Bug 479677 - gnome-screensaver never propagates the environment to its helper dialog
gnome-screensaver never propagates the environment to its helper dialog
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: gnome-screensaver (Show other bugs)
5.4
All Linux
high Severity medium
: rc
: ---
Assigned To: Ray Strode [halfline]
desktop-bugs@redhat.com
: Patch
Depends On:
Blocks: 743405 807971
  Show dependency treegraph
 
Reported: 2009-01-12 08:32 EST by ritz
Modified: 2012-07-05 18:25 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-07-05 18:25:02 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
patch based on upstream code (3.76 KB, patch)
2009-01-12 08:32 EST, ritz
no flags Details | Diff


External Trackers
Tracker ID Priority Status Summary Last Updated
GNOME Desktop 327602 None None None Never

  None (edit)
Description ritz 2009-01-12 08:32:26 EST
Created attachment 328732 [details]
patch based on upstream code

Description of problem:
"When a user attempts to unlock the screen, the gnome-screensaver session
daemon spawns gnome-screensaver-dialog to authenticate the user.  On systems where shadow passwords are in use, and on which PAM (which it is assumed can check passwords without elevated privileges), the dialog is setuid.

For the sake of these cases, gnome-screensaver starts the dialog with only a
handful of variables copied from the user's environment (PATH, SESSION_MANAGER,
XAUTHORITY, XAUTHLOCALHOSTNAME, LANG, LANGUAGE).

While this does nothing to prevent the user from doing the same thing and
attempting to exploit any bugs which might be present in a setuid installation
of gnome-screensaver-dialog, it also penalizes the non-setuid case by breaking
themes and any other user-interface customizations which are specified through
the environment."


Additional info:
Comment 1 jmccann 2009-01-13 17:04:12 EST
dev_ack+ patch is available
Comment 3 RHEL Product and Program Management 2009-03-26 12:57:31 EDT
This request was evaluated by Red Hat Product Management for
inclusion, but this component is not scheduled to be updated in
the current Red Hat Enterprise Linux release. If you would like
this request to be reviewed for the next minor release, ask your
support representative to set the next rhel-x.y flag to "?".
Comment 9 RHEL Product and Program Management 2010-08-09 14:46:25 EDT
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated in the
current release, Red Hat is unfortunately unable to address this
request at this time. Red Hat invites you to ask your support
representative to propose this request, if appropriate and relevant,
in the next release of Red Hat Enterprise Linux.
Comment 11 RHEL Product and Program Management 2011-05-31 09:54:59 EDT
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated in the
current release, Red Hat is unfortunately unable to address this
request at this time. Red Hat invites you to ask your support
representative to propose this request, if appropriate and relevant,
in the next release of Red Hat Enterprise Linux.
Comment 16 RHEL Product and Program Management 2012-04-02 10:17:41 EDT
This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux release.  Product Management has
requested further review of this request by Red Hat Engineering, for
potential inclusion in a Red Hat Enterprise Linux release for currently
deployed products.  This request is not yet committed for inclusion in
a release.
Comment 25 RHEL Product and Program Management 2012-07-05 18:25:02 EDT
Development Management has reviewed and declined this request.
You may appeal this decision by reopening this request.

Note You need to log in before you can comment on or make changes to this bug.