PolicyKit: Branch 'master'
David Zeuthen
david at kemper.freedesktop.org
Sun Nov 18 16:16:28 PST 2007
doc/polkit-docs.xml | 1
src/polkit-dbus/Makefile.am | 6
src/polkit-dbus/polkit-dbus.h | 6
src/polkit-dbus/polkit-read-auth-helper.c | 122 -----------
src/polkit-dbus/polkit-set-default-helper.c | 90 --------
src/polkit-dbus/polkit-simple.c | 247 ++++++++++++++++++++++++
src/polkit-dbus/polkit-simple.h | 42 ++++
src/polkit-grant/polkit-explicit-grant-helper.c | 90 --------
src/polkit-grant/polkit-revoke-helper.c | 103 ----------
9 files changed, 328 insertions(+), 379 deletions(-)
New commits:
commit a712e78e69220b43695463e00983e9316a646d32
Author: David Zeuthen <davidz at redhat.com>
Date: Sun Nov 18 19:16:23 2007 -0500
provide convenience functions for auth checking and port helpers to use them
Basically, checking auths with polkit is now a one-liner:
if (polkit_check_auth (getpid (), "com.acme.some-action", NULL) == 0) {
fprintf (stderr, "Not authorized; go away\n");
exit (1);
}
This can be used for making a lot of the legacy UNIX tools PolicyKit
aware. For example, vixie-cron could make crontab(1) (a setuid
program) check whether the calling user is authorized for the action
org.isc.vixie-cron.edit-own-crontab
This is a nice way to provide least privilege and still put the system
administrator in control via polkit-auth(1), polkit-action(1) and the
GTK+ "Manage Authorizations" utility:
http://people.redhat.com/davidz/polkitg-auth-1.png
http://people.redhat.com/davidz/polkitg-auth-2.png
http://people.redhat.com/davidz/polkitg-auth-3.png
diff --git a/doc/polkit-docs.xml b/doc/polkit-docs.xml
index 5e54e02..b309a55 100644
--- a/doc/polkit-docs.xml
+++ b/doc/polkit-docs.xml
@@ -104,6 +104,7 @@
</partintro>
<xi:include href="xml/polkit-types.xml"/>
<xi:include href="xml/polkit-sysdeps.xml"/>
+ <xi:include href="xml/polkit-simple.xml"/>
<xi:include href="xml/polkit-error.xml"/>
<xi:include href="xml/polkit-result.xml"/>
<xi:include href="xml/polkit-action.xml"/>
diff --git a/src/polkit-dbus/Makefile.am b/src/polkit-dbus/Makefile.am
index 6c5a165..d426848 100644
--- a/src/polkit-dbus/Makefile.am
+++ b/src/polkit-dbus/Makefile.am
@@ -18,10 +18,12 @@ lib_LTLIBRARIES=libpolkit-dbus.la
libpolkit_dbusincludedir=$(includedir)/PolicyKit/polkit-dbus
libpolkit_dbusinclude_HEADERS = \
- polkit-dbus.h
+ polkit-dbus.h \
+ polkit-simple.h
libpolkit_dbus_la_SOURCES = \
- polkit-dbus.h polkit-dbus.c
+ polkit-dbus.h polkit-dbus.c \
+ polkit-simple.h polkit-simple.c
libpolkit_dbus_la_LIBADD = @DBUS_LIBS@ $(top_builddir)/src/polkit/libpolkit.la $(SELINUX_LIBS) $(GLIB_LIBS)
diff --git a/src/polkit-dbus/polkit-dbus.h b/src/polkit-dbus/polkit-dbus.h
index 98f2353..4d99d0e 100644
--- a/src/polkit-dbus/polkit-dbus.h
+++ b/src/polkit-dbus/polkit-dbus.h
@@ -30,6 +30,10 @@
#include <polkit/polkit.h>
#include <dbus/dbus.h>
+#define _POLKIT_INSIDE_POLKIT_DBUS_H 1
+#include <polkit-dbus/polkit-simple.h>
+#undef _POLKIT_INSIDE_POLKIT_DBUS_H
+
POLKIT_BEGIN_DECLS
PolKitSession *polkit_session_new_from_objpath (DBusConnection *con, const char *objpath, uid_t uid, DBusError *error);
@@ -62,5 +66,3 @@ polkit_bool_t polkit_tracker_is_authorization_relevant (PolKitTracker *pk_trac
POLKIT_END_DECLS
#endif /* POLKIT_DBUS_H */
-
-
diff --git a/src/polkit-dbus/polkit-read-auth-helper.c b/src/polkit-dbus/polkit-read-auth-helper.c
index edc19c6..767b7b1 100644
--- a/src/polkit-dbus/polkit-read-auth-helper.c
+++ b/src/polkit-dbus/polkit-read-auth-helper.c
@@ -46,109 +46,6 @@
#include <polkit-dbus/polkit-dbus.h>
-/* This is a bit incestuous; we are, effectively, calling into
- * ourselves.. it's safe though; this function will never get hit..
- */
-static polkit_bool_t
-check_for_auth (uid_t caller_uid, pid_t caller_pid)
-{
- polkit_bool_t ret;
- DBusError error;
- DBusConnection *bus;
- PolKitCaller *caller;
- PolKitAction *action;
- PolKitContext *context;
- PolKitError *pk_error;
- PolKitResult pk_result;
-
- ret = FALSE;
-
- dbus_error_init (&error);
- bus = dbus_bus_get (DBUS_BUS_SYSTEM, &error);
- if (bus == NULL) {
- fprintf (stderr, "polkit-read-auth-helper: cannot connect to system bus: %s: %s\n",
- error.name, error.message);
- dbus_error_free (&error);
- goto out;
- }
-
- caller = polkit_caller_new_from_pid (bus, caller_pid, &error);
- if (caller == NULL) {
- fprintf (stderr, "polkit-read-auth-helper: cannot get caller from pid: %s: %s\n",
- error.name, error.message);
- goto out;
- }
-
- action = polkit_action_new ();
- if (action == NULL) {
- fprintf (stderr, "polkit-read-auth-helper: cannot allocate PolKitAction\n");
- goto out;
- }
- if (!polkit_action_set_action_id (action, "org.freedesktop.policykit.read")) {
- fprintf (stderr, "polkit-read-auth-helper: cannot set action_id\n");
- goto out;
- }
-
- context = polkit_context_new ();
- if (context == NULL) {
- fprintf (stderr, "polkit-read-auth-helper: cannot allocate PolKitContext\n");
- goto out;
- }
-
- pk_error = NULL;
- if (!polkit_context_init (context, &pk_error)) {
- fprintf (stderr, "polkit-read-auth-helper: cannot initialize polkit context: %s: %s\n",
- polkit_error_get_error_name (pk_error),
- polkit_error_get_error_message (pk_error));
- polkit_error_free (pk_error);
- goto out;
- }
-
- pk_result = polkit_context_is_caller_authorized (context, action, caller, FALSE, &pk_error);
- if (polkit_error_is_set (pk_error)) {
-
- if (polkit_error_get_error_code (pk_error) ==
- POLKIT_ERROR_NOT_AUTHORIZED_TO_READ_AUTHORIZATIONS_FOR_OTHER_USERS) {
- polkit_error_free (pk_error);
- pk_error = NULL;
- } else {
- fprintf (stderr, "polkit-read-auth-helper: cannot determine if caller is authorized: %s: %s\n",
- polkit_error_get_error_name (pk_error),
- polkit_error_get_error_message (pk_error));
- polkit_error_free (pk_error);
- goto out;
- }
- }
-
- if (pk_result != POLKIT_RESULT_YES) {
- /* having 'grant' (which is a lot more powerful) is also sufficient.. this is because 'read'
- * is required to 'grant' (to check if there's a similar authorization already)
- */
- if (!polkit_action_set_action_id (action, "org.freedesktop.policykit.grant")) {
- fprintf (stderr, "polkit-read-auth-helper: cannot set action_id\n");
- goto out;
- }
-
- pk_result = polkit_context_is_caller_authorized (context, action, caller, FALSE, &pk_error);
- if (polkit_error_is_set (pk_error)) {
- fprintf (stderr, "polkit-read-auth-helper: cannot determine if caller is authorized: %s: %s\n",
- polkit_error_get_error_name (pk_error),
- polkit_error_get_error_message (pk_error));
- polkit_error_free (pk_error);
- goto out;
- }
-
- if (pk_result != POLKIT_RESULT_YES) {
- goto out;
- }
- }
-
- ret = TRUE;
-out:
-
- return ret;
-}
-
static polkit_bool_t
dump_auths_from_file (const char *path, uid_t uid)
{
@@ -432,18 +329,15 @@ main (int argc, char *argv[])
/* uid 0 and user polkituser is allowed to read anything */
if (caller_uid != 0 && caller_uid != uid_for_polkit_user) {
if (caller_uid != requesting_info_for_uid) {
+ pid_t ppid;
+
+ ppid = getppid ();
+ if (ppid == 1)
+ goto out;
- /* see if calling user has the
- *
- * org.freedesktop.policykit.read
- *
- * authorization
- */
- if (!check_for_auth (caller_uid, getppid ())) {
- //fprintf (stderr,
- // "polkit-read-auth-helper: uid %d cannot read authorizations for uid %d.\n",
- // caller_uid,
- // requesting_info_for_uid);
+ if (polkit_check_auth (ppid,
+ "org.freedesktop.policykit.read",
+ "org.freedesktop.policykit.grant", NULL) == 0) {
goto out;
}
}
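Review bot: The `ppid == 1` test only catches a parent that had already exited before `getppid ()` ran; if the parent exits while polkit_check_auth() is still looking the pid up, the decision can end up being made about whatever process holds that number by then. Re-reading the parent after the check narrows that window, e.g. `if (getppid () != ppid) goto out;` placed right after the polkit_check_auth() block, since a reparented helper should not see its old parent pid again. The same getppid()/`ppid == 1` sequence is added to main() in polkit-set-default-helper.c, polkit-explicit-grant-helper.c and polkit-revoke-helper.c, so a shared helper with a short comment on why pid 1 is refused would keep the four copies from drifting. main() starts and ends outside this hunk.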
diff --git a/src/polkit-dbus/polkit-set-default-helper.c b/src/polkit-dbus/polkit-set-default-helper.c
index ffaaa2a..2018ba2 100644
--- a/src/polkit-dbus/polkit-set-default-helper.c
+++ b/src/polkit-dbus/polkit-set-default-helper.c
@@ -50,82 +50,6 @@
#include <polkit-dbus/polkit-dbus.h>
static polkit_bool_t
-check_for_auth (uid_t caller_uid, pid_t caller_pid)
-{
- polkit_bool_t ret;
- DBusError error;
- DBusConnection *bus;
- PolKitCaller *caller;
- PolKitAction *action;
- PolKitContext *context;
- PolKitError *pk_error;
- PolKitResult pk_result;
-
- ret = FALSE;
-
- dbus_error_init (&error);
- bus = dbus_bus_get (DBUS_BUS_SYSTEM, &error);
- if (bus == NULL) {
- fprintf (stderr, "polkit-set-default-helper: cannot connect to system bus: %s: %s\n",
- error.name, error.message);
- dbus_error_free (&error);
- goto out;
- }
-
- caller = polkit_caller_new_from_pid (bus, caller_pid, &error);
- if (caller == NULL) {
- fprintf (stderr, "polkit-set-default-helper: cannot get caller from pid: %s: %s\n",
- error.name, error.message);
- goto out;
- }
-
- action = polkit_action_new ();
- if (action == NULL) {
- fprintf (stderr, "polkit-set-default-helper: cannot allocate PolKitAction\n");
- goto out;
- }
-
- if (!polkit_action_set_action_id (action, "org.freedesktop.policykit.modify-defaults")) {
- fprintf (stderr, "polkit-set-default-helper: cannot set action_id\n");
- goto out;
- }
-
- context = polkit_context_new ();
- if (context == NULL) {
- fprintf (stderr, "polkit-set-default-helper: cannot allocate PolKitContext\n");
- goto out;
- }
-
- pk_error = NULL;
- if (!polkit_context_init (context, &pk_error)) {
- fprintf (stderr, "polkit-set-default-helper: cannot initialize polkit context: %s: %s\n",
- polkit_error_get_error_name (pk_error),
- polkit_error_get_error_message (pk_error));
- polkit_error_free (pk_error);
- goto out;
- }
-
- pk_result = polkit_context_is_caller_authorized (context, action, caller, TRUE, &pk_error);
- if (polkit_error_is_set (pk_error)) {
-
- fprintf (stderr, "polkit-set-default-helper: cannot determine if caller is authorized: %s: %s\n",
- polkit_error_get_error_name (pk_error),
- polkit_error_get_error_message (pk_error));
- polkit_error_free (pk_error);
- goto out;
- }
-
- if (pk_result != POLKIT_RESULT_YES) {
- goto out;
- }
-
- ret = TRUE;
-out:
-
- return ret;
-}
-
-static polkit_bool_t
set_default (const char *action_id, const char *any, const char *inactive, const char *active)
{
char *path;
@@ -243,13 +167,13 @@ main (int argc, char *argv[])
/* uid 0 is allowed to set anything */
if (caller_uid != 0) {
- /* see if calling user has the
- *
- * org.freedesktop.policykit.modify-defaults
- *
- * authorization
- */
- if (!check_for_auth (caller_uid, getppid ())) {
+ pid_t ppid;
+
+ ppid = getppid ();
+ if (ppid == 1)
+ goto out;
+
+ if (polkit_check_auth (ppid, "org.freedesktop.policykit.modify-defaults", NULL) == 0) {
goto out;
}
}
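Review bot: The removed check_for_auth() in this file called polkit_context_is_caller_authorized() with `TRUE` as its fourth argument, while polkit_check_authv() always passes `FALSE`, so routing the modify-defaults check through `polkit_check_auth (ppid, "org.freedesktop.policykit.modify-defaults", NULL)` changes behaviour. If that flag is the revoke-if-one-shot switch, as it appears to be, a one-shot authorization for modify-defaults is no longer consumed when it is used here. Either keep a local check that passes `TRUE`, or state the intent next to the call with a comment such as `/* one-shot auths are deliberately not revoked here */`. main() continues outside the hunk.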
diff --git a/src/polkit-dbus/polkit-simple.c b/src/polkit-dbus/polkit-simple.c
new file mode 100644
index 0000000..b6d9ac9
--- /dev/null
+++ b/src/polkit-dbus/polkit-simple.c
@@ -0,0 +1,247 @@
+/* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 8 -*- */
+/***************************************************************************
+ *
+ * polkit-simple.c : Simple convenience interface
+ *
+ * Copyright (C) 2007 David Zeuthen, <david at fubar.dk>
+ *
+ * Licensed under the Academic Free License version 2.1
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ **************************************************************************/
+
+/**
+ * SECTION:polkit-simple
+ * @title: Simple convenience interface
+ * @short_description: Simple convenience interface
+ *
+ * Simple convenience interface
+ **/
+
+#ifdef HAVE_CONFIG_H
+# include <config.h>
+#endif
+
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/types.h>
+#include <pwd.h>
+#include <grp.h>
+#include <unistd.h>
+#include <errno.h>
+
+#include <polkit/polkit-private.h>
+#include "polkit-simple.h"
+
+
+/**
+ * polkit_check_auth:
+ * @pid: process to check for; typically you want to pass the result of getpid() here
+ * @...: %NULL terminated list of action identifiers to check for
+ *
+ * A simple convenience function to check whether a given process is
+ * authorized for a number of actions.
+ *
+ * This is useful for programs that just wants to check whether they
+ * should carry out some action. Note that the user identity used for
+ * the purpose of checking authorizations is the Real one compared to
+ * the e.g. Effective one (e.g. getuid(), getgid() is used instead of
+ * e.g. geteuid(), getegid()). This is typically what one wants in a
+ * setuid root program if the setuid root program is designed to do
+ * work on behalf of the unprivileged user who invoked it (for
+ * example, the PulseAudio sound server is setuid root only so it can
+ * become a real time process; after that it drops all privileges).
+ *
+ * It varies whether one wants to pass getpid() or getppid() as the
+ * process id to this function. For example, in the PulseAudio case it
+ * is the right thing to pass getpid(). However, in a setup where the
+ * process is a privileged helper, one wants to pass the process id of
+ * the parent. Beware though, if the parent dies, getppid() will
+ * return 1 (the process id of <literal>/sbin/init</literal>) which is
+ * almost certainly guaranteed to be privileged as it is running as
+ * uid 0.
+ *
+ * Note that this function will open a connection to the system
+ * message bus and query ConsoleKit for details. In addition, it will
+ * load PolicyKit specific files and spawn privileged helpers if
+ * necessary. As such, there is a bit of IPC, context switching,
+ * syscall overhead and I/O involved in using this function. If you
+ * are planning on calling this function multiple times (e.g. from a
+ * daemon) on a frequent basis and/or need more detail you should use
+ * the #PolKitContext and #PolKitTracker classes instead as these are
+ * designed to aggresively cache information.
+ *
+ * The return value is a bit mask indicating whether the given process
+ * is authorized for the given actions. Bit 0 represents the first
+ * action; bit 1 represents the 2nd action and so forth. A bit is set
+ * to 1 if, and only if, the caller is authorized for the given
+ * action. If the given action is unknown zero will be returned as well.
+ *
+ * If the function succeeds, errno will be set to 0. If an error
+ * occurs 0 is returned and errno will be set:
+ * <itemizedlist>
+ * <listitem><literal>ENOMEM</literal>: Out of memory.</listitem>
+ * <listitem><literal>ENOENT</literal>: Failed to connect to either the system message bus or ConsoleKit.</listitem>
+ * </itemizedlist>
+ *
+ * Returns: See above
+ *
+ * Since: 0.7
+ */
+polkit_uint64_t
+polkit_check_auth (pid_t pid, ...)
+{
+ int n;
+ va_list args;
+ char *action_id;
+ polkit_uint64_t ret;
+ const char *action_ids[65];
+
+ ret = 0;
+
+ n = 0;
+ va_start (args, pid);
+ while ((action_id = va_arg (args, char *)) != NULL) {
+ if (n == 64) {
+ errno = EOVERFLOW;
+ goto out;
+ }
+ action_ids[n++] = action_id;
+ }
+ va_end (args);
+ action_ids[n] = NULL;
+
+ ret = polkit_check_authv (pid, action_ids);
+out:
+ return ret;
+}
+
+/**
+ * polkit_check_authv:
+ * @pid: See docs for polkit_check_auth()
+ * @action_ids: %NULL terminated array of action id's
+ *
+ * This function is similar to polkit_check_auth() but takes an %NULL
+ * terminated array instead of being a varadic function.
+ *
+ * Returns: See docs for polkit_check_auth()
+ *
+ * Since: 0.7
+ */
+polkit_uint64_t
+polkit_check_authv (pid_t pid, const char **action_ids)
+{
+ int n;
+ polkit_uint64_t ret;
+ DBusError error;
+ DBusConnection *bus;
+ PolKitCaller *caller;
+ PolKitContext *context;
+ PolKitError *pk_error;
+ PolKitResult pk_result;
+
+ ret = 0;
+ errno = ENOENT;
+
+ dbus_error_init (&error);
+ bus = dbus_bus_get (DBUS_BUS_SYSTEM, &error);
+ if (bus == NULL) {
+ kit_warning ("cannot connect to system bus: %s: %s", error.name, error.message);
+ dbus_error_free (&error);
+ goto out;
+ }
+
+ caller = polkit_caller_new_from_pid (bus, pid, &error);
+ if (caller == NULL) {
+ kit_warning ("cannot get caller from pid: %s: %s", error.name, error.message);
+ goto out;
+ }
+
+ context = polkit_context_new ();
+ if (context == NULL) {
+ kit_warning ("cannot allocate PolKitContext");
+ errno = ENOMEM;
+ goto out;
+ }
+
+ pk_error = NULL;
+ if (!polkit_context_init (context, &pk_error)) {
+ kit_warning ("cannot initialize polkit context: %s: %s",
+ polkit_error_get_error_name (pk_error),
+ polkit_error_get_error_message (pk_error));
+ polkit_error_free (pk_error);
+ goto out;
+ }
+
+ for (n = 0; action_ids[n] != NULL; n++) {
+ PolKitAction *action;
+
+ action = polkit_action_new ();
+ if (action == NULL) {
+ kit_warning ("cannot allocate PolKitAction");
+ errno = ENOMEM;
+ goto out;
+ }
+ if (!polkit_action_set_action_id (action, action_ids[n])) {
+ polkit_action_unref (action);
+ kit_warning ("cannot set action_id");
+ errno = ENOMEM;
+ goto out;
+ }
+
+ pk_error = NULL;
+ pk_result = polkit_context_is_caller_authorized (context, action, caller, FALSE, &pk_error);
+
+ if (polkit_error_is_set (pk_error)) {
+ polkit_error_free (pk_error);
+ pk_error = NULL;
+ } else {
+ if (pk_result == POLKIT_RESULT_YES)
+ ret |= (1<<n);
+ }
+
+ polkit_action_unref (action);
+ }
+
+out:
+ if (bus != NULL)
+ dbus_connection_unref (bus);
+ if (caller != NULL)
+ polkit_caller_unref (caller);
+ if (context != NULL)
+ polkit_context_unref (context);
+
+ return ret;
+}
+
+#ifdef POLKIT_BUILD_TESTS
+
+static polkit_bool_t
+_run_test (void)
+{
+ return TRUE;
+}
+
+KitTest _test_simple = {
+ "polkit_simple",
+ NULL,
+ NULL,
+ _run_test
+};
+
+#endif /* POLKIT_BUILD_TESTS */
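Review bot: polkit_check_authv() jumps to `out:` when dbus_bus_get() fails, and the cleanup there tests `caller` and `context`, which are never initialised, so a failed bus connection inside a setuid helper unrefs stack garbage; `bus`, `caller` and `context` should all start as NULL. In the same function `ret |= (1<<n)` shifts an int, so actions at index 31 and above never get a correct bit in the 64-bit mask (and the shift is undefined), and nothing stops `n` from passing 63 when the caller's array is longer. polkit_check_auth() leaves through `goto out` on EOVERFLOW without calling va_end(). The doc comment promises errno is 0 on success, but the function sets ENOENT on entry and never clears it, and EOVERFLOW is not listed among the documented errors.

```c
polkit_uint64_t
polkit_check_auth (pid_t pid, ...)
{
        /* … unchanged: declarations, ret = 0, n = 0, va_start … */
        while ((action_id = va_arg (args, char *)) != NULL) {
                if (n == 64) {
                        va_end (args);
                        errno = EOVERFLOW;
                        goto out;
                }
                action_ids[n++] = action_id;
        }
        /* … unchanged: va_end, NULL terminator, polkit_check_authv call … */

polkit_uint64_t
polkit_check_authv (pid_t pid, const char **action_ids)
{
        /* … unchanged: n, ret, error, pk_error, pk_result declarations … */
        DBusConnection *bus = NULL;
        PolKitCaller *caller = NULL;
        PolKitContext *context = NULL;

        /* … unchanged: bus, caller and context setup … */

        for (n = 0; action_ids[n] != NULL; n++) {
                PolKitAction *action;

                /* the result mask has 64 bits; refuse longer lists */
                if (n == 64) {
                        ret = 0;
                        errno = EOVERFLOW;
                        goto out;
                }

                /* … unchanged: action setup and authorization query … */
                        if (pk_result == POLKIT_RESULT_YES)
                                ret |= ((polkit_uint64_t) 1) << n;
                /* … unchanged: action unref … */
        }

        /* documented contract: errno is 0 when the check itself succeeded */
        errno = 0;
        /* … unchanged: out: cleanup and return … */
```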
diff --git a/src/polkit-dbus/polkit-simple.h b/src/polkit-dbus/polkit-simple.h
new file mode 100644
index 0000000..c982621
--- /dev/null
+++ b/src/polkit-dbus/polkit-simple.h
@@ -0,0 +1,42 @@
+/* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 8 -*- */
+/***************************************************************************
+ *
+ * polkit-simple.h : Simple convenience interface
+ *
+ * Copyright (C) 2007 David Zeuthen, <david at fubar.dk>
+ *
+ * Licensed under the Academic Free License version 2.1
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ *
+ **************************************************************************/
+
+#if !defined (POLKIT_COMPILATION) && !defined(_POLKIT_INSIDE_POLKIT_DBUS_H)
+#error "Only <polkit-dbus/polkit-dbus.h> can be included directly, this file may disappear or change contents."
+#endif
+
+#ifndef POLKIT_SIMPLE_H
+#define POLKIT_SIMPLE_H
+
+#include <polkit-dbus/polkit-dbus.h>
+
+POLKIT_BEGIN_DECLS
+
+polkit_uint64_t polkit_check_auth (pid_t pid, ...);
+polkit_uint64_t polkit_check_authv (pid_t pid, const char **action_ids);
+
+POLKIT_END_DECLS
+
+#endif /* POLKIT_SIMPLE_H */
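Review bot: polkit_check_auth() depends on the caller ending the argument list with NULL, and the prototype gives the compiler no way to check that; a forgotten terminator makes the function walk past its arguments inside what is usually a setuid program. Marking the declaration with GCC's sentinel attribute (behind a compiler guard), e.g. `polkit_uint64_t polkit_check_auth (pid_t pid, ...) __attribute__ ((sentinel));`, turns that mistake into a warning. A one-line comment above each prototype stating that 0 means both "not authorized" and "error, see errno" would also help callers fail closed.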
diff --git a/src/polkit-grant/polkit-explicit-grant-helper.c b/src/polkit-grant/polkit-explicit-grant-helper.c
index 3f5d2ef..7d08448 100644
--- a/src/polkit-grant/polkit-explicit-grant-helper.c
+++ b/src/polkit-grant/polkit-explicit-grant-helper.c
@@ -47,84 +47,6 @@
#include <polkit-dbus/polkit-dbus.h>
#include <polkit/polkit-private.h>
-static polkit_bool_t
-check_pid_for_authorization (pid_t caller_pid, const char *action_id)
-{
- polkit_bool_t ret;
- DBusError error;
- DBusConnection *bus;
- PolKitCaller *caller;
- PolKitAction *action;
- PolKitContext *context;
- PolKitError *pk_error;
- PolKitResult pk_result;
-
- ret = FALSE;
-
- dbus_error_init (&error);
- bus = dbus_bus_get (DBUS_BUS_SYSTEM, &error);
- if (bus == NULL) {
- fprintf (stderr, "polkit-explicit-grant-helper: cannot connect to system bus: %s: %s\n",
- error.name, error.message);
- dbus_error_free (&error);
- goto out;
- }
-
- caller = polkit_caller_new_from_pid (bus, caller_pid, &error);
- if (caller == NULL) {
- fprintf (stderr, "polkit-explicit-grant-helper: cannot get caller from pid: %s: %s\n",
- error.name, error.message);
- goto out;
- }
-
- action = polkit_action_new ();
- if (action == NULL) {
- fprintf (stderr, "polkit-explicit-grant-helper: cannot allocate PolKitAction\n");
- goto out;
- }
- if (!polkit_action_set_action_id (action, action_id)) {
- fprintf (stderr, "polkit-explicit-grant-helper: cannot set action_id\n");
- goto out;
- }
-
- context = polkit_context_new ();
- if (context == NULL) {
- fprintf (stderr, "polkit-explicit-grant-helper: cannot allocate PolKitContext\n");
- goto out;
- }
-
- pk_error = NULL;
- if (!polkit_context_init (context, &pk_error)) {
- fprintf (stderr, "polkit-explicit-grant-helper: cannot initialize polkit context: %s: %s\n",
- polkit_error_get_error_name (pk_error),
- polkit_error_get_error_message (pk_error));
- polkit_error_free (pk_error);
- goto out;
- }
-
- pk_result = polkit_context_is_caller_authorized (context, action, caller, FALSE, &pk_error);
- if (polkit_error_is_set (pk_error)) {
- fprintf (stderr, "polkit-explicit-grant-helper: cannot determine if caller is authorized: %s: %s\n",
- polkit_error_get_error_name (pk_error),
- polkit_error_get_error_message (pk_error));
- polkit_error_free (pk_error);
- goto out;
- }
-
- if (pk_result != POLKIT_RESULT_YES) {
- //fprintf (stderr,
- // "polkit-explicit-grant-helper: uid %d (pid %d) does not have the "
- // "org.freedesktop.policykit.read-other-authorizations authorization\n",
- // caller_uid, caller_pid);
- goto out;
- }
-
- ret = TRUE;
-out:
-
- return ret;
-}
-
int
main (int argc, char *argv[])
{
@@ -225,11 +147,13 @@ main (int argc, char *argv[])
/* OK, we're done parsing ... check if the user is authorized */
if (invoking_uid != 0) {
- /* see if calling user is authorized for
- *
- * org.freedesktop.policykit.grant
- */
- if (!check_pid_for_authorization (getppid (), "org.freedesktop.policykit.grant")) {
+ pid_t ppid;
+
+ ppid = getppid ();
+ if (ppid == 1)
+ goto out;
+
+ if (polkit_check_auth (ppid, "org.freedesktop.policykit.grant", NULL) == 0) {
goto out;
}
}
diff --git a/src/polkit-grant/polkit-revoke-helper.c b/src/polkit-grant/polkit-revoke-helper.c
index f588afc..e4853ee 100644
--- a/src/polkit-grant/polkit-revoke-helper.c
+++ b/src/polkit-grant/polkit-revoke-helper.c
@@ -45,81 +45,6 @@
#include <polkit-dbus/polkit-dbus.h>
-static polkit_bool_t
-check_for_authorization (const char *action_id, pid_t caller_pid)
-{
- polkit_bool_t ret;
- DBusError error;
- DBusConnection *bus;
- PolKitCaller *caller;
- PolKitAction *action;
- PolKitContext *context;
- PolKitError *pk_error;
- PolKitResult pk_result;
-
- ret = FALSE;
-
- dbus_error_init (&error);
- bus = dbus_bus_get (DBUS_BUS_SYSTEM, &error);
- if (bus == NULL) {
- fprintf (stderr, "polkit-revoke-helper: cannot connect to system bus: %s: %s\n",
- error.name, error.message);
- dbus_error_free (&error);
- goto out;
- }
-
- caller = polkit_caller_new_from_pid (bus, caller_pid, &error);
- if (caller == NULL) {
- fprintf (stderr, "polkit-revoke-helper: cannot get caller from pid: %s: %s\n",
- error.name, error.message);
- goto out;
- }
-
- action = polkit_action_new ();
- if (action == NULL) {
- fprintf (stderr, "polkit-revoke-helper: cannot allocate PolKitAction\n");
- goto out;
- }
- if (!polkit_action_set_action_id (action, action_id)) {
- fprintf (stderr, "polkit-revoke-helper: cannot set action_id\n");
- goto out;
- }
-
- context = polkit_context_new ();
- if (context == NULL) {
- fprintf (stderr, "polkit-revoke-helper: cannot allocate PolKitContext\n");
- goto out;
- }
-
- pk_error = NULL;
- if (!polkit_context_init (context, &pk_error)) {
- fprintf (stderr, "polkit-revoke-helper: cannot initialize polkit context: %s: %s\n",
- polkit_error_get_error_name (pk_error),
- polkit_error_get_error_message (pk_error));
- polkit_error_free (pk_error);
- goto out;
- }
-
- pk_result = polkit_context_is_caller_authorized (context, action, caller, FALSE, &pk_error);
- if (polkit_error_is_set (pk_error)) {
- fprintf (stderr, "polkit-revoke-helper: cannot determine if caller is authorized: %s: %s\n",
- polkit_error_get_error_name (pk_error),
- polkit_error_get_error_message (pk_error));
- polkit_error_free (pk_error);
- goto out;
- }
-
- if (pk_result != POLKIT_RESULT_YES) {
- goto out;
- }
-
- ret = TRUE;
-out:
-
- return ret;
-}
-
-
static int
_write_to_fd (int fd, const char *str, ssize_t str_len)
{
@@ -273,26 +198,14 @@ found:
if (invoking_uid != 0) {
/* Check that the caller is privileged to do this... */
if (invoking_uid != uid_to_revoke) {
-
- /* see if calling user has the
- *
- * org.freedesktop.policykit.revoke
- *
- * authorization
- */
- if (!check_for_authorization ("org.freedesktop.policykit.revoke", getppid ())) {
-
- /* if it's about revoking a one-shot authorization, it's sufficient to have
- * org.freedesktop.policykit.read - see polkit_context_is_caller_authorized()
- * for why...
- */
- if (is_one_shot) {
- if (!check_for_authorization ("org.freedesktop.policykit.read", getppid ())) {
- goto out;
- }
- } else {
- goto out;
- }
+ pid_t ppid;
+
+ ppid = getppid ();
+ if (ppid == 1)
+ goto out;
+
+ if (polkit_check_auth (ppid, "org.freedesktop.policykit.revoke", NULL) == 0) {
+ goto out;
}
}
}
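Review bot: The `is_one_shot` fallback is dropped here: the old code also accepted `org.freedesktop.policykit.read` when a one-shot authorization was being revoked, and the new call checks only `org.freedesktop.policykit.revoke`. That is stricter, but the commit message describes a port rather than a policy change, and the removed comment pointed at polkit_context_is_caller_authorized() as the reason for the fallback. If it is still wanted, the variadic form can express it as `polkit_check_auth (ppid, "org.freedesktop.policykit.revoke", is_one_shot ? "org.freedesktop.policykit.read" : NULL, NULL) == 0`, assuming `is_one_shot` is still in scope in the part of the function outside this hunk.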