Bug 479677 - gnome-screensaver never propagates the environment to its helper dialog
Summary: gnome-screensaver never propagates the environment to its helper dialog
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: gnome-screensaver
Version: 5.4
Hardware: All
OS: Linux
high
medium
Target Milestone: rc
: ---
Assignee: Ray Strode [halfline]
QA Contact: desktop-bugs@redhat.com
URL:
Whiteboard:
Depends On:
Blocks: 743405 807971
TreeView+ depends on / blocked
 
Reported: 2009-01-12 13:32 UTC by ritz
Modified: 2018-10-27 13:10 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-07-05 22:25:02 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)
patch based on upstream code (3.76 KB, patch)
2009-01-12 13:32 UTC, ritz 		no flags Details | Diff
View All


Links
System ID Private Priority Status Summary Last Updated
GNOME Bugzilla 327602 0 None None None Never

Description ritz 2009-01-12 13:32:26 UTC 
Created attachment 328732 [details]
patch based on upstream code

Description of problem:
"When a user attempts to unlock the screen, the gnome-screensaver session
daemon spawns gnome-screensaver-dialog to authenticate the user.  On systems where shadow passwords are in use, and on which PAM (which it is assumed can check passwords without elevated privileges), the dialog is setuid.

For the sake of these cases, gnome-screensaver starts the dialog with only a
handful of variables copied from the user's environment (PATH, SESSION_MANAGER,
XAUTHORITY, XAUTHLOCALHOSTNAME, LANG, LANGUAGE).

While this does nothing to prevent the user from doing the same thing and
attempting to exploit any bugs which might be present in a setuid installation
of gnome-screensaver-dialog, it also penalizes the non-setuid case by breaking
themes and any other user-interface customizations which are specified through
the environment."


Additional info:
Comment 1 jmccann 2009-01-13 22:04:12 UTC 
dev_ack+ patch is available
Comment 3 RHEL Program Management 2009-03-26 16:57:31 UTC 
This request was evaluated by Red Hat Product Management for
inclusion, but this component is not scheduled to be updated in
the current Red Hat Enterprise Linux release. If you would like
this request to be reviewed for the next minor release, ask your
support representative to set the next rhel-x.y flag to "?".
Comment 9 RHEL Program Management 2010-08-09 18:46:25 UTC 
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated in the
current release, Red Hat is unfortunately unable to address this
request at this time. Red Hat invites you to ask your support
representative to propose this request, if appropriate and relevant,
in the next release of Red Hat Enterprise Linux.
Comment 11 RHEL Program Management 2011-05-31 13:54:59 UTC 
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated in the
current release, Red Hat is unfortunately unable to address this
request at this time. Red Hat invites you to ask your support
representative to propose this request, if appropriate and relevant,
in the next release of Red Hat Enterprise Linux.
Comment 16 RHEL Program Management 2012-04-02 14:17:41 UTC 
This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux release.  Product Management has
requested further review of this request by Red Hat Engineering, for
potential inclusion in a Red Hat Enterprise Linux release for currently
deployed products.  This request is not yet committed for inclusion in
a release.
Comment 25 RHEL Program Management 2012-07-05 22:25:02 UTC 
Development Management has reviewed and declined this request.
You may appeal this decision by reopening this request.
Note You need to log in before you can comment on or make changes to this bug.