cpet/openbsd-ports
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Update to polkit-0.101.

Browse Source 
Merge several patches from upstream to fix CVE-2011-1485.

ok jasper@
This commit is contained in:
ajacoutot 2011-04-28 13:09:07 +00:00
parent 03b8f5bd01
commit af6b7de546
30 changed files with 975 additions and 822 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
sysutils/polkit/Makefile
View File

@ -1,13 +1,12 @@
# $OpenBSD: Makefile,v 1.16 2011/04/07 11:12:12 ajacoutot Exp $
# $OpenBSD: Makefile,v 1.17 2011/04/28 13:09:07 ajacoutot Exp $
COMMENT= framework for granting privileged operations to users
DISTNAME= polkit-0.97
REVISION= 6
DISTNAME= polkit-0.101
SHARED_LIBS += polkit-gobject-1 0.0 # .0.0
SHARED_LIBS += polkit-backend-1 0.0 # .0.0
SHARED_LIBS += polkit-agent-1 0.0 # .0.0
SHARED_LIBS += polkit-gobject-1 1.0 # .0.0
SHARED_LIBS += polkit-backend-1 1.0 # .0.0
SHARED_LIBS += polkit-agent-1 1.0 # .0.0
CATEGORIES= sysutils
@ -21,11 +20,10 @@ PERMIT_DISTFILES_FTP= Yes
PERMIT_PACKAGE_CDROM= Yes
PERMIT_PACKAGE_FTP= Yes
WANTLIB += c dbus-1 dbus-glib-1 expat gio-2.0 glib-2.0 gmodule-2.0
WANTLIB += gobject-2.0 gthread-2.0 pcre pthread z eggdbus-1
WANTLIB += c expat gio-2.0 glib-2.0 gmodule-2.0 gobject-2.0 gthread-2.0
WANTLIB += pcre pthread z
#MASTER_SITES= http://hal.freedesktop.org/releases/
MASTER_SITES= http://distfiles.bsdfrog.org/
MASTER_SITES= http://hal.freedesktop.org/releases/
MODULES= textproc/intltool \
devel/gettext
@ -34,7 +32,7 @@ BUILD_DEPENDS= ${MODGNU_AUTOMAKE_DEPENDS} \
${MODGNU_AUTOCONF_DEPENDS} \
devel/gobject-introspection
# needs libtoolize
# needs AM_PROG_LIBTOOL
BUILD_DEPENDS+= devel/libtool
# We do no want to depends on gtk-doc as it creates a dependency loop:
@ -42,23 +40,22 @@ BUILD_DEPENDS+= devel/libtool
BUILD_DEPENDS+= textproc/libxslt \
textproc/docbook-xsl
LIB_DEPENDS= devel/eggdbus
LIB_DEPENDS= devel/glib2
AUTOCONF_VERSION= 2.62
AUTOMAKE_VERSION=1.9
AUTOCONF_VERSION= 2.64
AUTOMAKE_VERSION=1.10
CONFIGURE_STYLE= gnu
CONFIGURE_ENV= CPPFLAGS="-I${LOCALBASE}/include" \
LDFLAGS="-L${LOCALBASE}/lib" \
CC=${CC} CFLAGS="${CFLAGS}"
LDFLAGS="-L${LOCALBASE}/lib"
CONFIGURE_ARGS= ${CONFIGURE_SHARED} \
--disable-gtk-doc \
--localstatedir=/var \
--mandir=${PREFIX}/man \
--enable-introspection \
--enable-man-pages \
--enable-verbose-mode \
--enable-examples \
--disable-gtk-doc \
--enable-introspection \
--with-os-type=openbsd \
--with-authfw=bsdauth
@ -75,11 +72,10 @@ pre-configure:
${SUBST_CMD} ${WRKSRC}/docs/man/pkexec.xml \
${WRKSRC}/actions/org.freedesktop.policykit.policy.in \
${WRKSRC}/src/examples/org.freedesktop.policykit.examples.pkexec.policy.in
do-configure:
cd ${WRKSRC} && env AUTOCONF_VERSION=${AUTOCONF_VERSION} \
cd ${WRKSRC} && \
AUTOMAKE_VERSION=${AUTOMAKE_VERSION} \
${CONFIGURE_ENV} ./autogen.sh ${CONFIGURE_ARGS}
AUTOCONF_VERSION=${AUTOCONF_VERSION} \
${LOCALBASE}/bin/autoreconf
post-install:
${INSTALL_DATA_DIR} \

10
sysutils/polkit/distinfo
View File

@ -1,5 +1,5 @@
MD5 (polkit-0.97.tar.gz) = 3Bdpry1AnUcAqPwvm6eunw==
RMD160 (polkit-0.97.tar.gz) = PojZiPZOvTBCQl9paViDgI4sn/o=
SHA1 (polkit-0.97.tar.gz) = QJji7cEdA5ceUiqIp0dsq9OCTvg=
SHA256 (polkit-0.97.tar.gz) = thjuv0wWOYRUB8rzAkgY3+BGA/BtqGX1bAEAIUfQpKk=
SIZE (polkit-0.97.tar.gz) = 340363
MD5 (polkit-0.101.tar.gz) = +SWsk6ujwHKXc3DB4n/rfw==
RMD160 (polkit-0.101.tar.gz) = aS37zCdcBxGUDym4x9UAFEtrkho=
SHA1 (polkit-0.101.tar.gz) = nR9YqZ1AiJzuu94UL5PDBUcfwVE=
SHA256 (polkit-0.101.tar.gz) = kn9ldg5PziPXzerpAkXCKYbrCjkzWjRJFTAhWPc/nxs=
SIZE (polkit-0.101.tar.gz) = 1066155

30
sysutils/polkit/patches/patch-autogen_sh
View File

@ -1,30 +0,0 @@
$OpenBSD: patch-autogen_sh,v 1.1 2010/07/08 15:20:45 ajacoutot Exp $
Force disabling gtk-doc.
--- autogen.sh.orig Thu Jul 8 16:47:39 2010
+++ autogen.sh Thu Jul 8 16:47:54 2010
@@ -31,14 +31,6 @@ DIE=0
}
}
-(gtkdocize --flavour no-tmpl) < /dev/null > /dev/null 2>&1 || {
- echo
- echo "You must have gtk-doc installed to compile $PROJECT."
- echo "Install the appropriate package for your distribution,"
- echo "or get the source tarball at http://ftp.gnome.org/pub/GNOME/sources/gtk-doc/"
- DIE=1
-}
-
(automake --version) < /dev/null > /dev/null 2>&1 || {
echo
echo "**Error**: You must have automake installed."
@@ -93,8 +85,6 @@ esac
autoconf
intltoolize --copy --force --automake || exit 1
-
-conf_flags="--enable-maintainer-mode --enable-gtk-doc"
if test x$NOCONFIGURE = x; then
echo "Running $srcdir/configure $conf_flags $@ ..."

14
sysutils/polkit/patches/patch-configure_ac
View File

@ -1,10 +1,10 @@
$OpenBSD: patch-configure_ac,v 1.2 2010/07/08 15:20:45 ajacoutot Exp $
$OpenBSD: patch-configure_ac,v 1.3 2011/04/28 13:09:07 ajacoutot Exp $
Force disabling gtk-doc.
Add bsd_auth(3) support.
--- configure.ac.orig Wed Mar 10 18:46:19 2010
+++ configure.ac Thu Jul 8 16:49:51 2010
--- configure.ac.orig Thu Mar 3 19:26:20 2011
+++ configure.ac Wed Apr 27 16:07:00 2011
@@ -45,8 +45,6 @@ AC_PATH_PROG([XSLTPROC], [xsltproc])
fi
AM_CONDITIONAL(MAN_PAGES_ENABLED, test x$enable_man_pages = xyes)
@ -14,7 +14,7 @@ Add bsd_auth(3) support.
#### gcc warning flags
if test "x$GCC" = "xyes"; then
@@ -145,7 +143,7 @@ AC_SUBST(EXPAT_LIBS)
@@ -141,7 +139,7 @@ AC_SUBST(EXPAT_LIBS)
AC_CHECK_FUNCS(clearenv)
if test "x$GCC" = "xyes"; then
@ -23,7 +23,7 @@ Add bsd_auth(3) support.
fi
dnl ---------------------------------------------------------------------------
@@ -194,6 +192,11 @@ case $POLKIT_AUTHFW in
@@ -190,6 +188,11 @@ case $POLKIT_AUTHFW in
AC_DEFINE(POLKIT_AUTHFW_SHADOW, 1, [If using the Shadow authentication framework])
;;
@ -35,7 +35,7 @@ Add bsd_auth(3) support.
*)
AC_MSG_ERROR([Unknown Authentication Framework: $POLKIT_AUTHFW])
;;
@@ -202,6 +205,7 @@ esac
@@ -198,6 +201,7 @@ esac
AM_CONDITIONAL(POLKIT_AUTHFW_NONE, [test x$POLKIT_AUTHFW = xnone], [Using no authfw])
AM_CONDITIONAL(POLKIT_AUTHFW_PAM, [test x$POLKIT_AUTHFW = xpam], [Using PAM authfw])
AM_CONDITIONAL(POLKIT_AUTHFW_SHADOW, [test x$POLKIT_AUTHFW = xshadow], [Using Shadow authfw])
@ -43,7 +43,7 @@ Add bsd_auth(3) support.
dnl ---------------------------------------------------------------------------
@@ -488,7 +492,7 @@ echo "NOTE: The directory ${sysconfdir}/polkit-1/local
@@ -467,7 +471,7 @@ echo "NOTE: The directory ${sysconfdir}/polkit-1/local
echo " by root and have mode 700"
echo

22
sysutils/polkit/patches/patch-docs_man_pkexec_xml
View File

@ -1,7 +1,7 @@
$OpenBSD: patch-docs_man_pkexec_xml,v 1.1.1.1 2010/07/01 07:46:21 ajacoutot Exp $
--- docs/man/pkexec.xml.orig Sun Jun 27 19:09:16 2010
+++ docs/man/pkexec.xml Sun Jun 27 19:12:38 2010
@@ -131,14 +131,14 @@
$OpenBSD: patch-docs_man_pkexec_xml,v 1.2 2011/04/28 13:09:07 ajacoutot Exp $
--- docs/man/pkexec.xml.orig Thu Mar 3 18:22:50 2011
+++ docs/man/pkexec.xml Wed Apr 27 16:10:43 2011
@@ -146,14 +146,14 @@
<refsect1 id="pkexec-example"><title>EXAMPLE</title>
<para>
To specify what kind of authorization is needed to execute the
@ -12,13 +12,13 @@ $OpenBSD: patch-docs_man_pkexec_xml,v 1.1.1.1 2010/07/01 07:46:21 ajacoutot Exp
<programlisting>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" parse="text" href="../../src/examples/org.freedesktop.policykit.examples.pkexec.policy"><xi:fallback>FIXME: MISSING XINCLUDE CONTENT</xi:fallback></xi:include></programlisting>
<para>
and drop it in
- the <filename>/usr/share/polkit-1/actions</filename> directory
+ the <filename>${PREFIX}/share/polkit-1/actions</filename> directory
under a suitable name (e.g. matching the namespace of the
action). Note that in addition to specifying the program, the
and drop it in the
- <filename>/usr/share/polkit-1/actions</filename> directory under
+ <filename>${PREFIX}/share/polkit-1/actions</filename> directory under
a suitable name (e.g. matching the namespace of the action).
Note that in addition to specifying the program, the
authentication message, description, icon and defaults can be
@@ -165,7 +165,7 @@
@@ -188,7 +188,7 @@
| Password: [__________________________________] |
| |
| [V] Details: |
@ -27,7 +27,7 @@ $OpenBSD: patch-docs_man_pkexec_xml,v 1.1.1.1 2010/07/01 07:46:21 ajacoutot Exp
| Run As: Super User (root) |
| Action: org.fd.pk.example.pkexec.run-frobnicate |
| Vendor: Examples for the PolicyKit Project |
@@ -199,7 +199,7 @@
@@ -222,7 +222,7 @@
| |
| [V] Detaljer: |
| Bruger: Super User (root) |

48
sysutils/polkit/patches/patch-docs_polkit_html_pklocalauthority_8_html Normal file
View File

@ -0,0 +1,48 @@
$OpenBSD: patch-docs_polkit_html_pklocalauthority_8_html,v 1.1 2011/04/28 13:09:07 ajacoutot Exp $
--- docs/polkit/html/pklocalauthority.8.html.orig Tue Nov 30 13:30:28 2010
+++ docs/polkit/html/pklocalauthority.8.html Tue Nov 30 13:30:53 2010
@@ -98,7 +98,7 @@
The Local Authority reads files with <code class="filename">.pkla</code>
extension from all directories located inside the
<code class="filename">/etc/polkit-1/localauthority</code>
- and <code class="filename">/var/lib/polkit-1/localauthority</code>
+ and <code class="filename">/var/db/polkit-1/localauthority</code>
directories. By default, the following sub-directories are installed.
</p>
<pre class="programlisting">
@@ -114,7 +114,7 @@
and
</p>
<pre class="programlisting">
-/var/lib/polkit-1/
+/var/db/polkit-1/
`-- localauthority
|-- 10-vendor.d
|-- 20-org.d
@@ -125,7 +125,7 @@
<p>
The <code class="filename">/etc/polkit-1/localauthority</code> hierarchy
is inteded for local configuration and
- the <code class="filename">/var/lib/polkit-1/localauthority</code> is
+ the <code class="filename">/var/db/polkit-1/localauthority</code> is
intended for 3rd party packages.
</p>
<p>
@@ -277,7 +277,7 @@
the following rules. First all the basename of all
sub-directories (e.g. <span class="emphasis"><em>30-site.d</em></span>) from both
the <code class="filename">/etc/polkit-1/localauthority</code>
- and <code class="filename">/var/lib/polkit-1/localauthority</code>
+ and <code class="filename">/var/db/polkit-1/localauthority</code>
directories are enumerated and sorted (using the C locale). If a
name exists in both <code class="filename">/etc</code>
and <code class="filename">/var</code>, the one
@@ -291,7 +291,7 @@
For example, given the following files
</p>
<pre class="programlisting">
-/var/lib/polkit-1
+/var/db/polkit-1
└── localauthority
├── 10-vendor.d
│ └── 10-desktop-policy.pkla

25
sysutils/polkit/patches/patch-docs_polkit_polkit-1-sections_txt Normal file
View File

@ -0,0 +1,25 @@
$OpenBSD: patch-docs_polkit_polkit-1-sections_txt,v 1.1 2011/04/28 13:09:07 ajacoutot Exp $
From 129b6223a19e7fb2753f8cad7957ac5402394076 Mon Sep 17 00:00:00 2001
From: David Zeuthen <davidz@redhat.com>
Date: Fri, 01 Apr 2011 16:09:45 +0000
Subject: Make PolkitUnixProcess also record the uid of the process
--- docs/polkit/polkit-1-sections.txt.orig Thu Mar 3 19:47:45 2011
+++ docs/polkit/polkit-1-sections.txt Wed Apr 27 19:19:15 2011
@@ -145,10 +145,13 @@ POLKIT_UNIX_SESSION_GET_CLASS
PolkitUnixProcess
polkit_unix_process_new
polkit_unix_process_new_full
+polkit_unix_process_new_for_owner
+polkit_unix_process_set_pid
polkit_unix_process_get_pid
+polkit_unix_process_set_start_time
polkit_unix_process_get_start_time
-polkit_unix_process_set_pid
-polkit_unix_process_get_owner
+polkit_unix_process_set_uid
+polkit_unix_process_get_uid
<SUBSECTION Standard>
PolkitUnixProcessClass
POLKIT_UNIX_PROCESS

4
sysutils/polkit/patches/patch-src_nullbackend_50-nullbackend_conf
View File

@ -1,4 +1,4 @@
$OpenBSD: patch-src_nullbackend_50-nullbackend_conf,v 1.1 2010/07/05 15:22:16 ajacoutot Exp $
$OpenBSD: patch-src_nullbackend_50-nullbackend_conf,v 1.2 2011/04/28 13:09:07 ajacoutot Exp $
--- src/nullbackend/50-nullbackend.conf.orig Mon Jul 5 16:51:53 2010
+++ src/nullbackend/50-nullbackend.conf Mon Jul 5 16:52:17 2010
@@ -1,10 +1,10 @@
@ -6,7 +6,7 @@ $OpenBSD: patch-src_nullbackend_50-nullbackend_conf,v 1.1 2010/07/05 15:22:16 aj
# Configuration file for the PolicyKit null backend.
#
-# DO NOT EDIT THIS FILE, it will be overwritten on update.
+# DO NOT EDIT THIS FILE
+# DO NOT EDIT THIS FILE.
#
# To change configuration, create another file in this directory with
-# a filename that is sorted after the 50-nullback.conf and make

33
sysutils/polkit/patches/patch-src_polkit_Makefile_am
View File

@ -1,12 +1,21 @@
$OpenBSD: patch-src_polkit_Makefile_am,v 1.1 2011/04/07 11:12:12 ajacoutot Exp $
--- src/polkit/Makefile.am.orig Thu Apr 7 11:42:24 2011
+++ src/polkit/Makefile.am Thu Apr 7 11:42:52 2011
@@ -154,7 +154,7 @@ Polkit-1.0.gir: libpolkit-gobject-1.la $(G_IR_SCANNER)
$(srcdir)/polkitauthorizationresult.h \
$(srcdir)/polkitcheckauthorizationflags.h \
$(srcdir)/polkitdetails.h \
- $(builddir)/polkitenumtypes.h \
+ $(srcdir)/polkitenumtypes.h \
$(srcdir)/polkiterror.h \
$(srcdir)/polkitidentity.h \
$(srcdir)/polkitimplicitauthorization.h \
$OpenBSD: patch-src_polkit_Makefile_am,v 1.2 2011/04/28 13:09:07 ajacoutot Exp $
src/polkit/tmp-introspect6TgxO1/.libs/Polkit-1.0: can't load library 'libpolkit-gobject-1.so.X.X'
From c29a6fd701df08e10e384cce65356af9a5a559f3 Mon Sep 17 00:00:00 2001
From: Benjamin Otte <otte@redhat.com>
Date: Fri, 11 Mar 2011 13:01:27 +0000
Subject: introspection: Add --c-include to the gir files
--- src/polkit/Makefile.am.orig Sat Feb 26 23:23:53 2011
+++ src/polkit/Makefile.am Wed Apr 27 20:29:34 2011
@@ -110,7 +110,9 @@ Polkit-1.0.gir: libpolkit-gobject-1.la $(INTROSPECTION
--pkg=gobject-2.0 \
--pkg=gio-2.0 \
--libtool=$(top_builddir)/libtool \
+ --c-include='polkit/polkit.h' \
-I$(top_srcdir)/src \
+ -L$(top_srcdir)/src/polkit/.libs \
-D_POLKIT_COMPILATION \
$(libpolkit_gobject_1_la_SOURCES) \
$(NULL)

20
sysutils/polkit/patches/patch-src_polkit_polkitcheckauthorizationflags_h
View File

@ -1,20 +0,0 @@
$OpenBSD: patch-src_polkit_polkitcheckauthorizationflags_h,v 1.1 2011/04/07 11:12:12 ajacoutot Exp $
From 920c40ef079fd2907f6c08d965d6d87eaf58f52a Mon Sep 17 00:00:00 2001
From: Colin Walters <walters@verbum.org>
Date: Fri, 10 Sep 2010 18:42:51 +0000
Subject: Remove duplicate definitions of enumeration types
--- src/polkit/polkitcheckauthorizationflags.h.orig Wed Mar 10 18:46:19 2010
+++ src/polkit/polkitcheckauthorizationflags.h Thu Apr 7 12:21:48 2011
@@ -30,10 +30,6 @@
G_BEGIN_DECLS
-GType polkit_check_authorization_flags_get_type (void) G_GNUC_CONST;
-
-#define POLKIT_TYPE_CHECK_AUTHORIZATION_FLAGS (polkit_check_authorization_flags_get_type ())
-
/**
* PolkitCheckAuthorizationFlags:
* @POLKIT_CHECK_AUTHORIZATION_FLAGS_NONE: No flags set.

20
sysutils/polkit/patches/patch-src_polkit_polkiterror_h
View File

@ -1,20 +0,0 @@
$OpenBSD: patch-src_polkit_polkiterror_h,v 1.1 2011/04/07 11:12:12 ajacoutot Exp $
From 920c40ef079fd2907f6c08d965d6d87eaf58f52a Mon Sep 17 00:00:00 2001
From: Colin Walters <walters@verbum.org>
Date: Fri, 10 Sep 2010 18:42:51 +0000
Subject: Remove duplicate definitions of enumeration types
--- src/polkit/polkiterror.h.orig Wed Mar 10 18:46:19 2010
+++ src/polkit/polkiterror.h Thu Apr 7 12:21:48 2011
@@ -40,10 +40,6 @@ G_BEGIN_DECLS
GQuark polkit_error_quark (void);
-GType polkit_error_get_type (void) G_GNUC_CONST;
-
-#define POLKIT_TYPE_ERROR (polkit_error_get_type ())
-
/**
* PolkitError:
* @POLKIT_ERROR_FAILED: The operation failed.

20
sysutils/polkit/patches/patch-src_polkit_polkitimplicitauthorization_h
View File

@ -1,20 +0,0 @@
$OpenBSD: patch-src_polkit_polkitimplicitauthorization_h,v 1.1 2011/04/07 11:12:12 ajacoutot Exp $
From 920c40ef079fd2907f6c08d965d6d87eaf58f52a Mon Sep 17 00:00:00 2001
From: Colin Walters <walters@verbum.org>
Date: Fri, 10 Sep 2010 18:42:51 +0000
Subject: Remove duplicate definitions of enumeration types
--- src/polkit/polkitimplicitauthorization.h.orig Wed Mar 10 18:46:19 2010
+++ src/polkit/polkitimplicitauthorization.h Thu Apr 7 12:21:48 2011
@@ -30,10 +30,6 @@
G_BEGIN_DECLS
-GType polkit_implicit_authorization_get_type (void) G_GNUC_CONST;
-
-#define POLKIT_TYPE_IMPLICIT_AUTHORIZATION (polkit_implicit_authorization_get_type ())
-
/**
* PolkitImplicitAuthorization:
* @POLKIT_IMPLICIT_AUTHORIZATION_UNKNOWN: Unknown whether the subject is authorized, never returned in any public API.

67
sysutils/polkit/patches/patch-src_polkit_polkitsubject_c Normal file
View File

@ -0,0 +1,67 @@
$OpenBSD: patch-src_polkit_polkitsubject_c,v 1.1 2011/04/28 13:09:07 ajacoutot Exp $
From 129b6223a19e7fb2753f8cad7957ac5402394076 Mon Sep 17 00:00:00 2001
From: David Zeuthen <davidz@redhat.com>
Date: Fri, 01 Apr 2011 16:09:45 +0000
Subject: Make PolkitUnixProcess also record the uid of the process
--- src/polkit/polkitsubject.c.orig Sat Feb 26 23:23:53 2011
+++ src/polkit/polkitsubject.c Wed Apr 27 19:19:15 2011
@@ -238,13 +238,18 @@ polkit_subject_from_string (const gchar *str,
{
gint scanned_pid;
guint64 scanned_starttime;
- if (sscanf (str, "unix-process:%d:%" G_GUINT64_FORMAT, &scanned_pid, &scanned_starttime) == 2)
+ gint scanned_uid;
+ if (sscanf (str, "unix-process:%d:%" G_GUINT64_FORMAT ":%d", &scanned_pid, &scanned_starttime, &scanned_uid) == 3)
{
+ subject = polkit_unix_process_new_for_owner (scanned_pid, scanned_starttime, scanned_uid);
+ }
+ else if (sscanf (str, "unix-process:%d:%" G_GUINT64_FORMAT, &scanned_pid, &scanned_starttime) == 2)
+ {
subject = polkit_unix_process_new_full (scanned_pid, scanned_starttime);
}
else if (sscanf (str, "unix-process:%d", &scanned_pid) == 1)
{
- subject = polkit_unix_process_new_full (scanned_pid, 0);
+ subject = polkit_unix_process_new (scanned_pid);
if (polkit_unix_process_get_start_time (POLKIT_UNIX_PROCESS (subject)) == 0)
{
g_object_unref (subject);
@@ -297,6 +302,8 @@ polkit_subject_to_gvariant (PolkitSubject *subject)
g_variant_new_uint32 (polkit_unix_process_get_pid (POLKIT_UNIX_PROCESS (subject))));
g_variant_builder_add (&builder, "{sv}", "start-time",
g_variant_new_uint64 (polkit_unix_process_get_start_time (POLKIT_UNIX_PROCESS (subject))));
+ g_variant_builder_add (&builder, "{sv}", "uid",
+ g_variant_new_int32 (polkit_unix_process_get_uid (POLKIT_UNIX_PROCESS (subject))));
}
else if (POLKIT_IS_UNIX_SESSION (subject))
{
@@ -395,6 +402,7 @@ polkit_subject_new_for_gvariant (GVariant *variant,
GVariant *v;
guint32 pid;
guint64 start_time;
+ gint32 uid;
v = lookup_asv (details_gvariant, "pid", G_VARIANT_TYPE_UINT32, error);
if (v == NULL)
@@ -414,7 +422,18 @@ polkit_subject_new_for_gvariant (GVariant *variant,
start_time = g_variant_get_uint64 (v);
g_variant_unref (v);
- ret = polkit_unix_process_new_full (pid, start_time);
+ v = lookup_asv (details_gvariant, "uid", G_VARIANT_TYPE_INT32, error);
+ if (v != NULL)
+ {
+ uid = g_variant_get_int32 (v);
+ g_variant_unref (v);
+ }
+ else
+ {
+ uid = -1;
+ }
+
+ ret = polkit_unix_process_new_for_owner (pid, start_time, uid);
}
else if (g_strcmp0 (kind, "unix-session") == 0)
{

549
sysutils/polkit/patches/patch-src_polkit_polkitunixprocess_c
View File

@ -1,73 +1,405 @@
$OpenBSD: patch-src_polkit_polkitunixprocess_c,v 1.1.1.1 2010/07/01 07:46:21 ajacoutot Exp $
--- src/polkit/polkitunixprocess.c.orig Wed Mar 10 18:46:19 2010
+++ src/polkit/polkitunixprocess.c Thu Jul 1 09:19:56 2010
@@ -24,8 +24,13 @@
$OpenBSD: patch-src_polkit_polkitunixprocess_c,v 1.2 2011/04/28 13:09:07 ajacoutot Exp $
From 129b6223a19e7fb2753f8cad7957ac5402394076 Mon Sep 17 00:00:00 2001
From: David Zeuthen <davidz@redhat.com>
Date: Fri, 01 Apr 2011 16:09:45 +0000
Subject: Make PolkitUnixProcess also record the uid of the process
From dd848a42a64a3b22a0cc60f6657b56ce9b6010ae Mon Sep 17 00:00:00 2001
From: David Zeuthen <davidz@redhat.com>
Date: Thu, 31 Mar 2011 16:59:09 +0000
Subject: PolkitUnixProcess: Clarify that the real uid is returned, not the effective one
--- src/polkit/polkitunixprocess.c.orig Sat Feb 26 23:23:53 2011
+++ src/polkit/polkitunixprocess.c Wed Apr 27 19:37:21 2011
@@ -24,16 +24,21 @@
#endif
#include <sys/types.h>
-#ifndef HAVE_FREEBSD
+#if !defined(HAVE_FREEBSD) && !defined(__OpenBSD__)
#include <sys/stat.h>
+#elif defined(__OpenBSD__)
-#include <sys/stat.h>
-#else
+#ifdef HAVE_FREEBSD
#include <sys/param.h>
#include <sys/sysctl.h>
#include <sys/user.h>
#endif
+#ifdef __OpenBSD__
+#include <kvm.h>
+#include <stdio.h>
+#include <sys/param.h>
+#include <sys/sysctl.h>
#else
#include <sys/param.h>
#include <sys/sysctl.h>
@@ -86,6 +91,10 @@ static guint64 get_start_time_for_pid (gint pid,
+#endif
#include <stdlib.h>
#include <string.h>
#include <errno.h>
+#include <stdio.h>
#include "polkitunixprocess.h"
#include "polkitsubject.h"
@@ -63,6 +68,7 @@ struct _PolkitUnixProcess
gint pid;
guint64 start_time;
+ gint uid;
};
struct _PolkitUnixProcessClass
@@ -75,6 +81,7 @@ enum
PROP_0,
PROP_PID,
PROP_START_TIME,
+ PROP_UID
};
static void subject_iface_init (PolkitSubjectIface *subject_iface);
@@ -82,7 +89,10 @@ static void subject_iface_init (PolkitSubjectIface *su
static guint64 get_start_time_for_pid (gint pid,
GError **error);
-#ifdef HAVE_FREEBSD
+static gint _polkit_unix_process_get_owner (PolkitUnixProcess *process,
+ GError **error);
+
+#if defined(HAVE_FREEBSD) || defined(__OpenBSD__)
static gboolean get_kinfo_proc (gint pid, struct kinfo_proc *p);
#endif
+#ifdef __OpenBSD__
+static gboolean get_kinfo_proc (pid_t pid, struct kinfo_proc2 *p);
+#endif
+
G_DEFINE_TYPE_WITH_CODE (PolkitUnixProcess, polkit_unix_process, G_TYPE_OBJECT,
G_IMPLEMENT_INTERFACE (POLKIT_TYPE_SUBJECT, subject_iface_init)
);
@@ -214,8 +223,10 @@ polkit_unix_process_get_owner (PolkitUnixProcess *pro
GError **error)
@@ -93,6 +103,7 @@ G_DEFINE_TYPE_WITH_CODE (PolkitUnixProcess, polkit_uni
static void
polkit_unix_process_init (PolkitUnixProcess *unix_process)
{
gint result;
+ unix_process->uid = -1;
}
static void
@@ -109,6 +120,10 @@ polkit_unix_process_get_property (GObject *object,
g_value_set_int (value, unix_process->pid);
break;
+ case PROP_UID:
+ g_value_set_int (value, unix_process->uid);
+ break;
+
case PROP_START_TIME:
g_value_set_uint64 (value, unix_process->start_time);
break;
@@ -133,6 +148,14 @@ polkit_unix_process_set_property (GObject *object
polkit_unix_process_set_pid (unix_process, g_value_get_int (value));
break;
+ case PROP_UID:
+ polkit_unix_process_set_uid (unix_process, g_value_get_int (value));
+ break;
+
+ case PROP_START_TIME:
+ polkit_unix_process_set_start_time (unix_process, g_value_get_uint64 (value));
+ break;
+
default:
G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
break;
@@ -140,12 +163,39 @@ polkit_unix_process_set_property (GObject *object
}
static void
+polkit_unix_process_constructed (GObject *object)
+{
+ PolkitUnixProcess *process = POLKIT_UNIX_PROCESS (object);
+
+ /* sets start_time and uid in case they are unset */
+
+ if (process->start_time == 0)
+ process->start_time = get_start_time_for_pid (process->pid, NULL);
+
+ if (process->uid == -1)
+ {
+ GError *error;
+ error = NULL;
+ process->uid = _polkit_unix_process_get_owner (process, &error);
+ if (error != NULL)
+ {
+ process->uid = -1;
+ g_error_free (error);
+ }
+ }
+
+ if (G_OBJECT_CLASS (polkit_unix_process_parent_class)->constructed != NULL)
+ G_OBJECT_CLASS (polkit_unix_process_parent_class)->constructed (object);
+}
+
+static void
polkit_unix_process_class_init (PolkitUnixProcessClass *klass)
{
GObjectClass *gobject_class = G_OBJECT_CLASS (klass);
gobject_class->get_property = polkit_unix_process_get_property;
gobject_class->set_property = polkit_unix_process_set_property;
+ gobject_class->constructed = polkit_unix_process_constructed;
/**
* PolkitUnixProcess:pid:
@@ -157,7 +207,7 @@ polkit_unix_process_class_init (PolkitUnixProcessClass
g_param_spec_int ("pid",
"Process ID",
"The UNIX process ID",
- -1,
+ 0,
G_MAXINT,
0,
G_PARAM_CONSTRUCT |
@@ -167,6 +217,27 @@ polkit_unix_process_class_init (PolkitUnixProcessClass
G_PARAM_STATIC_NICK));
/**
+ * PolkitUnixProcess:uid:
+ *
+ * The UNIX user id of the process or -1 if unknown.
+ *
+ * Note that this is the real user-id, not the effective user-id.
+ */
+ g_object_class_install_property (gobject_class,
+ PROP_UID,
+ g_param_spec_int ("uid",
+ "User ID",
+ "The UNIX user ID",
+ -1,
+ G_MAXINT,
+ -1,
+ G_PARAM_CONSTRUCT |
+ G_PARAM_READWRITE |
+ G_PARAM_STATIC_NAME |
+ G_PARAM_STATIC_BLURB |
+ G_PARAM_STATIC_NICK));
+
+ /**
* PolkitUnixProcess:start-time:
*
* The start time of the process.
@@ -179,7 +250,8 @@ polkit_unix_process_class_init (PolkitUnixProcessClass
0,
G_MAXUINT64,
0,
- G_PARAM_READABLE |
+ G_PARAM_CONSTRUCT |
+ G_PARAM_READWRITE |
G_PARAM_STATIC_NAME |
G_PARAM_STATIC_BLURB |
G_PARAM_STATIC_NICK));
@@ -187,78 +259,50 @@ polkit_unix_process_class_init (PolkitUnixProcessClass
}
/**
- * polkit_unix_process_get_pid:
+ * polkit_unix_process_get_uid:
* @process: A #PolkitUnixProcess.
*
- * Gets the process id for @process.
+ * Gets the user id for @process. Note that this is the real user-id,
+ * not the effective user-id.
*
- * Returns: The process id for @process.
+ * Returns: The user id for @process or -1 if unknown.
*/
gint
-polkit_unix_process_get_pid (PolkitUnixProcess *process)
+polkit_unix_process_get_uid (PolkitUnixProcess *process)
{
- g_return_val_if_fail (POLKIT_IS_UNIX_PROCESS (process), 0);
- return process->pid;
+ g_return_val_if_fail (POLKIT_IS_UNIX_PROCESS (process), -1);
+ return process->uid;
}
/**
- * polkit_unix_process_get_owner:
+ * polkit_unix_process_set_uid:
* @process: A #PolkitUnixProcess.
- * @error: (allow-none): Return location for error or %NULL.
+ * @uid: The user id to set for @process or -1 to unset it.
*
- * Gets the uid of the owner of @process.
+ * Sets the (real, not effective) user id for @process.
+ */
+void
+polkit_unix_process_set_uid (PolkitUnixProcess *process,
+ gint uid)
+{
+ g_return_if_fail (POLKIT_IS_UNIX_PROCESS (process));
+ g_return_if_fail (uid >= -1);
+ process->uid = uid;
+}
+
+/**
+ * polkit_unix_process_get_pid:
+ * @process: A #PolkitUnixProcess.
*
- * Returns: The UNIX user id of the owner for @process or 0 if @error is set.
- **/
+ * Gets the process id for @process.
+ *
+ * Returns: The process id for @process.
+ */
gint
-polkit_unix_process_get_owner (PolkitUnixProcess *process,
- GError **error)
+polkit_unix_process_get_pid (PolkitUnixProcess *process)
{
- gint result;
-#ifdef HAVE_FREEBSD
+#if defined(HAVE_FREEBSD)
struct kinfo_proc p;
+#elif defined(__OpenBSD__)
+ struct kinfo_proc2 p;
#else
struct stat statbuf;
char procbuf[32];
@@ -223,7 +234,7 @@ polkit_unix_process_get_owner (PolkitUnixProcess *pro
result = 0;
- struct kinfo_proc p;
-#else
- struct stat statbuf;
- char procbuf[32];
-#endif
-
g_return_val_if_fail (POLKIT_IS_UNIX_PROCESS (process), 0);
- g_return_val_if_fail (error == NULL || *error == NULL, 0);
-
- result = 0;
-
-#ifdef HAVE_FREEBSD
+#if defined(HAVE_FREEBSD) || defined(__OpenBSD__)
if (get_kinfo_proc (process->pid, &p) == 0)
{
g_set_error (error,
@@ -235,8 +246,12 @@ polkit_unix_process_get_owner (PolkitUnixProcess *pro
goto out;
}
- if (get_kinfo_proc (process->pid, &p) == 0)
- {
- g_set_error (error,
- POLKIT_ERROR,
- POLKIT_ERROR_FAILED,
- "get_kinfo_proc() failed for pid %d: %s",
- process->pid,
- g_strerror (errno));
- goto out;
- }
-
- result = p.ki_uid;
-#else
- g_snprintf (procbuf, sizeof procbuf, "/proc/%d", process->pid);
- if (stat (procbuf, &statbuf) != 0)
- {
- g_set_error (error,
- POLKIT_ERROR,
- POLKIT_ERROR_FAILED,
- "stat() failed for /proc/%d: %s",
- process->pid,
- g_strerror (errno));
- goto out;
- }
-
- result = statbuf.st_uid;
-#endif
-
- out:
-
- return result;
+ return process->pid;
}
+#if defined(HAVE_FREEBSD)
result = p.ki_uid;
#else
+ result = p.p_uid;
+#endif
+#else
g_snprintf (procbuf, sizeof procbuf, "/proc/%d", process->pid);
if (stat (procbuf, &statbuf) != 0)
{
@@ -476,12 +491,38 @@ get_kinfo_proc (pid_t pid, struct kinfo_proc *p)
/**
@@ -277,6 +321,21 @@ polkit_unix_process_get_start_time (PolkitUnixProcess
}
/**
+ * polkit_unix_process_set_start_time:
+ * @process: A #PolkitUnixProcess.
+ * @start_time: The start time for @pid.
+ *
+ * Set the start time of @process.
+ */
+void
+polkit_unix_process_set_start_time (PolkitUnixProcess *process,
+ guint64 start_time)
+{
+ g_return_if_fail (POLKIT_IS_UNIX_PROCESS (process));
+ process->start_time = start_time;
+}
+
+/**
* polkit_unix_process_set_pid:
* @process: A #PolkitUnixProcess.
* @pid: A process id.
@@ -289,19 +348,18 @@ polkit_unix_process_set_pid (PolkitUnixProcess *proces
{
g_return_if_fail (POLKIT_IS_UNIX_PROCESS (process));
process->pid = pid;
- if (pid != (gint) -1)
- process->start_time = get_start_time_for_pid (pid, NULL);
}
/**
* polkit_unix_process_new:
* @pid: The process id.
*
- * Creates a new #PolkitUnixProcess for @pid. The start time of the
- * process will be looked up in using e.g. the
- * <filename>/proc</filename> filesystem depending on the platform in
- * use.
+ * Creates a new #PolkitUnixProcess for @pid.
*
+ * The uid and start time of the process will be looked up in using
+ * e.g. the <filename>/proc</filename> filesystem depending on the
+ * platform in use.
+ *
* Returns: (transfer full): A #PolkitSubject. Free with g_object_unref().
*/
PolkitSubject *
@@ -319,22 +377,42 @@ polkit_unix_process_new (gint pid)
*
* Creates a new #PolkitUnixProcess object for @pid and @start_time.
*
+ * The uid of the process will be looked up in using e.g. the
+ * <filename>/proc</filename> filesystem depending on the platform in
+ * use.
+ *
* Returns: (transfer full): A #PolkitSubject. Free with g_object_unref().
*/
PolkitSubject *
polkit_unix_process_new_full (gint pid,
guint64 start_time)
{
- PolkitUnixProcess *process;
+ return POLKIT_SUBJECT (g_object_new (POLKIT_TYPE_UNIX_PROCESS,
+ "pid", pid,
+ "start_time", start_time,
+ NULL));
+}
- process = POLKIT_UNIX_PROCESS (polkit_unix_process_new ((gint) -1));
- process->pid = pid;
- if (start_time != 0)
- process->start_time = start_time;
- else
- process->start_time = get_start_time_for_pid (pid, NULL);
-
- return POLKIT_SUBJECT (process);
+/**
+ * polkit_unix_process_new_for_owner:
+ * @pid: The process id.
+ * @start_time: The start time for @pid or 0 to look it up in e.g. <filename>/proc</filename>.
+ * @uid: The (real, not effective) uid of the owner of @pid or -1 to look it up in e.g. <filename>/proc</filename>.
+ *
+ * Creates a new #PolkitUnixProcess object for @pid, @start_time and @uid.
+ *
+ * Returns: (transfer full): A #PolkitSubject. Free with g_object_unref().
+ */
+PolkitSubject *
+polkit_unix_process_new_for_owner (gint pid,
+ guint64 start_time,
+ gint uid)
+{
+ return POLKIT_SUBJECT (g_object_new (POLKIT_TYPE_UNIX_PROCESS,
+ "pid", pid,
+ "start_time", start_time,
+ "uid", uid,
+ NULL));
}
static guint
@@ -482,12 +560,38 @@ get_kinfo_proc (pid_t pid, struct kinfo_proc *p)
}
#endif
+#ifdef __OpenBSD__
+get_kinfo_proc (pid_t pid,
+ struct kinfo_proc2 *p)
+ struct kinfo_proc *p)
+{
+ int name[6];
+ u_int namelen;
@ -76,14 +408,14 @@ $OpenBSD: patch-src_polkit_polkitunixprocess_c,v 1.1.1.1 2010/07/01 07:46:21 aja
+ sz = sizeof(*p);
+ namelen = 0;
+ name[namelen++] = CTL_KERN;
+ name[namelen++] = KERN_PROC2;
+ name[namelen++] = KERN_PROC;
+ name[namelen++] = KERN_PROC_PID;
+ name[namelen++] = pid;
+ name[namelen++] = sz;
+ name[namelen++] = 1;
+
+ if (sysctl (name, namelen, p, &sz, NULL, 0) == -1) {
+ perror("sysctl kern.proc2.pid");
+ perror("sysctl kern.proc.pid");
+ return FALSE;
+ }
+
@ -101,19 +433,7 @@ $OpenBSD: patch-src_polkit_polkitunixprocess_c,v 1.1.1.1 2010/07/01 07:46:21 aja
gchar *filename;
gchar *contents;
size_t length;
@@ -554,7 +595,11 @@ get_start_time_for_pid (pid_t pid,
g_free (filename);
g_free (contents);
#else
+#if defined(HAVE_FREEBSD)
struct kinfo_proc p;
+#else
+ struct kinfo_proc2 p;
+#endif
start_time = 0;
@@ -569,7 +614,11 @@ get_start_time_for_pid (pid_t pid,
@@ -575,10 +679,110 @@ get_start_time_for_pid (pid_t pid,
goto out;
}
@ -125,3 +445,102 @@ $OpenBSD: patch-src_polkit_polkitunixprocess_c,v 1.1.1.1 2010/07/01 07:46:21 aja
out:
#endif
return start_time;
+}
+
+static gint
+_polkit_unix_process_get_owner (PolkitUnixProcess *process,
+ GError **error)
+{
+ gint result;
+ gchar *contents;
+ gchar **lines;
+#if defined(HAVE_FREEBSD) || defined(__OpenBSD__)
+ struct kinfo_proc p;
+#else
+ gchar filename[64];
+ guint n;
+#endif
+
+ g_return_val_if_fail (POLKIT_IS_UNIX_PROCESS (process), 0);
+ g_return_val_if_fail (error == NULL || *error == NULL, 0);
+
+ result = 0;
+ lines = NULL;
+ contents = NULL;
+
+#if defined(HAVE_FREEBSD) || defined(__OpenBSD__)
+ if (get_kinfo_proc (process->pid, &p) == 0)
+ {
+ g_set_error (error,
+ POLKIT_ERROR,
+ POLKIT_ERROR_FAILED,
+ "get_kinfo_proc() failed for pid %d: %s",
+ process->pid,
+ g_strerror (errno));
+ goto out;
+ }
+
+#if defined(HAVE_FREEBSD)
+ result = p.ki_uid;
+#else
+ result = p.p_uid;
+#endif
+#else
+
+ /* see 'man proc' for layout of the status file
+ *
+ * Uid, Gid: Real, effective, saved set, and file system UIDs (GIDs).
+ */
+ g_snprintf (filename, sizeof filename, "/proc/%d/status", process->pid);
+ if (!g_file_get_contents (filename,
+ &contents,
+ NULL,
+ error))
+ {
+ goto out;
+ }
+ lines = g_strsplit (contents, "\n", -1);
+ for (n = 0; lines != NULL && lines[n] != NULL; n++)
+ {
+ gint real_uid, effective_uid;
+ if (!g_str_has_prefix (lines[n], "Uid:"))
+ continue;
+ if (sscanf (lines[n] + 4, "%d %d", &real_uid, &effective_uid) != 2)
+ {
+ g_set_error (error,
+ POLKIT_ERROR,
+ POLKIT_ERROR_FAILED,
+ "Unexpected line `%s' in file %s",
+ lines[n],
+ filename);
+ goto out;
+ }
+ else
+ {
+ result = real_uid;
+ goto out;
+ }
+ }
+
+ g_set_error (error,
+ POLKIT_ERROR,
+ POLKIT_ERROR_FAILED,
+ "Didn't find any line starting with `Uid:' in file %s",
+ filename);
+#endif
+
+out:
+ g_strfreev (lines);
+ g_free (contents);
+ return result;
+}
+
+/* deprecated public method */
+gint
+polkit_unix_process_get_owner (PolkitUnixProcess *process,
+ GError **error)
+{
+ return _polkit_unix_process_get_owner (process, error);
}

39
sysutils/polkit/patches/patch-src_polkit_polkitunixprocess_h Normal file
View File

@ -0,0 +1,39 @@
$OpenBSD: patch-src_polkit_polkitunixprocess_h,v 1.1 2011/04/28 13:09:07 ajacoutot Exp $
From 129b6223a19e7fb2753f8cad7957ac5402394076 Mon Sep 17 00:00:00 2001
From: David Zeuthen <davidz@redhat.com>
Date: Fri, 01 Apr 2011 16:09:45 +0000
Subject: Make PolkitUnixProcess also record the uid of the process
--- src/polkit/polkitunixprocess.h.orig Sat Feb 26 23:23:53 2011
+++ src/polkit/polkitunixprocess.h Wed Apr 27 19:19:15 2011
@@ -47,16 +47,24 @@ typedef struct _PolkitUnixProcess PolkitUnixProcess;
typedef struct _PolkitUnixProcessClass PolkitUnixProcessClass;
GType polkit_unix_process_get_type (void) G_GNUC_CONST;
-PolkitSubject *polkit_unix_process_new (gint pid);
-PolkitSubject *polkit_unix_process_new_full (gint pid,
- guint64 start_time);
-
+PolkitSubject *polkit_unix_process_new (gint pid);
+PolkitSubject *polkit_unix_process_new_full (gint pid,
+ guint64 start_time);
+PolkitSubject *polkit_unix_process_new_for_owner (gint pid,
+ guint64 start_time,
+ gint uid);
gint polkit_unix_process_get_pid (PolkitUnixProcess *process);
guint64 polkit_unix_process_get_start_time (PolkitUnixProcess *process);
+gint polkit_unix_process_get_uid (PolkitUnixProcess *process);
void polkit_unix_process_set_pid (PolkitUnixProcess *process,
gint pid);
+void polkit_unix_process_set_uid (PolkitUnixProcess *process,
+ gint uid);
+void polkit_unix_process_set_start_time (PolkitUnixProcess *process,
+ guint64 start_time);
+
gint polkit_unix_process_get_owner (PolkitUnixProcess *process,
- GError **error);
+ GError **error) G_GNUC_DEPRECATED_FOR (polkit_unix_process_get_uid);
G_END_DECLS

39
sysutils/polkit/patches/patch-src_polkitagent_Makefile_am
View File

@ -1,24 +1,27 @@
$OpenBSD: patch-src_polkitagent_Makefile_am,v 1.1.1.1 2010/07/01 07:46:21 ajacoutot Exp $
--- src/polkitagent/Makefile.am.orig Wed Mar 10 18:46:19 2010
+++ src/polkitagent/Makefile.am Sun Jun 27 17:49:46 2010
@@ -68,8 +68,18 @@ libpolkit_agent_1_la_LDFLAGS = -export-symbols-regex '
libexec_PROGRAMS = polkit-agent-helper-1
polkit_agent_helper_1_SOURCES = \
- polkitagenthelper.c \
- $(NULL)
+ polkitagenthelperprivate.c polkitagenthelperprivate.h
+
+if POLKIT_AUTHFW_PAM
+polkit_agent_helper_1_SOURCES += polkitagenthelper-pam.c
+endif
+if POLKIT_AUTHFW_SHADOW
+polkit_agent_helper_1_SOURCES += polkitagenthelper-shadow.c
+endif
$OpenBSD: patch-src_polkitagent_Makefile_am,v 1.2 2011/04/28 13:09:07 ajacoutot Exp $
From c29a6fd701df08e10e384cce65356af9a5a559f3 Mon Sep 17 00:00:00 2001
From: Benjamin Otte <otte@redhat.com>
Date: Fri, 11 Mar 2011 13:01:27 +0000
Subject: introspection: Add --c-include to the gir files
--- src/polkitagent/Makefile.am.orig Sat Feb 26 23:23:53 2011
+++ src/polkitagent/Makefile.am Wed Apr 27 19:10:36 2011
@@ -89,6 +89,9 @@ endif
if POLKIT_AUTHFW_SHADOW
polkit_agent_helper_1_SOURCES += polkitagenthelper-shadow.c
endif
+if POLKIT_AUTHFW_BSDAUTH
+polkit_agent_helper_1_SOURCES += polkitagenthelper-bsdauth.c
+endif
+polkit_agent_helper_1_SOURCES += $(NULL)
polkit_agent_helper_1_CFLAGS = \
-D_POLKIT_COMPILATION \
@@ -120,6 +123,7 @@ PolkitAgent-1.0.gir: libpolkit-agent-1.la $(INTROSPECT
--pkg=glib-2.0 \
--pkg=gobject-2.0 \
--pkg=gio-2.0 \
+ --c-include='polkitagent/polkitagent.h' \
--libtool=$(top_builddir)/libtool \
-I$(top_srcdir)/src \
-D_POLKIT_COMPILATION \

80
sysutils/polkit/patches/patch-src_polkitagent_polkitagenthelper-bsdauth_c
View File

@ -1,10 +1,11 @@
$OpenBSD: patch-src_polkitagent_polkitagenthelper-bsdauth_c,v 1.3 2010/07/16 10:04:10 ajacoutot Exp $
--- src/polkitagent/polkitagenthelper-bsdauth.c.orig Fri Jul 16 11:22:22 2010
+++ src/polkitagent/polkitagenthelper-bsdauth.c Fri Jul 16 11:22:10 2010
@@ -0,0 +1,204 @@
$OpenBSD: patch-src_polkitagent_polkitagenthelper-bsdauth_c,v 1.4 2011/04/28 13:09:07 ajacoutot Exp $
--- src/polkitagent/polkitagenthelper-bsdauth.c.orig Sat Dec 4 09:39:18 2010
+++ src/polkitagent/polkitagenthelper-bsdauth.c Sat Dec 4 09:40:52 2010
@@ -0,0 +1,190 @@
+/*
+ * Copyright (C) 2008 Red Hat, Inc.
+ * Copyright (C) 2009-2010 Andrew Psaltis <ampsaltis@gmail.com>
+ * Copyright (C) 2010 Antoine Jacoutot <ajacoutot@openbsd.org>
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
@ -27,6 +28,8 @@ $OpenBSD: patch-src_polkitagent_polkitagenthelper-bsdauth_c,v 1.3 2010/07/16 10:
+ */
+
+#include "config.h"
+#include "polkitagenthelperprivate.h"
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
@ -40,34 +43,20 @@ $OpenBSD: patch-src_polkitagent_polkitagenthelper-bsdauth_c,v 1.3 2010/07/16 10:
+#include <bsd_auth.h>
+
+#include <polkit/polkit.h>
+#include "polkitagenthelperprivate.h"
+
+
+static int bsdauth_authenticate(const char *user_to_auth);
+
+#ifndef HAVE_CLEARENV
+extern char **environ;
+
+static int
+clearenv (void)
+{
+ if (environ != NULL)
+ environ[0] = NULL;
+ return 0;
+}
+#endif
+static gboolean bsdauth_authenticate (const char *user_to_auth);
+
+int
+main (int argc, char *argv[])
+{
+ struct passwd *shadow;
+ struct passwd *pw;
+ const char *user_to_auth;
+ const char *cookie;
+// time_t tm;
+
+ /* clear the entire environment to avoid attacks with
+ libraries honoring environment variables */
+ if (clearenv () != 0)
+ if (_polkit_clearenv () != 0)
+ goto error;
+
+ /* set a minimal environment */
@ -108,54 +97,50 @@ $OpenBSD: patch-src_polkitagent_polkitagenthelper-bsdauth_c,v 1.3 2010/07/16 10:
+ fprintf (stderr, "polkit-agent-helper-1: user to auth is '%s'.\n", user_to_auth);
+#endif /* PAH_DEBUG */
+
+ /* Ask shadow about the user requesting authentication */
+ if ((shadow = getpwnam (user_to_auth)) == NULL)
+ /* Search the password database for the user requesting authentication */
+ if ((pw = getpwnam (user_to_auth)) == NULL)
+ {
+ syslog (LOG_NOTICE, "password database information request for user %s [uid=%d] failed", user_to_auth, getuid());
+ fprintf(stderr, "polkit-agent-helper-1: could not get shadow information for%.100s", user_to_auth);
+ fprintf(stderr, "polkit-agent-helper-1: could not get user information for '%s'", user_to_auth);
+ goto error;
+ }
+
+
+ /* Check the user's identity */
+ if(!bsdauth_authenticate (user_to_auth))
+ if (!bsdauth_authenticate (user_to_auth))
+ {
+ syslog (LOG_NOTICE, "authentication failure [uid=%d] trying to authenticate '%s'", getuid (), user_to_auth);
+ fprintf (stderr, "polkit-agent-helper-1: authentication failure. This incident has been logged.\n");
+ goto error;
+ }
+
+#if 0
+ /* Check whether the user's password has expired */
+/*
+ time(&tm);
+ if( shadow->sp_max >= 0 && (shadow->sp_lstchg + shadow->sp_max) * 60 * 60 * 24 <= tm)
+ now = time (NULL);
+ if (shadow->sp_max >= 0 && (shadow->sp_lstchg + shadow->sp_max) * 60 * 60 * 24 <= now)
+ {
+ syslog (LOG_NOTICE, "password expired for user '%s' [uid=%d] trying to authenticate", user_to_auth, getuid () );
+ syslog (LOG_NOTICE, "password expired for user '%s' [uid=%d] trying to authenticate", user_to_auth, getuid ());
+ fprintf (stderr, "polkit-agent-helper-1: authorization failure. This incident has been logged.\n");
+ goto error;
+ }
+*/
+
+ /* Check whether the user's password has aged (and account expired along
+ * with it)
+ */
+/*
+ if( shadow->sp_inact >= 0 && (shadow->sp_lstchg + shadow->sp_max + shadow->sp_inact) * 60 * 60 * 24 <= tm)
+ if (shadow->sp_inact >= 0 && (shadow->sp_lstchg + shadow->sp_max + shadow->sp_inact) * 60 * 60 * 24 <= now)
+ {
+ syslog (LOG_NOTICE, "password aged for user '%s' [uid=%d] trying to authenticate", user_to_auth, getuid () );
+ syslog (LOG_NOTICE, "password aged for user '%s' [uid=%d] trying to authenticate", user_to_auth, getuid ());
+ fprintf (stderr, "polkit-agent-helper-1: authorization failure. This incident has been logged.\n");
+ goto error;
+ }
+*/
+
+ /* Check whether the user's account has expired */
+/*
+ if(shadow->sp_expire >= 0 && shadow->sp_expire * 60 * 60 * 24 <= tm)
+ if (shadow->sp_expire >= 0 && shadow->sp_expire * 60 * 60 * 24 <= now)
+ {
+ syslog (LOG_NOTICE, "account expired for user '%s' [uid=%d] trying to authenticate", user_to_auth, getuid () );
+ syslog (LOG_NOTICE, "account expired for user '%s' [uid=%d] trying to authenticate", user_to_auth, getuid ());
+ fprintf (stderr, "polkit-agent-helper-1: authorization failure. This incident has been logged.\n");
+ goto error;
+ }
+*/
+#endif
+
+#ifdef PAH_DEBUG
+ fprintf (stderr, "polkit-agent-helper-1: sending D-Bus message to PolicyKit daemon\n");
@ -177,29 +162,30 @@ $OpenBSD: patch-src_polkitagent_polkitagenthelper-bsdauth_c,v 1.3 2010/07/16 10:
+#endif /* PAH_DEBUG */
+
+ fprintf (stdout, "SUCCESS\n");
+ flush_and_wait();
+ flush_and_wait ();
+ return 0;
+
+error:
+ fprintf (stdout, "FAILURE\n");
+ flush_and_wait();
+ flush_and_wait ();
+ return 1;
+}
+
+static int
+bsdauth_authenticate(const char *user_to_auth)
+static gboolean
+bsdauth_authenticate (const char *user_to_auth)
+{
+ /* Speak PAM to the daemon, thanks to David Zeuthen for the idea. */
+ char passwd[512];
+ fprintf(stdout, "PAM_PROMPT_ECHO_OFF password:\n");
+ flush_and_wait();
+
+ fprintf (stdout, "PAM_PROMPT_ECHO_OFF password:\n");
+ fflush (stdout);
+ usleep (10 * 1000); /* since fflush(3) seems buggy */
+
+ if (fgets (passwd, sizeof (passwd), stdin) == NULL)
+ goto error;
+
+ if (strlen (passwd) > 0 && passwd[strlen (passwd) - 1] == '\n')
+ passwd[strlen (passwd) - 1] = '\0';
+
+
+ if (auth_userokay((char *)user_to_auth, NULL, "auth-polkit", passwd) == 0)
+ goto error;
+ return 1;

268
sysutils/polkit/patches/patch-src_polkitagent_polkitagenthelper-pam_c
View File

@ -1,268 +0,0 @@
$OpenBSD: patch-src_polkitagent_polkitagenthelper-pam_c,v 1.1.1.1 2010/07/01 07:46:21 ajacoutot Exp $
--- src/polkitagent/polkitagenthelper-pam.c.orig Sun Jun 27 17:34:45 2010
+++ src/polkitagent/polkitagenthelper-pam.c Sun Jun 27 17:34:45 2010
@@ -0,0 +1,264 @@
+/*
+ * Copyright (C) 2008, 2010 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General
+ * Public License along with this library; if not, write to the
+ * Free Software Foundation, Inc., 59 Temple Place, Suite 330,
+ * Boston, MA 02111-1307, USA.
+ *
+ * Author: David Zeuthen <davidz@redhat.com>
+ */
+
+#include "config.h"
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <syslog.h>
+#include <security/pam_appl.h>
+
+#include <polkit/polkit.h>
+#include "polkitagenthelperprivate.h"
+
+static int conversation_function (int n, const struct pam_message **msg, struct pam_response **resp, void *data);
+
+int
+main (int argc, char *argv[])
+{
+ int rc;
+ const char *user_to_auth;
+ const char *cookie;
+ struct pam_conv pam_conversation;
+ pam_handle_t *pam_h;
+ const void *authed_user;
+
+ rc = 0;
+ pam_h = NULL;
+
+ /* clear the entire environment to avoid attacks using with libraries honoring environment variables */
+ if (clearenv () != 0)
+ goto error;
+
+ /* set a minimal environment */
+ setenv ("PATH", "/usr/sbin:/usr/bin:/sbin:/bin", 1);
+
+ /* check that we are setuid root */
+ if (geteuid () != 0)
+ {
+ fprintf (stderr, "polkit-agent-helper-1: needs to be setuid root\n");
+ goto error;
+ }
+
+ openlog ("polkit-agent-helper-1", LOG_CONS | LOG_PID, LOG_AUTHPRIV);
+
+ /* check for correct invocation */
+ if (argc != 3)
+ {
+ syslog (LOG_NOTICE, "inappropriate use of helper, wrong number of arguments [uid=%d]", getuid ());
+ fprintf (stderr, "polkit-agent-helper-1: wrong number of arguments. This incident has been logged.\n");
+ goto error;
+ }
+
+ user_to_auth = argv[1];
+ cookie = argv[2];
+
+ if (getuid () != 0)
+ {
+ /* check we're running with a non-tty stdin */
+ if (isatty (STDIN_FILENO) != 0)
+ {
+ syslog (LOG_NOTICE, "inappropriate use of helper, stdin is a tty [uid=%d]", getuid ());
+ fprintf (stderr, "polkit-agent-helper-1: inappropriate use of helper, stdin is a tty. This incident has been logged.\n");
+ goto error;
+ }
+ }
+
+#ifdef PAH_DEBUG
+ fprintf (stderr, "polkit-agent-helper-1: user to auth is '%s'.\n", user_to_auth);
+#endif /* PAH_DEBUG */
+
+ pam_conversation.conv = conversation_function;
+ pam_conversation.appdata_ptr = NULL;
+
+ /* start the pam stack */
+ rc = pam_start ("polkit-1",
+ user_to_auth,
+ &pam_conversation,
+ &pam_h);
+ if (rc != PAM_SUCCESS)
+ {
+ fprintf (stderr, "polkit-agent-helper-1: pam_start failed: %s\n", pam_strerror (pam_h, rc));
+ goto error;
+ }
+
+ /* set the requesting user */
+ rc = pam_set_item (pam_h, PAM_RUSER, user_to_auth);
+ if (rc != PAM_SUCCESS)
+ {
+ fprintf (stderr, "polkit-agent-helper-1: pam_set_item failed: %s\n", pam_strerror (pam_h, rc));
+ goto error;
+ }
+
+ /* is user really user? */
+ rc = pam_authenticate (pam_h, 0);
+ if (rc != PAM_SUCCESS)
+ {
+ fprintf (stderr, "polkit-agent-helper-1: pam_authenticated failed: %s\n", pam_strerror (pam_h, rc));
+ goto error;
+ }
+
+ /* permitted access? */
+ rc = pam_acct_mgmt (pam_h, 0);
+ if (rc != PAM_SUCCESS)
+ {
+ fprintf (stderr, "polkit-agent-helper-1: pam_acct_mgmt failed: %s\n", pam_strerror (pam_h, rc));
+ goto error;
+ }
+
+ /* did we auth the right user? */
+ rc = pam_get_item (pam_h, PAM_USER, &authed_user);
+ if (rc != PAM_SUCCESS)
+ {
+ fprintf (stderr, "polkit-agent-helper-1: pam_get_item failed: %s\n", pam_strerror (pam_h, rc));
+ goto error;
+ }
+
+ if (strcmp (authed_user, user_to_auth) != 0)
+ {
+ fprintf (stderr, "polkit-agent-helper-1: Tried to auth user '%s' but we got auth for user '%s' instead",
+ user_to_auth, (const char *) authed_user);
+ goto error;
+ }
+
+#ifdef PAH_DEBUG
+ fprintf (stderr, "polkit-agent-helper-1: successfully authenticated user '%s'.\n", user_to_auth);
+#endif /* PAH_DEBUG */
+
+ pam_end (pam_h, rc);
+ pam_h = NULL;
+
+#ifdef PAH_DEBUG
+ fprintf (stderr, "polkit-agent-helper-1: sending D-Bus message to PolicyKit daemon\n");
+#endif /* PAH_DEBUG */
+
+ /* now send a D-Bus message to the PolicyKit daemon that
+ * includes a) the cookie; and b) the user we authenticated
+ */
+ if (!send_dbus_message (cookie, user_to_auth))
+ {
+#ifdef PAH_DEBUG
+ fprintf (stderr, "polkit-agent-helper-1: error sending D-Bus message to PolicyKit daemon\n");
+#endif /* PAH_DEBUG */
+ goto error;
+ }
+
+#ifdef PAH_DEBUG
+ fprintf (stderr, "polkit-agent-helper-1: successfully sent D-Bus message to PolicyKit daemon\n");
+#endif /* PAH_DEBUG */
+
+ fprintf (stdout, "SUCCESS\n");
+ flush_and_wait();
+ return 0;
+
+error:
+ if (pam_h != NULL)
+ pam_end (pam_h, rc);
+
+ fprintf (stdout, "FAILURE\n");
+ flush_and_wait();
+ return 1;
+}
+
+static int
+conversation_function (int n, const struct pam_message **msg, struct pam_response **resp, void *data)
+{
+ struct pam_response *aresp;
+ char buf[PAM_MAX_RESP_SIZE];
+ int i;
+
+ data = data;
+ if (n <= 0 || n > PAM_MAX_NUM_MSG)
+ return PAM_CONV_ERR;
+
+ if ((aresp = calloc(n, sizeof *aresp)) == NULL)
+ return PAM_BUF_ERR;
+
+ for (i = 0; i < n; ++i)
+ {
+ aresp[i].resp_retcode = 0;
+ aresp[i].resp = NULL;
+ switch (msg[i]->msg_style)
+ {
+
+ case PAM_PROMPT_ECHO_OFF:
+ fprintf (stdout, "PAM_PROMPT_ECHO_OFF ");
+ goto conv1;
+
+ case PAM_PROMPT_ECHO_ON:
+ fprintf (stdout, "PAM_PROMPT_ECHO_ON ");
+ conv1:
+ fputs (msg[i]->msg, stdout);
+ if (strlen (msg[i]->msg) > 0 && msg[i]->msg[strlen (msg[i]->msg) - 1] != '\n')
+ fputc ('\n', stdout);
+ fflush (stdout);
+
+ if (fgets (buf, sizeof buf, stdin) == NULL)
+ goto error;
+
+ if (strlen (buf) > 0 &&
+ buf[strlen (buf) - 1] == '\n')
+ buf[strlen (buf) - 1] = '\0';
+
+ aresp[i].resp = strdup (buf);
+ if (aresp[i].resp == NULL)
+ goto error;
+ break;
+
+ case PAM_ERROR_MSG:
+ fprintf (stdout, "PAM_ERROR_MSG ");
+ goto conv2;
+
+ case PAM_TEXT_INFO:
+ fprintf (stdout, "PAM_TEXT_INFO ");
+ conv2:
+ fputs (msg[i]->msg, stdout);
+ if (strlen (msg[i]->msg) > 0 &&
+ msg[i]->msg[strlen (msg[i]->msg) - 1] != '\n')
+ fputc ('\n', stdout);
+ fflush (stdout);
+ break;
+
+ default:
+ goto error;
+ }
+ }
+
+ *resp = aresp;
+ return PAM_SUCCESS;
+
+error:
+
+ for (i = 0; i < n; ++i)
+ {
+ if (aresp[i].resp != NULL) {
+ memset (aresp[i].resp, 0, strlen(aresp[i].resp));
+ free (aresp[i].resp);
+ }
+ }
+ memset (aresp, 0, n * sizeof *aresp);
+ *resp = NULL;
+ return PAM_CONV_ERR;
+}
+

114
sysutils/polkit/patches/patch-src_polkitagent_polkitagenthelperprivate_c
View File

@ -1,101 +1,13 @@
$OpenBSD: patch-src_polkitagent_polkitagenthelperprivate_c,v 1.1.1.1 2010/07/01 07:46:21 ajacoutot Exp $
--- src/polkitagent/polkitagenthelperprivate.c.orig Sun Jun 27 17:34:45 2010
+++ src/polkitagent/polkitagenthelperprivate.c Sun Jun 27 17:34:45 2010
@@ -0,0 +1,97 @@
+/*
+ * Copyright (C) 2009-2010 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General
+ * Public License along with this library; if not, write to the
+ * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+ * Boston, MA 02110-1301, USA.
+ *
+ * Authors: David Zeuthen <davidz@redhat.com>,
+ * Andrew Psaltis <ampsaltis@gmail.com>
+ */
+
+#include "polkitagenthelperprivate.h"
+#include <stdio.h>
+
+#ifndef HAVE_CLEARENV
+extern char **environ;
+
+static int
+clearenv (void)
+{
+ if (environ != NULL)
+ environ[0] = NULL;
+ return 0;
+}
+#endif
+
+
+gboolean
+send_dbus_message (const char *cookie, const char *user)
+{
+ PolkitAuthority *authority;
+ PolkitIdentity *identity;
+ GError *error;
+ gboolean ret;
+
+ ret = FALSE;
+
+ error = NULL;
+
+ g_type_init ();
+
+ authority = polkit_authority_get ();
+
+ identity = polkit_unix_user_new_for_name (user, &error);
+ if (identity == NULL)
+ {
+ g_printerr ("Error constructing identity: %s\n", error->message);
+ g_error_free (error);
+ goto out;
+ }
+
+ if (!polkit_authority_authentication_agent_response_sync (authority,
+ cookie,
+ identity,
+ NULL,
+ &error))
+ {
+ g_printerr ("polkit-agent-helper-1: error response to PolicyKit daemon: %s\n", error->message);
+ g_error_free (error);
+ goto out;
+ }
+
+ ret = TRUE;
+
+ out:
+
+ if (identity != NULL)
+ g_object_unref (identity);
+
+ if (authority != NULL)
+ g_object_unref (authority);
+
+ return ret;
+}
+
+/* fflush(3) stdin and stdout and wait a little bit.
+ * This replaces the three-line commands at the bottom of
+ * polkit-agent-helper-1's main() function.
+ */
+void
+flush_and_wait ()
+{
+ fflush (stdout);
+ fflush (stderr);
+ usleep (10 * 1000); /* since fflush(3) seems buggy */
+}
$OpenBSD: patch-src_polkitagent_polkitagenthelperprivate_c,v 1.2 2011/04/28 13:09:07 ajacoutot Exp $
--- src/polkitagent/polkitagenthelperprivate.c.orig Wed Apr 27 16:58:05 2011
+++ src/polkitagent/polkitagenthelperprivate.c Wed Apr 27 16:58:18 2011
@@ -103,7 +103,7 @@ flush_and_wait ()
{
fflush (stdout);
fflush (stderr);
- fdatasync (fileno(stdout));
- fdatasync (fileno(stderr));
+ fsync (fileno(stdout));
+ fsync (fileno(stderr));
usleep (100 * 1000);
}

46
sysutils/polkit/patches/patch-src_polkitagent_polkitagenthelperprivate_h
View File

@ -1,46 +0,0 @@
$OpenBSD: patch-src_polkitagent_polkitagenthelperprivate_h,v 1.1.1.1 2010/07/01 07:46:21 ajacoutot Exp $
--- src/polkitagent/polkitagenthelperprivate.h.orig Sun Jun 27 17:34:45 2010
+++ src/polkitagent/polkitagenthelperprivate.h Sun Jun 27 17:34:45 2010
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2009-2010 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General
+ * Public License along with this library; if not, write to the
+ * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+ * Boston, MA 02110-1301, USA.
+ *
+ * Authors: David Zeuthen <davidz@redhat.com>,
+ * Andrew Psaltis <ampsalits@gmail.com>
+ */
+#ifndef __POLKIT_AGENT_HELPER_PRIVATE_H
+#define __POLKIT_AGENT_HELPER_PRIVATE_H
+
+#include <polkit/polkit.h>
+
+/* Development aid: define PAH_DEBUG to get debugging output. Do _NOT_
+ * enable this in production builds; it may leak passwords and other
+ * sensitive information.
+ */
+#undef PAH_DEBUG
+// #define PAH_DEBUG
+
+#ifdef HAVE_SOLARIS
+# define LOG_AUTHPRIV (10<<3)
+#endif
+
+gboolean send_dbus_message (const char *cookie, const char *user);
+
+void flush_and_wait ();
+
+#endif /* __POLKIT_AGENT_HELPER_PRIVATE_H */

4
sysutils/polkit/patches/patch-src_polkitbackend_50-localauthority_conf
View File

@ -1,11 +1,11 @@
$OpenBSD: patch-src_polkitbackend_50-localauthority_conf,v 1.1 2010/07/05 15:22:16 ajacoutot Exp $
$OpenBSD: patch-src_polkitbackend_50-localauthority_conf,v 1.2 2011/04/28 13:09:07 ajacoutot Exp $
--- src/polkitbackend/50-localauthority.conf.orig Mon Jul 5 16:52:24 2010
+++ src/polkitbackend/50-localauthority.conf Mon Jul 5 16:52:30 2010
@@ -1,6 +1,6 @@
# Configuration file for the PolicyKit Local Authority.
#
-# DO NOT EDIT THIS FILE, it will be overwritten on update.
+# DO NOT EDIT THIS FILE
+# DO NOT EDIT THIS FILE.
#
# See the pklocalauthority(8) man page for more information
# about configuring the Local Authority.

10
sysutils/polkit/patches/patch-src_polkitbackend_Makefile_am
View File

@ -1,8 +1,8 @@
$OpenBSD: patch-src_polkitbackend_Makefile_am,v 1.1.1.1 2010/07/01 07:46:21 ajacoutot Exp $
--- src/polkitbackend/Makefile.am.orig Sun Jun 27 18:26:49 2010
+++ src/polkitbackend/Makefile.am Sun Jun 27 18:27:49 2010
@@ -100,10 +100,4 @@ clean-local :
rm -f *~ $(ck_built_sources) $(BUILT_SOURCES)
$OpenBSD: patch-src_polkitbackend_Makefile_am,v 1.2 2011/04/28 13:09:07 ajacoutot Exp $
--- src/polkitbackend/Makefile.am.orig Mon Aug 9 20:49:57 2010
+++ src/polkitbackend/Makefile.am Tue Nov 30 12:31:18 2010
@@ -74,10 +74,4 @@ clean-local :
rm -f *~ $(BUILT_SOURCES)
install-exec-hook:
- mkdir -p $(DESTDIR)$(localstatedir)/lib/polkit-1

17
sysutils/polkit/patches/patch-src_polkitbackend_polkitbackendconfigsource_c
View File

@ -1,17 +0,0 @@
$OpenBSD: patch-src_polkitbackend_polkitbackendconfigsource_c,v 1.1 2010/07/18 15:41:22 ajacoutot Exp $
- Configuration reload on every query
779c0153fc0bd3c2e302dac1979d17638f054229
Set has_data to true after the data is loaded to prevent excessive
reloading of config files.
--- src/polkitbackend/polkitbackendconfigsource.c.orig Wed Mar 10 18:46:19 2010
+++ src/polkitbackend/polkitbackendconfigsource.c Sun Jul 18 17:28:52 2010
@@ -386,6 +386,7 @@ polkit_backend_config_source_ensure (PolkitBackendConf
}
source->priv->key_files = g_list_reverse (source->priv->key_files);
+ source->priv->has_data = TRUE;
out:
g_list_foreach (files, (GFunc) g_object_unref, NULL);

30
sysutils/polkit/patches/patch-src_polkitbackend_polkitbackendlocalauthority_c
View File

@ -1,30 +0,0 @@
$OpenBSD: patch-src_polkitbackend_polkitbackendlocalauthority_c,v 1.1.1.1 2010/07/01 07:46:21 ajacoutot Exp $
--- src/polkitbackend/polkitbackendlocalauthority.c.orig Sun Jun 27 18:27:56 2010
+++ src/polkitbackend/polkitbackendlocalauthority.c Sun Jun 27 18:28:13 2010
@@ -211,7 +211,7 @@ add_all_authorization_stores (PolkitBackendLocalAuthor
error = NULL;
if (n == 0)
- toplevel_path = PACKAGE_LOCALSTATE_DIR "/lib/polkit-1/localauthority";
+ toplevel_path = PACKAGE_LOCALSTATE_DIR "/db/polkit-1/localauthority";
else
toplevel_path = PACKAGE_SYSCONF_DIR "/polkit-1/localauthority";
@@ -321,7 +321,7 @@ polkit_backend_local_authority_init (PolkitBackendLoca
GError *error;
if (n == 0)
- toplevel_path = PACKAGE_LOCALSTATE_DIR "/lib/polkit-1/localauthority";
+ toplevel_path = PACKAGE_LOCALSTATE_DIR "/db/polkit-1/localauthority";
else
toplevel_path = PACKAGE_SYSCONF_DIR "/polkit-1/localauthority";
@@ -698,7 +698,7 @@ static gchar *
lockdown_get_filename (const gchar *action_id)
{
return g_strdup_printf (PACKAGE_LOCALSTATE_DIR
- "/lib/polkit-1/localauthority/90-mandatory.d/"
+ "/db/polkit-1/localauthority/90-mandatory.d/"
"org.freedesktop.policykit.localauthority.lockdown.action-%s.pkla",
action_id);
}

18
sysutils/polkit/patches/patch-src_polkitbackend_polkitbackendlocalauthorizationstore_c
View File

@ -1,18 +0,0 @@
$OpenBSD: patch-src_polkitbackend_polkitbackendlocalauthorizationstore_c,v 1.1 2010/07/18 15:41:22 ajacoutot Exp $
- Configuration reload on every query
779c0153fc0bd3c2e302dac1979d17638f054229
Set has_data to true after the data is loaded to prevent excessive
reloading of config files.
--- src/polkitbackend/polkitbackendlocalauthorizationstore.c.orig Wed Mar 10 18:46:19 2010
+++ src/polkitbackend/polkitbackendlocalauthorizationstore.c Sun Jul 18 17:28:52 2010
@@ -641,6 +641,8 @@ polkit_backend_local_authorization_store_ensure (Polki
g_free (filename);
}
+ store->priv->has_data = TRUE;
+
out:
g_list_foreach (files, (GFunc) g_object_unref, NULL);
g_list_free (files);

30
sysutils/polkit/patches/patch-src_polkitbackend_polkitbackendsessionmonitor_c Normal file
View File

@ -0,0 +1,30 @@
$OpenBSD: patch-src_polkitbackend_polkitbackendsessionmonitor_c,v 1.1 2011/04/28 13:09:07 ajacoutot Exp $
From c23d74447c7615dc74dae259f0fc3688ec988867 Mon Sep 17 00:00:00 2001
From: David Zeuthen <davidz@redhat.com>
Date: Fri, 01 Apr 2011 16:12:27 +0000
Subject: Use polkit_unix_process_get_uid() to get the owner of a process
--- src/polkitbackend/polkitbackendsessionmonitor.c.orig Sat Feb 26 23:23:53 2011
+++ src/polkitbackend/polkitbackendsessionmonitor.c Wed Apr 27 19:07:36 2011
@@ -293,14 +293,15 @@ polkit_backend_session_monitor_get_user_for_subject (P
if (POLKIT_IS_UNIX_PROCESS (subject))
{
- local_error = NULL;
- uid = polkit_unix_process_get_owner (POLKIT_UNIX_PROCESS (subject), &local_error);
- if (local_error != NULL)
+ uid = polkit_unix_process_get_uid (POLKIT_UNIX_PROCESS (subject));
+ if ((gint) uid == -1)
{
- g_propagate_prefixed_error (error, local_error, "Error getting user for process: ");
+ g_set_error (error,
+ POLKIT_ERROR,
+ POLKIT_ERROR_FAILED,
+ "Unix process subject does not have uid set");
goto out;
}
-
ret = polkit_unix_user_new (uid);
}
else if (POLKIT_IS_SYSTEM_BUS_NAME (subject))

41
sysutils/polkit/patches/patch-src_polkitd_gposixsignal_c Normal file
View File

@ -0,0 +1,41 @@
$OpenBSD: patch-src_polkitd_gposixsignal_c,v 1.1 2011/04/28 13:09:07 ajacoutot Exp $
--- src/polkitd/gposixsignal.c.orig Sat Feb 26 23:23:53 2011
+++ src/polkitd/gposixsignal.c Wed Apr 27 16:07:00 2011
@@ -26,7 +26,13 @@
#if defined(__linux__)
#include <unistd.h>
+#if defined(__FreeBSD__) || defined(__OpenBSD__)
+#include <sys/types.h>
+#include <sys/event.h>
+#include <sys/time.h>
+#else
#include <sys/signalfd.h>
+#endif
#include <signal.h>
typedef struct
@@ -84,6 +90,9 @@ _g_posix_signal_source_new (gint signum)
gint fd;
GSource *_source;
_GPosixSignalSource *source;
+#if defined(__FreeBSD__) || defined(__OpenBSD__)
+ struct kevent ev;
+#endif
_source = NULL;
@@ -93,7 +102,13 @@ _g_posix_signal_source_new (gint signum)
if (sigprocmask (SIG_BLOCK, &sigset, NULL) == -1)
g_assert_not_reached ();
+#if defined(__FreeBSD__) || defined(__OpenBSD__)
+ fd = kqueue ();
+ EV_SET (&ev, signum, EVFILT_SIGNAL, EV_ADD, 0, 0, NULL);
+ kevent (fd, &ev, 1, NULL, 0, NULL);
+#else
fd = signalfd (-1, &sigset, SFD_NONBLOCK | SFD_CLOEXEC);
+#endif
_source = g_source_new (&_g_posix_signal_source_funcs, sizeof (_GPosixSignalSource));
source = (_GPosixSignalSource *) _source;

141
sysutils/polkit/patches/patch-src_programs_pkexec_c
View File

@ -1,55 +1,104 @@
$OpenBSD: patch-src_programs_pkexec_c,v 1.1.1.1 2010/07/01 07:46:21 ajacoutot Exp $
--- src/programs/pkexec.c.orig Wed Mar 10 18:46:19 2010
+++ src/programs/pkexec.c Thu Jul 1 07:31:27 2010
@@ -34,7 +34,11 @@
#include <grp.h>
$OpenBSD: patch-src_programs_pkexec_c,v 1.2 2011/04/28 13:09:07 ajacoutot Exp $
From 3b12cfac29dddd27f1f166a7574d8374cc1dccf2 Mon Sep 17 00:00:00 2001
From: David Zeuthen <davidz@redhat.com>
Date: Fri, 01 Apr 2011 16:13:15 +0000
Subject: pkexec: Avoid TOCTTOU problems with parent process
--- src/programs/pkexec.c.orig Thu Mar 3 18:04:19 2011
+++ src/programs/pkexec.c Wed Apr 27 19:09:18 2011
@@ -35,6 +35,10 @@
#include <pwd.h>
#include <errno.h>
+#ifdef __linux__
+#include <sys/prctl.h>
+#endif
+
+#ifdef POLKIT_AUTHFW_PAM
#include <security/pam_appl.h>
+#endif /* POLKIT_AUTHFW_PAM */
+
#include <syslog.h>
#include <stdarg.h>
#include <glib/gi18n.h>
@@ -115,6 +119,7 @@ log_message (gint level,
#ifdef POLKIT_AUTHFW_PAM
@@ -423,7 +427,6 @@ main (int argc, char *argv[])
GPtrArray *saved_env;
gchar *opt_user;
pid_t pid_of_caller;
- uid_t uid_of_caller;
gpointer local_agent_handle;
/* ---------------------------------------------------------------------------------------------------- */
+#ifdef POLKIT_AUTHFW_PAM
static int
pam_conversation_function (int n,
const struct pam_message **msg,
@@ -167,6 +172,7 @@ out:
pam_end (pam_h, rc);
return ret;
}
+#endif /* POLKIT_AUTHFW_PAM */
/* ---------------------------------------------------------------------------------------------------- */
@@ -437,7 +443,7 @@ main (int argc, char *argv[])
goto out;
}
- original_cwd = g_strdup (get_current_dir_name ());
+ original_cwd = g_strdup (getcwd (NULL, 0));
if (original_cwd == NULL)
{
g_printerr ("Error getting cwd.\n");
@@ -741,11 +747,13 @@ main (int argc, char *argv[])
* TODO: The question here is whether we should clear the limits before applying them?
* As evident above, neither su(1) (and, for that matter, nor sudo(8)) does this.
ret = 127;
@@ -598,40 +601,49 @@ main (int argc, char *argv[])
*/
+#ifdef POLKIT_AUTHW_PAM
if (!open_session (pw->pw_name))
g_type_init ();
- /* now check if the program that invoked us is authorized */
+ /* make sure we are nuked if the parent process dies */
+#ifdef __linux__
+ if (prctl (PR_SET_PDEATHSIG, SIGTERM) != 0)
+ {
+ g_printerr ("prctl(PR_SET_PDEATHSIG, SIGTERM) failed: %s\n", g_strerror (errno));
+ goto out;
+ }
+#else
+#warning "Please add OS specific code to catch when the parent dies"
+#endif
+
+ /* Figure out the parent process */
pid_of_caller = getppid ();
if (pid_of_caller == 1)
{
/* getppid() can return 1 if the parent died (meaning that we are reaped
- * by /sbin/init); get process group leader instead - for example, this
- * happens when launching via gnome-panel (alt+f2, then 'pkexec gedit').
+ * by /sbin/init); In that case we simpy bail.
*/
- pid_of_caller = getpgrp ();
- }
-
- subject = polkit_unix_process_new (pid_of_caller);
- if (subject == NULL)
- {
- g_printerr ("No such process for pid %d: %s\n", (gint) pid_of_caller, error->message);
- g_error_free (error);
+ g_printerr ("Refusing to render service to dead parents.\n");
goto out;
}
-
+#endif /* POLKIT_AUTHFW_PAM */
+
/* become the user */
if (setgroups (0, NULL) != 0)
{
- /* paranoia: check that the uid of pid_of_caller matches getuid() */
- error = NULL;
- uid_of_caller = polkit_unix_process_get_owner (POLKIT_UNIX_PROCESS (subject),
- &error);
- if (error != NULL)
- {
- g_printerr ("Error determing pid of caller (pid %d): %s\n", (gint) pid_of_caller, error->message);
- g_error_free (error);
- goto out;
- }
- if (uid_of_caller != getuid ())
- {
- g_printerr ("User of caller (%d) does not match our uid (%d)\n", uid_of_caller, getuid ());
- goto out;
- }
+ /* This process we want to check an authorization for is the process
+ * that launched us - our parent process.
+ *
+ * At the time the parent process fork()'ed and exec()'ed us, the
+ * process had the same real-uid that we have now. So we use this
+ * real-uid instead of of looking it up to avoid TOCTTOU issues
+ * (consider the parent process exec()'ing a setuid helper).
+ *
+ * On the other hand, the monotonic process start-time is guaranteed
+ * to never change so it's safe to look that up given only the PID
+ * since we are guaranteed to be nuked if the parent goes away
+ * (cf. the prctl(2) call above).
+ */
+ subject = polkit_unix_process_new_for_owner (pid_of_caller,
+ 0, /* 0 means "look up start-time in /proc" */
+ getuid ());
+ /* really double-check the invariants guaranteed by the PolkitUnixProcess class */
+ g_assert (subject != NULL);
+ g_assert (polkit_unix_process_get_pid (POLKIT_UNIX_PROCESS (subject)) == pid_of_caller);
+ g_assert (polkit_unix_process_get_uid (POLKIT_UNIX_PROCESS (subject)) >= 0);
+ g_assert (polkit_unix_process_get_start_time (POLKIT_UNIX_PROCESS (subject)) > 0);
error = NULL;
authority = polkit_authority_get_sync (NULL /* GCancellable* */, &error);

3
sysutils/polkit/pkg/PFRAG.shared
View File

@ -1,6 +1,5 @@
@comment $OpenBSD: PFRAG.shared,v 1.1.1.1 2010/07/01 07:46:21 ajacoutot Exp $
@comment $OpenBSD: PFRAG.shared,v 1.2 2011/04/28 13:09:07 ajacoutot Exp $
@lib lib/libpolkit-agent-1.so.${LIBpolkit-agent-1_VERSION}
@lib lib/libpolkit-backend-1.so.${LIBpolkit-backend-1_VERSION}
@lib lib/libpolkit-gobject-1.so.${LIBpolkit-gobject-1_VERSION}
lib/polkit-1/extensions/libnullbackend.so
lib/polkit-1/extensions/libpkexec-action-lookup.so

15
sysutils/polkit/pkg/PLIST
View File

@ -1,4 +1,4 @@
@comment $OpenBSD: PLIST,v 1.5 2011/04/07 11:12:12 ajacoutot Exp $
@comment $OpenBSD: PLIST,v 1.6 2011/04/28 13:09:07 ajacoutot Exp $
%%SHARED%%
@bin bin/pk-example-frobnicate
@bin bin/pkaction
@ -21,6 +21,7 @@ include/polkit-1/polkit/polkitenumtypes.h
include/polkit-1/polkit/polkiterror.h
include/polkit-1/polkit/polkitidentity.h
include/polkit-1/polkit/polkitimplicitauthorization.h
include/polkit-1/polkit/polkitpermission.h
include/polkit-1/polkit/polkitprivate.h
include/polkit-1/polkit/polkitsubject.h
include/polkit-1/polkit/polkitsystembusname.h
@ -32,22 +33,21 @@ include/polkit-1/polkit/polkitunixsession.h
include/polkit-1/polkit/polkitunixuser.h
include/polkit-1/polkitagent/
include/polkit-1/polkitagent/polkitagent.h
include/polkit-1/polkitagent/polkitagentenumtypes.h
include/polkit-1/polkitagent/polkitagentlistener.h
include/polkit-1/polkitagent/polkitagentsession.h
include/polkit-1/polkitagent/polkitagenttextlistener.h
include/polkit-1/polkitagent/polkitagenttypes.h
include/polkit-1/polkitbackend/
include/polkit-1/polkitbackend/polkitbackend.h
include/polkit-1/polkitbackend/polkitbackendactionlookup.h
include/polkit-1/polkitbackend/polkitbackendactionpool.h
include/polkit-1/polkitbackend/polkitbackendauthority.h
include/polkit-1/polkitbackend/polkitbackendconfigsource.h
include/polkit-1/polkitbackend/polkitbackendinteractiveauthority.h
include/polkit-1/polkitbackend/polkitbackendlocalauthority.h
include/polkit-1/polkitbackend/polkitbackendlocalauthorizationstore.h
include/polkit-1/polkitbackend/polkitbackendsessionmonitor.h
include/polkit-1/polkitbackend/polkitbackendtypes.h
lib/girepository-1.0/
lib/girepository-1.0/Polkit-1.0.typelib
lib/girepository-1.0/PolkitAgent-1.0.typelib
lib/libpolkit-agent-1.a
lib/libpolkit-agent-1.la
lib/libpolkit-backend-1.a
@ -62,8 +62,6 @@ lib/polkit-1/
lib/polkit-1/extensions/
@comment lib/polkit-1/extensions/libnullbackend.a
@comment lib/polkit-1/extensions/libnullbackend.la
@comment lib/polkit-1/extensions/libpkexec-action-lookup.a
@comment lib/polkit-1/extensions/libpkexec-action-lookup.la
@mode 4755
@owner root
@bin libexec/polkit-agent-helper-1
@ -88,8 +86,8 @@ share/examples/polkit/polkit-1/
@mode 0700
@sample ${SYSCONFDIR}/polkit-1/
@sample /var/db/polkit-1/
@mode
@sample ${SYSCONFDIR}/polkit-1/localauthority/
@mode
share/examples/polkit/polkit-1/localauthority.conf.d/
@sample ${SYSCONFDIR}/polkit-1/localauthority.conf.d/
share/examples/polkit/polkit-1/localauthority.conf.d/50-localauthority.conf
@ -108,6 +106,7 @@ share/examples/polkit/var/db/polkit-1/localauthority/10-vendor.d/
share/examples/polkit/var/db/polkit-1/localauthority/10-vendor.d/10-desktop-policy.pkla
share/gir-1.0/
share/gir-1.0/Polkit-1.0.gir
share/gir-1.0/PolkitAgent-1.0.gir
share/locale/da/LC_MESSAGES/polkit-1.mo
share/polkit-1/
share/polkit-1/actions/