PolicyKit: Branch 'master'

David Zeuthen david at kemper.freedesktop.org
Mon Jun 30 12:46:00 PDT 2008


 README                 |   87 ++++++++++++++++++++++++++++++++++++++++++++++---
 configure.in           |   12 +++---
 src/polkit/Makefile.am |    2 -
 3 files changed, 91 insertions(+), 10 deletions(-)

New commits:
commit 785a63bcb175bc9eee14c664353e82c5ca8a6206
Author: David Zeuthen <davidz at redhat.com>
Date:   Mon Jun 30 15:44:02 2008 -0400

    fix up permissions / docs for certain helpers and files/directories
    
    Also document in README why the various permissions/modes are
    used. Thanks to Michael Biebl <biebl at debian.org> for pointing this
    out.

diff --git a/README b/README
index 2de5278..e2c24bd 100644
--- a/README
+++ b/README
@@ -1,13 +1,92 @@
 
-PolicyKit is a framework for defining policy for system-wide components and
-for desktop pieces to configure it. It is used by HAL.
+PolicyKit is an authorization framework. It is typically used by
+privileged user space daemons to control access.
 
-See also the file HACKING for notes of interest to developers working 
+See also the file HACKING for notes of interest to developers working
 on PolicyKit.
 
-See http://www.freedesktop.org/Software/hal for lots of documentation, 
+See http://www.freedesktop.org/Software/hal for lots of documentation,
 mailing lists, etc.
 
+-------------------------------------------------------
+Rationale for permissions/modes for the default backend
+-------------------------------------------------------
 
+0770 root:polkituser /var/run/PolicyKit
+0770 root:polkituser /var/lib/PolicyKit
 
+We store authorizations for each user here. Since we don't want users
+to know what authorizations other users has, no one can read these
+files. However, when checking authorizations we need to be able to
+read from here; we use this helper
 
+2755 root:polkituser /usr/libexec/polkit-read-auth-helper
+
+which can read from here since it's setgid 'polkituser'. This helper
+will refuse to return authorizations for other users than the calling
+user except if the calling user is authorized for org.fd.pk.read.
+
+We also want to be able to grant authorizations through authentication.
+That happens with this helper
+
+2755 root:polkituser /usr/libexec/polkit-grant-helper
+
+This program is setgid 'polkituser' so it can write files in
+/var/{run,lib}/PolicyKit. Note that these files are created with mode
+464.
+
+To do the actual authentication check when granting authorizations
+through authentication, polkit-grant-helper uses another helper
+
+4754 root:polkituser /usr/libexec/polkit-grant-helper-pam
+
+This one is setuid root because checking authentications might need
+require that (you may be checking the root password). The reason
+polkit-grant-helper-pam is is owned by group 'polkituser' is to ensure
+that random users can't execute it; only setgid 'polkituser' programs
+can do this. Which polkit-grant-helper is.
+
+On to
+
+2755 root:polkituser /libexec/polkit-revoke-helper
+
+This one is used to revoke authorizations. It will only allow uid 0 and
+users with the org.fd.pk.revoke authorization to do so. It needs to be
+setgid polkituser to be able to modify authorization files
+in /var/{run,lib}/PolicyKit.
+
+2755 root:polkituser /usr/libexec/polkit-explicit-grant-helper
+
+Same story as for polkit-revoke-helper only this grants authorizations.
+Only allowed for uid 0 and users with the org.fd.pk.grant authorization.
+
+On to
+
+0755 polkituser:root /var/lib/PolicyKit-public
+
+This is where we store modifications to the defaults. Anyone should be
+able to read these files. They are created with mode 644. These files
+are written / modified by this helper
+
+4755 polkituser:root /usr/libexec/polkit-set-default-helper
+
+which is setuid polkituser to be able to write/modify files.
+
+On to
+
+4755 root:root /usr/libexec/polkit-resolve-exe-helper
+
+This is used to find the executable name for a process. On Linux this is
+the /proc/<pid>/exe symlink and you can only do this for processes you
+own. This helper finds the executable name for processes not owned by
+you but only if you have the org.fd.pk.read authorization. This is
+important to let e.g. user 'haldaemon' check authorizations for a user
+requesting service.
+
+0664 polkituser:polkituser /var/lib/misc/PolicyKit.reload
+
+This file is used by libpolkit to detect when something has changed
+(authorizations granted/revoked, defaults changed etc.). It is
+writable by both user 'polkituser' and group 'polkituser' because we
+have helpers running with both euid 'polkituser' and egid 'polkituser'
+that wants to trigger a reload.
diff --git a/configure.in b/configure.in
index 5530958..9876f5c 100644
--- a/configure.in
+++ b/configure.in
@@ -1,8 +1,8 @@
 dnl Process this file with autoconf to produce a configure script.
 
 AC_PREREQ(2.59c)
-AC_INIT(PolicyKit, 0.8, david at fubar.dk)
-AM_INIT_AUTOMAKE(PolicyKit, 0.8)
+AC_INIT(PolicyKit, 0.9, http://lists.freedesktop.org/mailman/listinfo/polkit-devel)
+AM_INIT_AUTOMAKE(PolicyKit, 0.9)
 AM_CONFIG_HEADER(config.h)
 AM_MAINTAINER_MODE
 
@@ -644,11 +644,11 @@ if test "${POLKIT_AUTHDB}" = default ; then
   echo "NOTE: The directories ${localstatedir}/run/PolicyKit and ${localstatedir}/lib/PolicyKit will be"
   echo "      owned by group ${POLKIT_GROUP} and will be mode 770."
   echo
-  echo "NOTE: The directory ${localstatedir}/run/PolicyKit-public will be"
+  echo "NOTE: The directory ${localstatedir}/lib/PolicyKit-public will be"
   echo "      owned by user ${POLKIT_USER} and will be mode 755."
   echo
   echo "NOTE: The file ${localstatedir}/lib/misc/PolicyKit.reload will be"
-  echo "      owned by user ${POLKIT_USER} and group ${POLKIT_GROUP} and will be mode 775."
+  echo "      owned by user ${POLKIT_USER} and group ${POLKIT_GROUP} and will be mode 664."
   echo
   echo "NOTE: ${libexecdir}/polkit-set-default-helper will be owned by"
   echo "      user ${POLKIT_USER} and installed with mode 4755 (setuid binary)."
@@ -667,11 +667,13 @@ if test "${POLKIT_AUTHDB}" = default ; then
   echo
   echo "NOTE: ${libexecdir}/polkit-grant-helper-pam will be owned by group"
   echo "      ${POLKIT_GROUP} and installed with mode 4754 (setuid root binary)."
-  echo
 fi
 
+echo
 echo "NOTE: ${libexecdir}/polkit-resolve-exe-helper will be installed with"
 echo "      mode 4755 (setuid root binary)."
 echo
 echo "NOTE: For packaging, remember to retain the modes and ownership."
 echo
+echo "See the README file for the rationale for these modes/permissions."
+echo
diff --git a/src/polkit/Makefile.am b/src/polkit/Makefile.am
index 20546a8..4c3d313 100644
--- a/src/polkit/Makefile.am
+++ b/src/polkit/Makefile.am
@@ -143,7 +143,7 @@ install-data-local:
 	mkdir -p $(DESTDIR)$(localstatedir)/lib/misc
 	touch $(DESTDIR)$(localstatedir)/lib/misc/PolicyKit.reload
 	-chown $(POLKIT_USER):$(POLKIT_GROUP) $(DESTDIR)$(localstatedir)/lib/misc/PolicyKit.reload
-	-chmod 775 $(DESTDIR)$(localstatedir)/lib/misc/PolicyKit.reload
+	-chmod 664 $(DESTDIR)$(localstatedir)/lib/misc/PolicyKit.reload
 	mkdir -p $(DESTDIR)$(localstatedir)/lib/PolicyKit-public
 	mkdir -p $(DESTDIR)$(localstatedir)/lib/PolicyKit
 	mkdir -p $(DESTDIR)$(localstatedir)/run/PolicyKit
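Review bot: The `-` prefix kept on the changed chmod line means a failed chmod is ignored, so PolicyKit.reload can silently end up with whatever mode the preceding `touch` and the installer's umask produced instead of the documented 664; unlike chown, chmod needs no privilege here because the installing user owns the freshly touched file, so the prefix should be dropped: `chmod 664 $(DESTDIR)$(localstatedir)/lib/misc/PolicyKit.reload`. The chown above still needs its `-` for non-root DESTDIR staging installs, but when it fails the file stays owned by the installer and 664 then grants write access to that user's group rather than to polkituser, which the README rationale relies on — worth a comment such as `# chown may fail in staged (DESTDIR) installs; packagers must restore $(POLKIT_USER):$(POLKIT_GROUP) ownership, see README`. The install-data-local recipe starts before and continues past this hunk.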

