From bb02e16c593291ef1aa03dab74544d74a38cd3da Mon Sep 17 00:00:00 2001
From: Hans de Goede
Date: Fri, 14 Sep 2018 16:20:30 +0000
Subject: [PATCH] Stop using pkexec for grub2-set-bootflag

Stop using pkexec for grub2-set-bootflag, it does not work under gdm instead make it suid root (it was written with this in mind)

Signed-off-by: Peter Jones
---
 ...polkit-pkexec-for-grub-boot-success..patch | 69 +++++++++++++++++++
 grub.patches | 1 +
 grub2.spec | 12 ++--
 3 files changed, 76 insertions(+), 6 deletions(-)
 create mode 100644 0241-docs-Stop-using-polkit-pkexec-for-grub-boot-success..patch

diff --git a/0241-docs-Stop-using-polkit-pkexec-for-grub-boot-success..patch b/0241-docs-Stop-using-polkit-pkexec-for-grub-boot-success..patch
new file mode 100644
index 0000000..bf4ad27
--- /dev/null
+++ b/0241-docs-Stop-using-polkit-pkexec-for-grub-boot-success..patch
@@ -0,0 +1,69 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Hans de Goede
+Date: Fri, 14 Sep 2018 16:39:40 +0200
+Subject: [PATCH] docs: Stop using polkit / pkexec for grub-boot-success.timer
+ / service
+
+We also want to call grub2-set-bootflag under gdm and pkexec does not
+work under gdm because the gdm user has /sbin/nologin as shell.
+
+So instead we are going to install grub2-set-bootflag as suid root,
+grub2-set-bootflag was written with this usage in mind, so is safe
+to be made suid root.
+
+Signed-off-by: Hans de Goede
+---
+ docs/grub-boot-success.service | 2 +-
+ docs/grub-boot-success.timer | 1 -
+ docs/org.gnu.grub.policy | 20 --------------------
+ 3 files changed, 1 insertion(+), 22 deletions(-)
+ delete mode 100644 docs/org.gnu.grub.policy
+
+diff --git a/docs/grub-boot-success.service b/docs/grub-boot-success.service
+index c8c91c34d49..80e79584c91 100644
+--- a/docs/grub-boot-success.service
++++ b/docs/grub-boot-success.service
+@@ -3,4 +3,4 @@ Description=Mark boot as successful
+ 
+ [Service]
+ Type=oneshot
+-ExecStart=/usr/bin/pkexec /usr/sbin/grub2-set-bootflag boot_success
++ExecStart=/usr/sbin/grub2-set-bootflag boot_success
+diff --git a/docs/grub-boot-success.timer b/docs/grub-boot-success.timer
+index 67bd829b795..5d8fcba21aa 100644
+--- a/docs/grub-boot-success.timer
++++ b/docs/grub-boot-success.timer
+@@ -1,7 +1,6 @@
+ [Unit]
+ Description=Mark boot as successful after the user session has run 2 minutes
+ ConditionUser=!@system
+-ConditionPathExists=/usr/bin/pkexec
+ 
+ [Timer]
+ OnActiveSec=2min
+diff --git a/docs/org.gnu.grub.policy b/docs/org.gnu.grub.policy
+deleted file mode 100644
+index 18391efc8e7..00000000000
+--- a/docs/org.gnu.grub.policy
++++ /dev/null
+@@ -1,20 +0,0 @@
+-
+-
+- GNU GRUB
+- https://www.gnu.org/software/grub/
+-
+-
+- Set GRUB bootflags
+- Authentication is required to modify the bootloaders bootflags
+-
+- no
+- no
+- yes
+-
+- /usr/sbin/grub2-set-bootflag
+-
+-
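Review bot: Deleting docs/org.gnu.grub.policy removes the only session-level authorization gate on grub2-set-bootflag — the three values still visible in the deleted file (no, no, yes) look like allow_any/allow_inactive/allow_active, i.e. only an active seat session could run it through pkexec — whereas with the setuid bit any local process, including the gdm user this patch is written for, can invoke it, and the timer's `ConditionUser=!@system` is a scheduling condition rather than an access control. The commit message asserts the binary "was written with this usage in mind", but its source is not part of this change, so that claim (argument validation, what it writes, how it drops privileges) should be confirmed against the grub2-set-bootflag source before the setuid install lands. The service unit should also record why the pkexec wrapper is gone so it is not re-added later; above the new ExecStart line I would put `# grub2-set-bootflag is installed setuid root (see grub2.spec %files); no pkexec/polkit gate is used`. Note too that with `ConditionPathExists=/usr/bin/pkexec` gone, nothing degrades gracefully if the setuid bit is stripped on a host (nosuid mount, hardening tooling) — the oneshot will simply fail on every timer run.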
diff --git a/grub.patches b/grub.patches
index 3fcfac6..df2542a 100644
--- a/grub.patches
+++ b/grub.patches
@@ -238,3 +238,4 @@ Patch0237: 0237-Add-more-dprintf-and-nerf-dprintf-in-script.c.patch
 Patch0238: 0238-arm-arm64-loader-Better-memory-allocation-and-error-.patch
 Patch0239: 0239-Try-to-pick-better-locations-for-kernel-and-initrd.patch
 Patch0240: 0240-grub-boot-success.timer-Add-a-few-Conditions-for-run.patch
+Patch0241: 0241-docs-Stop-using-polkit-pkexec-for-grub-boot-success..patch
diff --git a/grub2.spec b/grub2.spec
index 2f78155..c2a296a 100644
--- a/grub2.spec
+++ b/grub2.spec
@@ -7,7 +7,7 @@ Name: grub2
 Epoch: 1
 Version: 2.02
-Release: 58%{?dist}
+Release: 59%{?dist}
 Summary: Bootloader with support for Linux, Multiboot and more
 Group: System Environment/Base
 License: GPLv3+
@@ -223,9 +223,6 @@ install -D -m 0755 -t %{buildroot}%{_prefix}/lib/kernel/install.d/ %{SOURCE9}
 install -d -m 0755 %{buildroot}%{_sysconfdir}/kernel/install.d/
 install -m 0644 /dev/null %{buildroot}%{_sysconfdir}/kernel/install.d/20-grubby.install
 install -m 0644 /dev/null %{buildroot}%{_sysconfdir}/kernel/install.d/90-loaderentry.install
-# Install grub2-set-bootflag polkit policy
-install -D -m 0755 -t %{buildroot}%{_datadir}/polkit-1/actions \
- docs/org.gnu.grub.policy
 # Install systemd user service to set the boot_success flag
 install -D -m 0755 -t %{buildroot}%{_userunitdir} \
 docs/grub-boot-success.{timer,service}
@@ -366,7 +363,7 @@ fi
 %files tools-minimal
 %{_sysconfdir}/prelink.conf.d/grub2.conf
 %{_sbindir}/%{name}-get-kernel-settings
-%{_sbindir}/%{name}-set-bootflag
+%attr(4755, root, root) %{_sbindir}/%{name}-set-bootflag
 %{_sbindir}/%{name}-set-default
 %{_sbindir}/%{name}-set*password
 %{_bindir}/%{name}-editenv
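Review bot: The new `%attr(4755, root, root) %{_sbindir}/%{name}-set-bootflag` entry in the tools-minimal %files hunk introduces the package's only setuid-root binary with no comment explaining why, and a bare mode in a %files list is exactly the line a later cleanup is likely to "normalize" back to 0755 without realising the user service then breaks. I would precede it with `# setuid root on purpose: grub-boot-success.service runs it from an unprivileged user session (Patch0241)`. Since the binary is now a privilege boundary, it is also worth confirming that the build keeps the distribution's hardened flags for it (the `_hardened_build` macro and the rest of the build section are outside this diff, so I cannot tell from here), and that the tools-minimal subpackage is the intended home given it is pulled in much more widely than the user units that need the setuid bit.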
@@ -390,7 +387,6 @@ fi
 %attr(0644,root,root) %ghost %config(noreplace) %{_sysconfdir}/default/grub
 %config %{_sysconfdir}/grub.d/??_*
 %{_sysconfdir}/grub.d/README
-%{_datadir}/polkit-1/actions/org.gnu.grub.policy
 %{_userunitdir}/grub-boot-success.timer
 %{_userunitdir}/grub-boot-success.service
 %{_userunitdir}/timers.target.wants
@@ -498,6 +494,10 @@ fi
 %endif
 %changelog
+* Tue Sep 25 2018 Peter Jones - 2.02-59
+- Stop using pkexec for grub2-set-bootflag, it does not work under gdm
+ instead make it suid root (it was written with this in mind)
+
 * Wed Sep 12 2018 Peter Jones - 2.02-58
 - Add 2 conditions to boot-success timer and service:
 - Don't run it for system users