Remove workaround for gnome-keyring
We'll use this workaround to ship Fedora 35 Beta, and we might even leave it in F35 indefinitely since there is no particularly urgent reason to remove it, but let's not carry it in rawhide. I have done a new gnome-keyring build that should avoid the need for this workaround, so it should no longer be needed to avoid breakage in rawhide.
parent
f799bfd9f2
commit
a4640c18cd
@ -1,61 +0,0 @@
|
||||
From d7dcec0e801fb1b78cc4e77b1a9d3b7998291c68 Mon Sep 17 00:00:00 2001
|
||||
From: Adam Williamson <awilliam@redhat.com>
|
||||
Date: Tue, 21 Sep 2021 12:09:06 -0700
|
||||
Subject: [PATCH] Re-do "gdbus: Use DBUS_SESSION_BUS_ADDRESS if AT_SECURE but
|
||||
not setuid""
|
||||
|
||||
This reverts commit 0f9c7ed0219cc182a183ba78245f3b461fd664e6,
|
||||
which reverted commit 7aa0580cc559148e0f4646461a42102bd98228b6,
|
||||
so we go back to allowing this workaround. gnome-keyring still
|
||||
needs it to work correctly during gnome-initial-setup on Fedora,
|
||||
and when it doesn't work correctly, there are several major
|
||||
consequences:
|
||||
|
||||
https://bugzilla.redhat.com/show_bug.cgi?id=2004565
|
||||
https://bugzilla.redhat.com/show_bug.cgi?id=2005625
|
||||
https://bugzilla.redhat.com/show_bug.cgi?id=2006314
|
||||
---
|
||||
gio/gdbusaddress.c | 26 ++++++++++++++++++++++++--
|
||||
1 file changed, 24 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/gio/gdbusaddress.c b/gio/gdbusaddress.c
|
||||
index 48c766682..f873be282 100644
|
||||
--- a/gio/gdbusaddress.c
|
||||
+++ b/gio/gdbusaddress.c
|
||||
@@ -1343,9 +1343,31 @@ g_dbus_address_get_for_bus_sync (GBusType bus_type,
|
||||
|
||||
case G_BUS_TYPE_SESSION:
|
||||
if (has_elevated_privileges)
|
||||
- ret = NULL;
|
||||
+ {
|
||||
+#ifdef G_OS_UNIX
|
||||
+ if (geteuid () == getuid ())
|
||||
+ {
|
||||
+ /* Ideally we shouldn't do this, because setgid and
|
||||
+ * filesystem capabilities are also elevated privileges
|
||||
+ * with which we should not be trusting environment variables
|
||||
+ * from the caller. Unfortunately, there are programs with
|
||||
+ * elevated privileges that rely on the session bus being
|
||||
+ * available. We already prevent the really dangerous
|
||||
+ * transports like autolaunch: and unixexec: when our
|
||||
+ * privileges are elevated, so this can only make us connect
|
||||
+ * to the wrong AF_UNIX or TCP socket. */
|
||||
+ ret = g_strdup (g_getenv ("DBUS_SESSION_BUS_ADDRESS"));
|
||||
+ }
|
||||
+ else
|
||||
+#endif
|
||||
+ {
|
||||
+ ret = NULL;
|
||||
+ }
|
||||
+ }
|
||||
else
|
||||
- ret = g_strdup (g_getenv ("DBUS_SESSION_BUS_ADDRESS"));
|
||||
+ {
|
||||
+ ret = g_strdup (g_getenv ("DBUS_SESSION_BUS_ADDRESS"));
|
||||
+ }
|
||||
|
||||
if (ret == NULL)
|
||||
{
|
||||
--
|
||||
2.32.0
|
||||
|
11
glib2.spec
@ -17,17 +17,6 @@ Patch0: gnutls-hmac.patch
|
||||
# Proposed upstream at https://gitlab.gnome.org/GNOME/glib/-/merge_requests/1596
|
||||
Patch1: gdesktopappinfo.patch
|
||||
|
||||
# Re-enable a workaround which has been disabled upstream for security
|
||||
# reasons, but which is still needed or else we have major problems
|
||||
# with gnome-keyring during gnome-initial-setup. Not upstreamable, we
|
||||
# need a better long-term fix. See:
|
||||
# https://gitlab.gnome.org/GNOME/glib/-/issues/2316
|
||||
# https://gitlab.gnome.org/GNOME/glib/-/merge_requests/2212
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2004565
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2005625
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2006314
|
||||
Patch2: 0001-Re-do-gdbus-Use-DBUS_SESSION_BUS_ADDRESS-if-AT_SECUR.patch
|
||||
|
||||
BuildRequires: chrpath
|
||||
BuildRequires: gcc
|
||||
BuildRequires: gcc-c++
|
||||
|