diff --git a/nemo-extensions.changes b/nemo-extensions.changes
index c79501b..fdf96aa 100644
--- a/nemo-extensions.changes
+++ b/nemo-extensions.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Mon Aug 6 14:09:43 UTC 2018 - sor.alexei@meowr.ru
+
+- Add nemo-share-prevent-privilege-escalation.patch: Prevent
+ unprivileged users from adding other users to sambashare
+ (commit a831e7b, bsc#1084703).
+
 -------------------------------------------------------------------
 Thu May 8 20:40:20 UTC 2018 - sor.alexei@meowr.ru
diff --git a/nemo-extensions.spec b/nemo-extensions.spec
index 3ee3b0a..a1e64bd 100644
--- a/nemo-extensions.spec
+++ b/nemo-extensions.spec
@@ -36,6 +36,8 @@ Patch1: nemo-dropbox_no-dropbox-bin.patch
 Patch2: nemo-seahorse_gpg-2.2.patch
 # PATCH-FIX-OPENSUSE nemo-gtkhash_openssl-1.1.patch sor.alexei@meowr.ru -- Add basic OpenSSL 1.1+ compatibility in nemo-gtkhash.
 Patch3: nemo-gtkhash_openssl-1.1.patch
+# PATCH-FIX-UPSTREAM nemo-share-prevent-privilege-escalation.patch bsc#1084703 -- Prevent unprivileged users from adding other users to sambashare (commit a831e7b).
+Patch4: nemo-share-prevent-privilege-escalation.patch
 BuildRequires: gettext-runtime
 BuildRequires: gnome-common
 BuildRequires: intltool
@@ -51,9 +53,6 @@ BuildRequires: openssl-devel
 BuildRequires: pkgconfig
 BuildRequires: python-devel
 BuildRequires: python-gtk-devel
-BuildRequires: python2-distutils-extra
-BuildRequires: python2-docutils
-BuildRequires: python2-setuptools
 BuildRequires: update-desktop-files
 BuildRequires: pkgconfig(cinnamon-desktop)
 BuildRequires: pkgconfig(cjs-1.0)
@@ -76,6 +75,15 @@ BuildRequires: pkgconfig(pygobject-3.0)
 BuildRequires: pkgconfig(webkit2gtk-4.0)
 BuildRequires: pkgconfig(xreader-document-1.5)
 BuildRequires: pkgconfig(xreader-view-1.5)
+%if 0%{?suse_version} >= 1500
+BuildRequires: python2-distutils-extra
+BuildRequires: python2-docutils
+BuildRequires: python2-setuptools
+%else
+BuildRequires: python-distutils-extra
+BuildRequires: python-docutils
+BuildRequires: python-setuptools
+%endif
 %description
 Set of extensions for Nemo, the Cinnamon file manager.
@@ -92,7 +100,6 @@ Requires: nemo >= %{_version}
 # nemo-python was last used in openSUSE 13.2.
 Provides: nemo-python = %{version}
 Obsoletes: nemo-python < %{version}
-
 %if 0%{?suse_version} >= 1500
 Provides: python2-nemo-devel = %{version}
 # python-nemo was last used in openSUSE Leap 42.3.
@@ -363,6 +370,7 @@ directory in Nemo.
 %patch1
 %patch2
 %patch3
+%patch4
 # Remove spurious executable permission.
 chmod a-x nemo-audio-tab/COPYING.GPL3 nemo-emblems/COPYING.GPL3
diff --git a/nemo-share-prevent-privilege-escalation.patch b/nemo-share-prevent-privilege-escalation.patch
new file mode 100644
index 0000000..956753c
--- /dev/null
+++ b/nemo-share-prevent-privilege-escalation.patch
@@ -0,0 +1,28 @@
+--- nemo-share.orig/src/install-samba
++++ nemo-share/src/install-samba
+@@ -33,12 +33,20 @@ class Main:
+ if __name__ == "__main__":
+ ml = GLib.MainLoop.new(None, True)
+
+- if len(sys.argv) == 2:
+- user = sys.argv[1]
+- else:
+- uid = int(os.getenv("PKEXEC_UID"))
++ # prefer using the uid provided by pkexec to the command line argument. if
++ # a user authenticated via pkexec then he should only be able to add
++ # himself to the group.
++ uid = os.getenv("PKEXEC_UID", None)
++
++ if uid != None:
++ uid = int(uid)
+ passwd = pwd.getpwuid(uid)
+ user = passwd[0]
++ elif len(sys.argv) == 2:
++ user = sys.argv[1]
++ else:
++ print("No target uid in environment or on command line found.")
++ exit(-1)
+
+ main = Main(user)
+ ml.run()
+
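Review bot: In the embedded install-samba patch, the `elif len(sys.argv) == 2:` branch still accepts a caller-supplied user name whenever `PKEXEC_UID` is absent, and the argument is silently discarded when the variable is present. The fix therefore holds only if the script is reachable solely through pkexec; the callers are not visible here, so that assumption should be stated in the comment above `uid = os.getenv("PKEXEC_UID", None)`, or the branch dropped if nothing legitimate relies on it. `int(uid)` and `pwd.getpwuid(uid)` raise `ValueError`/`KeyError` on a malformed or unknown uid, which would end in a traceback from a process that presumably runs as root; routing both to the existing error exit would be cleaner. Style: prefer `if uid is not None:` over `uid != None`, and `sys.exit(1)` with the message on stderr over `exit(-1)`. The `__main__` block starts inside the hunk, but the `Main` class it calls is outside it.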