Re: [alpine-devel] polkit...
On Sat, 13 Sep 2014 08:25:25 -0700
Isaac Dunham <ibid.ag_at_gmail.com> wrote:
> I was planning to upgrade, so I ran this:
> apk update --simulate
> apk update
> #same number of packages
> apk upgrade --simulate
> Having run a polkit-free system for several years, I was not happy to see
> "adding polkit". (In my past experience, it is a royal pain to get working
> right if you use startx and a minimal window manager.
> And when it was working, plain authentication worked better for me than the
I think we should respect polkit-free setups, so sorry about this.
> After reading up, I figured out that it was a precaution for the
> brightness helper that xf86-video-intel ships with, related to a CVE in
> that helper (it was writing to /sys/class/backlight/%s/brightness,
> where %s could be any valid portion of a path name).
> Now, as an aside:
> The latest version of that helper checks for the presence of '/' in the
> command line and exits if found.
> This theoretically would still allow writing a new file with one of two
> names (/sys/class/brightness or /sys/class/backlight/brightness) if you
> use '.' or '..' as the path, except the open/fstat test handles that.
I removed the suid root bit from the helper program and it didnt break
anything for me.
> Anyhow, I tested my laptop, and found that I can change the brightness
> even if the helper is chmod a-x.
Xorg probably runs as root.
> So I wrote the attached apkbuild to satisfy the polkit dependency.
> I'd guess that it should not be added to the main repo, since it might
> cause an automatic "upgrade"; but some people might find it handy.
I think we can remove the polkit dependency from xf86-video-intel for now.
You can apk add '!polkit' to create a conflict. It will prevent
anything that tries to pull in polkit.
> Isaac Dunham
> Aside: I have X starting at boot as a user via this line in inittab:
> ::once:/bin/su -c "xinit 2>/dev/null >&2" -l idunham
I think Xorg is suid root...
Received on Mon Sep 15 2014 - 11:23:12 GMT