PolicyKit: Branch 'master'

David Zeuthen david at kemper.freedesktop.org
Sun Nov 18 16:16:28 PST 2007


 doc/polkit-docs.xml                             |    1 
 src/polkit-dbus/Makefile.am                     |    6 
 src/polkit-dbus/polkit-dbus.h                   |    6 
 src/polkit-dbus/polkit-read-auth-helper.c       |  122 -----------
 src/polkit-dbus/polkit-set-default-helper.c     |   90 --------
 src/polkit-dbus/polkit-simple.c                 |  247 ++++++++++++++++++++++++
 src/polkit-dbus/polkit-simple.h                 |   42 ++++
 src/polkit-grant/polkit-explicit-grant-helper.c |   90 --------
 src/polkit-grant/polkit-revoke-helper.c         |  103 ----------
 9 files changed, 328 insertions(+), 379 deletions(-)

New commits:
commit a712e78e69220b43695463e00983e9316a646d32
Author: David Zeuthen <davidz at redhat.com>
Date:   Sun Nov 18 19:16:23 2007 -0500

    provide convenience functions for auth checking and port helpers to use them
    
    Basically, checking auths with polkit is now a one-liner:
    
        if (polkit_check_auth (getpid (), "com.acme.some-action", NULL) == 0) {
            fprintf (stderr, "Not authorized; go away\n");
            exit (1);
        }
    
    This can be used for making a lot of the legacy UNIX tools PolicyKit
    aware. For example, vixie-cron could make crontab(1) (a setuid
    program) check whether the calling user is authorized for the action
    
     org.isc.vixie-cron.edit-own-crontab
    
    This is a nice way to provide least privilege and still put the system
    administrator in control via polkit-auth(1), polkit-action(1) and the
    GTK+ "Manage Authorizations" utility:
    
     http://people.redhat.com/davidz/polkitg-auth-1.png
     http://people.redhat.com/davidz/polkitg-auth-2.png
     http://people.redhat.com/davidz/polkitg-auth-3.png

diff --git a/doc/polkit-docs.xml b/doc/polkit-docs.xml
index 5e54e02..b309a55 100644
--- a/doc/polkit-docs.xml
+++ b/doc/polkit-docs.xml
@@ -104,6 +104,7 @@
     </partintro>
     <xi:include href="xml/polkit-types.xml"/>
     <xi:include href="xml/polkit-sysdeps.xml"/>
+    <xi:include href="xml/polkit-simple.xml"/>
     <xi:include href="xml/polkit-error.xml"/>
     <xi:include href="xml/polkit-result.xml"/>
     <xi:include href="xml/polkit-action.xml"/>
diff --git a/src/polkit-dbus/Makefile.am b/src/polkit-dbus/Makefile.am
index 6c5a165..d426848 100644
--- a/src/polkit-dbus/Makefile.am
+++ b/src/polkit-dbus/Makefile.am
@@ -18,10 +18,12 @@ lib_LTLIBRARIES=libpolkit-dbus.la
 libpolkit_dbusincludedir=$(includedir)/PolicyKit/polkit-dbus
 
 libpolkit_dbusinclude_HEADERS =              			\
-	polkit-dbus.h
+	polkit-dbus.h						\
+	polkit-simple.h
 
 libpolkit_dbus_la_SOURCES =                                	\
-	polkit-dbus.h		polkit-dbus.c
+	polkit-dbus.h		polkit-dbus.c			\
+	polkit-simple.h		polkit-simple.c
 
 libpolkit_dbus_la_LIBADD = @DBUS_LIBS@ $(top_builddir)/src/polkit/libpolkit.la $(SELINUX_LIBS) $(GLIB_LIBS)
 
diff --git a/src/polkit-dbus/polkit-dbus.h b/src/polkit-dbus/polkit-dbus.h
index 98f2353..4d99d0e 100644
--- a/src/polkit-dbus/polkit-dbus.h
+++ b/src/polkit-dbus/polkit-dbus.h
@@ -30,6 +30,10 @@
 #include <polkit/polkit.h>
 #include <dbus/dbus.h>
 
+#define _POLKIT_INSIDE_POLKIT_DBUS_H 1
+#include <polkit-dbus/polkit-simple.h>
+#undef _POLKIT_INSIDE_POLKIT_DBUS_H
+
 POLKIT_BEGIN_DECLS
 
 PolKitSession *polkit_session_new_from_objpath   (DBusConnection *con, const char *objpath, uid_t uid, DBusError *error);
@@ -62,5 +66,3 @@ polkit_bool_t  polkit_tracker_is_authorization_relevant  (PolKitTracker *pk_trac
 POLKIT_END_DECLS
 
 #endif /* POLKIT_DBUS_H */
-
-
diff --git a/src/polkit-dbus/polkit-read-auth-helper.c b/src/polkit-dbus/polkit-read-auth-helper.c
index edc19c6..767b7b1 100644
--- a/src/polkit-dbus/polkit-read-auth-helper.c
+++ b/src/polkit-dbus/polkit-read-auth-helper.c
@@ -46,109 +46,6 @@
 
 #include <polkit-dbus/polkit-dbus.h>
 
-/* This is a bit incestuous; we are, effectively, calling into
- * ourselves.. it's safe though; this function will never get hit..
- */
-static polkit_bool_t
-check_for_auth (uid_t caller_uid, pid_t caller_pid)
-{
-        polkit_bool_t ret;
-        DBusError error;
-        DBusConnection *bus;
-        PolKitCaller *caller;
-        PolKitAction *action;
-        PolKitContext *context;
-        PolKitError *pk_error;
-        PolKitResult pk_result;
-
-        ret = FALSE;
-
-        dbus_error_init (&error);
-        bus = dbus_bus_get (DBUS_BUS_SYSTEM, &error);
-        if (bus == NULL) {
-                fprintf (stderr, "polkit-read-auth-helper: cannot connect to system bus: %s: %s\n", 
-                         error.name, error.message);
-                dbus_error_free (&error);
-                goto out;
-        }
-
-        caller = polkit_caller_new_from_pid (bus, caller_pid, &error);
-        if (caller == NULL) {
-                fprintf (stderr, "polkit-read-auth-helper: cannot get caller from pid: %s: %s\n",
-                         error.name, error.message);
-                goto out;
-        }
-
-        action = polkit_action_new ();
-        if (action == NULL) {
-                fprintf (stderr, "polkit-read-auth-helper: cannot allocate PolKitAction\n");
-                goto out;
-        }
-        if (!polkit_action_set_action_id (action, "org.freedesktop.policykit.read")) {
-                fprintf (stderr, "polkit-read-auth-helper: cannot set action_id\n");
-                goto out;
-        }
-
-        context = polkit_context_new ();
-        if (context == NULL) {
-                fprintf (stderr, "polkit-read-auth-helper: cannot allocate PolKitContext\n");
-                goto out;
-        }
-
-        pk_error = NULL;
-        if (!polkit_context_init (context, &pk_error)) {
-                fprintf (stderr, "polkit-read-auth-helper: cannot initialize polkit context: %s: %s\n",
-                         polkit_error_get_error_name (pk_error),
-                         polkit_error_get_error_message (pk_error));
-                polkit_error_free (pk_error);
-                goto out;
-        }
-
-        pk_result = polkit_context_is_caller_authorized (context, action, caller, FALSE, &pk_error);
-        if (polkit_error_is_set (pk_error)) {
-
-                if (polkit_error_get_error_code (pk_error) == 
-                    POLKIT_ERROR_NOT_AUTHORIZED_TO_READ_AUTHORIZATIONS_FOR_OTHER_USERS) {
-                        polkit_error_free (pk_error);
-                        pk_error = NULL;
-                } else {
-                        fprintf (stderr, "polkit-read-auth-helper: cannot determine if caller is authorized: %s: %s\n",
-                                 polkit_error_get_error_name (pk_error),
-                                 polkit_error_get_error_message (pk_error));
-                        polkit_error_free (pk_error);
-                        goto out;
-                }
-        }
-        
-        if (pk_result != POLKIT_RESULT_YES) {
-                /* having 'grant' (which is a lot more powerful) is also sufficient.. this is because 'read'
-                 * is required to 'grant' (to check if there's a similar authorization already)
-                 */
-                if (!polkit_action_set_action_id (action, "org.freedesktop.policykit.grant")) {
-                        fprintf (stderr, "polkit-read-auth-helper: cannot set action_id\n");
-                        goto out;
-                }
-
-                pk_result = polkit_context_is_caller_authorized (context, action, caller, FALSE, &pk_error);
-                if (polkit_error_is_set (pk_error)) {
-                        fprintf (stderr, "polkit-read-auth-helper: cannot determine if caller is authorized: %s: %s\n",
-                                 polkit_error_get_error_name (pk_error),
-                                 polkit_error_get_error_message (pk_error));
-                        polkit_error_free (pk_error);
-                        goto out;
-                }
-
-                if (pk_result != POLKIT_RESULT_YES) {
-                        goto out;
-                }
-        }
-
-        ret = TRUE;
-out:
-
-        return ret;
-}
-
 static polkit_bool_t
 dump_auths_from_file (const char *path, uid_t uid)
 {
@@ -432,18 +329,15 @@ main (int argc, char *argv[])
         /* uid 0 and user polkituser is allowed to read anything */
         if (caller_uid != 0 && caller_uid != uid_for_polkit_user) {
                 if (caller_uid != requesting_info_for_uid) {
+                        pid_t ppid;
+                        
+                        ppid = getppid ();
+                        if (ppid == 1)
+                                goto out;
 
-                        /* see if calling user has the
-                         *
-                         *  org.freedesktop.policykit.read
-                         *
-                         * authorization
-                         */
-                        if (!check_for_auth (caller_uid, getppid ())) {
-                                //fprintf (stderr, 
-                                //         "polkit-read-auth-helper: uid %d cannot read authorizations for uid %d.\n", 
-                                //        caller_uid,
-                                //        requesting_info_for_uid);
+                        if (polkit_check_auth (ppid, 
+                                               "org.freedesktop.policykit.read", 
+                                               "org.freedesktop.policykit.grant", NULL) == 0) {
                                 goto out;
                         }
                 }
diff --git a/src/polkit-dbus/polkit-set-default-helper.c b/src/polkit-dbus/polkit-set-default-helper.c
index ffaaa2a..2018ba2 100644
--- a/src/polkit-dbus/polkit-set-default-helper.c
+++ b/src/polkit-dbus/polkit-set-default-helper.c
@@ -50,82 +50,6 @@
 #include <polkit-dbus/polkit-dbus.h>
 
 static polkit_bool_t
-check_for_auth (uid_t caller_uid, pid_t caller_pid)
-{
-        polkit_bool_t ret;
-        DBusError error;
-        DBusConnection *bus;
-        PolKitCaller *caller;
-        PolKitAction *action;
-        PolKitContext *context;
-        PolKitError *pk_error;
-        PolKitResult pk_result;
-
-        ret = FALSE;
-
-        dbus_error_init (&error);
-        bus = dbus_bus_get (DBUS_BUS_SYSTEM, &error);
-        if (bus == NULL) {
-                fprintf (stderr, "polkit-set-default-helper: cannot connect to system bus: %s: %s\n", 
-                         error.name, error.message);
-                dbus_error_free (&error);
-                goto out;
-        }
-
-        caller = polkit_caller_new_from_pid (bus, caller_pid, &error);
-        if (caller == NULL) {
-                fprintf (stderr, "polkit-set-default-helper: cannot get caller from pid: %s: %s\n",
-                         error.name, error.message);
-                goto out;
-        }
-
-        action = polkit_action_new ();
-        if (action == NULL) {
-                fprintf (stderr, "polkit-set-default-helper: cannot allocate PolKitAction\n");
-                goto out;
-        }
-
-        if (!polkit_action_set_action_id (action, "org.freedesktop.policykit.modify-defaults")) {
-                fprintf (stderr, "polkit-set-default-helper: cannot set action_id\n");
-                goto out;
-        }
-
-        context = polkit_context_new ();
-        if (context == NULL) {
-                fprintf (stderr, "polkit-set-default-helper: cannot allocate PolKitContext\n");
-                goto out;
-        }
-
-        pk_error = NULL;
-        if (!polkit_context_init (context, &pk_error)) {
-                fprintf (stderr, "polkit-set-default-helper: cannot initialize polkit context: %s: %s\n",
-                         polkit_error_get_error_name (pk_error),
-                         polkit_error_get_error_message (pk_error));
-                polkit_error_free (pk_error);
-                goto out;
-        }
-
-        pk_result = polkit_context_is_caller_authorized (context, action, caller, TRUE, &pk_error);
-        if (polkit_error_is_set (pk_error)) {
-
-                fprintf (stderr, "polkit-set-default-helper: cannot determine if caller is authorized: %s: %s\n",
-                         polkit_error_get_error_name (pk_error),
-                         polkit_error_get_error_message (pk_error));
-                polkit_error_free (pk_error);
-                goto out;
-        }
-        
-        if (pk_result != POLKIT_RESULT_YES) {
-                goto out;
-        }
-
-        ret = TRUE;
-out:
-
-        return ret;
-}
-
-static polkit_bool_t
 set_default (const char *action_id, const char *any, const char *inactive, const char *active)
 {
         char *path;
@@ -243,13 +167,13 @@ main (int argc, char *argv[])
 
         /* uid 0 is allowed to set anything */
         if (caller_uid != 0) {
-                /* see if calling user has the
-                 *
-                 *  org.freedesktop.policykit.modify-defaults
-                 *
-                 * authorization
-                 */
-                if (!check_for_auth (caller_uid, getppid ())) {
+                pid_t ppid;
+                        
+                ppid = getppid ();
+                if (ppid == 1)
+                        goto out;
+
+                if (polkit_check_auth (ppid, "org.freedesktop.policykit.modify-defaults", NULL) == 0) {
                         goto out;
                 }
         }
diff --git a/src/polkit-dbus/polkit-simple.c b/src/polkit-dbus/polkit-simple.c
new file mode 100644
index 0000000..b6d9ac9
--- /dev/null
+++ b/src/polkit-dbus/polkit-simple.c
@@ -0,0 +1,247 @@
+/* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 8 -*- */
+/***************************************************************************
+ *
+ * polkit-simple.c : Simple convenience interface
+ *
+ * Copyright (C) 2007 David Zeuthen, <david at fubar.dk>
+ *
+ * Licensed under the Academic Free License version 2.1
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.	 See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307	 USA
+ *
+ **************************************************************************/
+
+/**
+ * SECTION:polkit-simple
+ * @title: Simple convenience interface
+ * @short_description: Simple convenience interface
+ *
+ * Simple convenience interface
+ **/
+
+#ifdef HAVE_CONFIG_H
+#  include <config.h>
+#endif
+
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/types.h>
+#include <pwd.h>
+#include <grp.h>
+#include <unistd.h>
+#include <errno.h>
+
+#include <polkit/polkit-private.h>
+#include "polkit-simple.h"
+
+
+/**
+ * polkit_check_auth:
+ * @pid: process to check for; typically you want to pass the result of getpid() here
+ * @...: %NULL terminated list of action identifiers to check for
+ *
+ * A simple convenience function to check whether a given process is
+ * authorized for a number of actions. 
+ *
+ * This is useful for programs that just wants to check whether they
+ * should carry out some action. Note that the user identity used for
+ * the purpose of checking authorizations is the Real one compared to
+ * the e.g. Effective one (e.g. getuid(), getgid() is used instead of
+ * e.g. geteuid(), getegid()). This is typically what one wants in a
+ * setuid root program if the setuid root program is designed to do
+ * work on behalf of the unprivileged user who invoked it (for
+ * example, the PulseAudio sound server is setuid root only so it can
+ * become a real time process; after that it drops all privileges).
+ *
+ * It varies whether one wants to pass getpid() or getppid() as the
+ * process id to this function. For example, in the PulseAudio case it
+ * is the right thing to pass getpid(). However, in a setup where the
+ * process is a privileged helper, one wants to pass the process id of
+ * the parent. Beware though, if the parent dies, getppid() will
+ * return 1 (the process id of <literal>/sbin/init</literal>) which is
+ * almost certainly guaranteed to be privileged as it is running as
+ * uid 0.
+ *
+ * Note that this function will open a connection to the system
+ * message bus and query ConsoleKit for details. In addition, it will
+ * load PolicyKit specific files and spawn privileged helpers if
+ * necessary. As such, there is a bit of IPC, context switching,
+ * syscall overhead and I/O involved in using this function. If you
+ * are planning on calling this function multiple times (e.g. from a
+ * daemon) on a frequent basis and/or need more detail you should use
+ * the #PolKitContext and #PolKitTracker classes instead as these are
+ * designed to aggresively cache information.
+ *
+ * The return value is a bit mask indicating whether the given process
+ * is authorized for the given actions. Bit 0 represents the first
+ * action; bit 1 represents the 2nd action and so forth. A bit is set
+ * to 1 if, and only if, the caller is authorized for the given
+ * action. If the given action is unknown zero will be returned as well.
+ *
+ * If the function succeeds, errno will be set to 0. If an error
+ * occurs 0 is returned and errno will be set:
+ * <itemizedlist>
+ * <listitem><literal>ENOMEM</literal>: Out of memory.</listitem>
+ * <listitem><literal>ENOENT</literal>: Failed to connect to either the system message bus or ConsoleKit.</listitem>
+ * </itemizedlist>
+ *
+ * Returns: See above
+ *
+ * Since: 0.7
+ */
+polkit_uint64_t 
+polkit_check_auth (pid_t pid, ...)
+{
+        int n;
+        va_list args;
+        char *action_id;
+        polkit_uint64_t ret;
+        const char *action_ids[65];
+
+        ret = 0;
+
+        n = 0;
+        va_start (args, pid);
+        while ((action_id = va_arg (args, char *)) != NULL) {
+                if (n == 64) {
+                        errno = EOVERFLOW;
+                        goto out;
+                }
+                action_ids[n++] = action_id;
+        }
+        va_end (args);
+        action_ids[n] = NULL;
+
+        ret = polkit_check_authv (pid, action_ids); 
+out:
+        return ret;
+}
+
+/**
+ * polkit_check_authv:
+ * @pid: See docs for polkit_check_auth()
+ * @action_ids: %NULL terminated array of action id's
+ *
+ * This function is similar to polkit_check_auth() but takes an %NULL
+ * terminated array instead of being a varadic function.
+ *
+ * Returns: See docs for polkit_check_auth()
+ *
+ * Since: 0.7
+ */
+polkit_uint64_t 
+polkit_check_authv (pid_t pid, const char **action_ids)
+{
+        int n;
+        polkit_uint64_t ret;
+        DBusError error;
+        DBusConnection *bus;
+        PolKitCaller *caller;
+        PolKitContext *context;
+        PolKitError *pk_error;
+        PolKitResult pk_result;
+
+        ret = 0;
+        errno = ENOENT;
+
+        dbus_error_init (&error);
+        bus = dbus_bus_get (DBUS_BUS_SYSTEM, &error);
+        if (bus == NULL) {
+                kit_warning ("cannot connect to system bus: %s: %s", error.name, error.message);
+                dbus_error_free (&error);
+                goto out;
+        }
+
+        caller = polkit_caller_new_from_pid (bus, pid, &error);
+        if (caller == NULL) {
+                kit_warning ("cannot get caller from pid: %s: %s", error.name, error.message);
+                goto out;
+        }
+
+        context = polkit_context_new ();
+        if (context == NULL) {
+                kit_warning ("cannot allocate PolKitContext");
+                errno = ENOMEM;
+                goto out;
+        }
+
+        pk_error = NULL;
+        if (!polkit_context_init (context, &pk_error)) {
+                kit_warning ("cannot initialize polkit context: %s: %s",
+                             polkit_error_get_error_name (pk_error),
+                             polkit_error_get_error_message (pk_error));
+                polkit_error_free (pk_error);
+                goto out;
+        }
+
+        for (n = 0; action_ids[n] != NULL; n++) {
+                PolKitAction *action;
+
+                action = polkit_action_new ();
+                if (action == NULL) {
+                        kit_warning ("cannot allocate PolKitAction");
+                        errno = ENOMEM;
+                        goto out;
+                }
+                if (!polkit_action_set_action_id (action, action_ids[n])) {
+                        polkit_action_unref (action);
+                        kit_warning ("cannot set action_id");
+                        errno = ENOMEM;
+                        goto out;
+                }
+                
+                pk_error = NULL;
+                pk_result = polkit_context_is_caller_authorized (context, action, caller, FALSE, &pk_error);
+
+                if (polkit_error_is_set (pk_error)) {
+                        polkit_error_free (pk_error);
+                        pk_error = NULL;
+                } else {
+                        if (pk_result == POLKIT_RESULT_YES)
+                                ret |= (1<<n);
+                }
+
+                polkit_action_unref (action);
+        }
+
+out:
+        if (bus != NULL)
+                dbus_connection_unref (bus);
+        if (caller != NULL)
+                polkit_caller_unref (caller);
+        if (context != NULL)
+                polkit_context_unref (context);
+
+        return ret;
+}
+
+#ifdef POLKIT_BUILD_TESTS
+
+static polkit_bool_t
+_run_test (void)
+{
+        return TRUE;
+}
+
+KitTest _test_simple = {
+        "polkit_simple",
+        NULL,
+        NULL,
+        _run_test
+};
+
+#endif /* POLKIT_BUILD_TESTS */
diff --git a/src/polkit-dbus/polkit-simple.h b/src/polkit-dbus/polkit-simple.h
new file mode 100644
index 0000000..c982621
--- /dev/null
+++ b/src/polkit-dbus/polkit-simple.h
@@ -0,0 +1,42 @@
+/* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 8 -*- */
+/***************************************************************************
+ *
+ * polkit-simple.h : Simple convenience interface
+ *
+ * Copyright (C) 2007 David Zeuthen, <david at fubar.dk>
+ *
+ * Licensed under the Academic Free License version 2.1
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+ *
+ **************************************************************************/
+
+#if !defined (POLKIT_COMPILATION) && !defined(_POLKIT_INSIDE_POLKIT_DBUS_H)
+#error "Only <polkit-dbus/polkit-dbus.h> can be included directly, this file may disappear or change contents."
+#endif
+
+#ifndef POLKIT_SIMPLE_H
+#define POLKIT_SIMPLE_H
+
+#include <polkit-dbus/polkit-dbus.h>
+
+POLKIT_BEGIN_DECLS
+
+polkit_uint64_t polkit_check_auth (pid_t pid, ...);
+polkit_uint64_t polkit_check_authv (pid_t pid, const char **action_ids);
+
+POLKIT_END_DECLS
+
+#endif /* POLKIT_SIMPLE_H */
diff --git a/src/polkit-grant/polkit-explicit-grant-helper.c b/src/polkit-grant/polkit-explicit-grant-helper.c
index 3f5d2ef..7d08448 100644
--- a/src/polkit-grant/polkit-explicit-grant-helper.c
+++ b/src/polkit-grant/polkit-explicit-grant-helper.c
@@ -47,84 +47,6 @@
 #include <polkit-dbus/polkit-dbus.h>
 #include <polkit/polkit-private.h>
 
-static polkit_bool_t
-check_pid_for_authorization (pid_t caller_pid, const char *action_id)
-{
-        polkit_bool_t ret;
-        DBusError error;
-        DBusConnection *bus;
-        PolKitCaller *caller;
-        PolKitAction *action;
-        PolKitContext *context;
-        PolKitError *pk_error;
-        PolKitResult pk_result;
-
-        ret = FALSE;
-
-        dbus_error_init (&error);
-        bus = dbus_bus_get (DBUS_BUS_SYSTEM, &error);
-        if (bus == NULL) {
-                fprintf (stderr, "polkit-explicit-grant-helper: cannot connect to system bus: %s: %s\n", 
-                         error.name, error.message);
-                dbus_error_free (&error);
-                goto out;
-        }
-
-        caller = polkit_caller_new_from_pid (bus, caller_pid, &error);
-        if (caller == NULL) {
-                fprintf (stderr, "polkit-explicit-grant-helper: cannot get caller from pid: %s: %s\n",
-                         error.name, error.message);
-                goto out;
-        }
-
-        action = polkit_action_new ();
-        if (action == NULL) {
-                fprintf (stderr, "polkit-explicit-grant-helper: cannot allocate PolKitAction\n");
-                goto out;
-        }
-        if (!polkit_action_set_action_id (action, action_id)) {
-                fprintf (stderr, "polkit-explicit-grant-helper: cannot set action_id\n");
-                goto out;
-        }
-
-        context = polkit_context_new ();
-        if (context == NULL) {
-                fprintf (stderr, "polkit-explicit-grant-helper: cannot allocate PolKitContext\n");
-                goto out;
-        }
-
-        pk_error = NULL;
-        if (!polkit_context_init (context, &pk_error)) {
-                fprintf (stderr, "polkit-explicit-grant-helper: cannot initialize polkit context: %s: %s\n",
-                         polkit_error_get_error_name (pk_error),
-                         polkit_error_get_error_message (pk_error));
-                polkit_error_free (pk_error);
-                goto out;
-        }
-
-        pk_result = polkit_context_is_caller_authorized (context, action, caller, FALSE, &pk_error);
-        if (polkit_error_is_set (pk_error)) {
-                fprintf (stderr, "polkit-explicit-grant-helper: cannot determine if caller is authorized: %s: %s\n",
-                         polkit_error_get_error_name (pk_error),
-                         polkit_error_get_error_message (pk_error));
-                polkit_error_free (pk_error);
-                goto out;
-        }
-
-        if (pk_result != POLKIT_RESULT_YES) {
-                //fprintf (stderr, 
-                //         "polkit-explicit-grant-helper: uid %d (pid %d) does not have the "
-                //         "org.freedesktop.policykit.read-other-authorizations authorization\n", 
-                //         caller_uid, caller_pid);
-                goto out;
-        }
-
-        ret = TRUE;
-out:
-
-        return ret;
-}
-
 int
 main (int argc, char *argv[])
 {
@@ -225,11 +147,13 @@ main (int argc, char *argv[])
         /* OK, we're done parsing ... check if the user is authorized */
 
         if (invoking_uid != 0) {
-                /* see if calling user is authorized for
-                 *
-                 *  org.freedesktop.policykit.grant
-                 */
-                if (!check_pid_for_authorization (getppid (), "org.freedesktop.policykit.grant")) {
+                pid_t ppid;
+                        
+                ppid = getppid ();
+                if (ppid == 1)
+                        goto out;
+
+                if (polkit_check_auth (ppid, "org.freedesktop.policykit.grant", NULL) == 0) {
                         goto out;
                 }
         }
diff --git a/src/polkit-grant/polkit-revoke-helper.c b/src/polkit-grant/polkit-revoke-helper.c
index f588afc..e4853ee 100644
--- a/src/polkit-grant/polkit-revoke-helper.c
+++ b/src/polkit-grant/polkit-revoke-helper.c
@@ -45,81 +45,6 @@
 
 #include <polkit-dbus/polkit-dbus.h>
 
-static polkit_bool_t
-check_for_authorization (const char *action_id, pid_t caller_pid)
-{
-        polkit_bool_t ret;
-        DBusError error;
-        DBusConnection *bus;
-        PolKitCaller *caller;
-        PolKitAction *action;
-        PolKitContext *context;
-        PolKitError *pk_error;
-        PolKitResult pk_result;
-
-        ret = FALSE;
-
-        dbus_error_init (&error);
-        bus = dbus_bus_get (DBUS_BUS_SYSTEM, &error);
-        if (bus == NULL) {
-                fprintf (stderr, "polkit-revoke-helper: cannot connect to system bus: %s: %s\n", 
-                         error.name, error.message);
-                dbus_error_free (&error);
-                goto out;
-        }
-
-        caller = polkit_caller_new_from_pid (bus, caller_pid, &error);
-        if (caller == NULL) {
-                fprintf (stderr, "polkit-revoke-helper: cannot get caller from pid: %s: %s\n",
-                         error.name, error.message);
-                goto out;
-        }
-
-        action = polkit_action_new ();
-        if (action == NULL) {
-                fprintf (stderr, "polkit-revoke-helper: cannot allocate PolKitAction\n");
-                goto out;
-        }
-        if (!polkit_action_set_action_id (action, action_id)) {
-                fprintf (stderr, "polkit-revoke-helper: cannot set action_id\n");
-                goto out;
-        }
-
-        context = polkit_context_new ();
-        if (context == NULL) {
-                fprintf (stderr, "polkit-revoke-helper: cannot allocate PolKitContext\n");
-                goto out;
-        }
-
-        pk_error = NULL;
-        if (!polkit_context_init (context, &pk_error)) {
-                fprintf (stderr, "polkit-revoke-helper: cannot initialize polkit context: %s: %s\n",
-                         polkit_error_get_error_name (pk_error),
-                         polkit_error_get_error_message (pk_error));
-                polkit_error_free (pk_error);
-                goto out;
-        }
-
-        pk_result = polkit_context_is_caller_authorized (context, action, caller, FALSE, &pk_error);
-        if (polkit_error_is_set (pk_error)) {
-                fprintf (stderr, "polkit-revoke-helper: cannot determine if caller is authorized: %s: %s\n",
-                         polkit_error_get_error_name (pk_error),
-                         polkit_error_get_error_message (pk_error));
-                polkit_error_free (pk_error);
-                goto out;
-        }
-        
-        if (pk_result != POLKIT_RESULT_YES) {
-                goto out;
-        }
-
-        ret = TRUE;
-out:
-
-        return ret;
-}
-
-
 static int
 _write_to_fd (int fd, const char *str, ssize_t str_len)
 {
@@ -273,26 +198,14 @@ found:
         if (invoking_uid != 0) {
                 /* Check that the caller is privileged to do this... */
                 if (invoking_uid != uid_to_revoke) {
-         
-                        /* see if calling user has the
-                         *
-                         *  org.freedesktop.policykit.revoke
-                         *
-                         * authorization
-                         */
-                        if (!check_for_authorization ("org.freedesktop.policykit.revoke", getppid ())) {
-
-                                /* if it's about revoking a one-shot authorization, it's sufficient to have
-                                 * org.freedesktop.policykit.read - see polkit_context_is_caller_authorized()
-                                 * for why...
-                                 */
-                                if (is_one_shot) {
-                                        if (!check_for_authorization ("org.freedesktop.policykit.read", getppid ())) {
-                                                goto out;
-                                        }
-                                } else {
-                                        goto out;
-                                }
+                        pid_t ppid;
+                        
+                        ppid = getppid ();
+                        if (ppid == 1)
+                                goto out;
+
+                        if (polkit_check_auth (ppid, "org.freedesktop.policykit.revoke", NULL) == 0) {
+                                goto out;
                         }
                 }
         }


More information about the hal-commit mailing list