From 04b3d9b8fdc359739cc54411546a4edb5434dc4cb129284de6fa75c4b1d046fe Mon Sep 17 00:00:00 2001
From: Hrvoje Senjan <hrvoje.senjan@gmail.com>
Date: Fri, 11 Apr 2014 17:44:10 +0000
Subject: [PATCH 1/7] OBS-URL:
 https://build.opensuse.org/package/show/KDE:Frameworks5/kinit?expand=0&rev=18

---
 ...ties-instead-of-SUID-where-available.patch | 201 ++++++++++++++++++
 kinit.changes                                 |   6 +
 kinit.spec                                    |  23 +-
 3 files changed, 218 insertions(+), 12 deletions(-)
 create mode 100644 0001-Use-capabilities-instead-of-SUID-where-available.patch

diff --git a/0001-Use-capabilities-instead-of-SUID-where-available.patch b/0001-Use-capabilities-instead-of-SUID-where-available.patch
new file mode 100644
index 0000000..a5b4855
--- /dev/null
+++ b/0001-Use-capabilities-instead-of-SUID-where-available.patch
@@ -0,0 +1,201 @@
+From ff991d84b66b7aa68c6f24f3ec4b0e35b830a789 Mon Sep 17 00:00:00 2001
+From: Hrvoje Senjan <hrvoje.senjan@gmail.com>
+Date: Fri, 11 Apr 2014 17:41:46 +0200
+Subject: [PATCH 1/1] Use capabilities instead of SUID where available
+
+This requires that both libcap libraries and setcap
+executable are found during build, otherwise the old
+procedure of SUID is used
+
+CCMAIL: krahmer@suse.com
+CCMAIL: kde-packager@kde.org
+
+REVIEW: 117125
+(cherry picked from commit e898d13b430692e775060d49342181192e122fdf)
+---
+ CMakeLists.txt                    | 11 +++++++-
+ cmake/FindLibcap.cmake            | 59 +++++++++++++++++++++++++++++++++++++++
+ src/config-kdeinit.h.cmake        |  1 +
+ src/start_kdeinit/CMakeLists.txt  | 20 +++++++++----
+ src/start_kdeinit/start_kdeinit.c | 14 ++++++++++
+ 5 files changed, 99 insertions(+), 6 deletions(-)
+ create mode 100644 cmake/FindLibcap.cmake
+
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index 8bd43d8..2ba9bbd 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -3,7 +3,7 @@ cmake_minimum_required(VERSION 2.8.12)
+ project(KInit)
+ 
+ find_package(ECM 0.0.12 REQUIRED NO_MODULE)
+-set(CMAKE_MODULE_PATH ${ECM_MODULE_PATH} ${ECM_KDE_MODULE_DIR})
++set(CMAKE_MODULE_PATH ${ECM_MODULE_PATH} ${ECM_KDE_MODULE_DIR} ${CMAKE_CURRENT_SOURCE_DIR}/cmake)
+ 
+ set(REQUIRED_QT_VERSION "5.2")
+ find_package(Qt5 "${REQUIRED_QT_VERSION}" CONFIG REQUIRED Core Gui DBus)
+@@ -50,6 +50,15 @@ if("${CMAKE_BINARY_DIR}" STREQUAL "${CMAKE_CURRENT_BINARY_DIR}")
+   # Remove when we depend on CMake 3.0.0
+ endif()
+ 
++if (NOT WIN32)
++find_package(Libcap)
++set_package_properties(Libcap PROPERTIES
++                       TYPE OPTIONAL
++                       PURPOSE "KInit needs setcap in order to install start_kdeinit with CAP_SYS_RESOURCE capabilities"
++                      )
++endif ()
++set(HAVE_CAPABILITIES ${Libcap_FOUND})
++
+ set(CMAKECONFIG_INSTALL_DIR "${CMAKECONFIG_INSTALL_PREFIX}/KF5Init")
+ ecm_configure_package_config_file(
+   "${CMAKE_CURRENT_SOURCE_DIR}/KF5InitConfig.cmake.in"
+diff --git a/cmake/FindLibcap.cmake b/cmake/FindLibcap.cmake
+new file mode 100644
+index 0000000..4a32446
+--- /dev/null
++++ b/cmake/FindLibcap.cmake
+@@ -0,0 +1,59 @@
++# Try to find the setcap binary and cap libraries
++#
++# This will define:
++#
++#   Libcap_FOUND           - system has the cap library and setcap binary
++#   Libcap_LIBRARIES       - cap libraries to link against
++#   SETCAP_EXECUTABLE      - path of the setcap binary
++# In addition, the following targets are defined:
++#
++#   Libcap::SetCapabilities
++#
++
++
++# Copyright (c) 2014, Hrvoje Senjan, <hrvoje.senjan@gmail.com>
++#
++# Redistribution and use in source and binary forms, with or without
++# modification, are permitted provided that the following conditions
++# are met:
++#
++# 1. Redistributions of source code must retain the copyright
++#    notice, this list of conditions and the following disclaimer.
++# 2. Redistributions in binary form must reproduce the copyright
++#    notice, this list of conditions and the following disclaimer in the
++#    documentation and/or other materials provided with the distribution.
++# 3. The name of the author may not be used to endorse or promote products
++#    derived from this software without specific prior written permission.
++#
++# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
++# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
++# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
++# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
++# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
++# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
++# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
++# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
++# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
++
++find_program(SETCAP_EXECUTABLE NAMES setcap DOC "The setcap executable")
++
++find_library(Libcap_LIBRARIES NAMES cap DOC "The cap (capabilities) library")
++
++include(FindPackageHandleStandardArgs)
++find_package_handle_standard_args(Libcap FOUND_VAR Libcap_FOUND
++                                      REQUIRED_VARS SETCAP_EXECUTABLE Libcap_LIBRARIES)
++
++if(Libcap_FOUND AND NOT TARGET Libcap::SetCapabilities)
++    add_executable(Libcap::SetCapabilities IMPORTED)
++    set_target_properties(Libcap::SetCapabilities PROPERTIES
++        IMPORTED_LOCATION "${SETCAP_EXECUTABLE}"
++    )
++endif()
++
++mark_as_advanced(SETCAP_EXECUTABLE Libcap_LIBRARIES)
++
++include(FeatureSummary)
++set_package_properties(Libcap PROPERTIES
++    URL https://sites.google.com/site/fullycapable/
++    DESCRIPTION "Capabilities are a measure to limit the omnipotence of the superuser.")
+diff --git a/src/config-kdeinit.h.cmake b/src/config-kdeinit.h.cmake
+index c89c713..8f162fa 100644
+--- a/src/config-kdeinit.h.cmake
++++ b/src/config-kdeinit.h.cmake
+@@ -13,6 +13,7 @@
+ #cmakedefine01 CAN_CLOBBER_ARGV
+ 
+ #cmakedefine01 HAVE_X11
++#cmakedefine01 HAVE_CAPABILITIES
+ #cmakedefine01 HAVE_SYS_SELECT_H
+ 
+ /* for start_kdeinit */
+diff --git a/src/start_kdeinit/CMakeLists.txt b/src/start_kdeinit/CMakeLists.txt
+index 6bfc496..8f52ea9 100644
+--- a/src/start_kdeinit/CMakeLists.txt
++++ b/src/start_kdeinit/CMakeLists.txt
+@@ -5,10 +5,20 @@ install(TARGETS start_kdeinit DESTINATION ${LIBEXEC_INSTALL_DIR})
+ install(TARGETS start_kdeinit_wrapper DESTINATION ${LIBEXEC_INSTALL_DIR})
+ 
+ if (CMAKE_SYSTEM_NAME MATCHES Linux)
+-    MESSAGE(STATUS "Using setuid root kdeinit wrapper in order to protect it from bad Linux OOM-killer")
+-    set(KDEINIT_OOM_PROTECT 1)
+-    install(CODE "
+-      set(START_KDEINIT_PATH \"\$ENV{DESTDIR}${CMAKE_INSTALL_PREFIX}/${LIBEXEC_INSTALL_DIR}/start_kdeinit\")
+-        EXECUTE_PROCESS(COMMAND sh -c \"chown 0 '\${START_KDEINIT_PATH}' && chmod u+s '\${START_KDEINIT_PATH}'\")
++   set(KDEINIT_OOM_PROTECT 1)
++       if (Libcap_FOUND)
++          message(STATUS "Using capabilities kdeinit wrapper in order to protect it from bad Linux OOM-killer")
++                  install( CODE "execute_process(
++                          COMMAND
++                                 ${SETCAP_EXECUTABLE}
++                                 CAP_SYS_RESOURCE=+ep
++                                 $ENV{DESTDIR}${CMAKE_INSTALL_PREFIX}/${LIBEXEC_INSTALL_DIR}/start_kdeinit)"
++                )
++       else()
++          message(STATUS "Using setuid root kdeinit wrapper in order to protect it from bad Linux OOM-killer")
++                  install(CODE "
++                  set(START_KDEINIT_PATH \"\$ENV{DESTDIR}${CMAKE_INSTALL_PREFIX}/${LIBEXEC_INSTALL_DIR}/start_kdeinit\")
++                  EXECUTE_PROCESS(COMMAND sh -c \"chown 0 '\${START_KDEINIT_PATH}' && chmod u+s '\${START_KDEINIT_PATH}'\")
+     ")
++       endif ()
+ endif ()
+diff --git a/src/start_kdeinit/start_kdeinit.c b/src/start_kdeinit/start_kdeinit.c
+index 3c733e7..07a28d3 100644
+--- a/src/start_kdeinit/start_kdeinit.c
++++ b/src/start_kdeinit/start_kdeinit.c
+@@ -27,6 +27,9 @@
+ #include <string.h>
+ #include <sys/stat.h>
+ #include <unistd.h>
++#if HAVE_CAPABILITIES
++#include <sys/capability.h>
++#endif
+ 
+ #define EXECUTE CMAKE_INSTALL_PREFIX"/"BIN_INSTALL_DIR "/kdeinit5"
+ 
+@@ -98,6 +101,9 @@ int main(int argc, char **argv)
+     unsigned i;
+     char **orig_environ = NULL;
+     char header[ 7 ];
++#if HAVE_CAPABILITIES
++    cap_t caps;
++#endif
+     if (pipe(pipes) < 0) {
+         perror("pipe()");
+         return 1;
+@@ -111,6 +117,14 @@ int main(int argc, char **argv)
+         perror("fork()");
+         return 1;
+     default: /* parent, drop privileges and exec */
++#if HAVE_CAPABILITIES
++        caps = cap_init();
++        if (cap_set_proc(caps) < 0) {
++            perror("cap_set_proc()");
++            return 1;
++        }
++        cap_free(caps);
++#endif
+         if (setgid(getgid())) {
+             perror("setgid()");
+             return 1;
+-- 
+1.9.1
+
diff --git a/kinit.changes b/kinit.changes
index 4201653..b0c8195 100644
--- a/kinit.changes
+++ b/kinit.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Fri Apr 11 16:40:42 UTC 2014 - hrvoje.senjan@gmail.com
+
+- Added 0001-Use-capabilities-instead-of-SUID-where-available.patch,
+  and set permissions accordingly, bnc#862953
+
 -------------------------------------------------------------------
 Sat Mar 29 19:47:41 UTC 2014 - hrvoje.senjan@gmail.com
 
diff --git a/kinit.spec b/kinit.spec
index 7dca06a..a4a1893 100644
--- a/kinit.spec
+++ b/kinit.spec
@@ -17,10 +17,10 @@
 
 
 Name:           kinit
-Version:        4.97.0
+Version:        4.98.0
 Release:        0
 BuildRequires:  cmake >= 2.8.12
-BuildRequires:  extra-cmake-modules >= 0.0.11
+BuildRequires:  extra-cmake-modules >= 0.0.12
 BuildRequires:  fdupes
 BuildRequires:  kcrash-devel >= %{_kf5_version}
 BuildRequires:  kf5-filesystem
@@ -28,18 +28,20 @@ BuildRequires:  ki18n-devel >= %{_kf5_version}
 BuildRequires:  kio-devel >= %{_kf5_version}
 BuildRequires:  kservice-devel >= %{_kf5_version}
 BuildRequires:  kwindowsystem-devel >= %{_kf5_version}
+BuildRequires:  libcap-devel
 BuildRequires:  pkgconfig(Qt5Core) >= 5.2.0
 BuildRequires:  pkgconfig(Qt5DBus) >= 5.2.0
 BuildRequires:  pkgconfig(Qt5Gui) >= 5.2.0
 BuildRequires:  pkgconfig(Qt5Widgets) >= 5.2.0
 BuildRequires:  pkgconfig(x11)
-BuildRequires:  libcap-devel
-#PreReq:         permissions
+PreReq:         permissions
 Summary:        Helper library to speed up start of applications on KDE workspaces
 License:        LGPL-2.1+
 Group:          System/GUI/KDE
 Url:            http://www.kde.org
 Source0:        kinit-%{version}.tar.xz
+# PATCH-FIX-UPSTREAM 0001-Use-capabilities-instead-of-SUID-where-available.patch -- bnc#862953
+Patch0:         0001-Use-capabilities-instead-of-SUID-where-available.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 
 %description
@@ -58,6 +60,7 @@ booting UNIX. Development files.
 
 %prep
 %setup -q
+%patch0 -p1
 
 %build
   %cmake_kf5 -d build -- -DCMAKE_CXX_FLAGS="%{optflags} -fpie" -DCMAKE_C_FLAGS="%{optflags} -fpie" -DCMAKE_SHARED_LINKER_FLAGS="-pie" -DCMAKE_EXE_LINKER_FLAGS="-pie" -DCMAKE_MODULE_LINKER_FLAGS="-pie"
@@ -67,19 +70,16 @@ booting UNIX. Development files.
   %kf5_makeinstall -C build
   %fdupes -s %{buildroot}
 
-# Under security review -- bnc#862953
-# echo "setBadness('permissions-file-setuid-bit', 998)" > $RPM_SOURCE_DIR/%name-rpmlintrc
-
 %post
 /sbin/ldconfig
 
-#set_permissions %{_kf5_libexecdir}/start_kdeinit
+%set_permissions %{_kf5_libexecdir}/start_kdeinit
 
 %postun
 /sbin/ldconfig
 
-#verifyscript
-#verify_permissions -e %{_kf5_libexecdir}/start_kdeinit
+%verifyscript
+%verify_permissions -e %{_kf5_libexecdir}/start_kdeinit
 
 %files
 %defattr(-,root,root)
@@ -91,8 +91,7 @@ booting UNIX. Development files.
 %{_kf5_libdir}/libkdeinit5_klauncher.so
 %{_kf5_libexecdir}/klauncher
 %{_kf5_bindir}/kshell5
-#verify(not mode caps) %attr(4755,root,root) %{_kf5_libexecdir}/start_kdeinit
-%{_kf5_libexecdir}/start_kdeinit
+%verify(not mode caps) %caps(cap_sys_resource=ep) %attr(0755,root,root) %{_kf5_libexecdir}/start_kdeinit
 %{_kf5_libexecdir}/start_kdeinit_wrapper
 
 %files devel

From 092a7ab94cfeecdf8c4e7ff829b8b1970fbffea56ba0bf8b4a12909a9809e5f8 Mon Sep 17 00:00:00 2001
From: Hrvoje Senjan <hrvoje.senjan@gmail.com>
Date: Fri, 11 Apr 2014 17:46:07 +0000
Subject: [PATCH 2/7] OBS-URL:
 https://build.opensuse.org/package/show/KDE:Frameworks5/kinit?expand=0&rev=19

---
 kinit.changes | 3 ++-
 kinit.spec    | 2 ++
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/kinit.changes b/kinit.changes
index b0c8195..c0d6a5c 100644
--- a/kinit.changes
+++ b/kinit.changes
@@ -2,7 +2,8 @@
 Fri Apr 11 16:40:42 UTC 2014 - hrvoje.senjan@gmail.com
 
 - Added 0001-Use-capabilities-instead-of-SUID-where-available.patch,
-  and set permissions accordingly, bnc#862953
+  set permissions accordingly, and add libcap-devel/libcap-progs
+  BuildRequires, bnc#862953
 
 -------------------------------------------------------------------
 Sat Mar 29 19:47:41 UTC 2014 - hrvoje.senjan@gmail.com
diff --git a/kinit.spec b/kinit.spec
index a4a1893..a0da12a 100644
--- a/kinit.spec
+++ b/kinit.spec
@@ -29,6 +29,8 @@ BuildRequires:  kio-devel >= %{_kf5_version}
 BuildRequires:  kservice-devel >= %{_kf5_version}
 BuildRequires:  kwindowsystem-devel >= %{_kf5_version}
 BuildRequires:  libcap-devel
+BuildRequires:  libcap-devel
+BuildRequires:  libcap-progs
 BuildRequires:  pkgconfig(Qt5Core) >= 5.2.0
 BuildRequires:  pkgconfig(Qt5DBus) >= 5.2.0
 BuildRequires:  pkgconfig(Qt5Gui) >= 5.2.0

From ae8ccccfa0b4cae2342beac529c497bd0ba641c0cce252ab86bc786ba7255716 Mon Sep 17 00:00:00 2001
From: Hrvoje Senjan <hrvoje.senjan@gmail.com>
Date: Tue, 22 Apr 2014 19:18:18 +0000
Subject: [PATCH 3/7] OBS-URL:
 https://build.opensuse.org/package/show/KDE:Frameworks5/kinit?expand=0&rev=20

---
 ...ties-instead-of-SUID-where-available.patch | 201 ------------------
 disable-OOM-protection.patch                  |  13 ++
 kinit.changes                                 |   7 +-
 kinit.spec                                    |  21 +-
 4 files changed, 21 insertions(+), 221 deletions(-)
 delete mode 100644 0001-Use-capabilities-instead-of-SUID-where-available.patch
 create mode 100644 disable-OOM-protection.patch

diff --git a/0001-Use-capabilities-instead-of-SUID-where-available.patch b/0001-Use-capabilities-instead-of-SUID-where-available.patch
deleted file mode 100644
index a5b4855..0000000
--- a/0001-Use-capabilities-instead-of-SUID-where-available.patch
+++ /dev/null
@@ -1,201 +0,0 @@
-From ff991d84b66b7aa68c6f24f3ec4b0e35b830a789 Mon Sep 17 00:00:00 2001
-From: Hrvoje Senjan <hrvoje.senjan@gmail.com>
-Date: Fri, 11 Apr 2014 17:41:46 +0200
-Subject: [PATCH 1/1] Use capabilities instead of SUID where available
-
-This requires that both libcap libraries and setcap
-executable are found during build, otherwise the old
-procedure of SUID is used
-
-CCMAIL: krahmer@suse.com
-CCMAIL: kde-packager@kde.org
-
-REVIEW: 117125
-(cherry picked from commit e898d13b430692e775060d49342181192e122fdf)
----
- CMakeLists.txt                    | 11 +++++++-
- cmake/FindLibcap.cmake            | 59 +++++++++++++++++++++++++++++++++++++++
- src/config-kdeinit.h.cmake        |  1 +
- src/start_kdeinit/CMakeLists.txt  | 20 +++++++++----
- src/start_kdeinit/start_kdeinit.c | 14 ++++++++++
- 5 files changed, 99 insertions(+), 6 deletions(-)
- create mode 100644 cmake/FindLibcap.cmake
-
-diff --git a/CMakeLists.txt b/CMakeLists.txt
-index 8bd43d8..2ba9bbd 100644
---- a/CMakeLists.txt
-+++ b/CMakeLists.txt
-@@ -3,7 +3,7 @@ cmake_minimum_required(VERSION 2.8.12)
- project(KInit)
- 
- find_package(ECM 0.0.12 REQUIRED NO_MODULE)
--set(CMAKE_MODULE_PATH ${ECM_MODULE_PATH} ${ECM_KDE_MODULE_DIR})
-+set(CMAKE_MODULE_PATH ${ECM_MODULE_PATH} ${ECM_KDE_MODULE_DIR} ${CMAKE_CURRENT_SOURCE_DIR}/cmake)
- 
- set(REQUIRED_QT_VERSION "5.2")
- find_package(Qt5 "${REQUIRED_QT_VERSION}" CONFIG REQUIRED Core Gui DBus)
-@@ -50,6 +50,15 @@ if("${CMAKE_BINARY_DIR}" STREQUAL "${CMAKE_CURRENT_BINARY_DIR}")
-   # Remove when we depend on CMake 3.0.0
- endif()
- 
-+if (NOT WIN32)
-+find_package(Libcap)
-+set_package_properties(Libcap PROPERTIES
-+                       TYPE OPTIONAL
-+                       PURPOSE "KInit needs setcap in order to install start_kdeinit with CAP_SYS_RESOURCE capabilities"
-+                      )
-+endif ()
-+set(HAVE_CAPABILITIES ${Libcap_FOUND})
-+
- set(CMAKECONFIG_INSTALL_DIR "${CMAKECONFIG_INSTALL_PREFIX}/KF5Init")
- ecm_configure_package_config_file(
-   "${CMAKE_CURRENT_SOURCE_DIR}/KF5InitConfig.cmake.in"
-diff --git a/cmake/FindLibcap.cmake b/cmake/FindLibcap.cmake
-new file mode 100644
-index 0000000..4a32446
---- /dev/null
-+++ b/cmake/FindLibcap.cmake
-@@ -0,0 +1,59 @@
-+# Try to find the setcap binary and cap libraries
-+#
-+# This will define:
-+#
-+#   Libcap_FOUND           - system has the cap library and setcap binary
-+#   Libcap_LIBRARIES       - cap libraries to link against
-+#   SETCAP_EXECUTABLE      - path of the setcap binary
-+# In addition, the following targets are defined:
-+#
-+#   Libcap::SetCapabilities
-+#
-+
-+
-+# Copyright (c) 2014, Hrvoje Senjan, <hrvoje.senjan@gmail.com>
-+#
-+# Redistribution and use in source and binary forms, with or without
-+# modification, are permitted provided that the following conditions
-+# are met:
-+#
-+# 1. Redistributions of source code must retain the copyright
-+#    notice, this list of conditions and the following disclaimer.
-+# 2. Redistributions in binary form must reproduce the copyright
-+#    notice, this list of conditions and the following disclaimer in the
-+#    documentation and/or other materials provided with the distribution.
-+# 3. The name of the author may not be used to endorse or promote products
-+#    derived from this software without specific prior written permission.
-+#
-+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
-+# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
-+# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
-+# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
-+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
-+# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-+
-+find_program(SETCAP_EXECUTABLE NAMES setcap DOC "The setcap executable")
-+
-+find_library(Libcap_LIBRARIES NAMES cap DOC "The cap (capabilities) library")
-+
-+include(FindPackageHandleStandardArgs)
-+find_package_handle_standard_args(Libcap FOUND_VAR Libcap_FOUND
-+                                      REQUIRED_VARS SETCAP_EXECUTABLE Libcap_LIBRARIES)
-+
-+if(Libcap_FOUND AND NOT TARGET Libcap::SetCapabilities)
-+    add_executable(Libcap::SetCapabilities IMPORTED)
-+    set_target_properties(Libcap::SetCapabilities PROPERTIES
-+        IMPORTED_LOCATION "${SETCAP_EXECUTABLE}"
-+    )
-+endif()
-+
-+mark_as_advanced(SETCAP_EXECUTABLE Libcap_LIBRARIES)
-+
-+include(FeatureSummary)
-+set_package_properties(Libcap PROPERTIES
-+    URL https://sites.google.com/site/fullycapable/
-+    DESCRIPTION "Capabilities are a measure to limit the omnipotence of the superuser.")
-diff --git a/src/config-kdeinit.h.cmake b/src/config-kdeinit.h.cmake
-index c89c713..8f162fa 100644
---- a/src/config-kdeinit.h.cmake
-+++ b/src/config-kdeinit.h.cmake
-@@ -13,6 +13,7 @@
- #cmakedefine01 CAN_CLOBBER_ARGV
- 
- #cmakedefine01 HAVE_X11
-+#cmakedefine01 HAVE_CAPABILITIES
- #cmakedefine01 HAVE_SYS_SELECT_H
- 
- /* for start_kdeinit */
-diff --git a/src/start_kdeinit/CMakeLists.txt b/src/start_kdeinit/CMakeLists.txt
-index 6bfc496..8f52ea9 100644
---- a/src/start_kdeinit/CMakeLists.txt
-+++ b/src/start_kdeinit/CMakeLists.txt
-@@ -5,10 +5,20 @@ install(TARGETS start_kdeinit DESTINATION ${LIBEXEC_INSTALL_DIR})
- install(TARGETS start_kdeinit_wrapper DESTINATION ${LIBEXEC_INSTALL_DIR})
- 
- if (CMAKE_SYSTEM_NAME MATCHES Linux)
--    MESSAGE(STATUS "Using setuid root kdeinit wrapper in order to protect it from bad Linux OOM-killer")
--    set(KDEINIT_OOM_PROTECT 1)
--    install(CODE "
--      set(START_KDEINIT_PATH \"\$ENV{DESTDIR}${CMAKE_INSTALL_PREFIX}/${LIBEXEC_INSTALL_DIR}/start_kdeinit\")
--        EXECUTE_PROCESS(COMMAND sh -c \"chown 0 '\${START_KDEINIT_PATH}' && chmod u+s '\${START_KDEINIT_PATH}'\")
-+   set(KDEINIT_OOM_PROTECT 1)
-+       if (Libcap_FOUND)
-+          message(STATUS "Using capabilities kdeinit wrapper in order to protect it from bad Linux OOM-killer")
-+                  install( CODE "execute_process(
-+                          COMMAND
-+                                 ${SETCAP_EXECUTABLE}
-+                                 CAP_SYS_RESOURCE=+ep
-+                                 $ENV{DESTDIR}${CMAKE_INSTALL_PREFIX}/${LIBEXEC_INSTALL_DIR}/start_kdeinit)"
-+                )
-+       else()
-+          message(STATUS "Using setuid root kdeinit wrapper in order to protect it from bad Linux OOM-killer")
-+                  install(CODE "
-+                  set(START_KDEINIT_PATH \"\$ENV{DESTDIR}${CMAKE_INSTALL_PREFIX}/${LIBEXEC_INSTALL_DIR}/start_kdeinit\")
-+                  EXECUTE_PROCESS(COMMAND sh -c \"chown 0 '\${START_KDEINIT_PATH}' && chmod u+s '\${START_KDEINIT_PATH}'\")
-     ")
-+       endif ()
- endif ()
-diff --git a/src/start_kdeinit/start_kdeinit.c b/src/start_kdeinit/start_kdeinit.c
-index 3c733e7..07a28d3 100644
---- a/src/start_kdeinit/start_kdeinit.c
-+++ b/src/start_kdeinit/start_kdeinit.c
-@@ -27,6 +27,9 @@
- #include <string.h>
- #include <sys/stat.h>
- #include <unistd.h>
-+#if HAVE_CAPABILITIES
-+#include <sys/capability.h>
-+#endif
- 
- #define EXECUTE CMAKE_INSTALL_PREFIX"/"BIN_INSTALL_DIR "/kdeinit5"
- 
-@@ -98,6 +101,9 @@ int main(int argc, char **argv)
-     unsigned i;
-     char **orig_environ = NULL;
-     char header[ 7 ];
-+#if HAVE_CAPABILITIES
-+    cap_t caps;
-+#endif
-     if (pipe(pipes) < 0) {
-         perror("pipe()");
-         return 1;
-@@ -111,6 +117,14 @@ int main(int argc, char **argv)
-         perror("fork()");
-         return 1;
-     default: /* parent, drop privileges and exec */
-+#if HAVE_CAPABILITIES
-+        caps = cap_init();
-+        if (cap_set_proc(caps) < 0) {
-+            perror("cap_set_proc()");
-+            return 1;
-+        }
-+        cap_free(caps);
-+#endif
-         if (setgid(getgid())) {
-             perror("setgid()");
-             return 1;
--- 
-1.9.1
-
diff --git a/disable-OOM-protection.patch b/disable-OOM-protection.patch
new file mode 100644
index 0000000..f93c79f
--- /dev/null
+++ b/disable-OOM-protection.patch
@@ -0,0 +1,13 @@
+diff --git a/src/start_kdeinit/CMakeLists.txt b/src/start_kdeinit/CMakeLists.txt
+index 6bfc496..ae8916e 100644
+--- a/src/start_kdeinit/CMakeLists.txt
++++ b/src/start_kdeinit/CMakeLists.txt
+@@ -4,7 +4,7 @@ add_executable(start_kdeinit_wrapper start_kdeinit_wrapper.c)
+ install(TARGETS start_kdeinit DESTINATION ${LIBEXEC_INSTALL_DIR})
+ install(TARGETS start_kdeinit_wrapper DESTINATION ${LIBEXEC_INSTALL_DIR})
+ 
+-if (CMAKE_SYSTEM_NAME MATCHES Linux)
++if (0)
+     MESSAGE(STATUS "Using setuid root kdeinit wrapper in order to protect it from bad Linux OOM-killer")
+     set(KDEINIT_OOM_PROTECT 1)
+     install(CODE "
diff --git a/kinit.changes b/kinit.changes
index c0d6a5c..273d5d2 100644
--- a/kinit.changes
+++ b/kinit.changes
@@ -1,9 +1,8 @@
 -------------------------------------------------------------------
-Fri Apr 11 16:40:42 UTC 2014 - hrvoje.senjan@gmail.com
+Tue Apr 22 19:17:57 UTC 2014 - hrvoje.senjan@gmail.com
 
-- Added 0001-Use-capabilities-instead-of-SUID-where-available.patch,
-  set permissions accordingly, and add libcap-devel/libcap-progs
-  BuildRequires, bnc#862953
+- Added disable-OOM-protection.patch: it was not proved to be
+  needed feature, and create potential security risk, bnc#862953
 
 -------------------------------------------------------------------
 Sat Mar 29 19:47:41 UTC 2014 - hrvoje.senjan@gmail.com
diff --git a/kinit.spec b/kinit.spec
index a0da12a..f3170df 100644
--- a/kinit.spec
+++ b/kinit.spec
@@ -28,22 +28,18 @@ BuildRequires:  ki18n-devel >= %{_kf5_version}
 BuildRequires:  kio-devel >= %{_kf5_version}
 BuildRequires:  kservice-devel >= %{_kf5_version}
 BuildRequires:  kwindowsystem-devel >= %{_kf5_version}
-BuildRequires:  libcap-devel
-BuildRequires:  libcap-devel
-BuildRequires:  libcap-progs
 BuildRequires:  pkgconfig(Qt5Core) >= 5.2.0
 BuildRequires:  pkgconfig(Qt5DBus) >= 5.2.0
 BuildRequires:  pkgconfig(Qt5Gui) >= 5.2.0
 BuildRequires:  pkgconfig(Qt5Widgets) >= 5.2.0
 BuildRequires:  pkgconfig(x11)
-PreReq:         permissions
 Summary:        Helper library to speed up start of applications on KDE workspaces
 License:        LGPL-2.1+
 Group:          System/GUI/KDE
 Url:            http://www.kde.org
 Source0:        kinit-%{version}.tar.xz
-# PATCH-FIX-UPSTREAM 0001-Use-capabilities-instead-of-SUID-where-available.patch -- bnc#862953
-Patch0:         0001-Use-capabilities-instead-of-SUID-where-available.patch
+# PATCH-FIX-UPSTREAM disable-OOM-protection.patch -- it was not proved to be needed feature, and create potential security risk, bnc#862953
+Patch0:         disable-OOM-protection.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 
 %description
@@ -72,16 +68,9 @@ booting UNIX. Development files.
   %kf5_makeinstall -C build
   %fdupes -s %{buildroot}
 
-%post
-/sbin/ldconfig
+%post -p /sbin/ldconfig
 
-%set_permissions %{_kf5_libexecdir}/start_kdeinit
-
-%postun
-/sbin/ldconfig
-
-%verifyscript
-%verify_permissions -e %{_kf5_libexecdir}/start_kdeinit
+%postun -p /sbin/ldconfig
 
 %files
 %defattr(-,root,root)
@@ -93,7 +82,7 @@ booting UNIX. Development files.
 %{_kf5_libdir}/libkdeinit5_klauncher.so
 %{_kf5_libexecdir}/klauncher
 %{_kf5_bindir}/kshell5
-%verify(not mode caps) %caps(cap_sys_resource=ep) %attr(0755,root,root) %{_kf5_libexecdir}/start_kdeinit
+%{_kf5_libexecdir}/start_kdeinit
 %{_kf5_libexecdir}/start_kdeinit_wrapper
 
 %files devel

From 92266afe8847a1b5cd474a8929029a723744a1cf94b9b99348ca4d685a8387b2 Mon Sep 17 00:00:00 2001
From: Hrvoje Senjan <hrvoje.senjan@gmail.com>
Date: Tue, 22 Apr 2014 19:18:59 +0000
Subject: [PATCH 4/7] OBS-URL:
 https://build.opensuse.org/package/show/KDE:Frameworks5/kinit?expand=0&rev=21

---
 kinit.changes | 1 +
 1 file changed, 1 insertion(+)

diff --git a/kinit.changes b/kinit.changes
index 273d5d2..bbe8385 100644
--- a/kinit.changes
+++ b/kinit.changes
@@ -3,6 +3,7 @@ Tue Apr 22 19:17:57 UTC 2014 - hrvoje.senjan@gmail.com
 
 - Added disable-OOM-protection.patch: it was not proved to be
   needed feature, and create potential security risk, bnc#862953
+- Drop unused and commented out parts of the spec
 
 -------------------------------------------------------------------
 Sat Mar 29 19:47:41 UTC 2014 - hrvoje.senjan@gmail.com

From 5b1af5a99478c4a919b2d3fbd51513f7f89be819629f44d5e5b3a3e558c9c7fb Mon Sep 17 00:00:00 2001
From: Hrvoje Senjan <hrvoje.senjan@gmail.com>
Date: Tue, 22 Apr 2014 19:25:01 +0000
Subject: [PATCH 5/7] OBS-URL:
 https://build.opensuse.org/package/show/KDE:Frameworks5/kinit?expand=0&rev=22

---
 kinit.changes | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kinit.changes b/kinit.changes
index bbe8385..9386c31 100644
--- a/kinit.changes
+++ b/kinit.changes
@@ -2,7 +2,7 @@
 Tue Apr 22 19:17:57 UTC 2014 - hrvoje.senjan@gmail.com
 
 - Added disable-OOM-protection.patch: it was not proved to be
-  needed feature, and create potential security risk, bnc#862953
+  needed feature, and creates potential security risk, bnc#862953
 - Drop unused and commented out parts of the spec
 
 -------------------------------------------------------------------

From 7066fc638a333c4d434299e38fc36bf369acde2e7b47f96cbe1d10c84caf8c6e Mon Sep 17 00:00:00 2001
From: Hrvoje Senjan <hrvoje.senjan@gmail.com>
Date: Sun, 4 May 2014 01:36:07 +0000
Subject: [PATCH 6/7] OBS-URL:
 https://build.opensuse.org/package/show/KDE:Frameworks5/kinit?expand=0&rev=23

---
 kinit.spec | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/kinit.spec b/kinit.spec
index f3170df..09bcf56 100644
--- a/kinit.spec
+++ b/kinit.spec
@@ -17,14 +17,15 @@
 
 
 Name:           kinit
-Version:        4.98.0
+Version:        4.99.0
 Release:        0
 BuildRequires:  cmake >= 2.8.12
-BuildRequires:  extra-cmake-modules >= 0.0.12
+BuildRequires:  extra-cmake-modules >= 0.0.13
 BuildRequires:  fdupes
 BuildRequires:  kcrash-devel >= %{_kf5_version}
 BuildRequires:  kf5-filesystem
 BuildRequires:  ki18n-devel >= %{_kf5_version}
+BuildRequires:  kdoctools-devel >= %{_kf5_version}
 BuildRequires:  kio-devel >= %{_kf5_version}
 BuildRequires:  kservice-devel >= %{_kf5_version}
 BuildRequires:  kwindowsystem-devel >= %{_kf5_version}
@@ -84,6 +85,7 @@ booting UNIX. Development files.
 %{_kf5_bindir}/kshell5
 %{_kf5_libexecdir}/start_kdeinit
 %{_kf5_libexecdir}/start_kdeinit_wrapper
+%{_kf5_mandir}/man8/kdeinit5.*
 
 %files devel
 %defattr(-,root,root)

From 943f6481f7f0e2bba9945198f4097e6c80256141f3ec06aa016c43b12987088c Mon Sep 17 00:00:00 2001
From: Hrvoje Senjan <hrvoje.senjan@gmail.com>
Date: Mon, 5 May 2014 09:57:48 +0000
Subject: [PATCH 7/7] OBS-URL:
 https://build.opensuse.org/package/show/KDE:Frameworks5/kinit?expand=0&rev=24

---
 disable-OOM-protection.patch |  6 +++---
 kinit-4.99.0.tar.xz          |  3 +++
 kinit.changes                | 10 ++++++++++
 3 files changed, 16 insertions(+), 3 deletions(-)
 create mode 100644 kinit-4.99.0.tar.xz

diff --git a/disable-OOM-protection.patch b/disable-OOM-protection.patch
index f93c79f..15df0de 100644
--- a/disable-OOM-protection.patch
+++ b/disable-OOM-protection.patch
@@ -1,10 +1,10 @@
 diff --git a/src/start_kdeinit/CMakeLists.txt b/src/start_kdeinit/CMakeLists.txt
-index 6bfc496..ae8916e 100644
+index 73e50b8..e84e6a9 100644
 --- a/src/start_kdeinit/CMakeLists.txt
 +++ b/src/start_kdeinit/CMakeLists.txt
 @@ -4,7 +4,7 @@ add_executable(start_kdeinit_wrapper start_kdeinit_wrapper.c)
- install(TARGETS start_kdeinit DESTINATION ${LIBEXEC_INSTALL_DIR})
- install(TARGETS start_kdeinit_wrapper DESTINATION ${LIBEXEC_INSTALL_DIR})
+ install(TARGETS start_kdeinit DESTINATION ${KF5_LIBEXEC_INSTALL_DIR})
+ install(TARGETS start_kdeinit_wrapper DESTINATION ${KF5_LIBEXEC_INSTALL_DIR})
  
 -if (CMAKE_SYSTEM_NAME MATCHES Linux)
 +if (0)
diff --git a/kinit-4.99.0.tar.xz b/kinit-4.99.0.tar.xz
new file mode 100644
index 0000000..2821b10
--- /dev/null
+++ b/kinit-4.99.0.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d017bcadd4c089c7ee76a4a2a7d33a24479972c453be53119f70283cfa716d8f
+size 2792356
diff --git a/kinit.changes b/kinit.changes
index 9386c31..f8184ba 100644
--- a/kinit.changes
+++ b/kinit.changes
@@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Sun May  4 01:41:14 UTC 2014 - hrvoje.senjan@gmail.com
+
+- Update to 4.99.0
+  * API improvements and cleanups
+  * Buildsystem fixes
+  * For more details please see:
+    http://www.kde.org/announcements/announce-frameworks5-beta2.php
+- Added kdoctools-devel BuildRequires
+
 -------------------------------------------------------------------
 Tue Apr 22 19:17:57 UTC 2014 - hrvoje.senjan@gmail.com