PolicyKit: Branch 'master'

David Zeuthen david at kemper.freedesktop.org
Mon Feb 21 09:13:20 PST 2011 

 src/polkitagent/polkitagenthelper-pam.c |   49 +++++++++++++++++++++++++++++---
 src/polkitagent/polkitagentsession.c    |    9 +++++
 2 files changed, 54 insertions(+), 4 deletions(-)

New commits:
commit 2e96ddd07f897518f63e7f499afb3ab85d91ac3b
Author: David Zeuthen <davidz at redhat.com>
Date:   Mon Feb 21 12:11:11 2011 -0500

    Improve error reporting for authentication sessions
    
    In particular ensure that we show
    
     Incorrect permissions on /opt/gnome-shell/install/libexec/polkit-agent-helper-1
    
    as a PAM error message if the permissions on the helper are incorrect
    (e.g. if the helper is not setuid root).
    
    Signed-off-by: David Zeuthen <davidz at redhat.com>

diff --git a/src/polkitagent/polkitagenthelper-pam.c b/src/polkitagent/polkitagenthelper-pam.c
index d1eed85..91b2b39 100644
--- a/src/polkitagent/polkitagenthelper-pam.c
+++ b/src/polkitagent/polkitagenthelper-pam.c
@@ -35,10 +35,36 @@
 
 static int conversation_function (int n, const struct pam_message **msg, struct pam_response **resp, void *data);
 
+static void
+send_to_helper (const gchar *str1,
+                const gchar *str2)
+{
+#ifdef PAH_DEBUG
+  fprintf (stderr, "polkit-agent-helper-1: writing `%s' to stdout\n", str1);
+#endif /* PAH_DEBUG */
+  fprintf (stdout, "%s", str1);
+#ifdef PAH_DEBUG
+  fprintf (stderr, "polkit-agent-helper-1: writing `%s' to stdout\n", str2);
+#endif /* PAH_DEBUG */
+  fprintf (stdout, "%s", str2);
+  if (strlen (str2) > 0 && str2[strlen (str2) - 1] != '\n')
+    {
+#ifdef PAH_DEBUG
+      fprintf (stderr, "polkit-agent-helper-1: writing newline to stdout\n");
+#endif /* PAH_DEBUG */
+      fputc ('\n', stdout);
+    }
+#ifdef PAH_DEBUG
+  fprintf (stderr, "polkit-agent-helper-1: flushing stdout\n");
+#endif /* PAH_DEBUG */
+  fflush (stdout);
+}
+
 int
 main (int argc, char *argv[])
 {
   int rc;
+  int err_ret;
   const char *user_to_auth;
   const char *cookie;
   struct pam_conv pam_conversation;
@@ -47,6 +73,7 @@ main (int argc, char *argv[])
 
   rc = 0;
   pam_h = NULL;
+  err_ret = 1;
 
   /* clear the entire environment to avoid attacks using with libraries honoring environment variables */
   if (_polkit_clearenv () != 0)
@@ -59,6 +86,10 @@ main (int argc, char *argv[])
   if (geteuid () != 0)
     {
       fprintf (stderr, "polkit-agent-helper-1: needs to be setuid root\n");
+      /* Special-case a very common error triggered in jhbuild setups - see
+       * polkitagentsession.c:child_watch_func() for details
+       */
+      err_ret = 2;
       goto error;
     }
 
@@ -116,7 +147,10 @@ main (int argc, char *argv[])
   rc = pam_authenticate (pam_h, 0);
   if (rc != PAM_SUCCESS)
     {
-      fprintf (stderr, "polkit-agent-helper-1: pam_authenticated failed: %s\n", pam_strerror (pam_h, rc));
+      const char *err;
+      err = pam_strerror (pam_h, rc);
+      fprintf (stderr, "polkit-agent-helper-1: pam_authenticate failed: %s\n", err);
+      send_to_helper ("PAM_ERROR_MSG ", err);
       goto error;
     }
 
@@ -124,7 +158,10 @@ main (int argc, char *argv[])
   rc = pam_acct_mgmt (pam_h, 0);
   if (rc != PAM_SUCCESS)
     {
-      fprintf (stderr, "polkit-agent-helper-1: pam_acct_mgmt failed: %s\n", pam_strerror (pam_h, rc));
+      const char *err;
+      err = pam_strerror (pam_h, rc);
+      fprintf (stderr, "polkit-agent-helper-1: pam_acct_mgmt failed: %s\n", err);
+      send_to_helper ("PAM_ERROR_MSG ", err);
       goto error;
     }
 
@@ -132,7 +169,10 @@ main (int argc, char *argv[])
   rc = pam_get_item (pam_h, PAM_USER, &authed_user);
   if (rc != PAM_SUCCESS)
     {
-      fprintf (stderr, "polkit-agent-helper-1: pam_get_item failed: %s\n", pam_strerror (pam_h, rc));
+      const char *err;
+      err = pam_strerror (pam_h, rc);
+      fprintf (stderr, "polkit-agent-helper-1: pam_get_item failed: %s\n", err);
+      send_to_helper ("PAM_ERROR_MSG ", err);
       goto error;
     }
 
@@ -140,6 +180,7 @@ main (int argc, char *argv[])
     {
       fprintf (stderr, "polkit-agent-helper-1: Tried to auth user '%s' but we got auth for user '%s' instead",
                user_to_auth, (const char *) authed_user);
+      send_to_helper ("PAM_ERROR_MSG ", "Authenticated the wrong user");
       goto error;
     }
 
@@ -179,7 +220,7 @@ error:
 
   fprintf (stdout, "FAILURE\n");
   flush_and_wait();
-  return 1;
+  return err_ret;
 }
 
 static int
diff --git a/src/polkitagent/polkitagentsession.c b/src/polkitagent/polkitagentsession.c
index 22a19ce..813b14c 100644
--- a/src/polkitagent/polkitagentsession.c
+++ b/src/polkitagent/polkitagentsession.c
@@ -404,6 +404,15 @@ child_watch_func (GPid     pid,
   /* kill all the watches we have set up, except for the child since it has exited already */
   session->child_pid = 0;
   kill_helper (session);
+
+  /* Special-case a very common error triggered in jhbuild setups */
+  if (WIFEXITED (status) && WEXITSTATUS (status) == 2)
+    {
+      g_signal_emit_by_name (session,
+                             "show-error",
+                             "Incorrect permissions on " PACKAGE_LIBEXEC_DIR "/polkit-agent-helper-1");
+      complete_session (session, FALSE);
+    }
 }
 
 static gboolean

More information about the hal-commit mailing list