From af47c28297ecc0b9b70fc787ca75cb321ea7e798 Mon Sep 17 00:00:00 2001 From: Willy Sudiarto Raharjo Date: Fri, 14 Feb 2014 19:23:05 +0700 Subject: [PATCH] Added note about how to fix gksu problem Signed-off-by: Willy Sudiarto Raharjo --- KNOWN_ISSUES.TXT | 40 ++++++++++++------- .../shadow-4.1.5.1_CVE-2005-4890_relax.diff | 35 ++++++++++++++++ 2 files changed, 61 insertions(+), 14 deletions(-) create mode 100644 testing/shadow/shadow-4.1.5.1_CVE-2005-4890_relax.diff diff --git a/KNOWN_ISSUES.TXT b/KNOWN_ISSUES.TXT index fa6266d..cce5f8a 100644 --- a/KNOWN_ISSUES.TXT +++ b/KNOWN_ISSUES.TXT @@ -1,5 +1,31 @@ The following is a list of known issues with MATE on Slackware: +Fri Feb 14 12:11:22 UTC 2014 +By default, gksu will not work in Slackware 14.1 since shadow has been patched +to fix security vulnerabilities, but this caused gksu to be broken. +See this thread on LQ for more information +http://www.linuxquestions.org/questions/slackware-14/%5Bslackware-14-1%5D-su-c-tty-hijacking-and-some-breakage-4175486942/ + +The solution for this problem is easy, but since it's not yet applied upstream, +we provided a simple fix from Mancha to fix this problem. + +Download the shadow source from Slackware mirror site such as +http://slackware.osuosl.org/slackware-14.1/source/a/shadow/ +or +http://slackware.osuosl.org/slackware64-14.1/source/a/shadow/ + +and also a patch included in testing/shadow and put it on the same folder. +Edit the shadow.SlackBuild and add this line +patch -p1 --verbose < $CWD/shadow-4.1.5.1_CVE-2005-4890_relax.diff || exit 1 + +before configure line and rebuild shadow package. +You can upgrade to the modified version by running: +upgradepkg /tmp/shadow-4.1.5.1-i486-2.tgz +or +upgradepkg /tmp/shadow-4.1.5.1-x86_64-2.tgz + +After upgrading to the modified version, gksu will work normally. + Fri Feb 14 11:02:15 UTC 2014 If you are encountering problems with multiple Caja instances during loading the MATE desktop, change this line in /usr/share/applications/caja.desktop @@ -18,15 +44,6 @@ and rebuild caja again. However, doing this will break gksu module in caja-extensions, so you can not run applications using root account from caja's context menu anymore. -Tue Dec 3 12:12:18 UTC 2013 -libgksu doesn't work anymore on Slackware 14.1 (and eventually -Current). -Possible workaround is to switch to root user using normal "su -" command. - -Note: -We don't think there will be a solution for this problem as gksu and libgksu -are no longer maintained upstream. We will probably drop this in future -releases. This will also effect caja-extensions which has gksu modules in it. - Mon Jun 10 03:09:28 UTC 2013 If you are encountering problems with Caja (MATE's file manager) opening directories when clicking on files in certain programs like Dropbox, Skype, @@ -67,11 +84,6 @@ your $HOME, like $HOME/.config and $HOME/.cache and $HOME/.local. If you switch back and forth between different desktop environments, sometimes those settings can get polluted. -Fri Mar 22 16:44:59 UTC 2013 -Help menus and help buttons do not work -- this is a known issue per a MATE -upstream developer and scheduled to be fixed at some point but not in the next -release (1.6). - Fri Mar 22 16:43:36 UTC 2013 Working to determine whether mate-polkit is necessary. According to upstream, it is, although it results in duplicative polkit actions when a USB stick is diff --git a/testing/shadow/shadow-4.1.5.1_CVE-2005-4890_relax.diff b/testing/shadow/shadow-4.1.5.1_CVE-2005-4890_relax.diff new file mode 100644 index 0000000..6c4d0d1 --- /dev/null +++ b/testing/shadow/shadow-4.1.5.1_CVE-2005-4890_relax.diff @@ -0,0 +1,35 @@ +From 0f6a809b7c4c9a8f4adb5b25808dd68000e17aa2 Mon Sep 17 00:00:00 2001 +From: mancha +Date: Wed, 04 Dec 2013 +Subject: restrict "su -c" only when callee is not root + +Shadow 4.1.5 addressed a tty-hijacking vulnerability in "su -c" +(CVE-2005-4890) by detaching the controlling terminal. + +Omni-directional protection is excessive and breaks commonly-used +methods for privilege escalation. Breakage is particularly severe +on non-PAM systems. + +This patch relaxes the restriction and only detaches the controlling +tty when the callee is not root. After all, we are not overly concerned +with root injecting commands to non-privileged users. + +--- + src/su.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/src/su.c ++++ b/src/su.c +@@ -1076,10 +1076,10 @@ int main (int argc, char **argv) + + set_environment (pw); + +- if (!doshell) { ++ if (!doshell && pw->pw_uid != 0) { + /* There is no need for a controlling terminal. + * This avoids the callee to inject commands on +- * the caller's tty. */ ++ * the caller's tty when the callee is not root. */ + int err = -1; + + #ifdef USE_PAM