[Pkg-acpi-devel] Bug#763134: acpi-support-base: /usr/share/acpi-support/power-funcs broken from line 24 if consolekit installed and no dbus running

Michael Meskes meskes at debian.org
Mon Sep 29 11:33:57 UTC 2014


@security: Is this enough of a security problem to warrant a stable upload?

The fix seems easy enough, just run pinky if $user is still empty.

Michael

On Sun, Sep 28, 2014 at 05:12:45AM +0200, waijb wrote:
> getXuser() is broken:
> 
> block starting at line 24 in /usr/share/acpi-support/power-funcs:
> ----
>  24         if [ -x /usr/bin/ck-list-sessions ]; then
>  25                 uid=$(ck-list-sessions | awk 'BEGIN { unix_user = ""; }
>   /^Session/ { unix_user = ""; } /unix-user =/ { gsub(/'\''/,"",$3);
>   unix_user = $3; } /x11-display = '\'$display\''/ { print unix_user; exit
>   (0); }')
>  26 
>  27                 if [ "$uid" ]; then
>  28                         IFS=:
>  29                         set -- $(getent passwd $uid)
>  30                         user=$1
>  31                         unset IFS
>  32                 fi
>  33         else
> ----
> 
> just testing if /usr/bin/ck-list-sessions is executable doesn't do the
> trick.
> until just now i had consolekit installed (some dependency somewhere), but
> dbus was (and still is and will be) not running. this leads to an error in
> line 25, ultimately no $user is set. the pinky check is not executed (but
> would work just fine).
> finally XAUTHORITY and XUSER are exported as blanks.
> 
> this breaks at least /usr/share/acpi-support/screenblank
> debug output:
> ----
> [04:00:22] root at schleppi ~ # /bin/sh -x /usr/share/acpi-support/screenblank
> -- source added by me for testing
> + . /usr/share/acpi-support/power-funcs
> --
> + umask 022
> + PATH=/sbin:/usr/sbin:/usr/local/sbin:/sbin:/usr/sbin:/usr/local/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/bin/X11
> + POWERSTATE=/var/lib/acpi-support/powerstate
> + HDPARM=/sbin/hdparm -q
> + LIDSTATE=/var/lib/acpi-support/lidstate
> + d=/tmp/.X11-unix
> + displaynum=0
> + getXuser
> + local plist display uid user startx pid userhome IFS
> + [ 0 ]
> + display=:0
> + user=
> + [ -x /usr/bin/ck-list-sessions ]
> + ck-list-sessions
> + awk BEGIN { unix_user = ""; } /^Session/ { unix_user = ""; } /unix-user =/ { gsub(/'/,"",$3); unix_user = $3; } /x11-display = ':0'/ { print unix_user; exit (0); }
> ** Message: Failed to connect to the D-Bus daemon: Failed to connect to socket /var/run/dbus/system_bus_socket: No such file or directory
> + uid=
> + [  ]
> + [ -z  ]
> + pgrep -n startx
> + :
> + startx=
> + [ -z  ]
> + [ x != x ]
> + export XAUTHORITY=
> + XUSER=
> + export XUSER
> + [ x != x ]
> + [ -x = xtrue ]
> ----
> 
> result: X not locked as expected after sleep/hibernate. free local and
> possible remote (root)shells etc...
> 
> 
> regards
> waijb

-- 
Michael Meskes
Michael at Fam-Meskes dot De, Michael at Meskes dot (De|Com|Net|Org)
Michael at BorussiaFan dot De, Meskes at (Debian|Postgresql) dot Org
Jabber: michael.meskes at gmail dot com
VfL Borussia! Força Barça! Go SF 49ers! Use Debian GNU/Linux, PostgreSQL
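
The fix suggested in this thread, as an added example that is not part of the original messages or the acpi-support source: the pinky fallback is gated on `$user` being empty rather than on ck-list-sessions being installed, and the lookup returns non-zero instead of handing back a blank name. `resolve_x_user`, `CK_LIST`, `PINKY` and the `fake_*` stand-ins are hypothetical names, the sample pinky line is constructed, and matching the display against pinky's TTY or last column is an assumption.

```sh
#!/bin/sh
# Added example, not acpi-support code. CK_LIST and PINKY are hypothetical
# override hooks so the lookup can be exercised without ConsoleKit or X.
: "${CK_LIST:=ck-list-sessions}"
: "${PINKY:=pinky -fw}"

# Print the login name that owns X display $1 (e.g. ":0").
# Returns 1 when nobody can be identified, so callers never get a blank name.
resolve_x_user() {
    local display="$1" user="" uid=""
    if command -v "${CK_LIST%% *}" >/dev/null 2>&1; then
        # If ck-list-sessions cannot reach D-Bus it prints nothing useful
        # on stdout and $uid simply stays empty.
        uid=$($CK_LIST 2>/dev/null | awk -v d="'$display'" '
            /^Session/                 { u = "" }
            /unix-user =/              { gsub(/\047/, "", $3); u = $3 }
            /x11-display =/ && $3 == d { print u; exit }')
        if [ -n "$uid" ]; then
            user=$(getent passwd "$uid" | cut -d: -f1)
        fi
    fi
    # The fallback keys on the result, not on which binaries are installed.
    if [ -z "$user" ]; then
        user=$($PINKY 2>/dev/null |
            awk -v d="$display" '$2 == d || $NF == d { print $1; exit }')
    fi
    [ -n "$user" ] || return 1
    printf '%s\n' "$user"
}

# Constructed stand-ins: a ConsoleKit client with no D-Bus, a pinky with one
# X session, and a pinky that reports nobody.
fake_ck_no_dbus() { echo "** Message: Failed to connect to the D-Bus daemon" >&2; }
fake_pinky()      { echo "alice    tty7     05:12  2014-09-28 04:00 :0"; }
fake_pinky_none() { :; }

# Demo: ConsoleKit fails, the fallback still names the display owner.
CK_LIST=fake_ck_no_dbus PINKY=fake_pinky resolve_x_user :0   # prints "alice"
```

A caller would export XUSER and XAUTHORITY only when the function succeeds, and treat a non-zero return as a reason to stop rather than continue with empty values.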
