From 7fdbcf66592dfec2b3c8704e6f43bdaeba708f0a Mon Sep 17 00:00:00 2001
From: Thierry Vignaud <tv@mandriva.org>
Date: Mon, 12 Oct 2009 16:55:29 +0000
Subject: (raw) introduce new 'as_user' parameter which tries harder to get
 user ID in order to drop privileges ; also keep a copy of the X11 cookie
 (enable to fix #53999)

---
 perl-install/NEWS           |  3 +++
 perl-install/run_program.pm | 21 ++++++++++++++++++++-
 2 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/perl-install/NEWS b/perl-install/NEWS
index 6be13831a..ef42fdd97 100644
--- a/perl-install/NEWS
+++ b/perl-install/NEWS
@@ -1,3 +1,6 @@
+- run_program layer:
+  o keep a copy of the X11 cookie
+  o try harder to drop privileges
 - partitioning wizard:
   o put back "previous" button on actions (#54475)
   o fix typo in message
diff --git a/perl-install/run_program.pm b/perl-install/run_program.pm
index e1a6f7f04..a59f7a08b 100644
--- a/perl-install/run_program.pm
+++ b/perl-install/run_program.pm
@@ -5,6 +5,7 @@ use strict;
 use c;
 
 use MDK::Common;
+use common; # for get_parent_uid()
 use log;
 
 1;
@@ -47,6 +48,13 @@ sub raw {
     ($stdout_mode, $stdout_raw, @args) = @args if $args[0] =~ /^>>?$/;
     ($stderr_mode, $stderr_raw, @args) = @args if $args[0] =~ /^2>>?$/;
 
+    if ($options->{as_user}) {
+        my $user;
+        $user = $ENV{USERHELPER_UID} && getpwuid($ENV{USERHELPER_UID});
+        $user ||= common::get_parent_uid();
+        $options->{setuid} = getpwnam($user) if $user;
+    }
+
     my $args = $options->{sensitive_arguments} ? '<hidden arguments>' : join(' ', @args);
     log::explanations("running: $real_name $args" . ($root ? " with root $root" : ""));
 
@@ -111,7 +119,18 @@ sub raw {
     } else {
         if ($options->{setuid}) {
             require POSIX;
-            $ENV{LOGNAME} = getpwuid($options->{setuid}) || $ENV{LOGNAME};
+            my ($logname, $home) = (getpwuid(501))[0,7];
+            $ENV{LOGNAME} = $logname if $logname;
+
+            # if we were root and are going to drop privilege, keep a copy of the X11 cookie:
+            if (!$> && $home) {
+                # FIXME: it would be better to remove this but most callers are using 'detach => 1'...
+                my $xauth = chomp_(`mktemp $home/.Xauthority.XXXXX`);
+                system('cp', '-a', $ENV{XAUTHORITY}, $xauth);
+                system('chown', $logname, $xauth);
+                $ENV{XAUTHORITY} = $xauth;
+            }
+
             # drop privileges:
             POSIX::setuid($options->{setuid});
         }
-- 
cgit v1.2.1