GNU bug report logs - #57881
[PATCH] gnu: hikari: only allow use setuid hikari-unlocker.

Package: guix-patches;

Reported by: 路辉 <luhux76 <at> gmail.com>

Date: Sat, 17 Sep 2022 12:24:02 UTC

Severity: normal

Tags: moreinfo, patch

To reply to this bug, email your comments to 57881 AT debbugs.gnu.org.


Report forwarded to guix-patches <at> gnu.org:
bug#57881; Package guix-patches. (Sat, 17 Sep 2022 12:24:02 GMT)

Acknowledgement sent to 路辉 <luhux76 <at> gmail.com>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Sat, 17 Sep 2022 12:24:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: 路辉 <luhux76 <at> gmail.com>
To: guix-patches <guix-patches <at> gnu.org>
Subject: [PATCH] gnu: hikari: only allow use setuid hikari-unlocker.
Date: Sat, 17 Sep 2022 12:23:45 +0000
hikari-unlocker needs setuid and PAM to work.

If hikari execs a non-setuid hikari-unlocker, such as
"$HOME/.guix-profile/bin/hikari-unlocker", it will cause hikari's
lock-mode to be unable to exit; one can only press the power button to exit it. :(

https://hikari.acmelabs.space/manpage.html

https://hub.darcs.net/raichoo/hikari/browse/src/lock_mode.c#71
[0001-gnu-hikari-only-allow-use-setuid-hikari-unlocker.patch (text/x-patch, attachment)]

Information forwarded to guix-patches <at> gnu.org:
bug#57881; Package guix-patches. (Sun, 18 Sep 2022 20:06:02 GMT)

Message #8 received at 57881 <at> debbugs.gnu.org:

From: Josselin Poiret <dev <at> jpoiret.xyz>
To: 路辉 <luhux76 <at> gmail.com>, 57881 <at> debbugs.gnu.org
Subject: Re: [bug#57881] [PATCH] gnu: hikari: only allow use setuid
 hikari-unlocker.
Date: Sun, 18 Sep 2022 22:05:04 +0200
Hi,

路辉 <luhux76 <at> gmail.com> writes:

> hikari-unlocker needs setuid and PAM to work.
>
> If hikari execs a non-setuid hikari-unlocker, such as
> "$HOME/.guix-profile/bin/hikari-unlocker", it will cause hikari's
> lock-mode to be unable to exit; one can only press the power button to exit it. :(
>
> https://hikari.acmelabs.space/manpage.html
>
> https://hub.darcs.net/raichoo/hikari/browse/src/lock_mode.c#71
> From d1bedbc3c850cf0a60b182999c229079bad9cd99 Mon Sep 17 00:00:00 2001
> From: Lu Hui <luhux76 <at> gmail.com>
> Date: Sat, 17 Sep 2022 20:10:34 +0800
> Subject: [PATCH] gnu: hikari: only allow use setuid hikari-unlocker.
>
> * gnu/packages/wm.scm (hikari)
> [phases]{force-use-setuid-unlocker}: replace "sh -c hikari-unlocker" to
> "/run/setuid-programs/hikari-unlocker"

On Guix system, /run/setuid-programs/ should be in front of whatever
profiles you're using in your PATH, otherwise it will be shadowed by
them.  With the default profile loading code in /etc/profile, this
should be what happens but there might be issues with any non-default
setup (i.e. package not installed in the ~/.guix-profile/).

To be honest, I'm not happy with hardcoding
/run/setuid-programs/hikari-unlocker, since it won't work on foreign
distros.

Shouldn't we rather report this issue upstream?  I'm under the
impression that the locker should detect that it isn't running suid and
not try to query PAM if it isn't able to, and instead fail and display
an error message or something similar.

Best,
-- 
Josselin Poiret
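
The PATH-ordering point in the reply above can be checked on a running system. The following is an added example, not part of the thread and not code from Guix or hikari; it assumes hikari starts the unlocker through a PATH lookup (the `sh -c hikari-unlocker` named in the commit message), and the function names `first_in_path` and `check_unlocker` are hypothetical. It tests only the setuid bit, not file ownership or the PAM configuration.

```shell
#!/bin/sh
# Added example (not from the thread): show which hikari-unlocker a PATH
# lookup such as `sh -c hikari-unlocker` selects, and whether it is setuid.

# first_in_path NAME [PATH-STRING]: print the first executable regular file
# NAME found walking the PATH string left to right, as the shell does.
first_in_path() {
    name=$1
    search=${2-$PATH}
    old_ifs=$IFS
    IFS=:
    set -f                        # no globbing while splitting on ':'
    for dir in $search; do
        [ -n "$dir" ] || dir=.    # an empty PATH entry means the current dir
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            IFS=$old_ifs; set +f
            printf '%s\n' "$dir/$name"
            return 0
        fi
    done
    IFS=$old_ifs; set +f
    return 1
}

# check_unlocker [PATH-STRING]: print "<status> <file>".
# Returns 0 if the selected file has the setuid bit, 1 if not, 2 if none found.
check_unlocker() {
    if ! hit=$(first_in_path hikari-unlocker "${1-$PATH}"); then
        echo "missing -"
        return 2
    fi
    if [ -u "$hit" ]; then
        echo "setuid $hit"
        return 0
    fi
    echo "not-setuid $hit"
    return 1
}

# Report for the current environment; a profile directory listed before
# /run/setuid-programs shows up here as "not-setuid <profile path>".
check_unlocker "$PATH" ||
    echo "warning: PATH lookup does not reach a setuid hikari-unlocker" >&2
```
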




Information forwarded to guix-patches <at> gnu.org:
bug#57881; Package guix-patches. (Fri, 23 Sep 2022 02:31:02 GMT)

Message #11 received at 57881 <at> debbugs.gnu.org:

From: 路辉 <luhux76 <at> gmail.com>
To: Josselin Poiret <dev <at> jpoiret.xyz>
Cc: 57881 <at> debbugs.gnu.org
Subject: Re: [bug#57881] [PATCH] gnu: hikari: only allow use setuid
 hikari-unlocker.
Date: Fri, 23 Sep 2022 02:30:47 +0000
OK, I will take some time to fix it.

2022-09-18 20:05 GMT, Josselin Poiret <dev <at> jpoiret.xyz>:
> Hi,
>
> 路辉 <luhux76 <at> gmail.com> writes:
>
>> hikari-unlocker needs setuid and PAM to work.
>>
>> If hikari execs a non-setuid hikari-unlocker, such as
>> "$HOME/.guix-profile/bin/hikari-unlocker", it will cause hikari's
>> lock-mode to be unable to exit; one can only press the power button to exit it. :(
>>
>> https://hikari.acmelabs.space/manpage.html
>>
>> https://hub.darcs.net/raichoo/hikari/browse/src/lock_mode.c#71
>> From d1bedbc3c850cf0a60b182999c229079bad9cd99 Mon Sep 17 00:00:00 2001
>> From: Lu Hui <luhux76 <at> gmail.com>
>> Date: Sat, 17 Sep 2022 20:10:34 +0800
>> Subject: [PATCH] gnu: hikari: only allow use setuid hikari-unlocker.
>>
>> * gnu/packages/wm.scm (hikari)
>> [phases]{force-use-setuid-unlocker}: replace "sh -c hikari-unlocker" to
>> "/run/setuid-programs/hikari-unlocker"
>
> On Guix system, /run/setuid-programs/ should be in front of whatever
> profiles you're using in your PATH, otherwise it will be shadowed by
> them.  With the default profile loading code in /etc/profile, this
> should be what happens but there might be issues with any non-default
> setup (i.e. package not installed in the ~/.guix-profile/).
>
> To be honest, I'm not happy with hardcoding
> /run/setuid-programs/hikari-unlocker, since it won't work on foreign
> distros.
>
> Shouldn't we rather report this issue upstream?  I'm under the
> impression that the locker should detect that it isn't running suid and
> not try to query PAM if it isn't able to, and instead fail and display
> an error message or something similar.
>
> Best,
> --
> Josselin Poiret
>




Added tag(s) moreinfo. Request was from Christopher Baines <mail <at> cbaines.net> to control <at> debbugs.gnu.org. (Thu, 06 Oct 2022 13:59:01 GMT)

This bug report was last modified 2 years and 255 days ago.
