systemd/0028-exec-util-allow-to-invoke-polkit-ask-password-agent-.patch

From 070c28a12a3687966d91a633ce9df78b35e0b364 Mon Sep 17 00:00:00 2001
From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Sun, 1 Dec 2024 17:36:33 +0900
Subject: [PATCH] exec-util: allow to invoke polkit/ask-password agent even if
 STDIN is not a tty

Closes #35018.

(cherry picked from commit 0f81c8406f0f47175c699715e84de8291057033c)
---
 src/shared/ask-password-agent.c |  8 ++------
 src/shared/exec-util.c          | 23 ++++++++++++++---------
 src/shared/polkit-agent.c       |  8 ++------
 3 files changed, 18 insertions(+), 21 deletions(-)

diff --git a/src/shared/ask-password-agent.c b/src/shared/ask-password-agent.c
index 62b73503ca..d02d68a4e1 100644
--- a/src/shared/ask-password-agent.c
+++ b/src/shared/ask-password-agent.c
@@ -18,12 +18,8 @@ int ask_password_agent_open(void) {
         if (agent_pid > 0)
                 return 0;
 
-        /* We check STDIN here, not STDOUT, since this is about input, not output */
-        if (!isatty_safe(STDIN_FILENO))
-                return 0;
-
-        /* Also check if we have a controlling terminal. If not (ENXIO here), we aren't actually invoked
-         * interactively on a terminal, hence fail */
+        /* Check if we have a controlling terminal. If not (ENXIO here), we aren't actually invoked
+         * interactively on a terminal, hence fail. */
         r = get_ctty_devnr(0, NULL);
         if (r == -ENXIO)
                 return 0;
diff --git a/src/shared/exec-util.c b/src/shared/exec-util.c
index 8435c4f118..599b925a99 100644
--- a/src/shared/exec-util.c
+++ b/src/shared/exec-util.c
@@ -544,7 +544,6 @@ int fexecve_or_execve(int executable_fd, const char *executable, char *const arg
 }
 
 int _fork_agent(const char *name, const int except[], size_t n_except, pid_t *ret_pid, const char *path, ...) {
-        bool stdout_is_tty, stderr_is_tty;
         size_t n, i;
         va_list ap;
         char **l;
@@ -567,17 +566,18 @@ int _fork_agent(const char *name, const int except[], size_t n_except, pid_t *re
 
         /* In the child: */
 
-        stdout_is_tty = isatty_safe(STDOUT_FILENO);
-        stderr_is_tty = isatty_safe(STDERR_FILENO);
+        bool stdin_is_tty = isatty_safe(STDIN_FILENO),
+                stdout_is_tty = isatty_safe(STDOUT_FILENO),
+                stderr_is_tty = isatty_safe(STDERR_FILENO);
 
-        if (!stdout_is_tty || !stderr_is_tty) {
+        if (!stdin_is_tty || !stdout_is_tty || !stderr_is_tty) {
                 int fd;
 
-                /* Detach from stdout/stderr and reopen /dev/tty for them. This is important to ensure that
-                 * when systemctl is started via popen() or a similar call that expects to read EOF we
+                /* Detach from stdin/stdout/stderr and reopen /dev/tty for them. This is important to ensure
+                 * that when systemctl is started via popen() or a similar call that expects to read EOF we
                  * actually do generate EOF and not delay this indefinitely by keeping an unused copy of
                  * stdin around. */
-                fd = open("/dev/tty", O_WRONLY);
+                fd = open("/dev/tty", stdin_is_tty ? O_WRONLY : (stdout_is_tty && stderr_is_tty) ? O_RDONLY : O_RDWR);
                 if (fd < 0) {
                         if (errno != ENXIO) {
                                 log_error_errno(errno, "Failed to open /dev/tty: %m");
@@ -588,13 +588,18 @@ int _fork_agent(const char *name, const int except[], size_t n_except, pid_t *re
                          * connected to a TTY. That's a weird setup, but let's handle it gracefully: let's
                          * skip the forking of the agents, given the TTY setup is not in order. */
                 } else {
+                        if (!stdin_is_tty && dup2(fd, STDIN_FILENO) < 0) {
+                                log_error_errno(errno, "Failed to dup2 /dev/tty to STDIN: %m");
+                                _exit(EXIT_FAILURE);
+                        }
+
                         if (!stdout_is_tty && dup2(fd, STDOUT_FILENO) < 0) {
-                                log_error_errno(errno, "Failed to dup2 /dev/tty: %m");
+                                log_error_errno(errno, "Failed to dup2 /dev/tty to STDOUT: %m");
                                 _exit(EXIT_FAILURE);
                         }
 
                         if (!stderr_is_tty && dup2(fd, STDERR_FILENO) < 0) {
-                                log_error_errno(errno, "Failed to dup2 /dev/tty: %m");
+                                log_error_errno(errno, "Failed to dup2 /dev/tty to STDERR: %m");
                                 _exit(EXIT_FAILURE);
                         }
 
diff --git a/src/shared/polkit-agent.c b/src/shared/polkit-agent.c
index 842e41e8db..d87eb56164 100644
--- a/src/shared/polkit-agent.c
+++ b/src/shared/polkit-agent.c
@@ -31,12 +31,8 @@ int polkit_agent_open(void) {
         if (geteuid() == 0)
                 return 0;
 
-        /* We check STDIN here, not STDOUT, since this is about input, not output */
-        if (!isatty_safe(STDIN_FILENO))
-                return 0;
-
-        /* Also check if we have a controlling terminal. If not (ENXIO here), we aren't actually invoked
-         * interactively on a terminal, hence fail */
+        /* Check if we have a controlling terminal. If not (ENXIO here), we aren't actually invoked
+         * interactively on a terminal, hence fail. */
         r = get_ctty_devnr(0, NULL);
         if (r == -ENXIO)
                 return 0;