rev 3302 - in trunk/packages/kdeutils/debian: . patches

Christopher Martin chrsmrtn at costa.debian.org
Sun Mar 12 16:06:28 UTC 2006 

Author: chrsmrtn
Date: 2006-03-12 16:06:27 +0000 (Sun, 12 Mar 2006)
New Revision: 3302

Added:
   trunk/packages/kdeutils/debian/klaptopdaemon.README.Debian
   trunk/packages/kdeutils/debian/klaptopdaemon.prerm
   trunk/packages/kdeutils/debian/patches/13_klaptopdaemon_dpkg_statoverride.diff
Modified:
   trunk/packages/kdeutils/debian/changelog
Log:
New patch: use dpkg-statoverride for klaptop_acpi_helper.

Then we need to clean up after remove/purge.

Document all this for admins.


Modified: trunk/packages/kdeutils/debian/changelog
===================================================================
--- trunk/packages/kdeutils/debian/changelog	2006-03-11 18:08:01 UTC (rev 3301)
+++ trunk/packages/kdeutils/debian/changelog	2006-03-12 16:06:27 UTC (rev 3302)
@@ -1,3 +1,14 @@
+kdeutils (4:3.5.1-3) UNRELEASED; urgency=low
+
+  +++ Changes by Christopher Martin:
+
+  * When klaptopdaemon changes klaptop_acpi_helper's permissions, use
+    dpkg-statoverride. Thanks to Romain Lenglet for the patch. See
+    klatopdaemon's README.Debian for details.
+    (Closes: #355527, #355529)
+
+ -- Debian Qt/KDE Maintainers <debian-qt-kde at lists.debian.org>  Sat, 11 Mar 2006 20:22:34 -0500
+
 kdeutils (4:3.5.1-2) unstable; urgency=low
 
   +++ Changes by Christopher Martin:

Added: trunk/packages/kdeutils/debian/klaptopdaemon.README.Debian
===================================================================
--- trunk/packages/kdeutils/debian/klaptopdaemon.README.Debian	2006-03-11 18:08:01 UTC (rev 3301)
+++ trunk/packages/kdeutils/debian/klaptopdaemon.README.Debian	2006-03-12 16:06:27 UTC (rev 3302)
@@ -0,0 +1,28 @@
+klaptopdaemon and SUID permissions
+----------------------------------
+
+To allow ordinary users to control certain power management features,
+klaptopdaemon's panel in the KDE Control Center has a button which prompts
+the user to enter the root password (KDE Control Center --> Power Control
+--> Laptop Battery, then the ACPI Config tab, then the Setup Helper
+Application button). This button changes the permissions of
+/usr/bin/klaptop_acpi_helper from "0755 root.root" to "6755 root.root",
+and therefore grants all regular users extra power management abilities.
+This has obvious security implications, and should not be done on any
+system where all users are not trusted absolutely.
+
+The standard klaptopdaemon changes the binary's permissions using chmod.
+However, if an updated version of the Debian klaptopdaemon package
+were then to be installed, it would reset the permissions, forcing the
+sysadmin to reconfigure after each upgrade.
+
+The Debian package has therefore been patched to use dpkg-statoverride to
+permanently change the permissions of /usr/bin/klaptop_acpi_helper. The
+override is removed and permissions reset if the package is removed or
+purged. However, if the sysadmin wishes to remove the special permissions
+of /usr/bin/klaptop_acpi_helper, they can do so at any time by issuing,
+as root, the following commands:
+
+dpkg-statoverride --remove /usr/bin/klaptop_acpi_helper
+chown root:root /usr/bin/klaptop_acpi_helper
+chmod 0755 /usr/bin/klaptop_acpi_helper

Added: trunk/packages/kdeutils/debian/klaptopdaemon.prerm
===================================================================
--- trunk/packages/kdeutils/debian/klaptopdaemon.prerm	2006-03-11 18:08:01 UTC (rev 3301)
+++ trunk/packages/kdeutils/debian/klaptopdaemon.prerm	2006-03-12 16:06:27 UTC (rev 3302)
@@ -0,0 +1,30 @@
+#! /bin/sh
+
+set -e
+
+case "$1" in
+
+	remove)
+		/usr/sbin/dpkg-statoverride --quiet --remove /usr/bin/klaptop_acpi_helper > /dev/null 2>&1 || true
+		if [ -e /usr/bin/klaptop_acpi_helper ]; then
+			chown root:root /usr/bin/klaptop_acpi_helper
+			chmod 0755 /usr/bin/klaptop_acpi_helper
+		fi
+	;;
+
+	upgrade|deconfigure)
+	;;
+
+	failed-upgrade)
+	;;
+
+	*)
+		echo "prerm called with unknown argument \`$1'" >&2
+		exit 1
+	;;
+
+esac
+
+#DEBHELPER#
+
+exit 0

Added: trunk/packages/kdeutils/debian/patches/13_klaptopdaemon_dpkg_statoverride.diff
===================================================================
--- trunk/packages/kdeutils/debian/patches/13_klaptopdaemon_dpkg_statoverride.diff	2006-03-11 18:08:01 UTC (rev 3301)
+++ trunk/packages/kdeutils/debian/patches/13_klaptopdaemon_dpkg_statoverride.diff	2006-03-12 16:06:27 UTC (rev 3302)
@@ -0,0 +1,31 @@
+--- kde.orig/klaptopdaemon/acpi.cpp
++++ kde.patched/klaptopdaemon/acpi.cpp
+@@ -186,7 +186,7 @@
+ 			proc << kdesu;
+ 			proc << "-u";
+ 			proc << "root";
+-			proc <<  "chown root "+helper+"; chmod +s "+helper;
++			proc <<  "dpkg-statoverride --update --add root root 6755 "+helper;
+ 			proc.start(KProcess::Block);	// run it sync so has_acpi below sees the results
+ 		}
+ 	} else {
+--- kde.orig/klaptopdaemon/apm.cpp
++++ kde.patched/klaptopdaemon/apm.cpp
+@@ -166,7 +166,7 @@
+ 			proc << kdesu;
+ 			proc << "-u";
+ 			proc << "root";
+-			proc <<  QString("chown root ")+apm_name+"; chmod +s "+apm_name;
++			proc <<  QString("dpkg-statoverride --update --add root root 6755 ")+apm_name;
+ 			proc.start(KProcess::Block);	// run it sync so has_apm below sees the results
+ 		}
+ 	} else {
+@@ -208,7 +208,7 @@
+ 			proc << kdesu;
+ 			proc << "-u";
+ 			proc << "root";
+-			proc <<  "chown root "+helper+"; chmod +s "+helper;
++			proc <<  "dpkg-statoverride --update --add root root 6755 "+helper;
+ 			proc.start(KProcess::Block);	// run it sync so has_acpi below sees the results
+ 		}
+ 	} else {

More information about the pkg-kde-commits mailing list