[neon/neon/calamares-settings/Neon/release-lts] oem-prepare/calamares/oem-prepare: move to pkexec calamares

Mon Mar 15 13:59:47 GMT 2021

Git commit 1adb1c3d93947c7cbd0575ae6c816227f13c7ab1 by Harald Sitter.
Committed on 15/03/2021 at 13:36.
Pushed by sitter into branch 'Neon/release-lts'.

move to pkexec calamares

instead of sudo, calamares now uses pkexec starting with 3.2.38.1

to embrace this change we'll now install a polkit authority file to
replace the old sudo change

this also introduces some safe guards against unexpected calamares
states (not using pkexec, or the pkaction is missing)

also, use -f in cleanup lest we fail

M  +11   -2    oem-prepare/calamares/oem-prepare/prepare-system/calamares-oem-prepare-root
M  +6    -2    oem-prepare/calamares/oem-prepare/prepare-system/oem-cleanup
M  +18   -8    oem-prepare/calamares/oem-prepare/prepare-user/calamares-oem-prepare2

https://invent.kde.org/neon/neon/calamares-settings/commit/1adb1c3d93947c7cbd0575ae6c816227f13c7ab1

diff --git a/oem-prepare/calamares/oem-prepare/prepare-system/calamares-oem-prepare-root b/oem-prepare/calamares/oem-prepare/prepare-system/calamares-oem-prepare-root
index efbb13c..d067fc1 100755
--- a/oem-prepare/calamares/oem-prepare/prepare-system/calamares-oem-prepare-root
+++ b/oem-prepare/calamares/oem-prepare/prepare-system/calamares-oem-prepare-root
@@ -49,6 +49,17 @@ cp -a oem-cleanup.service /lib/systemd/system
 cp -a /lib/systemd/system/sddm.service /lib/systemd/system/calamares-sddm.service
 /bin/systemctl enable calamares-sddm.service
 
+# NB: Mind the check in calamares-oem-prepare2 when changing this!
+cat << CONF >>/etc/polkit-1/localauthority/10-vendor.d/10-calamares-oem-config.pkla
+[Allow Calamares OEM Config]
+Identity=unix-user:oem
+Action=com.github.calamares.calamares.pkexec.run
+ResultAny=no
+ResultInactive=no
+ResultActive=yes
+CONF
+chmod 600 /etc/polkit-1/localauthority/10-vendor.d/10-calamares-oem-config.pkla
+
 ### from oem-config
 # Machine-specific, so remove in case this system is going to be
 # cloned.  These will be regenerated on the first boot.
@@ -66,5 +77,3 @@ cp -a oem-config.target /lib/systemd/system
 /bin/systemctl enable oem-config.target
 /bin/systemctl set-default oem-config.target
 ### end from oem-config
-
-echo 'oem ALL = (root) NOPASSWD: /usr/bin/calamares' >> /etc/sudoers.d/10-oem-config
diff --git a/oem-prepare/calamares/oem-prepare/prepare-system/oem-cleanup b/oem-prepare/calamares/oem-prepare/prepare-system/oem-cleanup
index dd9f9a5..1d116a3 100755
--- a/oem-prepare/calamares/oem-prepare/prepare-system/oem-cleanup
+++ b/oem-prepare/calamares/oem-prepare/prepare-system/oem-cleanup
@@ -23,13 +23,17 @@ rm -f /lib/systemd/system/oem-config.* || true
 
 # Additions for neon
 
+rm -f /etc/polkit-1/localauthority/10-vendor.d/10-calamares-oem-config.pkla
+
 /bin/systemctl disable calamares-sddm.service || true
 rm -f /lib/systemd/system/calamares-sddm.service
 
 /bin/systemctl disable oem-cleanup.service || true
 rm -f /lib/systemd/system/oem-cleanup.service
 
+# We aren't managed by the calamares package but rather copied into place.
+# This means we are around after calamares already cleaned itself up and
+# allows us to not have to deal with apt (and its exclusive locking) to
+# finalize the cleanup. On the flip side we need to manually rm.
 rm -rf /usr/bin/calmares-oem
 rm -rf /usr/share/calmares-oem
-
-rm /etc/sudoers.d/10-oem-*
diff --git a/oem-prepare/calamares/oem-prepare/prepare-user/calamares-oem-prepare2 b/oem-prepare/calamares/oem-prepare/prepare-user/calamares-oem-prepare2
index 93af733..d94d81e 100755
--- a/oem-prepare/calamares/oem-prepare/prepare-user/calamares-oem-prepare2
+++ b/oem-prepare/calamares/oem-prepare/prepare-user/calamares-oem-prepare2
@@ -1,10 +1,24 @@
 #!/bin/sh
-# SPDX-FileCopyrightText: 2018-2019 Harald Sitter <sitter at kde.org>
+# SPDX-FileCopyrightText: 2018-2021 Harald Sitter <sitter at kde.org>
 # SPDX-License-Identifier: GPL-3.0-only OR LicenseRef-KDE-Accepted-GPL
 
 set -ex
 
-dir=$(dirname $(realpath $0))
+PREPARE_DIR=$(dirname $(realpath $0))
+CALAMARES_DESKTOPFILE="/usr/share/applications/calamares.desktop"
+
+# Consistency check. The root portion will allow the oem user to run calamares via pkexec.
+# Ensure the relevant action is actually available on the system.
+# Otherwise there was a change in calamares that we need to adapt to.
+if ! pkaction | grep --quiet 'com.github.calamares.calamares.pkexec.run'; then
+  kdialog --error "Failed to find installer polkit action. Please file a bug!"
+  exit 1
+fi
+
+if ! grep --quiet --extended-regexp '^Exce=.*pkexec' $CALAMARES_DESKTOPFILE; then
+  kdialog --error "Calamares is not using pkexec? Please file a bug!"
+  exit 1
+fi
 
 MSG="This will finalize the system preparation and prepare for shipping. This cannot be undone. The system will automatically power off once preparations are complete. Are you sure you want to do this?"
 
@@ -17,11 +31,7 @@ fi
 pkexec /calamares/oem-prepare/prepare-system/calamares-oem-prepare-root
 
 mkdir -p ~/.config/autostart
-cp /usr/share/applications/calamares.desktop ~/.config/autostart
-# HACK
-# FIXME pkexec during autostart falls over because of 'pkexec must be setuid root' I don't understand why.
-# FIXME need a localauthority config instead of the sudo dance to work with pkexec
-sed -i 's/Exec=.*pkexec /Exec=sudo /g' ~/.config/autostart/calamares.desktop
+cp $CALAMARES_DESKTOPFILE ~/.config/autostart
 
 # Drop anything on the desktop. It'd show up in the oem-config session.
 rm -r ~/Desktop/*
@@ -60,7 +70,7 @@ count=1
 EOT
 
 plasmapkg2 -t Plasma/LookAndFeel -r OEM || true
-plasmapkg2 -t Plasma/LookAndFeel -i $dir/oem-lnf
+plasmapkg2 -t Plasma/LookAndFeel -i $PREPARE_DIR/oem-lnf
 
 qdbus org.kde.plasmashell /PlasmaShell org.kde.PlasmaShell.loadLookAndFeelDefaultLayout OEM
 

