@security: Is this enough of a security problem to warrant a stable upload?
The fix seems easy enough, just run pinky if $user is still empty.

Michael

On Sun, Sep 28, 2014 at 05:12:45AM +0200, waijb wrote:
> getXuser() is broken:
>
> block starting at line 24 in /usr/share/acpi-support/power-funcs:
> ----
> 24 if [ -x /usr/bin/ck-list-sessions ]; then
> 25 uid=$(ck-list-sessions | awk 'BEGIN { unix_user = ""; }
> /^Session/ { unix_user = ""; } /unix-user =/ { gsub(/'\''/,"",$3);
> unix_user = $3; } /x11-display = '\'$display\''/ { print unix_user; exit
> (0); }')
> 26
> 27 if [ "$uid" ]; then
> 28 IFS=:
> 29 set -- $(getent passwd $uid)
> 30 user=$1
> 31 unset IFS
> 32 fi
> 33 else
> ----
>
> just testing if /usr/bin/ck-list-sessions is executable doesn't do the
> trick.
> until just now i had consolekit installed (some dependency somewhere), but
> dbus was (and still is and will be) not running. this leads to an error in
> line 25, ultimately no $user is set. the pinky check is not executed (but
> would work just fine).
> finally XAUTHORITY and XUSER are exported as blanks.
>
> this breaks at least /usr/share/acpi-support/screenblank
> debug output:
> ----
> [04:00:22] root@schleppi ~ # /bin/sh -x /usr/share/acpi-support/screenblank
> -- source added by me for testing
> + . /usr/share/acpi-support/power-funcs
> --
> + umask 022
> + PATH=/sbin:/usr/sbin:/usr/local/sbin:/sbin:/usr/sbin:/usr/local/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/bin/X11
> + POWERSTATE=/var/lib/acpi-support/powerstate
> + HDPARM=/sbin/hdparm -q
> + LIDSTATE=/var/lib/acpi-support/lidstate
> + d=/tmp/.X11-unix
> + displaynum=0
> + getXuser
> + local plist display uid user startx pid userhome IFS
> + [ 0 ]
> + display=:0
> + user=
> + [ -x /usr/bin/ck-list-sessions ]
> + ck-list-sessions
> + awk BEGIN { unix_user = ""; } /^Session/ { unix_user = ""; } /unix-user =/
> { gsub(/'/,"",$3); unix_user = $3; } /x11-display =
> ':0'/ { print unix_user; exit (0); }
> ** Message: Failed to connect to the D-Bus daemon: Failed to connect to
> socket /var/run/dbus/system_bus_socket: No such file or
> directory
> + uid=
> + [ ]
> + [ -z ]
> + pgrep -n startx
> + :
> + startx=
> + [ -z ]
> + [ x != x ]
> + export XAUTHORITY=
> + XUSER=
> + export XUSER
> + [ x != x ]
> + [ -x = xtrue ]
> ----
>
> result: X not locked as expected after sleep/hibernate. free local and
> possible remote (root)shells etc...
>
>
> regards
> waijb

--
Michael Meskes
Michael at Fam-Meskes dot De, Michael at Meskes dot (De|Com|Net|Org)
Michael at BorussiaFan dot De, Meskes at (Debian|Postgresql) dot Org
Jabber: michael.meskes at gmail dot com
VfL Borussia! Força Barça! Go SF 49ers! Use Debian GNU/Linux, PostgreSQL
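
Added example, not part of the thread and not the acpi-support code: a sketch of the lookup order discussed above, where the pinky fallback is keyed on $user still being empty rather than on ck-list-sessions being installed, and the function fails closed instead of yielding a blank user. The names find_x_user, CK_LIST and PINKY are hypothetical, and the pinky column match is an assumption about its short-format output.

```shell
#!/bin/sh
# Illustration only, not the acpi-support code. find_x_user, CK_LIST and
# PINKY are hypothetical names; the hooks let the lookups be stubbed offline.
: "${CK_LIST:=ck-list-sessions}"
: "${PINKY:=pinky}"

# Print the login name that owns X display $1 (e.g. ":0").
# Returns 1 when no owner can be determined.
find_x_user() {
    display=$1
    user=
    uid=

    # ConsoleKit first. The binary being installed says nothing about D-Bus
    # being up, so an error or empty output just means "no answer yet".
    if command -v "$CK_LIST" >/dev/null 2>&1; then
        uid=$($CK_LIST 2>/dev/null | awk -v d="$display" '
            /^Session/      { u = "" }
            /unix-user =/   { gsub("\047", "", $3); u = $3 }
            /x11-display =/ { gsub("\047", "", $3)
                              if ($3 == d) { print u; exit } }')
        if [ -n "$uid" ]; then
            user=$(getent passwd "$uid" | cut -d: -f1)
        fi
    fi

    # Fallback keyed on $user being empty, not on ck-list-sessions being
    # absent. Assumption: pinky -fw shows the display in the TTY or last column.
    if [ -z "$user" ]; then
        user=$($PINKY -fw 2>/dev/null |
            awk -v d="$display" '$2 == d || $NF == d { print $1; exit }')
    fi

    # Fail closed: callers must not export an empty XUSER/XAUTHORITY.
    [ -n "$user" ] || return 1
    printf '%s\n' "$user"
}
```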