From bf6608db2d98373ad8b385a6115ed214eded18cf450966dbff05a0ceb2f5dd54 Mon Sep 17 00:00:00 2001
From: Alexei Sorokin
Date: Mon, 6 Aug 2018 15:10:22 +0000
Subject: [PATCH 1/2] OBS-URL: https://build.opensuse.org/package/show/X11:Cinnamon:Factory/nemo-extensions?expand=0&rev=47
---
 nemo-extensions.changes | 7 +++++
 nemo-extensions.spec | 3 ++
 ...e-3.8.0-prevent-privilege-escalation.patch | 28 +++++++++++++++++++
 3 files changed, 38 insertions(+)
 create mode 100644 nemo-share-3.8.0-prevent-privilege-escalation.patch
diff --git a/nemo-extensions.changes b/nemo-extensions.changes
index c79501b..644a063 100644
--- a/nemo-extensions.changes
+++ b/nemo-extensions.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Mon Aug 6 14:09:43 UTC 2018 - sor.alexei@meowr.ru
+
+- Add nemo-share-3.8.0-prevent-privilege-escalation.patch: Prevent
+ unprivileged users from adding other users to sambashare
+ (commit a831e7b, bsc#1084703).
+
 -------------------------------------------------------------------
 Thu May 8 20:40:20 UTC 2018 - sor.alexei@meowr.ru
diff --git a/nemo-extensions.spec b/nemo-extensions.spec
index 3ee3b0a..ba0dddd 100644
--- a/nemo-extensions.spec
+++ b/nemo-extensions.spec
@@ -36,6 +36,8 @@ Patch1: nemo-dropbox_no-dropbox-bin.patch
 Patch2: nemo-seahorse_gpg-2.2.patch
 # PATCH-FIX-OPENSUSE nemo-gtkhash_openssl-1.1.patch sor.alexei@meowr.ru -- Add basic OpenSSL 1.1+ compatibility in nemo-gtkhash.
 Patch3: nemo-gtkhash_openssl-1.1.patch
+# PATCH-FIX-UPSTREAM nemo-share-3.8.0-prevent-privilege-escalation.patch bsc#1084703 -- Prevent unprivileged users from adding other users to sambashare (commit a831e7b).
+Patch4: nemo-share-3.8.0-prevent-privilege-escalation.patch
 BuildRequires: gettext-runtime
 BuildRequires: gnome-common
 BuildRequires: intltool
@@ -363,6 +365,7 @@ directory in Nemo.
 %patch1
 %patch2
 %patch3
+%patch4
 # Remove spurious executable permission.
 chmod a-x nemo-audio-tab/COPYING.GPL3 nemo-emblems/COPYING.GPL3
diff --git a/nemo-share-3.8.0-prevent-privilege-escalation.patch b/nemo-share-3.8.0-prevent-privilege-escalation.patch
new file mode 100644
index 0000000..956753c
--- /dev/null
+++ b/nemo-share-3.8.0-prevent-privilege-escalation.patch
@@ -0,0 +1,28 @@
+--- nemo-share.orig/src/install-samba
++++ nemo-share/src/install-samba
+@@ -33,12 +33,20 @@ class Main:
+ if __name__ == "__main__":
+ ml = GLib.MainLoop.new(None, True)
+
+- if len(sys.argv) == 2:
+- user = sys.argv[1]
+- else:
+- uid = int(os.getenv("PKEXEC_UID"))
++ # prefer using the uid provided by pkexec to the command line argument. if
++ # a user authenticated via pkexec then he should only be able to add
++ # himself to the group.
++ uid = os.getenv("PKEXEC_UID", None)
++
++ if uid != None:
++ uid = int(uid)
+ passwd = pwd.getpwuid(uid)
+ user = passwd[0]
++ elif len(sys.argv) == 2:
++ user = sys.argv[1]
++ else:
++ print("No target uid in environment or on command line found.")
++ exit(-1)
+
+ main = Main(user)
+ ml.run()
+
From fbd839e29e4e52fd32bd195aac866a6ff9e57558741fb5d3a57bd30fe3099a68 Mon Sep 17 00:00:00 2001
From: Alexei Sorokin
Date: Mon, 6 Aug 2018 15:44:30 +0000
Subject: [PATCH 2/2] OBS-URL: https://build.opensuse.org/package/show/X11:Cinnamon:Factory/nemo-extensions?expand=0&rev=48
---
 nemo-extensions.changes | 2 +-
 nemo-extensions.spec | 17 +++++++++++------
 ...emo-share-prevent-privilege-escalation.patch | 0
 3 files changed, 12 insertions(+), 7 deletions(-)
 rename nemo-share-3.8.0-prevent-privilege-escalation.patch => nemo-share-prevent-privilege-escalation.patch (100%)
diff --git a/nemo-extensions.changes b/nemo-extensions.changes
index 644a063..fdf96aa 100644
--- a/nemo-extensions.changes
+++ b/nemo-extensions.changes
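Review bot: In the patched `install-samba` entry block, the `elif len(sys.argv) == 2` fallback still passes `sys.argv[1]` to `Main` unvalidated whenever `PKEXEC_UID` is absent, so the "only add yourself" restriction holds only if pkexec is the sole privileged way to start this script; whether any other launcher exists is not visible here and should be confirmed. When `PKEXEC_UID` is set and a different name is also given on the command line, the argument is silently ignored; exiting with an error on a mismatch would make the attempt visible instead of hiding it. The `PKEXEC_UID` branch also lets `int(uid)` and `pwd.getpwuid(uid)` raise an uncaught `ValueError` or `KeyError`, which should be caught and turned into a clean non-zero exit. Smaller points: write `if uid is not None:` rather than `!= None`, and use `sys.exit(1)` with the message on stderr in place of `print(...)` followed by `exit(-1)`. The `if __name__` block and the `Main` class both begin outside the hunk, so what `Main` does with the name cannot be checked from here.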
@@ -1,7 +1,7 @@
 -------------------------------------------------------------------
 Mon Aug 6 14:09:43 UTC 2018 - sor.alexei@meowr.ru
-- Add nemo-share-3.8.0-prevent-privilege-escalation.patch: Prevent
+- Add nemo-share-prevent-privilege-escalation.patch: Prevent
 unprivileged users from adding other users to sambashare
 (commit a831e7b, bsc#1084703).
diff --git a/nemo-extensions.spec b/nemo-extensions.spec
index ba0dddd..a1e64bd 100644
--- a/nemo-extensions.spec
+++ b/nemo-extensions.spec
@@ -36,8 +36,8 @@ Patch1: nemo-dropbox_no-dropbox-bin.patch
 Patch2: nemo-seahorse_gpg-2.2.patch
 # PATCH-FIX-OPENSUSE nemo-gtkhash_openssl-1.1.patch sor.alexei@meowr.ru -- Add basic OpenSSL 1.1+ compatibility in nemo-gtkhash.
 Patch3: nemo-gtkhash_openssl-1.1.patch
-# PATCH-FIX-UPSTREAM nemo-share-3.8.0-prevent-privilege-escalation.patch bsc#1084703 -- Prevent unprivileged users from adding other users to sambashare (commit a831e7b).
-Patch4: nemo-share-3.8.0-prevent-privilege-escalation.patch
+# PATCH-FIX-UPSTREAM nemo-share-prevent-privilege-escalation.patch bsc#1084703 -- Prevent unprivileged users from adding other users to sambashare (commit a831e7b).
+Patch4: nemo-share-prevent-privilege-escalation.patch
 BuildRequires: gettext-runtime
 BuildRequires: gnome-common
 BuildRequires: intltool
@@ -53,9 +53,6 @@ BuildRequires: openssl-devel
 BuildRequires: pkgconfig
 BuildRequires: python-devel
 BuildRequires: python-gtk-devel
-BuildRequires: python2-distutils-extra
-BuildRequires: python2-docutils
-BuildRequires: python2-setuptools
 BuildRequires: update-desktop-files
 BuildRequires: pkgconfig(cinnamon-desktop)
 BuildRequires: pkgconfig(cjs-1.0)
@@ -78,6 +75,15 @@ BuildRequires: pkgconfig(pygobject-3.0)
 BuildRequires: pkgconfig(webkit2gtk-4.0)
 BuildRequires: pkgconfig(xreader-document-1.5)
 BuildRequires: pkgconfig(xreader-view-1.5)
+%if 0%{?suse_version} >= 1500
+BuildRequires: python2-distutils-extra
+BuildRequires: python2-docutils
+BuildRequires: python2-setuptools
+%else
+BuildRequires: python-distutils-extra
+BuildRequires: python-docutils
+BuildRequires: python-setuptools
+%endif
 %description
 Set of extensions for Nemo, the Cinnamon file manager.
@@ -94,7 +100,6 @@ Requires: nemo >= %{_version}
 # nemo-python was last used in openSUSE 13.2.
 Provides: nemo-python = %{version}
 Obsoletes: nemo-python < %{version}
-
 %if 0%{?suse_version} >= 1500
 Provides: python2-nemo-devel = %{version}
 # python-nemo was last used in openSUSE Leap 42.3.
diff --git a/nemo-share-3.8.0-prevent-privilege-escalation.patch b/nemo-share-prevent-privilege-escalation.patch
similarity index 100%
rename from nemo-share-3.8.0-prevent-privilege-escalation.patch
rename to nemo-share-prevent-privilege-escalation.patch