Stop using pkexec for grub2-set-bootflag
Stop using pkexec for grub2-set-bootflag, it does not work under gdm instead make it suid root (it was written with this in mind) Signed-off-by: Peter Jones <pjones@redhat.com>
This commit is contained in:
		
							parent
							
								
									e30274adfa
								
							
						
					
					
						commit
						ace3c257a6
					
				| @ -0,0 +1,69 @@ | |||||||
|  | From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 | ||||||
|  | From: Hans de Goede <hdegoede@redhat.com> | ||||||
|  | Date: Fri, 14 Sep 2018 16:39:40 +0200 | ||||||
|  | Subject: [PATCH] docs: Stop using polkit / pkexec for grub-boot-success.timer | ||||||
|  |  / service | ||||||
|  | 
 | ||||||
|  | We also want to call grub2-set-bootflag under gdm and pkexec does not | ||||||
|  | work under gdm because the gdm user has /sbin/nologin as shell. | ||||||
|  | 
 | ||||||
|  | So instead we are going to install grub2-set-bootflag as suid root, | ||||||
|  | grub2-set-bootflag was written with this usage in mind, so is safe | ||||||
|  | to be made suid root. | ||||||
|  | 
 | ||||||
|  | Signed-off-by: Hans de Goede <hdegoede@redhat.com> | ||||||
|  | ---
 | ||||||
|  |  docs/grub-boot-success.service |  2 +- | ||||||
|  |  docs/grub-boot-success.timer   |  1 - | ||||||
|  |  docs/org.gnu.grub.policy       | 20 -------------------- | ||||||
|  |  3 files changed, 1 insertion(+), 22 deletions(-) | ||||||
|  |  delete mode 100644 docs/org.gnu.grub.policy | ||||||
|  | 
 | ||||||
|  | diff --git a/docs/grub-boot-success.service b/docs/grub-boot-success.service
 | ||||||
|  | index c8c91c34d49..80e79584c91 100644
 | ||||||
|  | --- a/docs/grub-boot-success.service
 | ||||||
|  | +++ b/docs/grub-boot-success.service
 | ||||||
|  | @@ -3,4 +3,4 @@ Description=Mark boot as successful
 | ||||||
|  |   | ||||||
|  |  [Service] | ||||||
|  |  Type=oneshot | ||||||
|  | -ExecStart=/usr/bin/pkexec /usr/sbin/grub2-set-bootflag boot_success
 | ||||||
|  | +ExecStart=/usr/sbin/grub2-set-bootflag boot_success
 | ||||||
|  | diff --git a/docs/grub-boot-success.timer b/docs/grub-boot-success.timer
 | ||||||
|  | index 67bd829b795..5d8fcba21aa 100644
 | ||||||
|  | --- a/docs/grub-boot-success.timer
 | ||||||
|  | +++ b/docs/grub-boot-success.timer
 | ||||||
|  | @@ -1,7 +1,6 @@
 | ||||||
|  |  [Unit] | ||||||
|  |  Description=Mark boot as successful after the user session has run 2 minutes | ||||||
|  |  ConditionUser=!@system | ||||||
|  | -ConditionPathExists=/usr/bin/pkexec
 | ||||||
|  |   | ||||||
|  |  [Timer] | ||||||
|  |  OnActiveSec=2min | ||||||
|  | diff --git a/docs/org.gnu.grub.policy b/docs/org.gnu.grub.policy
 | ||||||
|  | deleted file mode 100644 | ||||||
|  | index 18391efc8e7..00000000000
 | ||||||
|  | --- a/docs/org.gnu.grub.policy
 | ||||||
|  | +++ /dev/null
 | ||||||
|  | @@ -1,20 +0,0 @@
 | ||||||
|  | -<?xml version="1.0" encoding="UTF-8"?>
 | ||||||
|  | -<!DOCTYPE policyconfig PUBLIC "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN" "http://www.freedesktop.org/standards/PolicyKit/1.0/policyconfig.dtd">
 | ||||||
|  | -<policyconfig>
 | ||||||
|  | -  <vendor>GNU GRUB</vendor>
 | ||||||
|  | -  <vendor_url>https://www.gnu.org/software/grub/</vendor_url>
 | ||||||
|  | -  <action id="org.gnu.grub.set-bootflag">
 | ||||||
|  | -    <!-- SECURITY:
 | ||||||
|  | -          - A normal active user on the local machine does not need permission
 | ||||||
|  | -            to set bootflags to show the menu / mark current boot successful.
 | ||||||
|  | -     -->
 | ||||||
|  | -    <description>Set GRUB bootflags</description>
 | ||||||
|  | -    <message>Authentication is required to modify the bootloaders bootflags</message>
 | ||||||
|  | -    <defaults>
 | ||||||
|  | -      <allow_any>no</allow_any>
 | ||||||
|  | -      <allow_inactive>no</allow_inactive>
 | ||||||
|  | -      <allow_active>yes</allow_active>
 | ||||||
|  | -    </defaults>
 | ||||||
|  | -    <annotate key="org.freedesktop.policykit.exec.path">/usr/sbin/grub2-set-bootflag</annotate>
 | ||||||
|  | -  </action>
 | ||||||
|  | -</policyconfig>
 | ||||||
| @ -244,3 +244,4 @@ Patch0243: 0243-x86-efi-Use-bounce-buffers-for-reading-to-addresses-.patch | |||||||
| Patch0244: 0244-x86-efi-Re-arrange-grub_cmd_linux-a-little-bit.patch | Patch0244: 0244-x86-efi-Re-arrange-grub_cmd_linux-a-little-bit.patch | ||||||
| Patch0245: 0245-x86-efi-Make-our-own-allocator-for-kernel-stuff.patch | Patch0245: 0245-x86-efi-Make-our-own-allocator-for-kernel-stuff.patch | ||||||
| Patch0246: 0246-x86-efi-Allow-initrd-params-cmdline-allocations-abov.patch | Patch0246: 0246-x86-efi-Allow-initrd-params-cmdline-allocations-abov.patch | ||||||
|  | Patch0247: 0247-docs-Stop-using-polkit-pkexec-for-grub-boot-success..patch | ||||||
|  | |||||||
							
								
								
									
										12
									
								
								grub2.spec
									
									
									
									
									
								
							
							
						
						
									
										12
									
								
								grub2.spec
									
									
									
									
									
								
							| @ -7,7 +7,7 @@ | |||||||
| Name:		grub2 | Name:		grub2 | ||||||
| Epoch:		1 | Epoch:		1 | ||||||
| Version:	2.02 | Version:	2.02 | ||||||
| Release:	58%{?dist} | Release:	59%{?dist} | ||||||
| Summary:	Bootloader with support for Linux, Multiboot and more | Summary:	Bootloader with support for Linux, Multiboot and more | ||||||
| Group:		System Environment/Base | Group:		System Environment/Base | ||||||
| License:	GPLv3+ | License:	GPLv3+ | ||||||
| @ -223,9 +223,6 @@ install -D -m 0755 -t %{buildroot}%{_prefix}/lib/kernel/install.d/ %{SOURCE9} | |||||||
| install -d -m 0755 %{buildroot}%{_sysconfdir}/kernel/install.d/ | install -d -m 0755 %{buildroot}%{_sysconfdir}/kernel/install.d/ | ||||||
| install -m 0644 /dev/null %{buildroot}%{_sysconfdir}/kernel/install.d/20-grubby.install | install -m 0644 /dev/null %{buildroot}%{_sysconfdir}/kernel/install.d/20-grubby.install | ||||||
| install -m 0644 /dev/null %{buildroot}%{_sysconfdir}/kernel/install.d/90-loaderentry.install | install -m 0644 /dev/null %{buildroot}%{_sysconfdir}/kernel/install.d/90-loaderentry.install | ||||||
| # Install grub2-set-bootflag polkit policy |  | ||||||
| install -D -m 0755 -t %{buildroot}%{_datadir}/polkit-1/actions \ |  | ||||||
| 	docs/org.gnu.grub.policy |  | ||||||
| # Install systemd user service to set the boot_success flag | # Install systemd user service to set the boot_success flag | ||||||
| install -D -m 0755 -t %{buildroot}%{_userunitdir} \ | install -D -m 0755 -t %{buildroot}%{_userunitdir} \ | ||||||
| 	docs/grub-boot-success.{timer,service} | 	docs/grub-boot-success.{timer,service} | ||||||
| @ -366,7 +363,7 @@ fi | |||||||
| %files tools-minimal | %files tools-minimal | ||||||
| %{_sysconfdir}/prelink.conf.d/grub2.conf | %{_sysconfdir}/prelink.conf.d/grub2.conf | ||||||
| %{_sbindir}/%{name}-get-kernel-settings | %{_sbindir}/%{name}-get-kernel-settings | ||||||
| %{_sbindir}/%{name}-set-bootflag | %attr(4755, root, root) %{_sbindir}/%{name}-set-bootflag | ||||||
| %{_sbindir}/%{name}-set-default | %{_sbindir}/%{name}-set-default | ||||||
| %{_sbindir}/%{name}-set*password | %{_sbindir}/%{name}-set*password | ||||||
| %{_bindir}/%{name}-editenv | %{_bindir}/%{name}-editenv | ||||||
| @ -390,7 +387,6 @@ fi | |||||||
| %attr(0644,root,root) %ghost %config(noreplace) %{_sysconfdir}/default/grub | %attr(0644,root,root) %ghost %config(noreplace) %{_sysconfdir}/default/grub | ||||||
| %config %{_sysconfdir}/grub.d/??_* | %config %{_sysconfdir}/grub.d/??_* | ||||||
| %{_sysconfdir}/grub.d/README | %{_sysconfdir}/grub.d/README | ||||||
| %{_datadir}/polkit-1/actions/org.gnu.grub.policy |  | ||||||
| %{_userunitdir}/grub-boot-success.timer | %{_userunitdir}/grub-boot-success.timer | ||||||
| %{_userunitdir}/grub-boot-success.service | %{_userunitdir}/grub-boot-success.service | ||||||
| %{_userunitdir}/timers.target.wants | %{_userunitdir}/timers.target.wants | ||||||
| @ -498,6 +494,10 @@ fi | |||||||
| %endif | %endif | ||||||
| 
 | 
 | ||||||
| %changelog | %changelog | ||||||
|  | * Tue Sep 25 2018 Hans de Goede <hdegoede@redhat.com> - 2.02-59 | ||||||
|  | - Stop using pkexec for grub2-set-bootflag, it does not work under gdm | ||||||
|  |   instead make it suid root (it was written with this in mind) | ||||||
|  | 
 | ||||||
| * Tue Sep 25 2018 Peter Jones <pjones@redhat.com> | * Tue Sep 25 2018 Peter Jones <pjones@redhat.com> | ||||||
| - Use bounce buffers for addresses above 4GB | - Use bounce buffers for addresses above 4GB | ||||||
| - Allow initramfs, cmdline, and params >4GB, but not kernel | - Allow initramfs, cmdline, and params >4GB, but not kernel | ||||||
|  | |||||||
		Loading…
	
		Reference in New Issue
	
	Block a user