Accepting request 96378 from home:vuntz:branches:GNOME:Factory

Do not run as root user

OBS-URL: https://build.opensuse.org/request/show/96378
OBS-URL: https://build.opensuse.org/package/show/GNOME:Factory/colord?expand=0&rev=25

colord-polkit-annotate-owner.patch

@@ -0,0 +1,354 @@
+commit 9f088d598187b1bddd0ce4fb97a56d61564d8381
+Author: Vincent Untz <vuntz@gnome.org>
+Date:   Tue Dec 6 10:40:21 2011 +0100
+
+    Add org.freedesktop.policykit.owner annotations to .policy file
+    
+    We only add those annotations when the daemon is configured to run as
+    non-root.
+
+diff --git a/policy/Makefile.am b/policy/Makefile.am
+index 85e3ecc..272675b 100644
+--- a/policy/Makefile.am
++++ b/policy/Makefile.am
+@@ -1,9 +1,16 @@
++org.freedesktop.color.policy.in: org.freedesktop.color.policy.in.in Makefile.am
++	$(AM_V_GEN)if test "x$(daemon_user)" != "xroot"; then \
++		sed -e "s|<@ANNOTATE_OWNER@/>|<annotate key=\"org.freedesktop.policykit.owner\">unix-user:$(daemon_user)</annotate>|g" $< > $@ ; \
++	else \
++		sed -e "/^\s*<@ANNOTATE_OWNER@\/>\s*$$/d;s|<@ANNOTATE_OWNER@/>||g" $< > $@ ; \
++	fi
++
+ @INTLTOOL_POLICY_RULE@
+ polkit_policydir = $(datadir)/polkit-1/actions
+-dist_polkit_policy_DATA =					\
++polkit_policy_DATA =					\
+ 	org.freedesktop.color.policy
+ 
+-EXTRA_DIST = org.freedesktop.color.policy.in
+-DISTCLEANFILES = org.freedesktop.color.policy
++EXTRA_DIST = org.freedesktop.color.policy.in.in
++DISTCLEANFILES = org.freedesktop.color.policy org.freedesktop.color.policy.in
+ 
+ -include $(top_srcdir)/git.mk
+diff --git a/policy/org.freedesktop.color.policy.in b/policy/org.freedesktop.color.policy.in
+deleted file mode 100644
+index a5bcfaf..0000000
+--- a/policy/org.freedesktop.color.policy.in
++++ /dev/null
+@@ -1,150 +0,0 @@
+-<?xml version="1.0" encoding="UTF-8"?>
+-<!DOCTYPE policyconfig PUBLIC
+- "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
+- "http://www.freedesktop.org/standards/PolicyKit/1.0/policyconfig.dtd">
+-<policyconfig>
+-
+-  <!--
+-    Policy definitions for System Color Manager actions.
+-    Copyright (c) 2010 Richard Hughes <richard@hughsie.com>
+-  -->
+-
+-  <vendor>System Color Manager</vendor>
+-  <vendor_url>http://www.freedesktop.org/projects/system-color-manager/</vendor_url>
+-  <icon_name>application-vnd.iccprofile</icon_name>
+-
+-  <action id="org.freedesktop.color-manager.create-device">
+-    <!-- SECURITY:
+-          - Normal users should not have to authenticate to add devices
+-     -->
+-    <_description>Create a color managed device</_description>
+-    <_message>Authentication is required to create a color managed device</_message>
+-    <icon_name>application-vnd.iccprofile</icon_name>
+-    <defaults>
+-      <allow_any>no</allow_any>
+-      <allow_inactive>no</allow_inactive>
+-      <allow_active>yes</allow_active>
+-    </defaults>
+-  </action>
+-
+-  <action id="org.freedesktop.color-manager.create-profile">
+-    <!-- SECURITY:
+-          - Normal users should not have to authenticate to add profiles
+-     -->
+-    <_description>Create a color profile</_description>
+-    <_message>Authentication is required to create a color profile</_message>
+-    <icon_name>application-vnd.iccprofile</icon_name>
+-    <defaults>
+-      <allow_any>no</allow_any>
+-      <allow_inactive>no</allow_inactive>
+-      <allow_active>yes</allow_active>
+-    </defaults>
+-  </action>
+-
+-  <action id="org.freedesktop.color-manager.delete-device">
+-    <!-- SECURITY:
+-          - Normal users should not have to authenticate to delete devices
+-     -->
+-    <_description>Remove a color managed device</_description>
+-    <_message>Authentication is required to remove a color managed device</_message>
+-    <icon_name>application-vnd.iccprofile</icon_name>
+-    <defaults>
+-      <allow_any>no</allow_any>
+-      <allow_inactive>no</allow_inactive>
+-      <allow_active>yes</allow_active>
+-    </defaults>
+-  </action>
+-
+-  <action id="org.freedesktop.color-manager.delete-profile">
+-    <!-- SECURITY:
+-          - Normal users should not have to authenticate to delete profiles
+-     -->
+-    <_description>Remove a color profile</_description>
+-    <_message>Authentication is required to remove a color profile</_message>
+-    <icon_name>application-vnd.iccprofile</icon_name>
+-    <defaults>
+-      <allow_any>no</allow_any>
+-      <allow_inactive>no</allow_inactive>
+-      <allow_active>yes</allow_active>
+-    </defaults>
+-  </action>
+-
+-  <action id="org.freedesktop.color-manager.modify-device">
+-    <!-- SECURITY:
+-          - Normal users should not have to authenticate to modify devices
+-     -->
+-    <_description>Modify color settings for a device</_description>
+-    <_message>Authentication is required to modify the color settings for a device</_message>
+-    <icon_name>application-vnd.iccprofile</icon_name>
+-    <defaults>
+-      <allow_any>no</allow_any>
+-      <allow_inactive>no</allow_inactive>
+-      <allow_active>yes</allow_active>
+-    </defaults>
+-  </action>
+-
+-  <action id="org.freedesktop.color-manager.modify-profile">
+-    <!-- SECURITY:
+-          - Normal users should not have to authenticate to modify profiles
+-     -->
+-    <_description>Modify a color profile</_description>
+-    <_message>Authentication is required to modify a color profile</_message>
+-    <icon_name>application-vnd.iccprofile</icon_name>
+-    <defaults>
+-      <allow_any>no</allow_any>
+-      <allow_inactive>no</allow_inactive>
+-      <allow_active>yes</allow_active>
+-    </defaults>
+-  </action>
+-
+-  <action id="org.freedesktop.color-manager.install-system-wide">
+-    <!-- SECURITY:
+-          - Normal users require admin authentication to install files system
+-            wide to apply color profiles for sessions that have not explicitly
+-            chosen profiles to apply.
+-          - This should not be set to 'yes' as unprivileged users could then
+-            set a profile set to all-white or all-black and thus make the
+-            other sessions unusable.
+-     -->
+-    <_description>Install system color profiles</_description>
+-    <_message>Authentication is required to install the color profile for all users</_message>
+-    <icon_name>application-vnd.iccprofile</icon_name>
+-    <defaults>
+-      <allow_any>no</allow_any>
+-      <allow_inactive>no</allow_inactive>
+-      <allow_active>auth_admin_keep</allow_active>
+-    </defaults>
+-  </action>
+-
+-  <action id="org.freedesktop.color-manager.device-inhibit">
+-    <!-- SECURITY:
+-          - Normal users should not have to authenticate to profile
+-            devices.
+-     -->
+-    <_description>Inhibit color profile selection</_description>
+-    <_message>Authentication is required to disable profile matching for a device</_message>
+-    <icon_name>application-vnd.iccprofile</icon_name>
+-    <defaults>
+-      <allow_any>no</allow_any>
+-      <allow_inactive>no</allow_inactive>
+-      <allow_active>yes</allow_active>
+-    </defaults>
+-  </action>
+-
+-  <action id="org.freedesktop.color-manager.sensor-lock">
+-    <!-- SECURITY:
+-          - Normal users should not have to authenticate to use the
+-            colorimeter device.
+-     -->
+-    <_description>Use color sensor</_description>
+-    <_message>Authentication is required to use the color sensor</_message>
+-    <icon_name>application-vnd.iccprofile</icon_name>
+-    <defaults>
+-      <allow_any>no</allow_any>
+-      <allow_inactive>no</allow_inactive>
+-      <allow_active>yes</allow_active>
+-    </defaults>
+-  </action>
+-
+-</policyconfig>
+-
+diff --git a/policy/org.freedesktop.color.policy.in.in b/policy/org.freedesktop.color.policy.in.in
+new file mode 100644
+index 0000000..4570f8f
+--- /dev/null
++++ b/policy/org.freedesktop.color.policy.in.in
+@@ -0,0 +1,159 @@
++<?xml version="1.0" encoding="UTF-8"?>
++<!DOCTYPE policyconfig PUBLIC
++ "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
++ "http://www.freedesktop.org/standards/PolicyKit/1.0/policyconfig.dtd">
++<policyconfig>
++
++  <!--
++    Policy definitions for System Color Manager actions.
++    Copyright (c) 2010 Richard Hughes <richard@hughsie.com>
++  -->
++
++  <vendor>System Color Manager</vendor>
++  <vendor_url>http://www.freedesktop.org/projects/system-color-manager/</vendor_url>
++  <icon_name>application-vnd.iccprofile</icon_name>
++
++  <action id="org.freedesktop.color-manager.create-device">
++    <!-- SECURITY:
++          - Normal users should not have to authenticate to add devices
++     -->
++    <_description>Create a color managed device</_description>
++    <_message>Authentication is required to create a color managed device</_message>
++    <icon_name>application-vnd.iccprofile</icon_name>
++    <defaults>
++      <allow_any>no</allow_any>
++      <allow_inactive>no</allow_inactive>
++      <allow_active>yes</allow_active>
++    </defaults>
++    <@ANNOTATE_OWNER@/>
++  </action>
++
++  <action id="org.freedesktop.color-manager.create-profile">
++    <!-- SECURITY:
++          - Normal users should not have to authenticate to add profiles
++     -->
++    <_description>Create a color profile</_description>
++    <_message>Authentication is required to create a color profile</_message>
++    <icon_name>application-vnd.iccprofile</icon_name>
++    <defaults>
++      <allow_any>no</allow_any>
++      <allow_inactive>no</allow_inactive>
++      <allow_active>yes</allow_active>
++    </defaults>
++    <@ANNOTATE_OWNER@/>
++  </action>
++
++  <action id="org.freedesktop.color-manager.delete-device">
++    <!-- SECURITY:
++          - Normal users should not have to authenticate to delete devices
++     -->
++    <_description>Remove a color managed device</_description>
++    <_message>Authentication is required to remove a color managed device</_message>
++    <icon_name>application-vnd.iccprofile</icon_name>
++    <defaults>
++      <allow_any>no</allow_any>
++      <allow_inactive>no</allow_inactive>
++      <allow_active>yes</allow_active>
++    </defaults>
++    <@ANNOTATE_OWNER@/>
++  </action>
++
++  <action id="org.freedesktop.color-manager.delete-profile">
++    <!-- SECURITY:
++          - Normal users should not have to authenticate to delete profiles
++     -->
++    <_description>Remove a color profile</_description>
++    <_message>Authentication is required to remove a color profile</_message>
++    <icon_name>application-vnd.iccprofile</icon_name>
++    <defaults>
++      <allow_any>no</allow_any>
++      <allow_inactive>no</allow_inactive>
++      <allow_active>yes</allow_active>
++    </defaults>
++    <@ANNOTATE_OWNER@/>
++  </action>
++
++  <action id="org.freedesktop.color-manager.modify-device">
++    <!-- SECURITY:
++          - Normal users should not have to authenticate to modify devices
++     -->
++    <_description>Modify color settings for a device</_description>
++    <_message>Authentication is required to modify the color settings for a device</_message>
++    <icon_name>application-vnd.iccprofile</icon_name>
++    <defaults>
++      <allow_any>no</allow_any>
++      <allow_inactive>no</allow_inactive>
++      <allow_active>yes</allow_active>
++    </defaults>
++    <@ANNOTATE_OWNER@/>
++  </action>
++
++  <action id="org.freedesktop.color-manager.modify-profile">
++    <!-- SECURITY:
++          - Normal users should not have to authenticate to modify profiles
++     -->
++    <_description>Modify a color profile</_description>
++    <_message>Authentication is required to modify a color profile</_message>
++    <icon_name>application-vnd.iccprofile</icon_name>
++    <defaults>
++      <allow_any>no</allow_any>
++      <allow_inactive>no</allow_inactive>
++      <allow_active>yes</allow_active>
++    </defaults>
++    <@ANNOTATE_OWNER@/>
++  </action>
++
++  <action id="org.freedesktop.color-manager.install-system-wide">
++    <!-- SECURITY:
++          - Normal users require admin authentication to install files system
++            wide to apply color profiles for sessions that have not explicitly
++            chosen profiles to apply.
++          - This should not be set to 'yes' as unprivileged users could then
++            set a profile set to all-white or all-black and thus make the
++            other sessions unusable.
++     -->
++    <_description>Install system color profiles</_description>
++    <_message>Authentication is required to install the color profile for all users</_message>
++    <icon_name>application-vnd.iccprofile</icon_name>
++    <defaults>
++      <allow_any>no</allow_any>
++      <allow_inactive>no</allow_inactive>
++      <allow_active>auth_admin_keep</allow_active>
++    </defaults>
++    <@ANNOTATE_OWNER@/>
++  </action>
++
++  <action id="org.freedesktop.color-manager.device-inhibit">
++    <!-- SECURITY:
++          - Normal users should not have to authenticate to profile
++            devices.
++     -->
++    <_description>Inhibit color profile selection</_description>
++    <_message>Authentication is required to disable profile matching for a device</_message>
++    <icon_name>application-vnd.iccprofile</icon_name>
++    <defaults>
++      <allow_any>no</allow_any>
++      <allow_inactive>no</allow_inactive>
++      <allow_active>yes</allow_active>
++    </defaults>
++    <@ANNOTATE_OWNER@/>
++  </action>
++
++  <action id="org.freedesktop.color-manager.sensor-lock">
++    <!-- SECURITY:
++          - Normal users should not have to authenticate to use the
++            colorimeter device.
++     -->
++    <_description>Use color sensor</_description>
++    <_message>Authentication is required to use the color sensor</_message>
++    <icon_name>application-vnd.iccprofile</icon_name>
++    <defaults>
++      <allow_any>no</allow_any>
++      <allow_inactive>no</allow_inactive>
++      <allow_active>yes</allow_active>
++    </defaults>
++    <@ANNOTATE_OWNER@/>
++  </action>
++
++</policyconfig>
++

colord.changes

@@ -3,6 +3,22 @@ Thu Dec  8 20:25:09 UTC 2011 - dimstar@opensuse.org
 
 - Split tyelib file into typelib-1_0-Colord-1_0.
 
+-------------------------------------------------------------------
+Tue Dec  6 16:06:22 UTC 2011 - vuntz@opensuse.org
+
+- Run the colord daemon as user colord (bnc#698250):
+  + Add colord-polkit-annotate-owner.patch: add
+    org.freedesktop.policykit.owner annotations to policy file so
+    that running as colord user works.
+  + Add a %pre script to create the colord user and change
+    ownership of /var/lib/colord.
+  + Add pwdutils Requires(pre), to make sure we can create the
+    user.
+  + Pass --with-daemon-user=colord to configure.
+  + Package /var/lib/colord with the right user.
+  + Add libtool BuildRequires and calls to autoreconf and
+    intltoolize, as needed by above patch.
+
 -------------------------------------------------------------------
 Tue Nov 29 21:27:11 UTC 2011 - dimstar@opensuse.org
 

colord.spec

@@ -26,8 +26,12 @@ Url:            http://colord.hughsie.com/
 Group:          System/Daemons
 Source0:        http://www.freedesktop.org/software/colord/releases/%{name}-%{version}.tar.xz
 Source99:       baselibs.conf
+# PATCH-FIX-UPSTREAM colord-polkit-annotate-owner.patch vuntz@opensuse.org -- Add org.freedesktop.policykit.owner annotations to policy file; will enter git very soon
+Patch1:         colord-polkit-annotate-owner.patch
 BuildRequires:  gobject-introspection-devel
 BuildRequires:  intltool
+# needed for patch1
+BuildRequires:  libtool
 BuildRequires:  sane-backends-devel
 BuildRequires:  vala
 # Only needed because we don't (and won't) support building xz tarballs by default... See bnc#697467
@@ -43,6 +47,7 @@ BuildRequires:  pkgconfig(lcms2)
 BuildRequires:  pkgconfig(libusb-1.0) >= 1.0.0
 BuildRequires:  pkgconfig(polkit-gobject-1)
 BuildRequires:  pkgconfig(sqlite3)
+Requires(pre):  pwdutils
 Requires:       shared-color-profiles
 Recommends:     %{name}-lang
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
@@ -85,11 +90,16 @@ there are no users logged in.
 %lang_package
 %prep
 %setup -q
+%patch1 -p1
 
 %build
+# needed for patch1
+autoreconf -fi
+intltoolize --force
 %configure \
     --disable-static \
-    --enable-polkit
+    --enable-polkit \
+    --with-daemon-user=colord
 make %{?_smp_mflags}
 
 %install
@@ -106,6 +116,13 @@ test ! -f *.[2-9]
 popd
 %find_lang %{name}
 
+%pre
+getent group colord >/dev/null || groupadd -r colord
+getent passwd colord >/dev/null || useradd -r -g colord -d %{_localstatedir}/lib/colord -s /sbin/nologin -c "user for colord" colord
+# Fix ownership of /var/lib/colord from first packages (in 12.1)
+test ! -d %{_localstatedir}/lib/colord || chown -R colord:colord %{_localstatedir}/lib/colord
+exit 0
+
 %post -n libcolord1 -p /sbin/ldconfig
 
 %postun -n libcolord1 -p /sbin/ldconfig
@@ -114,6 +131,7 @@ popd
 %defattr(-,root,root)
 %doc AUTHORS ChangeLog COPYING NEWS README
 /lib/udev/rules.d/*.rules
+%attr(755,colord,colord) %dir %{_localstatedir}/lib/colord
 %config(noreplace) %{_sysconfdir}/%{name}.conf
 %{_sysconfdir}/dbus-1/system.d/org.freedesktop.ColorManager.conf
 %{_bindir}/cd-create-profile