Date: Mon, 15 Sep 2014 11:23:12 +0200
From: Natanael Copa
To: Isaac Dunham
Cc: alpine-devel@lists.alpinelinux.org
Subject: Re: [alpine-devel] polkit...

On Sat, 13 Sep 2014 08:25:25 -0700
Isaac Dunham wrote:

> I was planning to upgrade, so I ran this:
> apk update --simulate
> apk update
> #same number of packages
> apk upgrade --simulate
>
> Having run a polkit-free system for several years, I was not happy to see
> "adding polkit". (In my past experience, it is a royal pain to get working
> right if you use startx and a minimal window manager.
> And when it was working, plain authentication worked better for me than the
> policies...)

I think we should respect polkit-free setups, so sorry about this.

> After reading up, I figured out that it was a precaution for the
> brightness helper that xf86-video-intel ships with, related to a CVE in
> that helper (it was writing to /sys/class/backlight/%s/brightness,
> where %s could be any valid portion of a path name).
>
> Now, as an aside:
> The latest version of that helper checks for the presence of '/' in the
> command line and exits if found.
> This theoretically would still allow writing a new file with one of two
> names (/sys/class/brightness or /sys/class/backlight/brightness) if you
> use '.' or '..' as the path, except the open/fstat test handles that.

I removed the suid root bit from the helper program and it didn't break
anything for me.

> Anyhow, I tested my laptop, and found that I can change the brightness
> even if the helper is chmod a-x.

Xorg probably runs as root.

> So I wrote the attached apkbuild to satisfy the polkit dependency.
> I'd guess that it should not be added to the main repo, since it might
> cause an automatic "upgrade"; but some people might find it handy.

I think we can remove the polkit dependency from xf86-video-intel for now.

You can apk add '!polkit' to create a conflict. It will prevent anything
that tries to pull in polkit.

> Thanks,
> Isaac Dunham
>
> Aside: I have X starting at boot as a user via this line in inittab:
> ::once:/bin/su -c "xinit 2>/dev/null >&2" -l idunham

I think Xorg is suid root...

-nc