[quake] 06/10: Add a confirmation step before running binary-only executables

Simon McVittie smcv at debian.org
Mon Dec 28 00:24:21 UTC 2015


This is an automated email from the git hooks/post-receive script.

smcv pushed a commit to branch master
in repository quake.

commit f0cb994713499b521ca9678ec7f72d22a207837d
Author: Simon McVittie <smcv at debian.org>
Date:   Sun Dec 27 23:25:53 2015 +0000

    Add a confirmation step before running binary-only executables
    
    The proprietary binaries don't really have any security support
    at this point, so the least we can do is to recommend that users
    are careful.
---
 Makefile               |  24 +++++++++
 README.binary.in       |   8 +++
 confirm-binary-only.sh | 134 +++++++++++++++++++++++++++++++++++++++++++++++++
 debian/control         |   2 +
 debian/etqw.install    |   2 +
 debian/quake4.install  |   2 +
 debian/rules           |   3 ++
 quake4.in              |  18 ++++++-
 8 files changed, 191 insertions(+), 2 deletions(-)

diff --git a/Makefile b/Makefile
index 1d00d40..29828e4 100644
--- a/Makefile
+++ b/Makefile
@@ -1,5 +1,7 @@
 # Makefile - used for building icon
 
+distro ?= $(shell lsb_release -si)
+
 layer_sizes = 16 22 32 48 256
 
 text = \
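Review bot: The default `distro ?= $(shell lsb_release -si)` expands to an empty string when lsb_release is not installed, so the generated security notice would read " cannot fix them" with no subject. Because `?=` defines a recursively expanded variable, the command is also re-run on every `$(distro)` expansion. A fallback keeps the notice readable: `distro ?= $(shell lsb_release -si 2>/dev/null || echo 'your distribution')`. The value is later pasted into `sed` expressions delimited by `!` (the README.quake4-bin and README.etqw-bin rules), so a vendor name containing `!` or `&` would need escaping there.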
@@ -13,6 +15,8 @@ text = \
 	build/quake3-server \
 	build/quake4-dedicated \
 	build/etqw-dedicated \
+	build/README.etqw-bin \
+	build/README.quake4-bin \
 	$(NULL)
 
 obj = \
@@ -77,6 +81,7 @@ build/quake4: quake4.in Makefile
 	install -d build
 	sed \
 		-e 's!@id@!quake4!' \
+		-e 's!@icon@!/usr/share/icons/hicolor/48x48/apps/quake4.png!' \
 		-e 's!@longname@!Quake 4!' \
 		-e 's!@shortname@!Quake 4!' \
 		-e 's!@binary@!quake4.x86!' \
@@ -89,10 +94,19 @@ build/quake4: quake4.in Makefile
 		< $< > $@
 	chmod +x $@
 
+build/README.quake4-bin: README.binary.in Makefile
+	install -d build
+	sed \
+		-e 's!@id@!quake4!' \
+		-e 's!@shortname@!Quake 4!' \
+		-e 's!@distro@!$(distro)!' \
+		< $< > $@
+
 build/etqw: quake4.in Makefile
 	install -d build
 	sed \
 		-e 's!@id@!etqw!' \
+		-e 's!@icon@!/usr/share/pixmaps/etqw.png!' \
 		-e 's!@longname@!Enemy Territory: Quake Wars!' \
 		-e 's!@shortname@!ETQW!' \
 		-e 's!@binary@!etqw.x86!' \
@@ -105,6 +119,14 @@ build/etqw: quake4.in Makefile
 		< $< > $@
 	chmod +x $@
 
+build/README.etqw-bin: README.binary.in Makefile
+	install -d build
+	sed \
+		-e 's!@id@!etqw!' \
+		-e 's!@shortname@!ETQW!' \
+		-e 's!@distro@!$(distro)!' \
+		< $< > $@
+
 build/quake2-server: quake2.in
 	install -d build
 	sed -e 's/@self@/quake2-server/g' \
@@ -136,6 +158,7 @@ build/quake4-dedicated: quake4.in Makefile
 	install -d build
 	sed \
 		-e 's!@id@!quake4!' \
+		-e 's!@icon@!/usr/share/icons/hicolor/48x48/apps/quake4.png!' \
 		-e 's!@longname@!Quake 4!' \
 		-e 's!@shortname@!Quake 4!' \
 		-e 's!@binary@!q4ded.x86!' \
@@ -152,6 +175,7 @@ build/etqw-dedicated: quake4.in Makefile
 	install -d build
 	sed \
 		-e 's!@id@!etqw!' \
+		-e 's!@icon@!/usr/share/pixmaps/etqw.png!' \
 		-e 's!@longname@!Enemy Territory: Quake Wars!' \
 		-e 's!@shortname@!ETQW!' \
 		-e 's!@binary@!etqwded.x86!' \
diff --git a/README.binary.in b/README.binary.in
new file mode 100644
index 0000000..2d381bb
--- /dev/null
+++ b/README.binary.in
@@ -0,0 +1,8 @@
+ at shortname@ is a binary-only game and might contain security
+vulnerabilities or other bugs. If it does, @distro@ cannot fix them.
+
+Using this game for multiplayer on untrusted networks is not
+recommended. To protect personal files, you could create a dedicated
+user ID to run games.
+
+This message will be shown once for each user ID that runs @shortname at .
diff --git a/confirm-binary-only.sh b/confirm-binary-only.sh
new file mode 100755
index 0000000..c782e3a
--- /dev/null
+++ b/confirm-binary-only.sh
@@ -0,0 +1,134 @@
+#!/bin/sh
+
+set -e
+
+icon=
+dotdir=
+text_file=
+title=
+
+run () {
+  mkdir -p -m700 "${dotdir}"
+  touch "${dotdir}/confirmed-binary-only"
+  exec "$@"
+  exit 70   # EX_SOFTWARE
+}
+
+try_zenity () {
+  if ! command -v zenity >/dev/null; then
+    return 1
+  fi
+
+  e=0
+  zenity --text-info --filename="$text_file" --title="$title" \
+    --checkbox="I'll be careful" --ok-label="Run" \
+    --window-icon="${icon}" \
+    --width=500 --height=400 || e=$?
+  case "$e" in
+    (0)
+      run "$@"
+      ;;
+    (*)
+      exit 77   # EX_NOPERM
+      ;;
+  esac
+}
+
+try_kdialog () {
+  if ! command -v kdialog >/dev/null; then
+    return 1
+  fi
+
+  e=0
+  kdialog --title "$TITLE" --warningcontinuecancel "$(cat "$text_file")" || \
+    e=$?
+  case "$e" in
+    (0)
+      run "$@"
+      ;;
+    (*)
+      exit 77   # EX_NOPERM
+      ;;
+  esac
+}
+
+try_xmessage () {
+  if ! command -v xmessage >/dev/null; then
+    return 1
+  fi
+
+  e=0
+  xmessage -buttons Run:100,Cancel:101 -nearmouse -file "$text_file" || e=$?
+  case "$e" in
+    (100)
+      run "$@"
+      ;;
+    (*)
+      exit 77   # EX_NOPERM
+      ;;
+  esac
+}
+
+while [ "$#" -gt 0 ]; do
+  case "$1" in
+    (--dotdir)
+      dotdir="$2"
+      shift 2
+      ;;
+
+    (--icon)
+      icon="$2"
+      shift 2
+      ;;
+
+    (--title)
+      title="$2"
+      shift 2
+      ;;
+
+    (--text-file)
+      text_file="$2"
+      shift 2
+      ;;
+
+    (--)
+      shift
+      ;;
+
+    (*)
+      break
+      ;;
+  esac
+done
+
+if [ -z "$icon" ] || [ -z "$dotdir" ] || [ -z "$text_file" ] || \
+    [ -z "$title" ]; then
+  echo "$0: usage error: missing parameter" >&2
+  exit 2
+fi
+
+if [ -e "${dotdir}/confirmed-binary-only" ]; then
+  run "$@"
+fi
+
+case $(echo "$DESKTOP_SESSION" | tr A-Z a-z) in
+  (kde)
+    pref=try_kdialog
+    ;;
+  (gnome)
+    pref=try_zenity
+    ;;
+  # easter egg for testing
+  (1990slinuxuser)
+    pref=try_xmessage
+    ;;
+  (*)
+    pref=false
+    ;;
+esac
+
+$pref "$@" || try_zenity "$@" || try_kdialog "$@" || try_xmessage "$@"
+
+exit 72   # EX_OSFILE
+
+# vim:set et sts=2 sw=2:
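Review bot: `try_kdialog` passes `--title "$TITLE"`, but the script only ever assigns the lowercase `title`, so the kdialog warning gets an empty title unless the environment happens to define TITLE; the line should read `kdialog --title "$title" --warningcontinuecancel "$(cat "$text_file")" || \`. In the option loop the `(--)` arm shifts but does not `break`, so parsing continues into the wrapped command line, and a leading argument there such as `--icon` would be consumed as an option to this script; `shift; break` ends parsing at the separator. The option arms also run `shift 2` without checking that a value follows, so a trailing `--dotdir` aborts under `set -e` with no usage message.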
diff --git a/debian/control b/debian/control
index 4ee33da..18323bd 100644
--- a/debian/control
+++ b/debian/control
@@ -150,6 +150,7 @@ Architecture: i386
 Depends:
  ${misc:Depends},
  quake4-bin | game-data-packager (>= 43),
+ x11-utils | zenity | kde-baseapps-bin,
 Suggests:
  quake4-pb-bin,
 Description: science-fiction-themed first person shooter
@@ -206,6 +207,7 @@ Architecture: i386
 Depends:
  ${misc:Depends},
  etqw-bin | game-data-packager (>= 44),
+ x11-utils | zenity | kde-baseapps-bin,
 Suggests:
  etqw-pb-bin,
 Description: science-fiction-themed multiplayer first person shooter
diff --git a/debian/etqw.install b/debian/etqw.install
index 6b248d9..dde2faa 100644
--- a/debian/etqw.install
+++ b/debian/etqw.install
@@ -1,4 +1,6 @@
 build/etqw                              usr/games
+build/README.etqw-bin                   usr/lib/etqw
 README.etqw-data                        usr/lib/etqw
 need-data.sh                            usr/lib/etqw
+confirm-binary-only.sh                  usr/lib/etqw
 etqw.desktop                            usr/share/applications
diff --git a/debian/quake4.install b/debian/quake4.install
index 19909b3..621bd4f 100644
--- a/debian/quake4.install
+++ b/debian/quake4.install
@@ -6,6 +6,8 @@ build/32/quake4*.png                    usr/share/icons/hicolor/32x32/apps
 build/48/quake4*.png                    usr/share/icons/hicolor/48x48/apps
 build/quake4                            usr/games
 build/quake4*.svg                       usr/share/icons/hicolor/scalable/apps
+build/README.quake4-bin                 usr/lib/quake4
 README.quake4-data                      usr/lib/quake4
 need-data.sh                            usr/lib/quake4
+confirm-binary-only.sh                  usr/lib/quake4
 quake4.desktop                          usr/share/applications
diff --git a/debian/rules b/debian/rules
index 70cc344..ade9d70 100755
--- a/debian/rules
+++ b/debian/rules
@@ -3,6 +3,9 @@
 %:
 	dh $@ --parallel --with=systemd
 
+override_dh_auto_build:
+	dh_auto_build -- distro=$(shell dpkg-vendor --query Vendor)
+
 override_dh_installinit:
 	dh_installinit -pquake4-server --noscripts
 	dh_installinit -petqw-server --noscripts
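Review bot: The output of `$(shell dpkg-vendor --query Vendor)` is placed on the `dh_auto_build` command line unquoted, so a vendor name containing whitespace would be split and the remainder handed to make as a separate argument. Quoting keeps it a single assignment: `dh_auto_build -- distro='$(shell dpkg-vendor --query Vendor)'`. Whether any derivative's Vendor field actually contains a space cannot be told from this hunk.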
diff --git a/quake4.in b/quake4.in
index bad7886..6454056 100644
--- a/quake4.in
+++ b/quake4.in
@@ -18,7 +18,10 @@ smpbinary="@smpbinary@"
 basegame="@basegame@"
 # required packages
 paks="@paks@"
+# absolute path to icon
+icon="@icon@"
 
+dotdir="${HOME}/.${id}"
 pkglibdir="/usr/lib/${id}"
 
 help() {
@@ -77,7 +80,9 @@ cvars="+set com_allowconsole 1"
 
 # Quake 4 expects to run in its installation directory
 cd "$pkglibdir"
-# The SMP binary needs a modified bundled copy of SDL.
+# The SMP binary needs a modified bundled copy of SDL. We don't set this
+# environment variable until after going through confirm-binary-only.sh,
+# so that we can't accidentally load sourceless binaries.
 set \
   env LD_LIBRARY_PATH="${pkglibdir}${LD_LIBRARY_PATH:+":${LD_LIBRARY_PATH}"}" \
   "$@"
@@ -94,6 +99,15 @@ else
   shift
 fi
 
-exec "$@"
+if [ "${role}" = "client" ]; then
+  exec "${pkglibdir}/confirm-binary-only.sh" \
+    --icon "${icon}" \
+    --dotdir "${dotdir}" \
+    --text-file "${pkglibdir}/README.${id}-bin" \
+    --title "${longname}" \
+    -- "$@"
+else
+  exec "$@"
+fi
 
 # vim:set sw=2 sts=2 et:
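Review bot: The `else` branch execs the binary-only executable for every role other than `client` without any confirmation, and nothing in the hunk records why. That path deserves a comment, since the README text added by this commit specifically cautions about multiplayer on untrusted networks. Something like `# Non-client roles (dedicated servers) have no interactive user to ask, so they start without the confirmation dialog` above the `else` would do, assuming that is the intent. `role` is set outside this hunk, so which roles reach the `else` cannot be confirmed from here.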

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-games/quake.git


