588840 – sys-auth/consolekit-1.1.0's XDG_RUNTIME_DIR restriction to UID 0 causes ck-launch-session to crash, and pam_ck_connector.so to set value of XDG_RUNTIME_DIR to "(null)"; causing multiple directories having the name of "(null)" to be created

Bug 588840 - sys-auth/consolekit-1.1.0's XDG_RUNTIME_DIR restriction to UID 0 causes ck-launch-session to crash, and pam_ck_connector.so to set value of XDG_RUNTIME_DIR to "(null)"; causing multiple directories having the name of "(null)" to be created

Summary: sys-auth/consolekit-1.1.0's XDG_RUNTIME_DIR restriction to UID 0 causes ck-la...

Status:	RESOLVED UPSTREAM

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	Current packages (show other bugs)
Hardware:	All Linux

Importance:	Normal normal
Assignee:	Jason Zaman

URL:	https://github.com/ConsoleKit2/Consol...
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2016-07-14 17:35 UTC by konsolebox
Modified:	2016-08-03 03:34 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
consolekit-1.1.0-remove-xdg-runtime-dir-root-restriction.patch (consolekit-1.1.0-remove-xdg-runtime-dir-root-restriction.patch,1.26 KB, patch) 2016-07-14 17:35 UTC, konsolebox	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description konsolebox 2016-07-14 17:35:43 UTC

Created attachment 440724 [details, diff]
consolekit-1.1.0-remove-xdg-runtime-dir-root-restriction.patch

This has somewhat been fixed in this commit: https://github.com/ConsoleKit2/ConsoleKit2/commit/664d2fdbd966764836b1f4da2dbc5750c7f01f0f.  Although I think the functions that call ck_connector_get_runtime_dir() still needs to check if it returns NULL or not; perhaps write some error messages to stderr or syslog, etc.

The problem is that, the function in the service side of consolekit which is responsible for generating the name of the directory that is set for XDG_RUNTIME_DIR ck_generate_runtime_dir_for_user() returns NULL when called by a user with UID of 0:

    if (uid < 1) {
        g_debug ("We do not create runtime dirs for root");
        return NULL;
    }

This also make the function in the client side that makes the request ck_connector_get_runtime_dir() (which is used by ck-launch-session and pam_ck_connector.so) to return NULL.

But both tools don't check whether the function returns NULL and seems to always expect that the return value would be a valid string:

ck-launch-session.c: setenv ("XDG_RUNTIME_DIR", ck_connector_get_runtime_dir (ckc, &error), 1);

pam-ck-connector.c: snprintf (buf, sizeof (buf) - 1, "XDG_RUNTIME_DIR=%s", ck_connector_get_runtime_dir (ckc, &error));

This causes setenv to crash when the second argument is NULL.

And snprintf() to "(null)" as the value for '%s', which also sets the value of XDG_RUNTIME_DIR to it.  Various directories in the filesystem having the name of "(null)" are created due to this.

This issue doesn't show in 0.4.6, 1.0.x, and 9999.

Comment 1 Jason Zaman gentoo-dev

2016-08-02 15:22:30 UTC

I added that patch to 1.1.0-r1. If there are more things required, can you file a bug upstream for it?

Comment 2 konsolebox 2016-08-02 17:06:09 UTC

(In reply to Jason Zaman from comment #1)
> I added that patch to 1.1.0-r1. If there are more things required, can you
> file a bug upstream for it?

I already created an issue report for it: https://github.com/ConsoleKit2/ConsoleKit2/issues/74