From f799bfd9f2f2cbaa279823792bc4955c717a7d17 Mon Sep 17 00:00:00 2001
From: Adam Williamson
Date: Sep 21 2021 19:17:10 +0000
Subject: Re-enable a workaround to fix g-i-s/gnome-keyring (#2005625)
This re-enables a workaround which upstream recently disabled for security reasons, but which is still currently needed for gnome-keyring to function properly during gnome-initial-setup. This should fix several bugs that were all consequences of gnome-keyring not working correctly:
https://bugzilla.redhat.com/show_bug.cgi?id=2004565
https://bugzilla.redhat.com/show_bug.cgi?id=2005625
https://bugzilla.redhat.com/show_bug.cgi?id=2006314
---
diff --git a/0001-Re-do-gdbus-Use-DBUS_SESSION_BUS_ADDRESS-if-AT_SECUR.patch b/0001-Re-do-gdbus-Use-DBUS_SESSION_BUS_ADDRESS-if-AT_SECUR.patch
new file mode 100644
index 0000000..bea27a4
--- /dev/null
+++ b/0001-Re-do-gdbus-Use-DBUS_SESSION_BUS_ADDRESS-if-AT_SECUR.patch
@@ -0,0 +1,61 @@
+From d7dcec0e801fb1b78cc4e77b1a9d3b7998291c68 Mon Sep 17 00:00:00 2001
+From: Adam Williamson
+Date: Tue, 21 Sep 2021 12:09:06 -0700
+Subject: [PATCH] Re-do "gdbus: Use DBUS_SESSION_BUS_ADDRESS if AT_SECURE but
+ not setuid""
+
+This reverts commit 0f9c7ed0219cc182a183ba78245f3b461fd664e6,
+which reverted commit 7aa0580cc559148e0f4646461a42102bd98228b6,
+so we go back to allowing this workaround. gnome-keyring still
+needs it to work correctly during gnome-initial-setup on Fedora,
+and when it doesn't work correctly, there are several major
+consequences:
+
+https://bugzilla.redhat.com/show_bug.cgi?id=2004565
+https://bugzilla.redhat.com/show_bug.cgi?id=2005625
+https://bugzilla.redhat.com/show_bug.cgi?id=2006314
+---
+ gio/gdbusaddress.c | 26 ++++++++++++++++++++++++--
+ 1 file changed, 24 insertions(+), 2 deletions(-)
+
+diff --git a/gio/gdbusaddress.c b/gio/gdbusaddress.c
+index 48c766682..f873be282 100644
+--- a/gio/gdbusaddress.c
++++ b/gio/gdbusaddress.c
+@@ -1343,9 +1343,31 @@ g_dbus_address_get_for_bus_sync (GBusType bus_type,
+ 
+ case G_BUS_TYPE_SESSION:
+ if (has_elevated_privileges)
+- ret = NULL;
++ {
++#ifdef G_OS_UNIX
++ if (geteuid () == getuid ())
++ {
++ /* Ideally we shouldn't do this, because setgid and
++ * filesystem capabilities are also elevated privileges
++ * with which we should not be trusting environment variables
++ * from the caller. Unfortunately, there are programs with
++ * elevated privileges that rely on the session bus being
++ * available. We already prevent the really dangerous
++ * transports like autolaunch: and unixexec: when our
++ * privileges are elevated, so this can only make us connect
++ * to the wrong AF_UNIX or TCP socket. */
++ ret = g_strdup (g_getenv ("DBUS_SESSION_BUS_ADDRESS"));
++ }
++ else
++#endif
++ {
++ ret = NULL;
++ }
++ }
+ else
+- ret = g_strdup (g_getenv ("DBUS_SESSION_BUS_ADDRESS"));
++ {
++ ret = g_strdup (g_getenv ("DBUS_SESSION_BUS_ADDRESS"));
++ }
+ 
+ if (ret == NULL)
+ {
+--
+2.32.0
+
diff --git a/glib2.spec b/glib2.spec
index bb807aa..53bc73d 100644
--- a/glib2.spec
+++ b/glib2.spec
@@ -17,6 +17,17 @@ Patch0: gnutls-hmac.patch
 # Proposed upstream at https://gitlab.gnome.org/GNOME/glib/-/merge_requests/1596
 Patch1: gdesktopappinfo.patch
 
+# Re-enable a workaround which has been disabled upstream for security
+# reasons, but which is still needed or else we have major problems
+# with gnome-keyring during gnome-initial-setup. Not upstreamable, we
+# need a better long-term fix. See:
+# https://gitlab.gnome.org/GNOME/glib/-/issues/2316
+# https://gitlab.gnome.org/GNOME/glib/-/merge_requests/2212
+# https://bugzilla.redhat.com/show_bug.cgi?id=2004565
+# https://bugzilla.redhat.com/show_bug.cgi?id=2005625
+# https://bugzilla.redhat.com/show_bug.cgi?id=2006314
+Patch2: 0001-Re-do-gdbus-Use-DBUS_SESSION_BUS_ADDRESS-if-AT_SECUR.patch
+
 BuildRequires: chrpath
 BuildRequires: gcc
 BuildRequires: gcc-c++
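Review bot: The re-enabled branch in the nested gdbusaddress.c hunk trusts DBUS_SESSION_BUS_ADDRESS whenever `geteuid () == getuid ()`, which, as the restored comment itself says, still includes setgid binaries and binaries carrying file capabilities, not only the "not setuid" case the subject line names. If gnome-keyring's AT_SECURE comes from file capabilities rather than from being setgid (not visible here, please confirm before relying on it), the condition can be narrowed to `if (geteuid () == getuid () && getegid () == getgid ())` without breaking the workaround while keeping setgid programs out of it. The comment's claim that autolaunch: and unixexec: transports are already rejected under elevated privileges rests on code outside this hunk, so naming the function that enforces it in the comment would let a later reader verify that the exposure really is limited to connecting to the wrong socket. The enclosing g_dbus_address_get_for_bus_sync starts and ends outside the hunk.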
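Review bot: The new comment above `Patch2:` records that upstream disabled the workaround for security reasons but not what is being re-exposed, which is what a future maintainer needs in order to judge when the patch can be dropped; suggest adding `# Re-trusts DBUS_SESSION_BUS_ADDRESS in AT_SECURE processes whose euid matches uid (setgid / file-capability binaries).` next to the existing links. Whether the patch is actually applied depends on the %prep section, which is outside this hunk; if it does not use %autosetup, a matching `%patch2 -p1` line is still needed.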