security-misc/usr/bin/pkexec.security-misc

#!/bin/bash

## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.

## Redirect calls for pkexec to lxqt-sudo because pkexec is incompatible with
## hidepid.
## * https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860040
## * https://forums.whonix.org/t/cannot-use-pkexec/8129

set -e

## If hidepid is not in use, just use pkexec normally.
if ! mount | grep "/proc" | grep "hidepid=2" &>/dev/null ; then
   pkexec.security-misc-orig "$@"
   exit $?
fi

## Prefer lxqt-sudo.
use_sudo=false

original_args="$@"

## Thanks to:
## http://mywiki.wooledge.org/BashFAQ/035

while :
do
      case $1 in
         ## Should show 'pkexec --version' or fail?
         --version)
            shift
            pkexec.security-misc-orig "$original_args"
            exit $?
            ;;
         ## Should show 'pkexec --help' or fail?
         --help)
            shift
            pkexec.security-misc-orig "$original_args"
            exit $?
            ;;
         ## Drop --disable-internal-agent as not needed and breaking both,
         ## lxqt-sudo and sudo.
         --disable-internal-agent)
            shift
            ;;
         --user)
            ## lxqt-sudo does not support "--user".
            ## We should not make this wrapper run something as root which
            ## is supposed to run under a different user. Try using
            ## "sudo -A --user user --set-home" instead.
            user_pkexec_wrapper="$2"
            if [ "$user_pkexec_wrapper" = "" ]; then
               shift
            else
               shift 2
            fi
            use_sudo=true
            ;;
         --)
            shift
            break
            ;;
         *)
            break
            ;;
      esac
done

## If there are input files (for example) that follow the options, they
## will remain in the "$@" positional parameters.

if [[ "$@" = "" ]]; then
   ## Call original pkexec in case there are no arguments.
   pkexec.security-misc-orig $original_args
   exit $?
fi

## set PATH same as root
## This is required for gdebi.
## REVIEW: is it ok that users can find out the PATH setting of root?
PATH="$(sudo --non-interactive /usr/lib/security-misc/echo-path)"
export PATH

if [ "$use_sudo" = "true" ]; then
   lxqt-sudo sudo --user "$user_pkexec_wrapper" --set-home "$@"
else
   lxqt-sudo "$@"
fi
Redirect calls for pkexec to lxqt-sudo because pkexec is incompatible with hidepid. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860040 https://forums.whonix.org/t/cannot-use-pkexec/8129 Thanks to AnonymousUser for the bug report! 2019-10-21 05:46:49 -04:00			`#!/bin/bash`

			`## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>`
			`## See the file COPYING for copying conditions.`

			`## Redirect calls for pkexec to lxqt-sudo because pkexec is incompatible with`
			`## hidepid.`
			`## * https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860040`
			`## * https://forums.whonix.org/t/cannot-use-pkexec/8129`

			`set -e`

			`## If hidepid is not in use, just use pkexec normally.`
silence output by mount/grep 2019-10-22 08:54:48 -04:00			`if ! mount \| grep "/proc" \| grep "hidepid=2" &>/dev/null ; then`
Redirect calls for pkexec to lxqt-sudo because pkexec is incompatible with hidepid. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860040 https://forums.whonix.org/t/cannot-use-pkexec/8129 Thanks to AnonymousUser for the bug report! 2019-10-21 05:46:49 -04:00			`pkexec.security-misc-orig "$@"`
			`exit $?`
			`fi`

			`## Prefer lxqt-sudo.`
			`use_sudo=false`

			`original_args="$@"`

			`## Thanks to:`
			`## http://mywiki.wooledge.org/BashFAQ/035`

			`while :`
			`do`
			`case $1 in`
			`## Should show 'pkexec --version' or fail?`
			`--version)`
			`shift`
			`pkexec.security-misc-orig "$original_args"`
			`exit $?`
			`;;`
			`## Should show 'pkexec --help' or fail?`
			`--help)`
			`shift`
			`pkexec.security-misc-orig "$original_args"`
			`exit $?`
			`;;`
			`## Drop --disable-internal-agent as not needed and breaking both,`
			`## lxqt-sudo and sudo.`
			`--disable-internal-agent)`
			`shift`
			`;;`
			`--user)`
			`## lxqt-sudo does not support "--user".`
			`## We should not make this wrapper run something as root which`
			`## is supposed to run under a different user. Try using`
			`## "sudo -A --user user --set-home" instead.`
			`user_pkexec_wrapper="$2"`
			`if [ "$user_pkexec_wrapper" = "" ]; then`
			`shift`
			`else`
			`shift 2`
			`fi`
			`use_sudo=true`
			`;;`
			`--)`
			`shift`
			`break`
			`;;`
			`*)`
			`break`
			`;;`
			`esac`
			`done`

			`## If there are input files (for example) that follow the options, they`
			`## will remain in the "$@" positional parameters.`

			`if [[ "$@" = "" ]]; then`
			`## Call original pkexec in case there are no arguments.`
quotes fix 2019-10-22 09:22:29 -04:00			`pkexec.security-misc-orig $original_args`
Redirect calls for pkexec to lxqt-sudo because pkexec is incompatible with hidepid. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860040 https://forums.whonix.org/t/cannot-use-pkexec/8129 Thanks to AnonymousUser for the bug report! 2019-10-21 05:46:49 -04:00			`exit $?`
			`fi`

			`## set PATH same as root`
			`## This is required for gdebi.`
			`## REVIEW: is it ok that users can find out the PATH setting of root?`
			`PATH="$(sudo --non-interactive /usr/lib/security-misc/echo-path)"`
			`export PATH`

			`if [ "$use_sudo" = "true" ]; then`
better solution when using pkexec with --user: wrap sudo --user with lxqt-sudo 2019-10-22 09:08:18 -04:00			`lxqt-sudo sudo --user "$user_pkexec_wrapper" --set-home "$@"`
Redirect calls for pkexec to lxqt-sudo because pkexec is incompatible with hidepid. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860040 https://forums.whonix.org/t/cannot-use-pkexec/8129 Thanks to AnonymousUser for the bug report! 2019-10-21 05:46:49 -04:00			`else`
			`lxqt-sudo "$@"`
			`fi`