authorV3n3RiX <venerix@redcorelinux.org>2017-10-09 18:53:29 +0100
committerV3n3RiX <venerix@redcorelinux.org>2017-10-09 18:53:29 +0100
commit4f2d7949f03e1c198bc888f2d05f421d35c57e21 (patch)
treeba5f07bf3f9d22d82e54a462313f5d244036c768 /kde-plasma/kwallet-pam
reinit the tree, so we can have metadata
Diffstat (limited to 'kde-plasma/kwallet-pam')
-rw-r--r--kde-plasma/kwallet-pam/Manifest7
-rw-r--r--kde-plasma/kwallet-pam/files/kwallet-pam-5.10.5-check-graphical.patch87
-rw-r--r--kde-plasma/kwallet-pam/files/kwallet-pam-5.10.5-cleanups.patch173
-rw-r--r--kde-plasma/kwallet-pam/files/kwallet-pam-5.10.5-privileges.patch49
-rw-r--r--kde-plasma/kwallet-pam/kwallet-pam-5.10.5-r1.ebuild59
-rw-r--r--kde-plasma/kwallet-pam/metadata.xml8
6 files changed, 383 insertions, 0 deletions
diff --git a/kde-plasma/kwallet-pam/Manifest b/kde-plasma/kwallet-pam/Manifest
new file mode 100644
index 000000000000..e26cebcaa03d
--- /dev/null
+++ b/kde-plasma/kwallet-pam/Manifest
@@ -0,0 +1,7 @@
+AUX kwallet-pam-5.10.5-check-graphical.patch 2956 SHA256 ce9c644000e055f2f323d2c5247db18fe9df993d33c7c95acd9e89e9013ec864 SHA512 05541b77a1aa21a157d6af1d8c4e97a1b229de098d121dec7784b11f37a8352bf51b69851aeccf135908805270052143f426db165b1a160fdeb0b5400b863ff9 WHIRLPOOL 51192aba9fc5918e80c971ec22b8e64eb64e940bdc0fdb856ef6c799697a2d6a4c92cbea3d94abc44329decf9634f36f40b90632a94f08b2fb9817d3156b1c4f
+AUX kwallet-pam-5.10.5-cleanups.patch 6488 SHA256 4985d7935a6f18f7ee7b4743bec5e60f3d07ba111ead772be332c9cae53bc4ec SHA512 19791dfffb8f9978269911cf6d8ef7b3ad1c658f3c377ab6d4f967b821fba49952a67c157a818bf79343162acd9d273bd809a370baa0971a4c9b460caace0335 WHIRLPOOL bbc61549711beaa4b665396f4f3419f11eab24f75aa686adfc0f32ce789bbbbf0f87f7102040b7a8e089807ed7d17756651cdad5fb9d6a14ad8259d3ccdffe02
+AUX kwallet-pam-5.10.5-privileges.patch 1538 SHA256 0bc60ba0e92ccf8ccb137838c649f54277884f3f81d5e12cdd17195e66ed3831 SHA512 010e1be15771d3a3c141fdc3cbeb989c295efc46da885d175c3dd76839cad6bdce3e74937619de6d54a94897a827bc8c78ef73b04b4561c4d7d0e55aee350a9b WHIRLPOOL 50d50ffbe1994d070ebff3d7ef659069c7ec5574f4ef62a2e26924324b09552286f46365255a5ad487ea44942015cd9818582be4267baf3dc1f285931a4009bf
+DIST kwallet-pam-5.10.5.tar.xz 17908 SHA256 c42e444c9c85dc5bbc60bbd666d20ea72162ddd38dc18254c47c48a0ca404073 SHA512 7a2e1a0a85ffc7d9dfd6a1dc8a16d7117f30fc3b983756e28fc11a19bddf99a273842a1774ccf93c5c879a1d899212f6b6d0808fa14eb17260396f5c207e3dc5 WHIRLPOOL d0db78bc52855b700242079d423fbdb1089796f40be994ad1b9109570e7be46eada006ea62dda8181afdf52f834510121b6fc00c1af3e36bbff7512a32e463f0
+EBUILD kwallet-pam-5.10.5-r1.ebuild 1616 SHA256 3a93aeb01ca197930d8ea2085a10b466053a0e9b955378a6cb7a9239800f80c8 SHA512 1246397b1a1ca458613e81e03470aee6b59bec8ce0638bad870bc0944444d918cf5528d163a95b59a7147499e2086bdf48257c94363926f1cab22a1d757e622a WHIRLPOOL 6391b960c337dc90ccdd32ce1baf71e5211f758c152f75882628a02163d4fe90dd2eb3795f88e302491f6c18049e63d6203632d9c547057e98d366870c679f62
+MISC ChangeLog 12748 SHA256 528680401f76d8b17c8cdaa1f021f290093650c847501765efb38630d01d1c18 SHA512 caa34b5789699d8fd8dbe821aa426c9c6d8a0279481cdd8d53bf41f95d16ec914926d25d726ba6270d7a601f211950b7c4e3a3bd2dd62c62bcb1513af208ae5b WHIRLPOOL eaee260bca455231e33fcda2154be422934a27c946ee49fd5c611eab8956591ddd23d1bcac1d26071283c16425a8ee864fa00d9e2ff8794201d6e07b9c4c51bb
+MISC metadata.xml 249 SHA256 584f1dcf51866dc24a9abf7a89bfba0fad11dde81ae1c1b715da41770d233c99 SHA512 76a5a340b13f0053ca3c5e94ed24380ea8d29b45ac8655419e22eaadb1e4a827c04d2e7e36b65145c4964e6526f656618fc6ac144e277ef53cb7373e6239e3c3 WHIRLPOOL 200c07a8bf7c55b11b7936d5cd30e991a511684913334e72f59def66c0ced5fed0b4a8754e2d98bffbab631cb90d4e17fcccc59d5dcc5a8e988f69e47c85518c
diff --git a/kde-plasma/kwallet-pam/files/kwallet-pam-5.10.5-check-graphical.patch b/kde-plasma/kwallet-pam/files/kwallet-pam-5.10.5-check-graphical.patch
new file mode 100644
index 000000000000..61ea4604586f
--- /dev/null
+++ b/kde-plasma/kwallet-pam/files/kwallet-pam-5.10.5-check-graphical.patch
@@ -0,0 +1,87 @@
+From f3b230f7f3bf39dc46b97a216aa7c28595d20a7a Mon Sep 17 00:00:00 2001
+From: Fabian Vogt <fabian@ritter-vogt.de>
+Date: Thu, 3 Aug 2017 09:50:30 +0200
+Subject: Check for a graphical session
+
+Summary:
+Avoid running if it detects a text session. This can be overridden by adding
+"force_run" as argument.
+
+Test Plan:
+Put pam_kwallet5.so as optional in a global common-session pam file
+that is included by all other services. It is not invoked when logging in from
+a tty with getty, sudo or su and still works when using SDDM. When adding
+force_run it runs in all cases.
+
+Reviewers: #plasma
+
+Subscribers: plasma-devel
+
+Tags: #plasma
+
+Differential Revision: https://phabricator.kde.org/D7125
+---
+ pam_kwallet.c | 26 ++++++++++++++++++++++++++
+ 1 file changed, 26 insertions(+)
+
+diff --git a/pam_kwallet.c b/pam_kwallet.c
+index cba57e7..46720a5 100644
+--- a/pam_kwallet.c
++++ b/pam_kwallet.c
+@@ -72,6 +72,7 @@ const static char *kwalletd = NULL;
+ const static char *socketPath = NULL;
+ const static char *kwalletPamDataKey = NULL;
+ const static char *logPrefix = NULL;
++static int force_run = 0;
+
+ #ifdef KWALLET5
+ const static char *envVar = "PAM_KWALLET5_LOGIN";
+@@ -98,6 +99,8 @@ static void parseArguments(int argc, const char **argv)
+ kwalletd = argv[x] + 9;
+ } else if (strstr(argv[x], "socketPath=") != NULL) {
+ socketPath= argv[x] + 11;
++ } else if (strcmp(argv[x], "force_run") == 0) {
++ force_run = 1;
+ }
+ }
+ #ifdef KWALLET5
+@@ -246,6 +249,24 @@ static void cleanup_free(pam_handle_t *pamh, void *ptr, int error_status)
+ free(ptr);
+ }
+
++static int is_graphical_session(pam_handle_t *pamh)
++{
++ //Detect a graphical session
++ const char *pam_tty = NULL, *pam_xdisplay = NULL,
++ *xdg_session_type = NULL, *display = NULL;
++
++ pam_get_item(pamh, PAM_TTY, (const void**) &pam_tty);
++#ifdef PAM_XDISPLAY
++ pam_get_item(pamh, PAM_XDISPLAY, (const void**) &pam_xdisplay);
++#endif
++ xdg_session_type = get_env(pamh, "XDG_SESSION_TYPE");
++
++ return (pam_xdisplay && strlen(pam_xdisplay) != 0)
++ || (pam_tty && pam_tty[0] == ':')
++ || (xdg_session_type && strcmp(xdg_session_type, "x11") == 0)
++ || (xdg_session_type && strcmp(xdg_session_type, "wayland") == 0);
++}
++
+ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
+ {
+ pam_syslog(pamh, LOG_INFO, "%s: pam_sm_authenticate\n", logPrefix);
+@@ -537,6 +558,11 @@ PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, cons
+
+ parseArguments(argc, argv);
+
++ if (!force_run && !is_graphical_session(pamh)) {
++ pam_syslog(pamh, LOG_INFO, "%s: not a graphical session, skipping. Use force_run parameter to ignore this.", logPrefix);
++ return PAM_IGNORE;
++ }
++
+ int result;
+ result = pam_set_data(pamh, "sm_open_session", "1", NULL);
+ if (result != PAM_SUCCESS) {
+--
+cgit v0.11.2
+
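Review bot: `is_graphical_session()` treats `XDG_SESSION_TYPE` as proof of a graphical login, but the value comes from `get_env()`, whose definition is outside this patch. If that helper falls back to the process environment, `sudo` or `su` started from a terminal inside a desktop session inherits `x11`/`wayland`, and the module still runs for the setuid callers the check is meant to skip. I would restrict the lookup to the PAM environment, e.g. `xdg_session_type = pam_getenv(pamh, "XDG_SESSION_TYPE");`, or at least state the limitation in a comment above the function. In the visible hunks the guard is added only to pam_sm_open_session, so pam_sm_authenticate appears to keep deriving and storing the key for text logins. `display` is declared but never used and can be dropped.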
diff --git a/kde-plasma/kwallet-pam/files/kwallet-pam-5.10.5-cleanups.patch b/kde-plasma/kwallet-pam/files/kwallet-pam-5.10.5-cleanups.patch
new file mode 100644
index 000000000000..38a333131e93
--- /dev/null
+++ b/kde-plasma/kwallet-pam/files/kwallet-pam-5.10.5-cleanups.patch
@@ -0,0 +1,173 @@
+From a33ec22b96e837899528b05963eae8ea6b01171a Mon Sep 17 00:00:00 2001
+From: Fabian Vogt <fabian@ritter-vogt.de>
+Date: Thu, 3 Aug 2017 09:02:14 +0200
+Subject: Several cleanups
+
+Summary:
+- No cppcheck warnings anymore
+- Use snprintf everywhere
+- Avoid pointless multiplication with sizeof(char)
+- Avoid memory leaks
+
+Test Plan: Still builds, works the same as before.
+
+Reviewers: #plasma
+
+Subscribers: plasma-devel
+
+Tags: #plasma
+
+Differential Revision: https://phabricator.kde.org/D7123
+---
+ pam_kwallet.c | 44 ++++++++++++++++++++++++++++++++------------
+ 1 file changed, 32 insertions(+), 12 deletions(-)
+
+diff --git a/pam_kwallet.c b/pam_kwallet.c
+index d88c5e0..cba57e7 100644
+--- a/pam_kwallet.c
++++ b/pam_kwallet.c
+@@ -151,13 +151,14 @@ static int set_env(pam_handle_t *pamh, const char *name, const char *value)
+ //We do not return because pam_putenv might work
+ }
+
+- char *pamEnv = malloc(strlen(name) + strlen(value) + 2); //2 is for = and \0
++ size_t pamEnvSize = strlen(name) + strlen(value) + 2; //2 is for = and \0
++ char *pamEnv = malloc(pamEnvSize);
+ if (!pamEnv) {
+ pam_syslog(pamh, LOG_WARNING, "%s: Impossible to allocate memory for pamEnv", logPrefix);
+ return -1;
+ }
+
+- sprintf (pamEnv, "%s=%s", name, value);
++ snprintf (pamEnv, pamEnvSize, "%s=%s", name, value);
+ int ret = pam_putenv(pamh, pamEnv);
+ free(pamEnv);
+
+@@ -240,6 +241,11 @@ cleanup:
+ return result;
+ }
+
++static void cleanup_free(pam_handle_t *pamh, void *ptr, int error_status)
++{
++ free(ptr);
++}
++
+ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
+ {
+ pam_syslog(pamh, LOG_INFO, "%s: pam_sm_authenticate\n", logPrefix);
+@@ -297,14 +303,17 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons
+ return PAM_IGNORE;
+ }
+
+- char *key = malloc(sizeof(char) * KWALLET_PAM_KEYSIZE);
+- if (kwallet_hash(password, userInfo, key) != 0) {
++ char *key = malloc(KWALLET_PAM_KEYSIZE);
++ if (!key || kwallet_hash(password, userInfo, key) != 0) {
++ free(key);
+ pam_syslog(pamh, LOG_ERR, "%s: Fail into creating the hash", logPrefix);
+ return PAM_IGNORE;
+ }
+
+- result = pam_set_data(pamh, kwalletPamDataKey, key, NULL);
++ result = pam_set_data(pamh, kwalletPamDataKey, key, cleanup_free);
++
+ if (result != PAM_SUCCESS) {
++ free(key);
+ pam_syslog(pamh, LOG_ERR, "%s: Impossible to store the hashed password: %s", logPrefix
+ , pam_strerror(pamh, result));
+ return PAM_IGNORE;
+@@ -385,9 +394,8 @@ cleanup:
+ static int better_write(int fd, const char *buffer, int len)
+ {
+ size_t writtenBytes = 0;
+- int result;
+ while(writtenBytes < len) {
+- result = write(fd, buffer + writtenBytes, len - writtenBytes);
++ int result = write(fd, buffer + writtenBytes, len - writtenBytes);
+ if (result < 0) {
+ if (errno != EAGAIN && errno != EINTR) {
+ return -1;
+@@ -450,6 +458,7 @@ static void start_kwallet(pam_handle_t *pamh, struct passwd *userInfo, const cha
+ if (result != PAM_SUCCESS) {
+ pam_syslog(pamh, LOG_ERR, "%s: Impossible to set %s env, %s",
+ logPrefix, envVar, pam_strerror(pamh, result));
++ free(fullSocket);
+ return;
+ }
+
+@@ -459,12 +468,15 @@ static void start_kwallet(pam_handle_t *pamh, struct passwd *userInfo, const cha
+ if (strlen(fullSocket) > sizeof(local.sun_path)) {
+ pam_syslog(pamh, LOG_ERR, "%s: socket path %s too long to open",
+ logPrefix, fullSocket);
++ free(fullSocket);
+ return;
+ }
+ strcpy(local.sun_path, fullSocket);
++ free(fullSocket);
++ fullSocket = NULL;
+ unlink(local.sun_path);//Just in case it exists from a previous login
+
+- pam_syslog(pamh, LOG_INFO, "%s: final socket path: %s", logPrefix, fullSocket);
++ pam_syslog(pamh, LOG_INFO, "%s: final socket path: %s", logPrefix, local.sun_path);
+
+ size_t len = strlen(local.sun_path) + sizeof(local.sun_family);
+ if (bind(envSocket, (struct sockaddr *)&local, len) == -1) {
+@@ -477,7 +489,7 @@ static void start_kwallet(pam_handle_t *pamh, struct passwd *userInfo, const cha
+ return;
+ }
+
+- if (chown(fullSocket, userInfo->pw_uid, userInfo->pw_gid) == -1) {
++ if (chown(local.sun_path, userInfo->pw_uid, userInfo->pw_gid) == -1) {
+ pam_syslog(pamh, LOG_INFO, "%s: Couldn't change ownership of the socket", logPrefix);
+ return;
+ }
+@@ -655,7 +667,8 @@ int kwallet_hash(const char *passphrase, struct passwd *userInfo, char *key)
+ #else
+ char *fixpath = "share/apps/kwallet/kdewallet.salt";
+ #endif
+- char *path = (char*) malloc(strlen(userInfo->pw_dir) + strlen(kdehome) + strlen(fixpath) + 3);//3 == / and \0
++ size_t pathSize = strlen(userInfo->pw_dir) + strlen(kdehome) + strlen(fixpath) + 3;//3 == /, / and \0
++ char *path = (char*) malloc(pathSize);
+ sprintf(path, "%s/%s/%s", userInfo->pw_dir, kdehome, fixpath);
+
+ struct stat info;
+@@ -666,21 +679,26 @@ int kwallet_hash(const char *passphrase, struct passwd *userInfo, char *key)
+ FILE *fd = fopen(path, "r");
+ if (fd == NULL) {
+ syslog(LOG_ERR, "%s: Couldn't open file: %s because: %d-%s", logPrefix, path, errno, strerror(errno));
++ free(path);
+ return 1;
+ }
+- salt = (char*) malloc(sizeof(char) * KWALLET_PAM_SALTSIZE);
++ salt = (char*) malloc(KWALLET_PAM_SALTSIZE);
+ memset(salt, '\0', KWALLET_PAM_SALTSIZE);
+ fread(salt, KWALLET_PAM_SALTSIZE, 1, fd);
+ fclose(fd);
+ }
++ free(path);
++
+ if (salt == NULL) {
+ syslog(LOG_ERR, "%s-kwalletd: Couldn't create or read the salt file", logPrefix);
+ return 1;
+ }
+
+ gcry_error_t error;
++
+ error = gcry_control(GCRYCTL_INIT_SECMEM, 32768, 0);
+ if (error != 0) {
++ free(salt);
+ syslog(LOG_ERR, "%s-kwalletd: Can't get secure memory: %d", logPrefix, error);
+ return 1;
+ }
+@@ -691,5 +709,7 @@ int kwallet_hash(const char *passphrase, struct passwd *userInfo, char *key)
+ GCRY_KDF_PBKDF2, GCRY_MD_SHA512,
+ salt, KWALLET_PAM_SALTSIZE,
+ KWALLET_PAM_ITERATIONS,KWALLET_PAM_KEYSIZE, key);
+- return 0;
++
++ free(salt);
++ return (int) error; // gcry_kdf_derive returns 0 on success
+ }
+--
+cgit v0.11.2
+
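Review bot: In the kwallet_hash hunk the new `pathSize` is computed but never used: `path` is still filled with `sprintf`, and neither `malloc(pathSize)` nor `malloc(KWALLET_PAM_SALTSIZE)` is checked before `sprintf`/`memset` write through the result, so an allocation failure inside the PAM module becomes a NULL write in the calling process. I would add `if (!path) return 1;` and use `snprintf(path, pathSize, "%s/%s/%s", userInfo->pw_dir, kdehome, fixpath);`, with the same NULL check for `salt`, and test the `fread` result so a short or failed read is not silently used as the salt. In start_kwallet the context line `strlen(fullSocket) > sizeof(local.sun_path)` lets a path of exactly that length reach `strcpy`, which then writes the terminator one byte past the array; `>=` closes that. These functions start and end outside the visible hunks.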
diff --git a/kde-plasma/kwallet-pam/files/kwallet-pam-5.10.5-privileges.patch b/kde-plasma/kwallet-pam/files/kwallet-pam-5.10.5-privileges.patch
new file mode 100644
index 000000000000..8b45b293bbf9
--- /dev/null
+++ b/kde-plasma/kwallet-pam/files/kwallet-pam-5.10.5-privileges.patch
@@ -0,0 +1,49 @@
+From 1a01e1eb870e1ab1d96a8641f1f3500af646c974 Mon Sep 17 00:00:00 2001
+From: Fabian Vogt <fabian@ritter-vogt.de>
+Date: Thu, 3 Aug 2017 09:27:10 +0200
+Subject: Avoid dropping privileges by initializing gcrypt secmem
+
+Summary:
+It's a documented side effect that initialization of secure memory in gcrypt
+drops privileges if getuid() != geteuid(). This results in breaking setuid
+callers, like sudo or su.
+
+Test Plan: Can use sudo again when pam_kwallet is involved.
+
+Reviewers: #plasma
+
+Subscribers: plasma-devel
+
+Tags: #plasma
+
+Differential Revision: https://phabricator.kde.org/D7124
+---
+ pam_kwallet.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/pam_kwallet.c b/pam_kwallet.c
+index 46720a5..20d9603 100644
+--- a/pam_kwallet.c
++++ b/pam_kwallet.c
+@@ -722,12 +722,18 @@ int kwallet_hash(const char *passphrase, struct passwd *userInfo, char *key)
+
+ gcry_error_t error;
+
++ /* We cannot call GCRYCTL_INIT_SECMEM as it drops privileges if getuid() != geteuid().
++ * PAM modules are in many cases executed through setuid binaries, which this call
++ * would break.
++ * It was never effective anyway as neither key nor passphrase are in secure memory,
++ * which is a prerequisite for secure operation...
+ error = gcry_control(GCRYCTL_INIT_SECMEM, 32768, 0);
+ if (error != 0) {
+ free(salt);
+ syslog(LOG_ERR, "%s-kwalletd: Can't get secure memory: %d", logPrefix, error);
+ return 1;
+ }
++ */
+
+ gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0);
+
+--
+cgit v0.11.2
+
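Review bot: With the `GCRYCTL_INIT_SECMEM` call disabled, nothing in this hunk tells libgcrypt before `GCRYCTL_INITIALIZATION_FINISHED` that secure memory is intentionally unused. The libgcrypt manual's pattern for that case is `gcry_control(GCRYCTL_DISABLE_SECMEM, 0);`, which should also keep a later allocation from initialising the pool and triggering the same privilege drop. I would also delete the disabled call instead of leaving it inside the block comment, keeping only the explanation, because the commented-out code reads as live at a glance. The rest of kwallet_hash, including any earlier gcry_check_version() call, is outside the hunk.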
diff --git a/kde-plasma/kwallet-pam/kwallet-pam-5.10.5-r1.ebuild b/kde-plasma/kwallet-pam/kwallet-pam-5.10.5-r1.ebuild
new file mode 100644
index 000000000000..a92f06b64222
--- /dev/null
+++ b/kde-plasma/kwallet-pam/kwallet-pam-5.10.5-r1.ebuild
@@ -0,0 +1,59 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+inherit kde5
+
+DESCRIPTION="KWallet PAM module to not enter password again"
+LICENSE="LGPL-2.1"
+KEYWORDS="amd64 ~arm x86"
+IUSE=""
+
+DEPEND="
+ dev-libs/libgcrypt:0=
+ virtual/pam
+"
+RDEPEND="${DEPEND}
+ net-misc/socat
+"
+
+PATCHES=(
+ "${FILESDIR}/${P}-cleanups.patch"
+ "${FILESDIR}/${P}-check-graphical.patch"
+ "${FILESDIR}/${P}-privileges.patch"
+)
+
+src_configure() {
+ local mycmakeargs=(
+ -DCMAKE_INSTALL_LIBDIR="/$(get_libdir)"
+ -DKWALLET4=0
+ )
+ kde5_src_configure
+}
+
+pkg_postinst() {
+ check_dm() {
+ if [[ -e "${ROOT}${2}" ]] ; then
+ if grep -Eq "auth\s+optional\s+pam_kwallet5.so" "${ROOT}${2}" && \
+ grep -Eq "session\s+optional\s+pam_kwallet5.so" "${ROOT}${2}" ; then
+ elog " ${1} - ${2} ...GOOD"
+ else
+ ewarn " ${1} - ${2} ...BAD"
+ fi
+ fi
+ }
+ elog "This package enables auto-unlocking of kde-frameworks/kwallet:5."
+ elog "List of things to make it work:"
+ elog "1. Use standard blowfish encryption instead of GPG"
+ elog "2. Use same password for login and kwallet"
+ elog "3. A display manager with support for PAM"
+ elog "4.a Have the following lines in the display manager's pam.d file:"
+ elog " -auth optional pam_kwallet5.so"
+ elog " -session optional pam_kwallet5.so auto_start"
+ elog "4.b Checking installed DMs..."
+ has_version "x11-misc/sddm" && check_dm "SDDM" "/etc/pam.d/sddm"
+ has_version "x11-misc/lightdm" && check_dm "LightDM" "/etc/pam.d/lightdm"
+ elog
+ elog "See also: https://wiki.gentoo.org/wiki/KDE#KWallet_auto-unlocking"
+}
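Review bot: The `check_dm` helper in pkg_postinst reports GOOD for a pam.d file in which the pam_kwallet5 lines are commented out, because the `grep -Eq` patterns are unanchored and `#auth optional pam_kwallet5.so` still matches. Anchoring them to the start of the line and escaping the dot makes the check reflect what PAM will actually load: `grep -Eq "^-?auth\s+optional\s+pam_kwallet5\.so" "${ROOT}${2}"`, and likewise for the `session` line. The optional leading `-` keeps the form recommended by the elog text matching.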
diff --git a/kde-plasma/kwallet-pam/metadata.xml b/kde-plasma/kwallet-pam/metadata.xml
new file mode 100644
index 000000000000..2fdbf33d963d
--- /dev/null
+++ b/kde-plasma/kwallet-pam/metadata.xml
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+ <maintainer type="project">
+ <email>kde@gentoo.org</email>
+ <name>Gentoo KDE Project</name>
+ </maintainer>
+</pkgmetadata>