From: Josselin Poiret via Guix-patches
To: 路辉, 57881@debbugs.gnu.org
Subject: [bug#57881] [PATCH] gnu: hikari: only allow use setuid hikari-unlocker.
Date: Sun, 18 Sep 2022 22:05:04 +0200
Message-ID: <87illk8n4f.fsf@jpoiret.xyz>

Hi,

路辉 writes:

> hikari-unlocker needs setuid and pam to work.
>
> If hikari execs a non-setuid hikari-unlocker, such as
> "$HOME/.guix-profile/bin/hikari-unlocker", hikari's lock-mode can't
> be exited; one can only press the power button to exit it. :(
>
> https://hikari.acmelabs.space/manpage.html
>
> https://hub.darcs.net/raichoo/hikari/browse/src/lock_mode.c#71
> From d1bedbc3c850cf0a60b182999c229079bad9cd99 Mon Sep 17 00:00:00 2001
> From: Lu Hui
> Date: Sat, 17 Sep 2022 20:10:34 +0800
> Subject: [PATCH] gnu: hikari: only allow use setuid hikari-unlocker.
>
> * gnu/packages/wm.scm (hikari)
> [phases]{force-use-setuid-unlocker}: replace "sh -c hikari-unlocker" to
> "/run/setuid-programs/hikari-unlocker"

On Guix system, /run/setuid-programs/ should be in front of whatever
profiles you're using in your PATH, otherwise it will be shadowed by
them. With the default profile loading code in /etc/profile, this
should be what happens, but there might be issues with any non-default
setup (i.e. package not installed in the ~/.guix-profile/).

To be honest, I'm not happy with hardcoding
/run/setuid-programs/hikari-unlocker, since it won't work on foreign
distros. Shouldn't we rather report this issue upstream? I'm under the
impression that the locker should detect that it isn't running suid and
not try to query PAM if it isn't able to, and instead fail and display
an error message or something similar.

Best,
-- 
Josselin Poiret
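
The PATH ordering discussed in the message above can be checked on a given machine. The following shell sketch is an added example, not part of the thread and not code from Guix or hikari; the function names `first_in_path` and `check_unlocker` are hypothetical, and it inspects only the setuid bit, not the file's owner.

```shell
#!/bin/sh
# Added example (not from the thread): which copy of a program does a PATH
# lookup select, and does that copy carry the setuid bit?

# first_in_path NAME PATHSTRING: print the first executable match, in the
# order an execvp-style search tries the directories; status 1 if none.
# The body runs in a subshell so the IFS and globbing changes stay local.
first_in_path() (
    IFS=:
    set -f                      # split on ':' only, no glob expansion
    for dir in $2; do
        [ -n "$dir" ] || dir=.  # an empty PATH entry means the current directory
        if [ -f "$dir/$1" ] && [ -x "$dir/$1" ]; then
            printf '%s\n' "$dir/$1"
            exit 0
        fi
    done
    exit 1
)

# check_unlocker NAME PATHSTRING SETUID_DIR (no trailing slash): print
#   ok PATH          first match is in SETUID_DIR and has the setuid bit
#   not-setuid PATH  first match is in SETUID_DIR but lacks the bit
#   shadowed PATH    a copy in another directory is found first
#   missing          nothing on PATHSTRING matches
# Returns 0 only for "ok".
check_unlocker() {
    found=$(first_in_path "$1" "$2") || { echo "missing"; return 1; }
    case $found in
        "$3"/*)
            if [ -u "$found" ]; then echo "ok $found"; return 0; fi
            echo "not-setuid $found"; return 1 ;;
        *)
            echo "shadowed $found"; return 1 ;;
    esac
}

# Paths as named in the thread; on other systems this reports "missing"
# or "shadowed".
check_unlocker hikari-unlocker "$PATH" /run/setuid-programs || true
```

A "shadowed" verdict corresponds to the situation the original report describes: a profile copy without the setuid bit is found before the one in /run/setuid-programs.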