fix xfce4-power-manager xfpm-power-backlight-helper pkexec lxsudo popup

https://forums.whonix.org/t/xfce4-power-manager-xfpm-power-backlight-helper-pkexec-lxsudo-popup/8764 do show lxqt-sudo password prompt if there is a sudoers exceptoin improved pkexec wrapper logging
2025-01-11 13:39:28 -05:00 · 2020-01-15 02:42:10 -05:00 · 2020-01-15 02:42:10 -05:00 · 80159545a5
commit 80159545a5
parent d90ca4b1ad
4 changed files with 72 additions and 11 deletions
--- a/etc/sudoers.d/pkexec-security-misc
+++ b/etc/sudoers.d/pkexec-security-misc
@ -0,0 +1,11 @@
 ## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
 ## See the file COPYING for copying conditions.
 ## REVIEW: is it ok that users can find out the PATH setting of root?
 %sudo ALL=NOPASSWD: /usr/lib/security-misc/echo-path
 ## xfpm-power-backlight-helper demands environment variable PKEXEC_UID to be
 ## set. Would otherwise error out with the following error message:
 ## "This program must only be run through pkexec"
 ## REVIEW: Can bad things be done by spoofing PKEXEC_UID?
 Defaults:ALL env_keep += "PKEXEC_UID"
--- a/etc/sudoers.d/security-misc
+++ b/etc/sudoers.d/security-misc
@ -3,5 +3,3 @@
 user ALL=NOPASSWD: /usr/lib/security-misc/panic-on-oops
 %sudo ALL=NOPASSWD: /usr/lib/security-misc/panic-on-oops
 %sudo ALL=NOPASSWD: /usr/lib/security-misc/echo-path
--- a/etc/sudoers.d/xfce-security-misc
+++ b/etc/sudoers.d/xfce-security-misc
@ -0,0 +1,19 @@
 ## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
 ## See the file COPYING for copying conditions.
 ## https://forums.whonix.org/t/xfce4-power-manager-xfpm-power-backlight-helper-pkexec-lxsudo-popup/8764
 ## /usr/share/polkit-1/actions/org.xfce.power.policy
 ## Feel free to out comment this if you are not using xfce4-power-manager or XFCE.
 %sudo ALL=NOPASSWD: /usr/sbin/xfpm-power-backlight-helper --set-brightness [[\:digit\:]]
 %sudo ALL=NOPASSWD: /usr/sbin/xfpm-power-backlight-helper --set-brightness [[\:digit\:]][[\:digit\:]]
 %sudo ALL=NOPASSWD: /usr/sbin/xfpm-power-backlight-helper --set-brightness [[\:digit\:]][[\:digit\:]][[\:digit\:]]
 %sudo ALL=NOPASSWD: /usr/sbin/xfpm-power-backlight-helper --set-brightness-switch [[\:digit\:]]
 %sudo ALL=NOPASSWD: /usr/sbin/xfpm-power-backlight-helper --set-brightness-switch [[\:digit\:]][[\:digit\:]]
 %sudo ALL=NOPASSWD: /usr/sbin/xfpm-power-backlight-helper --set-brightness-switch [[\:digit\:]][[\:digit\:]][[\:digit\:]]
 ## XXX: Should we allow this?
 #%sudo ALL=NOPASSWD: /usr/sbin/xfce4-pm-helper --suspend
 #%sudo ALL=NOPASSWD: /usr/sbin/xfce4-pm-helper --hibernate
--- a/usr/bin/pkexec.security-misc
+++ b/usr/bin/pkexec.security-misc
@ -10,8 +10,18 @@
 set -e
 my_real_path="$(realpath "$0")" || true
 identifier="$my_real_path wrapper"
 exec > >(systemd-cat --identifier="$identifier output by program:") 2>&1
 log_to_journal() {
   echo "$@" | systemd-cat --identifier="$identifier output by wrapper:" || true
 }
 log_to_journal "$0 $@"
 log_to_journal "DISPLAY: '$DISPLAY'"
 my_pstree="$(pstree -p $$)" || true
-echo "my_pstree: '$my_pstree' | $0 $@" | systemd-cat --identifier="$0" || true
+log_to_journal "my_pstree: '$my_pstree'"
 ## If hidepid is not in use, just use pkexec normally.
 if ! mount | grep "/proc" | grep "hidepid=2" &>/dev/null ; then
@ -19,8 +29,7 @@ if ! mount | grep "/proc" | grep "hidepid=2" &>/dev/null ; then
   exit $?
 fi
-## Prefer lxqt-sudo.
+switch_user=false
 use_sudo=false
 original_args="$@"
@ -58,7 +67,8 @@ do
            else
               shift 2
            fi
-            use_sudo=true
+            switch_user=true
            maybe_switch_to_user="--user $user_pkexec_wrapper"
            ;;
         --)
            shift
@ -73,6 +83,17 @@ done
 ## If there are input files (for example) that follow the options, they
 ## will remain in the "$@" positional parameters.
 if [ "$PKEXEC_UID" = "" ]; then
   if [ ! "$user_pkexec_wrapper" = "" ]; then
      PKEXEC_UID="$user_pkexec_wrapper"
   elif [ ! "$SUDO_USER" = "" ]; then
      PKEXEC_UID="$SUDO_USER"
   else
      PKEXEC_UID="$(whoami)"
   fi
 fi
 export PKEXEC_UID
 if [[ "$@" = "" ]]; then
   ## Call original pkexec in case there are no arguments.
   pkexec.security-misc-orig $original_args
@ -80,19 +101,31 @@ if [[ "$@" = "" ]]; then
 fi
 exit_code=0
-if [ "$use_sudo" = "true" ]; then
+
-   ## 'sudo --user user' environment variables such as PATH.
+## lxqt-sudo does not check /etc/sudoers / /etc/sudoers.d exceptions.
-   lxqt-sudo sudo --user "$user_pkexec_wrapper" --set-home "$@" || { exit_code=$? ; true; };
+## Therefore use 'sudo -l' to see if there is any already existing sudoers exception.
 if sudo -l --non-interactive $maybe_switch_to_user --set-home PKEXEC_UID="$PKEXEC_UID" "$@" ; then
   log_to_journal "sudoers exception: yes"
   sudo --non-interactive $maybe_switch_to_user --set-home PKEXEC_UID="$PKEXEC_UID" "$@" || { exit_code=$? ; true; };
   log_to_journal "sudo --user | exit_code: '$exit_code'"
   exit "$exit_code"
 fi
 log_to_journal "sudoers exception: no"
 if [ "$switch_user" = "true" ]; then
   ## 'sudo --user user' clears environment variables such as PATH.
   lxqt-sudo sudo $maybe_switch_to_user --set-home PKEXEC_UID="$PKEXEC_UID" "$@" || { exit_code=$? ; true; };
 else
   ## set PATH same as root
   ## This is required for gdebi.
   ## REVIEW: is it ok that users can find out the PATH setting of root?
-   ## lxqt-sudo does not clear environment variables such as PATH.
+   ## lxqt-sudo does not clear environment variable PATH.
   PATH="$(sudo --non-interactive /usr/lib/security-misc/echo-path)"
   export PATH
   lxqt-sudo "$@" || { exit_code=$? ; true; };
 fi
-echo "exit_code: '$exit_code'" | systemd-cat --identifier="$0" || true
+log_to_journal "exit_code: '$exit_code'"
 exit "$exit_code"