[Bug 1766765] Re: xflock4 fails if light-locker installed in /usr/local/bin
Fixed in release 4.13.2. ** Changed in: xfce4-session (Ubuntu) Status: Confirmed => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1766765 Title: xflock4 fails if light-locker installed in /usr/local/bin To manage notifications about this bug go to: https://bugs.launchpad.net/xfce4-session/+bug/1766765/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1766765] Re: xflock4 fails if light-locker installed in /usr/local/bin
** Changed in: xfce4-session Status: Confirmed => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1766765 Title: xflock4 fails if light-locker installed in /usr/local/bin To manage notifications about this bug go to: https://bugs.launchpad.net/xfce4-session/+bug/1766765/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1766765] Re: xflock4 fails if light-locker installed in /usr/local/bin
** Description changed: I'm running Xubuntu 17.10. After I installed libglib2.0-dev 2.54.1-1ubuntu1, light-locker 1.7.0-2ubuntu1 stopped working correctly, because it couldn't ready its schema (/usr/share/glib-2.0/schemas/apps .light-locker.gschema.xml) anymore, so it couldn't get its settings from the gsettings backend, logging an error message in ~/.xsession-errors: Schema "apps.light-locker" not found. Not storing runtime settings The consequence of this was: whenever the screen was blanked, it was locked, even though I had configured on Xfce Power Manager: Security => Light Locker => Automatically lock the session: Never light-locker was always locking the session automatically because it couldn't read the settings through its gsettings backend. So, I uninstalled light-locker 1.7.0-2ubuntu1, cloned its upstream git repository: https://github.com/the-cavalry/light-locker built and installed it, under /usr/local, its default. This solved my first problem: light-locker was now able to read its configurations through gsettings, but xflock4 stopped working. Looking at this bug: https://bugs.launchpad.net/ubuntu/+source/xfce4-session/+bug/1537507 I realized that xflock4 was just a shell script, and I discovered that, right at the beginning, it sets its PATH to: PATH=/bin:/usr/bin export PATH So, as light-locker is installed as /usr/local/bin/light-locker, xflock4 obviously cannot find it through PATH. Of course, I could just install light-locker under /usr, but it's standard practice to install locally built software under /usr/local, to avoid conflicts with software installed from the distribution, which is installed under /usr. Therefore, xflock4 needs to be fixed so as to include /usr/local/bin in the PATH variable: PATH=/bin:/usr/local/bin:/usr/bin This will also affects Xubuntu 17.10 and 18.04, because xfce4-session remained at version 4.12.1-3ubuntu3. + A workaround is to copy a modified version of xflock4 to + /usr/local/bin/. + ProblemType: Bug DistroRelease: Ubuntu 17.10 Package: xfce4-session 4.12.1-3ubuntu3 ProcVersionSignature: Ubuntu 4.13.0-39.44-generic 4.13.16 Uname: Linux 4.13.0-39-generic x86_64 ApportVersion: 2.20.7-0ubuntu3.8 Architecture: amd64 CurrentDesktop: XFCE Date: Tue Apr 24 23:57:44 2018 InstallationDate: Installed on 2017-10-20 (186 days ago) InstallationMedia: Xubuntu 17.10 "Artful Aardvark" - Release amd64 (20171017.1) SourcePackage: xfce4-session UpgradeStatus: No upgrade log present (probably fresh install) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1766765 Title: xflock4 fails if light-locker installed in /usr/local/bin To manage notifications about this bug go to: https://bugs.launchpad.net/xfce4-session/+bug/1766765/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1766765] Re: xflock4 fails if light-locker installed in /usr/local/bin
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: xfce4-session (Ubuntu) Status: New => Confirmed -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1766765 Title: xflock4 fails if light-locker installed in /usr/local/bin To manage notifications about this bug go to: https://bugs.launchpad.net/xfce4-session/+bug/1766765/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1766765] Re: xflock4 fails if light-locker installed in /usr/local/bin
Launchpad has imported 8 comments from the remote bug at https://bugzilla.xfce.org/show_bug.cgi?id=12282. If you reply to an imported comment from within Launchpad, your comment will be sent to the remote bug automatically. Read more about Launchpad's inter-bugtracker facilities at https://help.launchpad.net/InterBugTracking. On 2015-10-30T12:35:00+00:00 David Thompson wrote: Created attachment 6514 patch file xflock4 clobbers the PATH environment variable with a hardcoded value. /bin and /usr/bin may be common locations to find binaries on FHS distros, but it is not always so. I am a maintainer for the GNU GuixSD project, which does not conform to the FHS, and we do not have /usr/bin or anything in /bin except /bin/sh. So, I think the sanest thing to do in this script is not touch PATH at all. It should be properly configured before the xflock4 process is launched. I noticed this bug on 4.12.0. The attached patch is against the current master branch. Thanks! Reply at: https://bugs.launchpad.net/ubuntu/+source/xfce4-session/+bug/1766765/comments/0 On 2016-01-29T09:16:06+00:00 Landry-o wrote: I think the original idea of setting PATH to a limited 'trusted' list of subdirs was to avoid potential attackers/malwares to drop malicious replacements for xlock/etc in user-writable directories potentially in the user's PATH... Reply at: https://bugs.launchpad.net/ubuntu/+source/xfce4-session/+bug/1766765/comments/1 On 2016-01-29T13:59:32+00:00 Jarno Suni wrote: So isn't the solution then that system administer changes PATH so that it does not contain user-writeable directories? Well, in terminal a regular user can change PATH though. I think it would be safer to check in xflock4 that the command is not user-writeable and is owned by root. (I have a shell function for that.) If the command told by an xfconf variable is used for locking, it can be changed by regular user to run some command that might not lock anyway, but supposedly not as harmful command. Reply at: https://bugs.launchpad.net/ubuntu/+source/xfce4-session/+bug/1766765/comments/2 On 2016-01-29T17:30:19+00:00 Jarno Suni wrote: (In reply to Jarno Suni from comment #2) > I think it would be safer to check in xflock4 that the command is not > user-writeable and is owned by root. (I have a shell function for that.) Actually this is tricky. The command could be wrapped by e.g. "time ", "dash -c " etc. so how do you find the final wrapped command? Reply at: https://bugs.launchpad.net/ubuntu/+source/xfce4-session/+bug/1766765/comments/3 On 2016-01-29T20:03:30+00:00 Jarno Suni wrote: How could you know that the command is not in a removeable drive then? Reply at: https://bugs.launchpad.net/ubuntu/+source/xfce4-session/+bug/1766765/comments/4 On 2016-01-29T21:46:21+00:00 Jarno Suni wrote: I think xflock4 could use "command -vp command_name" to get the secure path of a locker command command_name. Would that work in GNU GuixSD, too? Reply at: https://bugs.launchpad.net/ubuntu/+source/xfce4-session/+bug/1766765/comments/5 On 2016-01-30T15:45:01+00:00 Jarno Suni wrote: Oh, unfortunately `command -vp` does not work by dash even in Linux, but works by bash. (https://bugs.launchpad.net/ubuntu/+source/dash/+bug/1539932) Reply at: https://bugs.launchpad.net/ubuntu/+source/xfce4-session/+bug/1766765/comments/6 On 2016-01-31T14:09:35+00:00 Jarno Suni wrote: `command -pv` or even `command -v` is not required in POSIX 2004 http://stackoverflow.com/a/34572831/4414935 but I think we can use `command -p getconf PATH` to get a reasonable PATH for the script. Reply at: https://bugs.launchpad.net/ubuntu/+source/xfce4-session/+bug/1766765/comments/7 ** Changed in: xfce4-session Status: Unknown => Confirmed ** Changed in: xfce4-session Importance: Unknown => Medium -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1766765 Title: xflock4 fails if light-locker installed in /usr/local/bin To manage notifications about this bug go to: https://bugs.launchpad.net/xfce4-session/+bug/1766765/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1766765] Re: xflock4 fails if light-locker installed in /usr/local/bin
** Bug watch added: Xfce Bugzilla #12282 https://bugzilla.xfce.org/show_bug.cgi?id=12282 ** Also affects: xfce4-session via https://bugzilla.xfce.org/show_bug.cgi?id=12282 Importance: Unknown Status: Unknown -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1766765 Title: xflock4 fails if light-locker installed in /usr/local/bin To manage notifications about this bug go to: https://bugs.launchpad.net/xfce4-session/+bug/1766765/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs