From 80159545a580830565ec01a507915add9c44838a Mon Sep 17 00:00:00 2001
From: Patrick Schleizer <adrelanos@riseup.net>
Date: Wed, 15 Jan 2020 02:42:10 -0500
Subject: [PATCH] fix xfce4-power-manager xfpm-power-backlight-helper pkexec
 lxsudo popup

https://forums.whonix.org/t/xfce4-power-manager-xfpm-power-backlight-helper-pkexec-lxsudo-popup/8764

do show lxqt-sudo password prompt if there is a sudoers exceptoin

improved pkexec wrapper logging
---
 etc/sudoers.d/pkexec-security-misc | 11 +++++++
 etc/sudoers.d/security-misc        |  2 --
 etc/sudoers.d/xfce-security-misc   | 19 +++++++++++
 usr/bin/pkexec.security-misc       | 51 ++++++++++++++++++++++++------
 4 files changed, 72 insertions(+), 11 deletions(-)
 create mode 100644 etc/sudoers.d/pkexec-security-misc
 create mode 100644 etc/sudoers.d/xfce-security-misc

diff --git a/etc/sudoers.d/pkexec-security-misc b/etc/sudoers.d/pkexec-security-misc
new file mode 100644
index 0000000..1572b03
--- /dev/null
+++ b/etc/sudoers.d/pkexec-security-misc
@@ -0,0 +1,11 @@
+## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
+## See the file COPYING for copying conditions.
+
+## REVIEW: is it ok that users can find out the PATH setting of root?
+%sudo ALL=NOPASSWD: /usr/lib/security-misc/echo-path
+
+## xfpm-power-backlight-helper demands environment variable PKEXEC_UID to be
+## set. Would otherwise error out with the following error message:
+## "This program must only be run through pkexec"
+## REVIEW: Can bad things be done by spoofing PKEXEC_UID?
+Defaults:ALL env_keep += "PKEXEC_UID"
diff --git a/etc/sudoers.d/security-misc b/etc/sudoers.d/security-misc
index a3a7114..3f98634 100644
--- a/etc/sudoers.d/security-misc
+++ b/etc/sudoers.d/security-misc
@@ -3,5 +3,3 @@
 
 user ALL=NOPASSWD: /usr/lib/security-misc/panic-on-oops
 %sudo ALL=NOPASSWD: /usr/lib/security-misc/panic-on-oops
-
-%sudo ALL=NOPASSWD: /usr/lib/security-misc/echo-path
diff --git a/etc/sudoers.d/xfce-security-misc b/etc/sudoers.d/xfce-security-misc
new file mode 100644
index 0000000..8e75102
--- /dev/null
+++ b/etc/sudoers.d/xfce-security-misc
@@ -0,0 +1,19 @@
+## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
+## See the file COPYING for copying conditions.
+
+## https://forums.whonix.org/t/xfce4-power-manager-xfpm-power-backlight-helper-pkexec-lxsudo-popup/8764
+## /usr/share/polkit-1/actions/org.xfce.power.policy
+
+## Feel free to out comment this if you are not using xfce4-power-manager or XFCE.
+
+%sudo ALL=NOPASSWD: /usr/sbin/xfpm-power-backlight-helper --set-brightness [[\:digit\:]]
+%sudo ALL=NOPASSWD: /usr/sbin/xfpm-power-backlight-helper --set-brightness [[\:digit\:]][[\:digit\:]]
+%sudo ALL=NOPASSWD: /usr/sbin/xfpm-power-backlight-helper --set-brightness [[\:digit\:]][[\:digit\:]][[\:digit\:]]
+
+%sudo ALL=NOPASSWD: /usr/sbin/xfpm-power-backlight-helper --set-brightness-switch [[\:digit\:]]
+%sudo ALL=NOPASSWD: /usr/sbin/xfpm-power-backlight-helper --set-brightness-switch [[\:digit\:]][[\:digit\:]]
+%sudo ALL=NOPASSWD: /usr/sbin/xfpm-power-backlight-helper --set-brightness-switch [[\:digit\:]][[\:digit\:]][[\:digit\:]]
+
+## XXX: Should we allow this?
+#%sudo ALL=NOPASSWD: /usr/sbin/xfce4-pm-helper --suspend
+#%sudo ALL=NOPASSWD: /usr/sbin/xfce4-pm-helper --hibernate
diff --git a/usr/bin/pkexec.security-misc b/usr/bin/pkexec.security-misc
index 6a718ab..8a844fc 100755
--- a/usr/bin/pkexec.security-misc
+++ b/usr/bin/pkexec.security-misc
@@ -10,8 +10,18 @@
 
 set -e
 
+my_real_path="$(realpath "$0")" || true
+identifier="$my_real_path wrapper"
+exec > >(systemd-cat --identifier="$identifier output by program:") 2>&1
+
+log_to_journal() {
+   echo "$@" | systemd-cat --identifier="$identifier output by wrapper:" || true
+}
+
+log_to_journal "$0 $@"
+log_to_journal "DISPLAY: '$DISPLAY'"
 my_pstree="$(pstree -p $$)" || true
-echo "my_pstree: '$my_pstree' | $0 $@" | systemd-cat --identifier="$0" || true
+log_to_journal "my_pstree: '$my_pstree'"
 
 ## If hidepid is not in use, just use pkexec normally.
 if ! mount | grep "/proc" | grep "hidepid=2" &>/dev/null ; then
@@ -19,8 +29,7 @@ if ! mount | grep "/proc" | grep "hidepid=2" &>/dev/null ; then
    exit $?
 fi
 
-## Prefer lxqt-sudo.
-use_sudo=false
+switch_user=false
 
 original_args="$@"
 
@@ -58,7 +67,8 @@ do
             else
                shift 2
             fi
-            use_sudo=true
+            switch_user=true
+            maybe_switch_to_user="--user $user_pkexec_wrapper"
             ;;
          --)
             shift
@@ -73,6 +83,17 @@ done
 ## If there are input files (for example) that follow the options, they
 ## will remain in the "$@" positional parameters.
 
+if [ "$PKEXEC_UID" = "" ]; then
+   if [ ! "$user_pkexec_wrapper" = "" ]; then
+      PKEXEC_UID="$user_pkexec_wrapper"
+   elif [ ! "$SUDO_USER" = "" ]; then
+      PKEXEC_UID="$SUDO_USER"
+   else
+      PKEXEC_UID="$(whoami)"
+   fi
+fi
+export PKEXEC_UID
+
 if [[ "$@" = "" ]]; then
    ## Call original pkexec in case there are no arguments.
    pkexec.security-misc-orig $original_args
@@ -80,19 +101,31 @@ if [[ "$@" = "" ]]; then
 fi
 
 exit_code=0
-if [ "$use_sudo" = "true" ]; then
-   ## 'sudo --user user' environment variables such as PATH.
-   lxqt-sudo sudo --user "$user_pkexec_wrapper" --set-home "$@" || { exit_code=$? ; true; };
+
+## lxqt-sudo does not check /etc/sudoers / /etc/sudoers.d exceptions.
+## Therefore use 'sudo -l' to see if there is any already existing sudoers exception.
+if sudo -l --non-interactive $maybe_switch_to_user --set-home PKEXEC_UID="$PKEXEC_UID" "$@" ; then
+   log_to_journal "sudoers exception: yes"
+   sudo --non-interactive $maybe_switch_to_user --set-home PKEXEC_UID="$PKEXEC_UID" "$@" || { exit_code=$? ; true; };
+   log_to_journal "sudo --user | exit_code: '$exit_code'"
+   exit "$exit_code"
+fi
+
+log_to_journal "sudoers exception: no"
+
+if [ "$switch_user" = "true" ]; then
+   ## 'sudo --user user' clears environment variables such as PATH.
+   lxqt-sudo sudo $maybe_switch_to_user --set-home PKEXEC_UID="$PKEXEC_UID" "$@" || { exit_code=$? ; true; };
 else
    ## set PATH same as root
    ## This is required for gdebi.
    ## REVIEW: is it ok that users can find out the PATH setting of root?
-   ## lxqt-sudo does not clear environment variables such as PATH.
+   ## lxqt-sudo does not clear environment variable PATH.
    PATH="$(sudo --non-interactive /usr/lib/security-misc/echo-path)"
    export PATH
    lxqt-sudo "$@" || { exit_code=$? ; true; };
 fi
 
-echo "exit_code: '$exit_code'" | systemd-cat --identifier="$0" || true
+log_to_journal "exit_code: '$exit_code'"
 
 exit "$exit_code"