PolicyKit: Branch 'master'
David Zeuthen
david at kemper.freedesktop.org
Tue Apr 8 14:02:24 PDT 2008
NEWS | 8 +++++++
configure.in | 7 ++++--
src/polkit-dbus/Makefile.am | 8 +++----
src/polkit-dbus/polkit-set-default-helper.c | 31 +++++++++-------------------
src/polkit/Makefile.am | 14 ++++++------
src/polkit/polkit-policy-file-entry.c | 4 +--
6 files changed, 37 insertions(+), 35 deletions(-)
New commits:
commit 149a3df1926c24b51b0f0336ac051473aed980fe
Author: David Zeuthen <davidz at redhat.com>
Date: Tue Apr 8 16:57:43 2008 -0400
fix issue where users allowed to change defaults can delete override files
More details at
https://bugzilla.novell.com/show_bug.cgi?id=295341#c25
diff --git a/NEWS b/NEWS
index b054407..6f6f63b 100644
--- a/NEWS
+++ b/NEWS
@@ -1,4 +1,12 @@
==========
+PolicyKit 0.8 ""
+==========
+
+NOTE NOTE NOTE: The permissions and modes of certain files has changed
+ since PolicyKit 0.7. Make sure to update your spec files
+ to reflect this. See the output of configure for details.
+
+==========
PolicyKit 0.7 "Common sense ain't common"
==========
diff --git a/configure.in b/configure.in
index 370aa69..a008e61 100644
--- a/configure.in
+++ b/configure.in
@@ -617,10 +617,13 @@ if test "${POLKIT_AUTHDB}" = default ; then
echo " owned by group ${POLKIT_GROUP} and will be mode 770."
echo
echo "NOTE: The directory ${localstatedir}/run/PolicyKit-public will be"
- echo " owned by group ${POLKIT_GROUP} and will be mode 775."
+ echo " owned by user ${POLKIT_USER} and will be mode 755."
+ echo
+ echo "NOTE: The file ${localstatedir}/lib/misc/PolicyKit.reload will be"
+ echo " owned by user ${POLKIT_USER} and group ${POLKIT_GROUP} and will be mode 775."
echo
echo "NOTE: ${libexecdir}/polkit-set-default-helper will be owned by"
- echo " group ${POLKIT_GROUP} and installed with mode 2755 (setgid binary)."
+ echo " user ${POLKIT_USER} and installed with mode 4755 (setuid binary)."
echo
echo "NOTE: ${libexecdir}/polkit-read-auth-helper will be owned by"
echo " group ${POLKIT_GROUP} and installed with mode 2755 (setgid binary)."
diff --git a/src/polkit-dbus/Makefile.am b/src/polkit-dbus/Makefile.am
index 19601a7..0d31275 100644
--- a/src/polkit-dbus/Makefile.am
+++ b/src/polkit-dbus/Makefile.am
@@ -50,8 +50,8 @@ polkit_set_default_helper_LDADD = $(top_builddir)/src/polkit/libpolkit.la libpol
# to read authorization files in /var/lib/PolicyKit and
# /var/run/PolicyKit
#
-# polkit-set-default-helper needs to be setgid $POLKIT_GROUP to be able
-# to write .override files in /var/lib/PolicyKit-public
+# polkit-set-default-helper needs to be setuid $POLKIT_USER to be able
+# to write .defaults-override files in /var/lib/PolicyKit-public
#
# polkit-resolve-exe-helper needs to be setuid root to be able to resolve
# /proc/$pid/exe symlinks.
@@ -59,8 +59,8 @@ polkit_set_default_helper_LDADD = $(top_builddir)/src/polkit/libpolkit.la libpol
install-exec-hook:
-chgrp $(POLKIT_GROUP) $(DESTDIR)$(libexecdir)/polkit-read-auth-helper
-chmod 2755 $(DESTDIR)$(libexecdir)/polkit-read-auth-helper
- -chgrp $(POLKIT_GROUP) $(DESTDIR)$(libexecdir)/polkit-set-default-helper
- -chmod 2755 $(DESTDIR)$(libexecdir)/polkit-set-default-helper
+ -chown $(POLKIT_USER) $(DESTDIR)$(libexecdir)/polkit-set-default-helper
+ -chmod 4755 $(DESTDIR)$(libexecdir)/polkit-set-default-helper
-chmod 4755 $(DESTDIR)$(libexecdir)/polkit-resolve-exe-helper
else
install-exec-hook:
diff --git a/src/polkit-dbus/polkit-set-default-helper.c b/src/polkit-dbus/polkit-set-default-helper.c
index 2efaffc..6fb2eae 100644
--- a/src/polkit-dbus/polkit-set-default-helper.c
+++ b/src/polkit-dbus/polkit-set-default-helper.c
@@ -69,7 +69,7 @@ set_default (const char *action_id, const char *any, const char *inactive, const
contents = NULL;
ret = FALSE;
- path = kit_strdup_printf (PACKAGE_LOCALSTATE_DIR "/lib/PolicyKit-public/%s.override", action_id);
+ path = kit_strdup_printf (PACKAGE_LOCALSTATE_DIR "/lib/PolicyKit-public/%s.defaults-override", action_id);
if (path == NULL)
goto out;
@@ -78,7 +78,7 @@ set_default (const char *action_id, const char *any, const char *inactive, const
if (contents == NULL)
goto out;
- if (!kit_file_set_contents (path, 0464, contents, strlen (contents))) {
+ if (!kit_file_set_contents (path, 0644, contents, strlen (contents))) {
kit_warning ("Error writing override file '%s': %m\n", path);
goto out;
}
@@ -101,7 +101,7 @@ clear_default (const char *action_id)
ret = FALSE;
- path = kit_strdup_printf (PACKAGE_LOCALSTATE_DIR "/lib/PolicyKit-public/%s.override", action_id);
+ path = kit_strdup_printf (PACKAGE_LOCALSTATE_DIR "/lib/PolicyKit-public/%s.defaults-override", action_id);
if (path == NULL)
goto out;
@@ -122,11 +122,9 @@ int
main (int argc, char *argv[])
{
int ret;
- gid_t egid;
- struct group *group;
uid_t caller_uid;
+ uid_t euid;
struct passwd *pw;
- uid_t uid_for_polkit_user;
ret = 1;
/* clear the entire environment to avoid attacks using with libraries honoring environment variables */
@@ -160,24 +158,17 @@ main (int argc, char *argv[])
goto out;
}
- /* check that we are setgid polkituser */
- egid = getegid ();
- group = getgrgid (egid);
- if (group == NULL) {
- fprintf (stderr, "polkit-set-default-helper: cannot lookup group info for gid %d\n", egid);
- goto out;
- }
- if (strcmp (group->gr_name, POLKIT_GROUP) != 0) {
- fprintf (stderr, "polkit-set-default-helper: needs to be setgid " POLKIT_GROUP "\n");
+ /* check that we are setuid polkituser */
+ euid = geteuid ();
+ pw = getpwuid (euid);
+ if (pw == NULL) {
+ fprintf (stderr, "polkit-set-default-helper: cannot lookup passwd info for uid %d\n", euid);
goto out;
}
-
- pw = getpwnam (POLKIT_USER);
- if (pw == NULL) {
- fprintf (stderr, "polkit-set-default-helper: cannot lookup uid for " POLKIT_USER "\n");
+ if (strcmp (pw->pw_name, POLKIT_USER) != 0) {
+ fprintf (stderr, "polkit-set-default-helper: needs to be setuid " POLKIT_USER "\n");
goto out;
}
- uid_for_polkit_user = pw->pw_uid;
/*----------------------------------------------------------------------------------------------------*/
diff --git a/src/polkit/Makefile.am b/src/polkit/Makefile.am
index 0a8bc8c..10c6590 100644
--- a/src/polkit/Makefile.am
+++ b/src/polkit/Makefile.am
@@ -126,26 +126,26 @@ if POLKIT_AUTHDB_DEFAULT
# polkit-auth-read-helper is used to read it) and the $POLKIT_GROUP
# group needs to be able to write files there.
#
-# The /var/lib/PolicyKit-public is used for storing world-readable
-# information. Only $POLKIT_GROUP may write to it.
+# The directory /var/lib/PolicyKit-public is used for storing world-readable
+# information. Only $POLKIT_USER may write to it.
#
# The /var/lib/misc/PolicyKit.reload file is used for triggering that
# authorizations have changed; it needs to be world readable and
-# writeable for the $POLKIT_GROUP group (FHS 2.3 suggests that
-# location)
+# writeable for user $POLKIT_USER and group $POLKIT_GROUP (FHS 2.3 suggests
+# that location)
#
install-data-local:
mkdir -p $(DESTDIR)$(localstatedir)/lib/misc
touch $(DESTDIR)$(localstatedir)/lib/misc/PolicyKit.reload
- -chgrp $(POLKIT_GROUP) $(DESTDIR)$(localstatedir)/lib/misc/PolicyKit.reload
+ -chown $(POLKIT_USER):$(POLKIT_GROUP) $(DESTDIR)$(localstatedir)/lib/misc/PolicyKit.reload
-chmod 775 $(DESTDIR)$(localstatedir)/lib/misc/PolicyKit.reload
mkdir -p $(DESTDIR)$(localstatedir)/lib/PolicyKit-public
mkdir -p $(DESTDIR)$(localstatedir)/lib/PolicyKit
mkdir -p $(DESTDIR)$(localstatedir)/run/PolicyKit
- -chgrp $(POLKIT_GROUP) $(DESTDIR)$(localstatedir)/lib/PolicyKit-public
+ -chown $(POLKIT_USER) $(DESTDIR)$(localstatedir)/lib/PolicyKit-public
-chgrp $(POLKIT_GROUP) $(DESTDIR)$(localstatedir)/lib/PolicyKit
-chgrp $(POLKIT_GROUP) $(DESTDIR)$(localstatedir)/run/PolicyKit
- -chmod 775 $(DESTDIR)$(localstatedir)/lib/PolicyKit-public
+ -chmod 755 $(DESTDIR)$(localstatedir)/lib/PolicyKit-public
-chmod 770 $(DESTDIR)$(localstatedir)/lib/PolicyKit
-chmod 770 $(DESTDIR)$(localstatedir)/run/PolicyKit
endif
diff --git a/src/polkit/polkit-policy-file-entry.c b/src/polkit/polkit-policy-file-entry.c
index 23ab577..f7bd524 100644
--- a/src/polkit/polkit-policy-file-entry.c
+++ b/src/polkit/polkit-policy-file-entry.c
@@ -140,7 +140,7 @@ _polkit_policy_file_entry_new (const char *action_id,
#ifdef POLKIT_AUTHDB_DEFAULT
/* read override file */
- path = kit_strdup_printf (PACKAGE_LOCALSTATE_DIR "/lib/PolicyKit-public/%s.override", action_id);
+ path = kit_strdup_printf (PACKAGE_LOCALSTATE_DIR "/lib/PolicyKit-public/%s.defaults-override", action_id);
if (path == NULL)
goto error;
if (!kit_file_get_contents (path, &contents, &contents_size)) {
@@ -532,7 +532,7 @@ polkit_policy_file_entry_set_default (PolKitPolicyFileEntry *policy_file_entry,
}
if (!WIFEXITED (exit_status)) {
- kit_warning ("Revoke helper crashed!");
+ kit_warning ("Set-default helper crashed!");
polkit_error_set_error (error,
POLKIT_ERROR_GENERAL_ERROR,
"set-default helper crashed!");
More information about the hal-commit
mailing list