PolicyKit: Branch 'master'
David Zeuthen
david at kemper.freedesktop.org
Fri Aug 31 10:57:10 PDT 2007
polkit-grant/Makefile.am | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
New commits:
diff-tree 6642ec69b4e379897e146a47df25240f4153af2d (from 61b3adc5b393b4070c19818f558dd76ac4b4d880)
Author: David Zeuthen <davidz at redhat.com>
Date: Fri Aug 31 13:51:10 2007 -0400
make polkit-grant-helper-pam out of reach for normal users
Adds a little bit more security.
diff --git a/polkit-grant/Makefile.am b/polkit-grant/Makefile.am
index 8c876ef..d888624 100644
--- a/polkit-grant/Makefile.am
+++ b/polkit-grant/Makefile.am
@@ -42,9 +42,12 @@ clean-local :
#
# polkit-grant-helper-pam need to be setuid root because it's used to
# authenticate not only the invoking user, but possibly also root
-# and/or other users.
+# and/or other users. As only polkit-grant-helper will invoke it
+# we make it owned by the polkitiuser group and non-readable /
+# non-executable to the world
#
install-data-local:
-chown :$(POLKIT_GROUP) $(DESTDIR)$(libexecdir)/polkit-grant-helper
-chmod 2755 $(DESTDIR)$(libexecdir)/polkit-grant-helper
- -chmod 4755 $(DESTDIR)$(libexecdir)/polkit-grant-helper-pam
+ -chown :$(POLKIT_GROUP) $(DESTDIR)$(libexecdir)/polkit-grant-helper-pam
+ -chmod 4750 $(DESTDIR)$(libexecdir)/polkit-grant-helper-pam
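Review bot: The two added recipe lines for polkit-grant-helper-pam keep the leading `-`, so a failed `chown` or `chmod` is ignored and the install still reports success, leaving the helper with an owner, group or mode other than the one the comment describes. If the prefix is presumably there to allow unprivileged staged installs into `$(DESTDIR)`, the comment should say so and state that packagers must apply root:`$(POLKIT_GROUP)` with mode 4750 themselves; otherwise drop the `-` on these two lines so a failure stops the install. The order is also load-bearing, since on Linux changing ownership of a regular file clears its setuid/setgid bits, and deserves a one-line comment such as `# chown before chmod: changing ownership clears setuid/setgid`. The new comment names the group as "polkitiuser"; writing `$(POLKIT_GROUP)` there avoids the typo and stays correct when the group is configured differently. The `install-data-local` recipe may continue past the end of this hunk.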