hal: Branch 'master' - 2 commits
David Zeuthen
david at kemper.freedesktop.org
Tue Apr 1 13:09:29 PDT 2008
configure.in | 13 +++++++++++--
hal.conf.in | 20 ++------------------
2 files changed, 13 insertions(+), 20 deletions(-)
New commits:
commit ac2c63385db4edd71536981eed65d72f367661d8
Author: David Zeuthen <davidz at redhat.com>
Date: Tue Apr 1 16:08:52 2008 -0400
default to use CK and PK by default and print warning if PK is not found
diff --git a/configure.in b/configure.in
index 013e2b3..e76ff51 100644
--- a/configure.in
+++ b/configure.in
@@ -479,7 +479,7 @@ AC_DEFINE_UNQUOTED(DBUS_API_SUBJECT_TO_CHANGE, [], [DBUS API is subject to chang
# check for ConsoleKit
AM_CONDITIONAL(HAVE_CONKIT, false)
-AC_ARG_ENABLE(console-kit, [ --enable-console-kit Use ConsoleKit],enable_console_kit=$enableval,enable_console_kit=no)
+AC_ARG_ENABLE(console-kit, [ --enable-console-kit Use ConsoleKit],enable_console_kit=$enableval,enable_console_kit=yes)
msg_conkit=no
if test "x$enable_console_kit" != "xno"; then
AM_CONDITIONAL(HAVE_CONKIT, true)
@@ -524,7 +524,7 @@ AM_CONDITIONAL(BUILD_KEYMAPS, [test x$BUILD_KEYMAPS = xyes])
AM_CONDITIONAL(HAVE_POLKIT, [false])
AC_ARG_ENABLE([policy-kit],
AS_HELP_STRING([--enable-policy-kit], [Use PolicyKit]),
- [enable_policy_kit=$enableval], [enable_policy_kit=no])
+ [enable_policy_kit=$enableval], [enable_policy_kit=yes])
msg_polkit=no
if test "x$enable_policy_kit" != "xno"; then
if test "x$enable_console_kit" = "xno"; then
@@ -1106,6 +1106,15 @@ echo "
Building man pages: ${enable_man_pages}
"
+if test x${msg_polkit} = xno; then
+ echo "WARNING: PolicyKit is disabled. You need to manually edit the hal.conf"
+ echo " file to lock down the service. Failure to do so allows any"
+ echo " caller to make hald do work on their behalf which may be"
+ echo " a huge SECURITY HOLE. I repeat: YOU NEED TO EDIT THE FILE"
+ echo " hal.conf to match your distro/site to avoid NASTY SECURITY HOLES."
+ echo ""
+fi
+
if test x$BUILD_ACPI_IBM = xyes; then
echo "NOTE: Future Linux kernels may provide IBM ACPI events via a kernel."
echo " input device resulting in HAL emitting twice as many events as it"
commit ff6736fb5ab04a117c55edee99ec9b61385e14b6
Author: David Zeuthen <davidz at redhat.com>
Date: Wed Mar 26 00:59:32 2008 -0400
remove use of at_console in the D-Bus configuration file
The main reason for this is that PolicyKit is used _anyway_ to control
access to methods. And using pam_console to do this breaks when you
try to e.g. run a power manager on the login screen as we're doing in
Fedora 9 with g-p-m and the new gdm.
diff --git a/hal.conf.in b/hal.conf.in
index 747e108..ef97b8f 100644
--- a/hal.conf.in
+++ b/hal.conf.in
@@ -37,25 +37,9 @@
receive_sender="org.freedesktop.Hal"/>
</policy>
- <!-- Default policy for the exported interfaces -->
+ <!-- Default policy for the exported interfaces; if PolicyKit is not used
+ for access control you will need to modify this -->
<policy context="default">
- <deny send_interface="org.freedesktop.Hal.Device.SystemPowerManagement"/>
- <deny send_interface="org.freedesktop.Hal.Device.VideoAdapterPM"/>
- <deny send_interface="org.freedesktop.Hal.Device.LaptopPanel"/>
- <deny send_interface="org.freedesktop.Hal.Device.Volume"/>
- <deny send_interface="org.freedesktop.Hal.Device.Volume.Crypto"/>
- </policy>
-
- <!-- This will not work if pam_console support is not enabled -->
- <policy at_console="true">
- <allow send_interface="org.freedesktop.Hal.Device.SystemPowerManagement"/>
- <allow send_interface="org.freedesktop.Hal.Device.LaptopPanel"/>
- <allow send_interface="org.freedesktop.Hal.Device.Volume"/>
- <allow send_interface="org.freedesktop.Hal.Device.Volume.Crypto"/>
- </policy>
-
- <!-- You can change this to a more suitable user, or make per-group -->
- <policy user="0">
<allow send_interface="org.freedesktop.Hal.Device.SystemPowerManagement"/>
<allow send_interface="org.freedesktop.Hal.Device.VideoAdapterPM"/>
<allow send_interface="org.freedesktop.Hal.Device.LaptopPanel"/>
More information about the hal-commit
mailing list