 +6,16 @@
Standards-Version: 3.9.3
Package: debathena-reactivate
-Architecture: all
-Depends: debathena-schroot | schroot (>= 1.3.2~), psmisc, gdm, alsa-utils, debathena-gdm-config (>= 1.14~), sudo, debathena-cupsys-config (>= 1.9~), kexec-tools, ${misc:Depends}
+Architecture: any
+Depends: debathena-schroot | schroot (>= 1.3.2~),
+ psmisc,
+ gdm,
+ alsa-utils,
+ debathena-gdm-config (>= 1.14~),
+ sudo,
+ debathena-cupsys-config (>= 1.9~),
+ ${misc:Depends},
+ ${shlibs:Depends}
Provides: ${diverted-files}
Conflicts: ${diverted-files}
X-Debathena-Build-For: lucid natty precise
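Review bot: `sudo` is still listed in the rewrapped Depends, although the log says this release stops using sudo and the snapshot-run change removes the only sudo invocation visible in this commit. If no other script in the package calls it, drop the `sudo,` line so the dependency list matches what the package actually runs. If something else still needs it, a changelog entry saying so would settle the question. The switch to `Architecture: any` and the added `${shlibs:Depends}` are consistent with shipping a compiled binary.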
Added: trunk/debathena/config/reactivate/debian/debathena-reactivate.lintian-overrides
===================================================================
--- trunk/debathena/config/reactivate/debian/debathena-reactivate.lintian-overrides (rev 0)
+++ trunk/debathena/config/reactivate/debian/debathena-reactivate.lintian-overrides 2012-07-30 18:45:44 UTC (rev 25671)
@@ -0,0 +1,2 @@
+# No kidding.
+setuid-binary usr/lib/debathena-reactivate/session-wrapper 4755 root/root
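Review bot: The override comment `# No kidding.` does not tell a later auditor why a setuid-root binary is acceptable here. Replace it with the reason given in the commit log, for example `# session-wrapper must be setuid root to call initgroups(3) before dropping to the invoking user (Trac: #928)`. An override that silences a setuid warning is exactly the place where the justification should be written down.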
Modified: trunk/debathena/config/reactivate/debian/rules
===================================================================
--- trunk/debathena/config/reactivate/debian/rules 2012-07-30 14:53:40 UTC (rev 25670)
+++ trunk/debathena/config/reactivate/debian/rules 2012-07-30 18:45:44 UTC (rev 25671)
@@ -23,5 +23,12 @@
DEB_TRANSFORM_SCRIPT_/etc/pam.d/schroot.debathena = \
debian/transform_schroot_pam
+# The wrapper does in fact need to be setuid
+DEB_FIXPERMS_EXCLUDE += \
+ usr/lib/debathena-reactivate/session-wrapper
+
include /usr/share/cdbs/1/rules/debhelper.mk
+include /usr/share/cdbs/1/class/makefile.mk
include /usr/share/cdbs/1/rules/config-package.mk
+
+DEB_MAKE_INSTALL_TARGET = install DESTDIR=$(DEB_DESTDIR)
Modified: trunk/debathena/config/reactivate/debian/snapshot-run
===================================================================
--- trunk/debathena/config/reactivate/debian/snapshot-run 2012-07-30 14:53:40 UTC (rev 25670)
+++ trunk/debathena/config/reactivate/debian/snapshot-run 2012-07-30 18:45:44 UTC (rev 25671)
@@ -74,9 +74,7 @@
set +e
-echo "$USER ALL=(ALL) ALL" | schr sh -c "cat >> /etc/sudoers"
-
cd
-schroot -c "$session" -r -p -- sudo -E -u "$USER" -- "$@"
+schroot -c "$session" -r -p -- /usr/lib/debathena-reactivate/session-wrapper "$@"
cd /
Added: trunk/debathena/config/reactivate/session-wrapper.c
===================================================================
--- trunk/debathena/config/reactivate/session-wrapper.c (rev 0)
+++ trunk/debathena/config/reactivate/session-wrapper.c 2012-07-30 18:45:44 UTC (rev 25671)
@@ -0,0 +1,35 @@
+#include <sys/types.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <errno.h>
+#include <stdio.h>
+#include <pwd.h>
+#include <grp.h>
+
+int main (int argc, char **argv) {
+ struct passwd *pw;
+ if (argc < 2) {
+ fprintf(stderr, "Usage: %s command-to-wrap [args]\n", argv[0]);
+ exit(255);
+ }
+ pw = getpwuid(getuid());
+ if (pw == NULL) {
+ perror("getpwuid() failed");
+ exit(1);
+ }
+ if (initgroups(pw->pw_name, pw->pw_gid) == -1) {
+ perror("initgroups() failed");
+ exit(1);
+ }
+ if (setgid(pw->pw_gid)) {
+ perror("setgid() failed");
+ exit(1);
+ }
+ if (setuid(pw->pw_uid)) {
+ perror("setuid() failed");
+ exit(1);
+ }
+ execvp(argv[1], &argv[1]);
+ perror("execvp() failed");
+ exit(1);
+}
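Review bot: The privilege drop in main() is ordered correctly (initgroups, setgid, setuid) but is never verified, and for a binary installed setuid root one extra check after the `setuid(pw->pw_uid)` call is cheap insurance: `if (pw->pw_uid != 0 && setuid(0) == 0) { fprintf(stderr, "privilege drop failed\n"); exit(1); }`. Separately, getpwuid() leaves errno untouched when the uid simply has no passwd entry, so the `perror("getpwuid() failed")` branch can print a stale or misleading error. Set `errno = 0;` before the call and print a fixed "no passwd entry" message when it is still zero. The environment and open file descriptors pass through to execvp() unchanged, which appears acceptable because the exec happens only after the drop to the caller's own uid. A short header comment stating that invariant, and that the setuid bit exists only because initgroups(3) needs root, would help the next reader.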