Accepting request 627732 from X11:Cinnamon:Factory

OBS-URL: https://build.opensuse.org/request/show/627732
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/nemo-extensions?expand=0&rev=12

nemo-extensions.changes

@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Mon Aug  6 14:09:43 UTC 2018 - sor.alexei@meowr.ru
+
+- Add nemo-share-prevent-privilege-escalation.patch: Prevent
+  unprivileged users from adding other users to sambashare
+  (commit a831e7b, bsc#1084703).
+
 -------------------------------------------------------------------
 Thu May  8 20:40:20 UTC 2018 - sor.alexei@meowr.ru
 

nemo-extensions.spec

@@ -36,6 +36,8 @@ Patch1:         nemo-dropbox_no-dropbox-bin.patch
 Patch2:         nemo-seahorse_gpg-2.2.patch
 # PATCH-FIX-OPENSUSE nemo-gtkhash_openssl-1.1.patch sor.alexei@meowr.ru -- Add basic OpenSSL 1.1+ compatibility in nemo-gtkhash.
 Patch3:         nemo-gtkhash_openssl-1.1.patch
+# PATCH-FIX-UPSTREAM nemo-share-prevent-privilege-escalation.patch bsc#1084703 -- Prevent unprivileged users from adding other users to sambashare (commit a831e7b).
+Patch4:         nemo-share-prevent-privilege-escalation.patch
 BuildRequires:  gettext-runtime
 BuildRequires:  gnome-common
 BuildRequires:  intltool
@@ -51,9 +53,6 @@ BuildRequires:  openssl-devel
 BuildRequires:  pkgconfig
 BuildRequires:  python-devel
 BuildRequires:  python-gtk-devel
-BuildRequires:  python2-distutils-extra
-BuildRequires:  python2-docutils
-BuildRequires:  python2-setuptools
 BuildRequires:  update-desktop-files
 BuildRequires:  pkgconfig(cinnamon-desktop)
 BuildRequires:  pkgconfig(cjs-1.0)
@@ -76,6 +75,15 @@ BuildRequires:  pkgconfig(pygobject-3.0)
 BuildRequires:  pkgconfig(webkit2gtk-4.0)
 BuildRequires:  pkgconfig(xreader-document-1.5)
 BuildRequires:  pkgconfig(xreader-view-1.5)
+%if 0%{?suse_version} >= 1500
+BuildRequires:  python2-distutils-extra
+BuildRequires:  python2-docutils
+BuildRequires:  python2-setuptools
+%else
+BuildRequires:  python-distutils-extra
+BuildRequires:  python-docutils
+BuildRequires:  python-setuptools
+%endif
 
 %description
 Set of extensions for Nemo, the Cinnamon file manager.
@@ -92,7 +100,6 @@ Requires:       nemo >= %{_version}
 # nemo-python was last used in openSUSE 13.2.
 Provides:       nemo-python = %{version}
 Obsoletes:      nemo-python < %{version}
-
 %if 0%{?suse_version} >= 1500
 Provides:       python2-nemo-devel = %{version}
 # python-nemo was last used in openSUSE Leap 42.3.
@@ -363,6 +370,7 @@ directory in Nemo.
 %patch1
 %patch2
 %patch3
+%patch4
 # Remove spurious executable permission.
 chmod a-x nemo-audio-tab/COPYING.GPL3 nemo-emblems/COPYING.GPL3
 

nemo-share-prevent-privilege-escalation.patch

@@ -0,0 +1,28 @@
+--- nemo-share.orig/src/install-samba
++++ nemo-share/src/install-samba
+@@ -33,12 +33,20 @@ class Main:
+ if __name__ == "__main__":
+     ml = GLib.MainLoop.new(None, True)
+ 
+-    if len(sys.argv) == 2:
+-        user = sys.argv[1]
+-    else:
+-        uid = int(os.getenv("PKEXEC_UID"))
++    # prefer using the uid provided by pkexec to the command line argument. if
++    # a user authenticated via pkexec then he should only be able to add
++    # himself to the group.
++    uid = os.getenv("PKEXEC_UID", None)
++
++    if uid != None:
++        uid = int(uid)
+         passwd = pwd.getpwuid(uid)
+         user = passwd[0]
++    elif len(sys.argv) == 2:
++        user = sys.argv[1]
++    else:
++        print("No target uid in environment or on command line found.")
++        exit(-1)
+ 
+     main = Main(user)
+     ml.run()
+