Description of problem: The liveusb-creator uses PyQt4, which is supposed to use the GTK style when run on GNOME, but it currently looks like this: http://lewk.org/img/liveusb-creator-3.13.png Version-Release number of selected component (if applicable): qt-4.8.6-18.fc21.x86_64 PyQt4-4.11.3-1.fc21.x86_64
Kevin clued me in on irc: src/gui/kernel/qapplication_x11.cpp contains checks: if (!qgetenv("KDE_FULL_SESSION").isEmpty()) { X11->desktopEnvironment = DE_KDE; X11->desktopVersion = qgetenv("KDE_SESSION_VERSION").toInt(); break; } if (qgetenv("DESKTOP_SESSION") == "gnome") { X11->desktopEnvironment = DE_GNOME; break; } // GNOME_DESKTOP_SESSION_ID is deprecated for some reason, but still check it if (!qgetenv("GNOME_DESKTOP_SESSION_ID").isEmpty()) { X11->desktopEnvironment = DE_GNOME; break; } So looks like this may be a consequence of running liveusb-creator fully through pkexec , and loosing the user environment. And also from irc: <lmacken> rdieter: not a big deal. someday I'll decouple the gui from the backend ^^ getting proper policykit integration should naturally fix this too
IMHO, this is a bug in pkexec: It really shouldn't be removing those environment variables for GUI apps. They are needed for proper look&feel integration. I also have this problem with Calamares. IMHO, the whitelist approach is a very bad idea, a blacklist would probably work better, but at the very least, GUI applications need the following environment variables forwarded: KDE_FULL_SESSION KDE_SESSION_VERSION DESKTOP_SESSION GNOME_DESKTOP_SESSION_ID XDG_CURRENT_DESKTOP QT_STYLE_OVERRIDE QT_XCB_FORCE_SOFTWARE_OPENGL There are some more that may make sense to forward, such as KDE_IS_PRELINKED, QT_PLUGIN_PATH, XDG_DATA_DIRS etc., but some of those may be considered security issues. The ones in my list above are perfectly safe though.
This message is a reminder that Fedora 21 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 21. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '21'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 21 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
The trivial patch is now attached to the upstream bug that Philip Müller from Manjaro filed. Can we PLEASE get this applied? As it stands (i.e., without the patch), pkexec is very broken for Qt apps.
(Philip's report also adds QT_QPA_PLATFORMTHEME to the list of needed environment variables, which is correct.)
Any comment or objections from polkit maintainers? If not, I'll consider applying the proposed patch next week and issue updates.
(In reply to Rex Dieter from comment #6) > Any comment or objections from polkit maintainers? > > If not, I'll consider applying the proposed patch next week and issue > updates. Considering https://bugs.freedesktop.org/show_bug.cgi?id=96713#c3 , please don’t. If $KDE_SESSION_VERSION is obviously unsafe, and used just in simple shell scripts, I don’t feel comfortable assuming that the other ones used for plugin loading in several layers deep stack of QApplication code are safe. Also, I can’t find any documentation for several of the variables, and those documented in QApplication have no documented safety properties.
Pardon my ignorance, but how is KDE_SESSION_VERSION obviously unsafe?
e.g. with > KDE_SESSION_VERSION='passwd -- root "abc def"' running > xdg-desktop-icon uninstall /dev/null causes execution of > kdepasswd -- root '"abc' 'def"-config' --userpath desktop (See with (bash -x xdg-desktop-icon …), create a ~/bin/kde$something which prints confirmation to /dev/tty and run KDE_SESSIoN_VERSION='$something $other_args' I don’t know whether this can be weaponized into arbitrary command execution; this should be enough for a demonstration.
Ah thanks. I guess I naively assumed/hoped that PATH would be sanitized, which appears to not be the case.
PATH is supposed to be sanitized (set to the standard plus ~destination_user/bin), but when the user is authorized to run $specific_command, running /usr/bin/kde$other_command is also unauthorized.
The problem is, Qt needs access to KDE_SESSION_VERSION to know how to adapt to Plasma theming. We are asking for those environment variables for a reason.
(In reply to Kevin Kofler from comment #12) > The problem is, Qt needs access to KDE_SESSION_VERSION to know how to adapt > to Plasma theming. We are asking for those environment variables for a > reason. Sorry, “I need to pass these values to keep my themes, and I hope that nothing will become insecure” is not an acceptable way to change privilege escalation systems. (I apologize if you have actually done research on this, it’s just that there is no way to tell, and no way to follow up on that research. You definitely know more about Qt and KDE than I do.) See https://bugs.freedesktop.org/show_bug.cgi?id=96713#c7 for a possible way forward. I’m afraid I can’t spare weeks to make the security argument against the thousands of FOSS packages in general; perhaps we can find ways to simplify to make things obviously correct.
This message is a reminder that Fedora 23 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 23. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '23'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 23 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
This message is a reminder that Fedora 25 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 25. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '25'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 25 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
This message is a reminder that Fedora 27 is nearing its end of life. On 2018-Nov-30 Fedora will stop maintaining and issuing updates for Fedora 27. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '27'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 27 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Fedora 27 changed to end-of-life (EOL) status on 2018-11-30. Fedora 27 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.