Stop using pkexec for grub2-set-bootflag

Stop using pkexec for grub2-set-bootflag, it does not work under gdm instead make it suid root (it was written with this in mind) Signed-off-by: Peter Jones <pjones@redhat.com>
2024-11-28 07:44:52 +00:00 · 2018-09-14 16:20:30 +00:00 · 2018-09-14 16:20:30 +00:00 · bb02e16c59
commit bb02e16c59
parent b796a9a04b
3 changed files with 76 additions and 6 deletions
--- a/0241-docs-Stop-using-polkit-pkexec-for-grub-boot-success..patch
+++ b/0241-docs-Stop-using-polkit-pkexec-for-grub-boot-success..patch
@ -0,0 +1,69 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Fri, 14 Sep 2018 16:39:40 +0200
+Subject: [PATCH] docs: Stop using polkit / pkexec for grub-boot-success.timer
+ / service
+
+We also want to call grub2-set-bootflag under gdm and pkexec does not
+work under gdm because the gdm user has /sbin/nologin as shell.
+
+So instead we are going to install grub2-set-bootflag as suid root,
+grub2-set-bootflag was written with this usage in mind, so is safe
+to be made suid root.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+---
+ docs/grub-boot-success.service |  2 +-
+ docs/grub-boot-success.timer   |  1 -
+ docs/org.gnu.grub.policy       | 20 --------------------
+ 3 files changed, 1 insertion(+), 22 deletions(-)
+ delete mode 100644 docs/org.gnu.grub.policy
+
+diff --git a/docs/grub-boot-success.service b/docs/grub-boot-success.service
+index c8c91c34d49..80e79584c91 100644
+--- a/docs/grub-boot-success.service
+++ b/docs/grub-boot-success.service
+@@ -3,4 +3,4 @@ Description=Mark boot as successful
+ 
+ [Service]
+ Type=oneshot
+-ExecStart=/usr/bin/pkexec /usr/sbin/grub2-set-bootflag boot_success
+ExecStart=/usr/sbin/grub2-set-bootflag boot_success
+diff --git a/docs/grub-boot-success.timer b/docs/grub-boot-success.timer
+index 67bd829b795..5d8fcba21aa 100644
+--- a/docs/grub-boot-success.timer
+++ b/docs/grub-boot-success.timer
+@@ -1,7 +1,6 @@
+ [Unit]
+ Description=Mark boot as successful after the user session has run 2 minutes
+ ConditionUser=!@system
+-ConditionPathExists=/usr/bin/pkexec
+ 
+ [Timer]
+ OnActiveSec=2min
+diff --git a/docs/org.gnu.grub.policy b/docs/org.gnu.grub.policy
+deleted file mode 100644
+index 18391efc8e7..00000000000
+--- a/docs/org.gnu.grub.policy
+++ /dev/null
+@@ -1,20 +0,0 @@
+-<?xml version="1.0" encoding="UTF-8"?>
+-<!DOCTYPE policyconfig PUBLIC "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN" "http://www.freedesktop.org/standards/PolicyKit/1.0/policyconfig.dtd">
+-<policyconfig>
+-  <vendor>GNU GRUB</vendor>
+-  <vendor_url>https://www.gnu.org/software/grub/</vendor_url>
+-  <action id="org.gnu.grub.set-bootflag">
+-    <!-- SECURITY:
+-          - A normal active user on the local machine does not need permission
+-            to set bootflags to show the menu / mark current boot successful.
+-     -->
+-    <description>Set GRUB bootflags</description>
+-    <message>Authentication is required to modify the bootloaders bootflags</message>
+-    <defaults>
+-      <allow_any>no</allow_any>
+-      <allow_inactive>no</allow_inactive>
+-      <allow_active>yes</allow_active>
+-    </defaults>
+-    <annotate key="org.freedesktop.policykit.exec.path">/usr/sbin/grub2-set-bootflag</annotate>
+-  </action>
+-</policyconfig>
--- a/grub.patches
+++ b/grub.patches
@ -238,3 +238,4 @@ Patch0237: 0237-Add-more-dprintf-and-nerf-dprintf-in-script.c.patch
 Patch0238: 0238-arm-arm64-loader-Better-memory-allocation-and-error-.patch
 Patch0239: 0239-Try-to-pick-better-locations-for-kernel-and-initrd.patch
 Patch0240: 0240-grub-boot-success.timer-Add-a-few-Conditions-for-run.patch
+Patch0241: 0241-docs-Stop-using-polkit-pkexec-for-grub-boot-success..patch
--- a/grub2.spec
+++ b/grub2.spec
@ -7,7 +7,7 @@
 Name:		grub2
 Epoch:		1
 Version:	2.02
-Release:	58%{?dist}
+Release:	59%{?dist}
 Summary:	Bootloader with support for Linux, Multiboot and more
 Group:		System Environment/Base
 License:	GPLv3+
@ -223,9 +223,6 @@ install -D -m 0755 -t %{buildroot}%{_prefix}/lib/kernel/install.d/ %{SOURCE9}
 install -d -m 0755 %{buildroot}%{_sysconfdir}/kernel/install.d/
 install -m 0644 /dev/null %{buildroot}%{_sysconfdir}/kernel/install.d/20-grubby.install
 install -m 0644 /dev/null %{buildroot}%{_sysconfdir}/kernel/install.d/90-loaderentry.install
-# Install grub2-set-bootflag polkit policy
-install -D -m 0755 -t %{buildroot}%{_datadir}/polkit-1/actions \
-	docs/org.gnu.grub.policy
 # Install systemd user service to set the boot_success flag
 install -D -m 0755 -t %{buildroot}%{_userunitdir} \
 	docs/grub-boot-success.{timer,service}
@ -366,7 +363,7 @@ fi
 %files tools-minimal
 %{_sysconfdir}/prelink.conf.d/grub2.conf
 %{_sbindir}/%{name}-get-kernel-settings
-%{_sbindir}/%{name}-set-bootflag
+%attr(4755, root, root) %{_sbindir}/%{name}-set-bootflag
 %{_sbindir}/%{name}-set-default
 %{_sbindir}/%{name}-set*password
 %{_bindir}/%{name}-editenv
@ -390,7 +387,6 @@ fi
 %attr(0644,root,root) %ghost %config(noreplace) %{_sysconfdir}/default/grub
 %config %{_sysconfdir}/grub.d/??_*
 %{_sysconfdir}/grub.d/README
-%{_datadir}/polkit-1/actions/org.gnu.grub.policy
 %{_userunitdir}/grub-boot-success.timer
 %{_userunitdir}/grub-boot-success.service
 %{_userunitdir}/timers.target.wants
@ -498,6 +494,10 @@ fi
 %endif

 %changelog
+* Tue Sep 25 2018 Peter Jones <pjones@redhat.com> - 2.02-59
+- Stop using pkexec for grub2-set-bootflag, it does not work under gdm
+  instead make it suid root (it was written with this in mind)
+
 * Wed Sep 12 2018 Peter Jones <pjones@redhat.com> - 2.02-58
 - Add 2 conditions to boot-success timer and service:
  - Don't run it for system users