From 07992d129ae9671aa1695eedcdaf7fa4e2875470 Mon Sep 17 00:00:00 2001
From: Claude
Date: Wed, 1 Apr 2026 11:03:58 +0000
Subject: [PATCH] Fix session guard bypass, missing stderr redirects, and uninitialized variables
- X11_Xsession.d_15_sysmaint_no_desktop: Fix always-false session check that compared hardcoded 'sysmaint-session' against itself instead of checking $DESKTOP_SESSION, completely bypassing the safety guard
- sysmaint-boot: Add missing >&2 redirects to printf statements in remove_sysmaint_qubes() so diagnostic messages go to stderr like all other messages in the script
- sysmaint-session, sysmaint-session-wayland: Initialize selected_system_tray and selected_system_tray_args to empty strings before the search loop to avoid referencing uninitialized variables
- grub.d_10_10_linux_sysmaint: Remove redundant if/elif/else where all branches assigned the same value
https://claude.ai/code/session_01QxHdBF7NnawVe5KW5cwttV
---
 usr/libexec/user-sysmaint-split/sysmaint-boot | 8 ++++----
 usr/libexec/user-sysmaint-split/sysmaint-session | 2 ++
 .../user-sysmaint-split/sysmaint-session-wayland | 2 ++
 .../conf/X11_Xsession.d_15_sysmaint_no_desktop | 2 +-
 .../conf/grub.d_10_10_linux_sysmaint | 10 +---------
 5 files changed, 10 insertions(+), 14 deletions(-)
diff --git a/usr/libexec/user-sysmaint-split/sysmaint-boot b/usr/libexec/user-sysmaint-split/sysmaint-boot
index 8347b66..b16c99c 100755
--- a/usr/libexec/user-sysmaint-split/sysmaint-boot
+++ b/usr/libexec/user-sysmaint-split/sysmaint-boot
@@ -387,12 +387,12 @@ parse_user_sysmaint_split_config() {
 }
 remove_sysmaint_qubes() {
- printf "%s\n" "INFO: Qubes unrestricted mode detected. Removing user-sysmaint-split."
- printf "%s\n" "INFO: (kernel parameter 'remove-sysmaint-qubes' is present, ok.)"
+ printf "%s\n" "INFO: Qubes unrestricted mode detected. Removing user-sysmaint-split." >&2
+ printf "%s\n" "INFO: (kernel parameter 'remove-sysmaint-qubes' is present, ok.)" >&2
 dummy-dependency --yes --purge user-sysmaint-split
 if accountctl user is-pass-locked 2>/dev/null; then
- printf "%s\n" "INFO: Account 'user' has a locked password. Running /usr/bin/passwordless-root to enable passwordless root escalation."
- printf "%s\n" "INFO: (kernel parameter 'remove-sysmaint-qubes' is present, ok.)"
+ printf "%s\n" "INFO: Account 'user' has a locked password. Running /usr/bin/passwordless-root to enable passwordless root escalation." >&2
+ printf "%s\n" "INFO: (kernel parameter 'remove-sysmaint-qubes' is present, ok.)" >&2
 /usr/bin/passwordless-root
 fi
 }
diff --git a/usr/libexec/user-sysmaint-split/sysmaint-session b/usr/libexec/user-sysmaint-split/sysmaint-session
index df5b9ec..f36767f 100755
--- a/usr/libexec/user-sysmaint-split/sysmaint-session
+++ b/usr/libexec/user-sysmaint-split/sysmaint-session
@@ -38,6 +38,8 @@ system_tray_list=(
 system_tray_arg_list=(
 '--edge top --align right --SetPartialStrut true'
 )
+selected_system_tray=''
+selected_system_tray_args=''
 for (( idx = 0; idx < ${#system_tray_list[@]}; idx++ )); do
 if [ -e "${system_tray_list[idx]}" ]; then
diff --git a/usr/libexec/user-sysmaint-split/sysmaint-session-wayland b/usr/libexec/user-sysmaint-split/sysmaint-session-wayland
index 2061ceb..1d5ac1c 100755
--- a/usr/libexec/user-sysmaint-split/sysmaint-session-wayland
+++ b/usr/libexec/user-sysmaint-split/sysmaint-session-wayland
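Review bot: Neither `dummy-dependency --yes --purge user-sysmaint-split` nor `/usr/bin/passwordless-root` has its exit status checked in remove_sysmaint_qubes(), so a failed purge can still be followed by enabling passwordless root escalation, leaving a half-applied state; whether errexit is active is not visible in this hunk. Because this path widens privileges, I would make the failure explicit and logged, e.g. `dummy-dependency --yes --purge user-sysmaint-split || { printf '%s\n' "ERROR: Purging user-sysmaint-split failed." >&2; return 1; }`. The `2>/dev/null` on `accountctl user is-pass-locked` also makes a failed query indistinguishable from "password not locked", which deserves at least a comment. Separately, the second INFO line inside the `if` repeats the kernel-parameter message already printed at the top of the function and looks like a copy-paste leftover.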
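Review bot: The two new assignments in sysmaint-session carry no comment saying what the empty value means, and the code that consumes `selected_system_tray` after the loop is outside this hunk, so it cannot be confirmed here that an empty result is skipped rather than passed on as a command. I would add `## Empty means no system tray binary was found.` above them and make sure the launch site tests `[ -n "$selected_system_tray" ]`. The context line probes each candidate with `[ -e ... ]`; if the path is later executed, as the variable name suggests, `[ -x ... ]` would be the more precise test. The same points apply to the identical hunk in sysmaint-session-wayland. The `for` loop body continues past the end of the hunk.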
@@ -80,6 +80,8 @@ system_tray_list=(
 system_tray_arg_list=(
 ''
 )
+selected_system_tray=''
+selected_system_tray_args=''
 for (( idx = 0; idx < ${#system_tray_list[@]}; idx++ )); do
 if [ -e "${system_tray_list[idx]}" ]; then
diff --git a/usr/share/user-sysmaint-split/conf/X11_Xsession.d_15_sysmaint_no_desktop b/usr/share/user-sysmaint-split/conf/X11_Xsession.d_15_sysmaint_no_desktop
index 79098e8..4d18569 100755
--- a/usr/share/user-sysmaint-split/conf/X11_Xsession.d_15_sysmaint_no_desktop
+++ b/usr/share/user-sysmaint-split/conf/X11_Xsession.d_15_sysmaint_no_desktop
@@ -4,7 +4,7 @@
 ## See the file COPYING for copying conditions.
 if [ "$(id -un)" = 'sysmaint' ] \
- && ! printf '%s\n' 'sysmaint-session' | grep -- '^sysmaint-session' >/dev/null 2>/dev/null \
+ && ! printf '%s\n' "$DESKTOP_SESSION" | grep -- '^sysmaint-session' >/dev/null 2>/dev/null \
 && [ ! -f '/usr/share/qubes/marker-vm' ]; then
 TERMINAL_WRAPPER_NO_COMMAND_ECHO='true'
 export TERMINAL_WRAPPER_NO_COMMAND_ECHO
diff --git a/usr/share/user-sysmaint-split/conf/grub.d_10_10_linux_sysmaint b/usr/share/user-sysmaint-split/conf/grub.d_10_10_linux_sysmaint
index d687985..9d9a1dc 100755
--- a/usr/share/user-sysmaint-split/conf/grub.d_10_10_linux_sysmaint
+++ b/usr/share/user-sysmaint-split/conf/grub.d_10_10_linux_sysmaint
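Review bot: The repaired guard in X11_Xsession.d_15_sysmaint_no_desktop still accepts any `$DESKTOP_SESSION` value that merely begins with `sysmaint-session`, because the grep pattern `^sysmaint-session` is anchored only at the start. Since this condition decides whether the sysmaint account is kept out of a regular desktop session, an exact comparison against the known session names is tighter, e.g. `&& [ "${DESKTOP_SESSION:-}" != 'sysmaint-session' ] && [ "${DESKTOP_SESSION:-}" != 'sysmaint-session-wayland' ] \` (the two names are assumed from the script names elsewhere in this patch and should be checked against the session files the package installs). The `${DESKTOP_SESSION:-}` form also keeps the test from aborting if nounset is in effect in the sourcing shell, which is not visible here. An unset or empty value makes the guard fire, which is the fail-closed direction and worth stating in a one-line comment above the `if`. The body of the `if` continues outside the hunk.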
@@ -16,15 +16,7 @@ make_boot_entry='true'
 : "${session_detail:="system maintenance tasks"}"
 grub_distributor_appendix="$persistence_type Mode | SYSMAINT Session | $session_detail"
-if [ -e '/usr/share/kicksecure/marker' ]; then
- GRUB_DISTRIBUTOR="$grub_distributor_appendix"
-elif [ -e '/usr/share/anon-ws-base-files/workstation' ]; then
- GRUB_DISTRIBUTOR="$grub_distributor_appendix"
-elif [ -e '/usr/share/anon-gw-base-files/gateway' ]; then
- GRUB_DISTRIBUTOR="$grub_distributor_appendix"
-else
- GRUB_DISTRIBUTOR="$grub_distributor_appendix"
-fi
+GRUB_DISTRIBUTOR="$grub_distributor_appendix"
 GRUB_DISABLE_RECOVERY="true"
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX boot-role=sysmaint systemd.unit=sysmaint-boot.target"