PolicyKit: Branch 'master'
David Zeuthen
david at kemper.freedesktop.org
Mon Feb 21 09:13:20 PST 2011
src/polkitagent/polkitagenthelper-pam.c | 49 +++++++++++++++++++++++++++++---
src/polkitagent/polkitagentsession.c | 9 +++++
2 files changed, 54 insertions(+), 4 deletions(-)
New commits:
commit 2e96ddd07f897518f63e7f499afb3ab85d91ac3b
Author: David Zeuthen <davidz at redhat.com>
Date: Mon Feb 21 12:11:11 2011 -0500
Improve error reporting for authentication sessions
In particular ensure that we show
Incorrect permissions on /opt/gnome-shell/install/libexec/polkit-agent-helper-1
as a PAM error message if the permissions on the helper are incorrect
(e.g. if the helper is not setuid root).
Signed-off-by: David Zeuthen <davidz at redhat.com>
diff --git a/src/polkitagent/polkitagenthelper-pam.c b/src/polkitagent/polkitagenthelper-pam.c
index d1eed85..91b2b39 100644
--- a/src/polkitagent/polkitagenthelper-pam.c
+++ b/src/polkitagent/polkitagenthelper-pam.c
@@ -35,10 +35,36 @@
static int conversation_function (int n, const struct pam_message **msg, struct pam_response **resp, void *data);
+static void
+send_to_helper (const gchar *str1,
+ const gchar *str2)
+{
+#ifdef PAH_DEBUG
+ fprintf (stderr, "polkit-agent-helper-1: writing `%s' to stdout\n", str1);
+#endif /* PAH_DEBUG */
+ fprintf (stdout, "%s", str1);
+#ifdef PAH_DEBUG
+ fprintf (stderr, "polkit-agent-helper-1: writing `%s' to stdout\n", str2);
+#endif /* PAH_DEBUG */
+ fprintf (stdout, "%s", str2);
+ if (strlen (str2) > 0 && str2[strlen (str2) - 1] != '\n')
+ {
+#ifdef PAH_DEBUG
+ fprintf (stderr, "polkit-agent-helper-1: writing newline to stdout\n");
+#endif /* PAH_DEBUG */
+ fputc ('\n', stdout);
+ }
+#ifdef PAH_DEBUG
+ fprintf (stderr, "polkit-agent-helper-1: flushing stdout\n");
+#endif /* PAH_DEBUG */
+ fflush (stdout);
+}
+
int
main (int argc, char *argv[])
{
int rc;
+ int err_ret;
const char *user_to_auth;
const char *cookie;
struct pam_conv pam_conversation;
@@ -47,6 +73,7 @@ main (int argc, char *argv[])
rc = 0;
pam_h = NULL;
+ err_ret = 1;
/* clear the entire environment to avoid attacks using with libraries honoring environment variables */
if (_polkit_clearenv () != 0)
@@ -59,6 +86,10 @@ main (int argc, char *argv[])
if (geteuid () != 0)
{
fprintf (stderr, "polkit-agent-helper-1: needs to be setuid root\n");
+ /* Special-case a very common error triggered in jhbuild setups - see
+ * polkitagentsession.c:child_watch_func() for details
+ */
+ err_ret = 2;
goto error;
}
@@ -116,7 +147,10 @@ main (int argc, char *argv[])
rc = pam_authenticate (pam_h, 0);
if (rc != PAM_SUCCESS)
{
- fprintf (stderr, "polkit-agent-helper-1: pam_authenticated failed: %s\n", pam_strerror (pam_h, rc));
+ const char *err;
+ err = pam_strerror (pam_h, rc);
+ fprintf (stderr, "polkit-agent-helper-1: pam_authenticate failed: %s\n", err);
+ send_to_helper ("PAM_ERROR_MSG ", err);
goto error;
}
@@ -124,7 +158,10 @@ main (int argc, char *argv[])
rc = pam_acct_mgmt (pam_h, 0);
if (rc != PAM_SUCCESS)
{
- fprintf (stderr, "polkit-agent-helper-1: pam_acct_mgmt failed: %s\n", pam_strerror (pam_h, rc));
+ const char *err;
+ err = pam_strerror (pam_h, rc);
+ fprintf (stderr, "polkit-agent-helper-1: pam_acct_mgmt failed: %s\n", err);
+ send_to_helper ("PAM_ERROR_MSG ", err);
goto error;
}
@@ -132,7 +169,10 @@ main (int argc, char *argv[])
rc = pam_get_item (pam_h, PAM_USER, &authed_user);
if (rc != PAM_SUCCESS)
{
- fprintf (stderr, "polkit-agent-helper-1: pam_get_item failed: %s\n", pam_strerror (pam_h, rc));
+ const char *err;
+ err = pam_strerror (pam_h, rc);
+ fprintf (stderr, "polkit-agent-helper-1: pam_get_item failed: %s\n", err);
+ send_to_helper ("PAM_ERROR_MSG ", err);
goto error;
}
@@ -140,6 +180,7 @@ main (int argc, char *argv[])
{
fprintf (stderr, "polkit-agent-helper-1: Tried to auth user '%s' but we got auth for user '%s' instead",
user_to_auth, (const char *) authed_user);
+ send_to_helper ("PAM_ERROR_MSG ", "Authenticated the wrong user");
goto error;
}
@@ -179,7 +220,7 @@ error:
fprintf (stdout, "FAILURE\n");
flush_and_wait();
- return 1;
+ return err_ret;
}
static int
diff --git a/src/polkitagent/polkitagentsession.c b/src/polkitagent/polkitagentsession.c
index 22a19ce..813b14c 100644
--- a/src/polkitagent/polkitagentsession.c
+++ b/src/polkitagent/polkitagentsession.c
@@ -404,6 +404,15 @@ child_watch_func (GPid pid,
/* kill all the watches we have set up, except for the child since it has exited already */
session->child_pid = 0;
kill_helper (session);
+
+ /* Special-case a very common error triggered in jhbuild setups */
+ if (WIFEXITED (status) && WEXITSTATUS (status) == 2)
+ {
+ g_signal_emit_by_name (session,
+ "show-error",
+ "Incorrect permissions on " PACKAGE_LIBEXEC_DIR "/polkit-agent-helper-1");
+ complete_session (session, FALSE);
+ }
}
static gboolean
More information about the hal-commit
mailing list