kde-plasma/plasma-workspace: USE=pam, fix setuid, block kdebase-pam:4

SUID optional per kcheckpass/README, only required for shadow based login setuid code in upstream cmake does not work, do it manually instead if USE=-pam Block kdebase-pam which sneakily sabotaged plasma-workspace in /etc/pam.d, leading to broken screenlocker bugs like #564618 Package-Manager: portage-2.2.24
hanetzer · Nov 19, 2015 · 07a9384 · 07a9384
1 parent 3f3d497
commit 07a9384
Show file tree

Hide file tree

Showing 2 changed files with 223 additions and 0 deletions.
diff --git a/kde-plasma/plasma-workspace/files/plasma-workspace-5.4.3-no-SUID-no-GUID.patch b/kde-plasma/plasma-workspace/files/plasma-workspace-5.4.3-no-SUID-no-GUID.patch
@@ -0,0 +1,16 @@
+diff --git a/kcheckpass/CMakeLists.txt b/kcheckpass/CMakeLists.txt
+index a63fa1403e897e70989dc2e1ba7eed4bc69cbb51..12d1bfb3c690eca1acf344045a92eb942669da83 100644
+--- a/ksmserver/screenlocker/kcheckpass/CMakeLists.txt
++++ b/ksmserver/screenlocker/kcheckpass/CMakeLists.txt
+@@ -22,10 +22,6 @@ endif ()
+
+ set_property(TARGET kcheckpass APPEND_STRING PROPERTY COMPILE_FLAGS " -U_REENTRANT")
+ target_link_libraries(kcheckpass ${UNIXAUTH_LIBRARIES} ${SOCKET_LIBRARIES})
+-install(TARGETS kcheckpass DESTINATION ${KDE_INSTALL_LIBEXECDIR})
+-install(CODE "
+- set(KCP_PATH \"\$ENV{DESTDIR}${KDE_INSTALL_LIBEXECDIR}/kcheckpass\")
+- execute_process(COMMAND sh -c \"chown root '\${KCP_PATH}' && chmod +s '\${KCP_PATH}'\")
+-")
++install(TARGETS kcheckpass DESTINATION ${LIBEXEC_INSTALL_DIR})
+
+ #EXTRA_DIST = README
diff --git a/kde-plasma/plasma-workspace/plasma-workspace-5.4.3-r1.ebuild b/kde-plasma/plasma-workspace/plasma-workspace-5.4.3-r1.ebuild
@@ -0,0 +1,207 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=5
+
+KDE_HANDBOOK="true"
+KDE_PUNT_BOGUS_DEPS="true"
+KDE_TEST="true"
+VIRTUALX_REQUIRED="test"
+inherit kde5 multilib pam qmake-utils
+
+DESCRIPTION="KDE Plasma workspace"
+KEYWORDS=" ~amd64 ~x86"
+IUSE="dbus +drkonqi +geolocation gps pam prison qalculate +systemmonitor"
+
+COMMON_DEPEND="
+ $(add_frameworks_dep baloo)
+ $(add_frameworks_dep kactivities)
+ $(add_frameworks_dep kauth)
+ $(add_frameworks_dep kbookmarks)
+ $(add_frameworks_dep kcmutils)
+ $(add_frameworks_dep kcompletion)
+ $(add_frameworks_dep kconfig)
+ $(add_frameworks_dep kconfigwidgets)
+ $(add_frameworks_dep kcoreaddons)
+ $(add_frameworks_dep kcrash)
+ $(add_frameworks_dep kdbusaddons)
+ $(add_frameworks_dep kdeclarative)
+ $(add_frameworks_dep kdelibs4support)
+ $(add_frameworks_dep kdesu)
+ $(add_frameworks_dep kglobalaccel)
+ $(add_frameworks_dep kguiaddons)
+ $(add_frameworks_dep ki18n)
+ $(add_frameworks_dep kiconthemes)
+ $(add_frameworks_dep kidletime)
+ $(add_frameworks_dep kio)
+ $(add_frameworks_dep kitemviews)
+ $(add_frameworks_dep kjobwidgets)
+ $(add_frameworks_dep kjs)
+ $(add_frameworks_dep kjsembed)
+ $(add_frameworks_dep knewstuff)
+ $(add_frameworks_dep knotifications)
+ $(add_frameworks_dep knotifyconfig)
+ $(add_frameworks_dep kpackage)
+ $(add_frameworks_dep krunner)
+ $(add_frameworks_dep kservice)
+ $(add_frameworks_dep ktexteditor)
+ $(add_frameworks_dep ktextwidgets)
+ $(add_frameworks_dep kwallet)
+ $(add_frameworks_dep kwidgetsaddons)
+ $(add_frameworks_dep kwindowsystem)
+ $(add_frameworks_dep kxmlgui)
+ $(add_frameworks_dep kxmlrpcclient)
+ $(add_frameworks_dep plasma)
+ $(add_frameworks_dep solid)
+ $(add_plasma_dep kwayland)
+ $(add_plasma_dep kwin)
+ $(add_plasma_dep libkscreen)
+ $(add_plasma_dep libksysguard)
+ dev-libs/wayland
+ dev-qt/qtconcurrent:5
+ dev-qt/qtdbus:5
+ dev-qt/qtdeclarative:5[widgets]
+ dev-qt/qtgui:5[jpeg]
+ dev-qt/qtnetwork:5
+ dev-qt/qtscript:5
+ dev-qt/qtsql:5
+ dev-qt/qtwidgets:5
+ dev-qt/qtx11extras:5
+ dev-qt/qtxml:5
+ media-libs/phonon[qt5]
+ sys-libs/zlib
+ x11-libs/libICE
+ x11-libs/libSM
+ x11-libs/libX11
+ x11-libs/libXau
+ x11-libs/libxcb
+ x11-libs/libXfixes
+ x11-libs/libXi
+ x11-libs/libXrender
+ x11-libs/xcb-util-keysyms
+ dbus? ( dev-libs/libdbusmenu-qt[qt5] )
+ drkonqi? (
+ $(add_frameworks_dep kdewebkit)
+ dev-qt/qtwebkit:5
+ )
+ geolocation? ( $(add_frameworks_dep networkmanager-qt) )
+ gps? ( sci-geosciences/gpsd )
+ pam? ( virtual/pam )
+ prison? ( media-libs/prison:5 )
+ qalculate? ( sci-libs/libqalculate )
+ systemmonitor? (
+ $(add_plasma_dep libksysguard processui)
+ )
+"
+RDEPEND="${COMMON_DEPEND}
+ $(add_frameworks_dep kded)
+ $(add_kdeapps_dep kio-extras)
+ $(add_plasma_dep kde-cli-tools)
+ $(add_plasma_dep milou)
+ dev-qt/qdbus:5
+ dev-qt/qtpaths:5
+ dev-qt/qtquickcontrols:5[widgets]
+ x11-apps/mkfontdir
+ x11-apps/xmessage
+ x11-apps/xprop
+ x11-apps/xrdb
+ x11-apps/xset
+ x11-apps/xsetroot
+ systemmonitor? ( $(add_plasma_dep ksysguard) )
+ !kde-base/freespacenotifier:4
+ !kde-base/libtaskmanager:4
+ !<kde-base/kcheckpass-4.11.22-r1:4
+ !kde-base/kcminit:4
+ !kde-base/kdebase-pam:4
+ !kde-base/kdebase-startkde:4
+ !kde-base/klipper:4
+ !kde-base/krunner:4
+ !kde-base/ksmserver:4
+ !kde-base/ksplash:4
+ !kde-base/plasma-workspace:4
+"
+DEPEND="${COMMON_DEPEND}
+ x11-proto/xproto
+"
+
+PATCHES=(
+ "${FILESDIR}/${PN}-5.4-startkde-script.patch"
+ "${FILESDIR}/${PN}-5.4-consolekit2.patch"
+ "${FILESDIR}/${PN}-5.4.3-fix-drkonqi.patch" #Upstream bug 354110
+ "${FILESDIR}/${PN}-5.4.3-no-SUID-no-GUID.patch"
+)
+
+RESTRICT="test"
+
+src_prepare() {
+ # whole patch should be upstreamed, doesn't work in PATCHES
+ epatch "${FILESDIR}/${PN}-tests-optional.patch"
+
+ kde5_src_prepare
+
+ sed -e "s|\`qtpaths|\`$(qt5_get_bindir)/qtpaths|" \
+ -i startkde/startkde.cmake startkde/startplasmacompositor.cmake || die
+
+ if ! use drkonqi; then
+ comment_add_subdirectory drkonqi
+ fi
+
+ if ! use geolocation; then
+ punt_bogus_dep KF5 NetworkManagerQt
+ pushd dataengines > /dev/null || die
+ comment_add_subdirectory geolocation
+ popd > /dev/null || die
+ fi
+
+ if ! use systemmonitor; then
+ comment_add_subdirectory systemmonitor
+ pushd applets > /dev/null || die
+ comment_add_subdirectory systemmonitor
+ popd > /dev/null || die
+ pushd dataengines > /dev/null || die
+ comment_add_subdirectory systemmonitor
+ popd > /dev/null || die
+ fi
+}
+
+src_configure() {
+ local mycmakeargs=(
+ $(cmake-utils_use_find_package pam)
+ $(cmake-utils_use_find_package dbus dbusmenu-qt5)
+ $(cmake-utils_use_find_package gps libgps)
+ $(cmake-utils_use_find_package prison)
+ $(cmake-utils_use_find_package qalculate Qalculate)
+ )
+
+ kde5_src_configure
+}
+
+src_install() {
+ kde5_src_install
+
+ newpamd "${FILESDIR}/kde.pam" kde
+ newpamd "${FILESDIR}/kde-np.pam" kde-np
+
+ # startup and shutdown scripts
+ insinto /etc/plasma/startup
+ doins "${FILESDIR}/agent-startup.sh"
+
+ insinto /etc/plasma/shutdown
+ doins "${FILESDIR}/agent-shutdown.sh"
+
+ if ! use pam; then
+ chown root "${ED}"usr/$(get_libdir)/libexec/kcheckpass || die
+ chmod +s "${ED}"usr/$(get_libdir)/libexec/kcheckpass || die
+ fi
+}
+
+pkg_postinst () {
+ kde5_pkg_postinst
+
+ echo
+ elog "To enable gpg-agent and/or ssh-agent in Plasma sessions,"
+ elog "edit ${EPREFIX}/etc/plasma/startup/agent-startup.sh and"
+ elog "${EPREFIX}/etc/plasma/shutdown/agent-shutdown.sh"
+ echo
+}