commit: 8bc66fb0ff303f000a34d83af5cd69587d1da26e Author: Andreas Sturmlechner <asturm <AT> gentoo <DOT> org> AuthorDate: Sun Jul 8 15:47:37 2018 +0000 Commit: Andreas Sturmlechner <asturm <AT> gentoo <DOT> org> CommitDate: Sun Jul 8 15:47:37 2018 +0000 URL: https://gitweb.gentoo.org/proj/kde.git/commit/?id=8bc66fb0
kde-apps/kwrite: Backport start-as-root Package-Manager: Portage-2.3.41, Repoman-2.3.9 .../kwrite/files/kwrite-18.04.3-root-user.patch | 62 ++++++++++++++++++++++ kde-apps/kwrite/kwrite-18.04.49.9999.ebuild | 2 + 2 files changed, 64 insertions(+) diff --git a/kde-apps/kwrite/files/kwrite-18.04.3-root-user.patch b/kde-apps/kwrite/files/kwrite-18.04.3-root-user.patch new file mode 100644 index 0000000000..5bbf2da605 --- /dev/null +++ b/kde-apps/kwrite/files/kwrite-18.04.3-root-user.patch @@ -0,0 +1,62 @@ +From bf6d5b7532968763bdc629aa90426c53500af13f Mon Sep 17 00:00:00 2001 +From: Nathaniel Graham <n...@kde.org> +Date: Sat, 26 May 2018 14:50:24 -0600 +Subject: Re-allow running Kate and KWrite as the actual root user (but still + not using sudo) + +Summary: +The original change (9adcebd3c2e476c8a32e9b455cc99f46b0e12a7e) to prevent sudo usage broke the use case of running KWrite or Kate while logged in as the actual `root` user with a GUI session. This is how the Kali distro is set up by default, so the original change amounted to making Kate and KWrite not launch at all on this KDE distro. + +This patch re-enables running as the actual root user, but keeps blocking usage via `sudo` or `kdesu`. There are no negative security implications associated with re-allowing usage via the root user, since if you're running a GUI session, you were already exposed to the original security threat and Kate and KWrite do not increase the attack surface. + +I have submitted a similar change for Dolphin that has been accepted (D12795), but @elvisangelaccio wants that to go in at the same time as this, to keep them in sync. + +BUG: 387973 +FIXED-IN: 18.08.0 + +Test Plan: +- Log in as normal user and run `sudo kate` or `sudo kwrite`: you get an error message. +- Log in as normal user and run `kdesu kate` or `kdesu kwrite`: you get an error message. +- Log in as the root user and run Kate or KWrite normally: it works. + +Reviewers: #kate, dhaumann, cullmann, #ktexteditor + +Reviewed By: #kate, dhaumann, #ktexteditor + +Subscribers: kwrite-devel, elvisangelaccio + +Tags: #kate + +Differential Revision: https://phabricator.kde.org/D13138 +--- + kwrite/main.cpp | 14 ++++++++------ + 2 files changed, 16 insertions(+), 12 deletions(-) + +diff --git a/kwrite/main.cpp b/kwrite/main.cpp +index 62f4f2d..d3f3ca9 100644 +--- a/kwrite/main.cpp ++++ b/kwrite/main.cpp +@@ -50,13 +50,15 @@ + extern "C" Q_DECL_EXPORT int main(int argc, char **argv) + { + #ifndef Q_OS_WIN +- /** +- * Check whether we are running as root +- **/ ++ // Prohibit using sudo or kdesu (but allow using the root user directly) + if (getuid() == 0) { +- std::cout << "Executing KWrite as root is not possible. To edit files as root use:" << std::endl; +- std::cout << "SUDO_EDITOR=kwrite sudoedit <file>" << std::endl; +- return 0; ++ if (!qEnvironmentVariableIsEmpty("SUDO_USER")) { ++ std::cout << "Executing Kate with sudo is not possible due to unfixable security vulnerabilities." << std::endl; ++ return EXIT_FAILURE; ++ } else if (!qEnvironmentVariableIsEmpty("KDESU_USER")) { ++ std::cout << "Executing Kate with kdesu is not possible due to unfixable security vulnerabilities." << std::endl; ++ return EXIT_FAILURE; ++ } + } + #endif + /** +-- +cgit v0.11.2 diff --git a/kde-apps/kwrite/kwrite-18.04.49.9999.ebuild b/kde-apps/kwrite/kwrite-18.04.49.9999.ebuild index 91aa935a67..c98171c27e 100644 --- a/kde-apps/kwrite/kwrite-18.04.49.9999.ebuild +++ b/kde-apps/kwrite/kwrite-18.04.49.9999.ebuild @@ -30,6 +30,8 @@ DEPEND=" " RDEPEND="${DEPEND}" +PATCHES=( "${FILESDIR}/${PN}-18.04.3-root-user.patch" ) + src_prepare() { kde5_src_prepare # delete colliding kate translations
