From 11394aecd1f906fee2ebd2b90412aeba4651fbff Mon Sep 17 00:00:00 2001 From: Michele Calgaro Date: Wed, 3 Apr 2019 22:56:40 +0900 Subject: DEB: use _base folder for a distro instead of specific distros (squeeze and maverick). Signed-off-by: Michele Calgaro --- .../tdeutils/debian/klaptopdaemon.README.Debian | 28 ++++++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 ubuntu/_base/tdeutils/debian/klaptopdaemon.README.Debian (limited to 'ubuntu/_base/tdeutils/debian/klaptopdaemon.README.Debian') diff --git a/ubuntu/_base/tdeutils/debian/klaptopdaemon.README.Debian b/ubuntu/_base/tdeutils/debian/klaptopdaemon.README.Debian new file mode 100644 index 000000000..04c3e1b4e --- /dev/null +++ b/ubuntu/_base/tdeutils/debian/klaptopdaemon.README.Debian @@ -0,0 +1,28 @@ +klaptopdaemon and SUID permissions +---------------------------------- + +To allow ordinary users to control certain power management features, +klaptopdaemon's panel in the Trinity Control Center has a button which prompts +the user to enter the root password (Trinity Control Center --> Power Control +--> Laptop Battery, then the ACPI Config tab, then the Setup Helper +Application button). This button changes the permissions of +/usr/bin/klaptop_acpi_helper from "0755 root.root" to "6755 root.root", +and therefore grants all regular users extra power management abilities. +This has obvious security implications, and should not be done on any +system where all users are not trusted absolutely. + +The standard klaptopdaemon changes the binary's permissions using chmod. +However, if an updated version of the Debian klaptopdaemon package +were then to be installed, it would reset the permissions, forcing the +sysadmin to reconfigure after each upgrade. + +The Debian package has therefore been patched to use dpkg-statoverride to +permanently change the permissions of /usr/bin/klaptop_acpi_helper. The +override is removed and permissions reset if the package is removed or +purged. However, if the sysadmin wishes to remove the special permissions +of /usr/bin/klaptop_acpi_helper, they can do so at any time by issuing, +as root, the following commands: + +dpkg-statoverride --remove /usr/bin/klaptop_acpi_helper +chown root:root /usr/bin/klaptop_acpi_helper +chmod 0755 /usr/bin/klaptop_acpi_helper -- cgit v1.2.1