author | Brian Cameron <brian.cameron@sun.com> | 2008-01-28 17:43:05 -0500 |
---|---|---|
committer | William Jon McCann <mccann@jhu.edu> | 2008-01-28 17:43:05 -0500 |
commit | 5895396bc583ae08c5041f5b81f5f9d0a2888e22 (patch) | |
tree | cd7ab3be029f2b0fd6921a4a66c3937e3cb048aa /src | |
parent | 96d613ee9a4850753e8f93113ab28ed3045f73f3 (diff) | |
make polkit optional and use RBAC on Solaris
This patch makes polkit an optional dependency. If present
it builds with it. If not, polkit support is disabled.
This patch also adds a --enable-rbac-shutdown=<key> option.
If set, then ConsoleKit will allow shutdown/reboot if the
user has the RBAC key authorization defined. For example,
since the GDM GUI program runs as the "gdm" user, setting
the key for the "gdm" user allows the login program to
shutdown and reboot via ConsoleKit.
Also this patch modifies the tools/solaris/ck-system-restart
and tools/solaris/ck-system-stop scripts to call "/sbin/init 6"
and "/sbin/init 5", which are the right commands for Solaris.
Diffstat (limited to 'src')
-rw-r--r-- | src/Makefile.am | 7 | ||||
-rw-r--r-- | src/ck-manager.c | 71 |
2 files changed, 77 insertions, 1 deletions
diff --git a/src/Makefile.am b/src/Makefile.am index 2f0d42d..2f77c4f 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -10,6 +10,7 @@ INCLUDES = \ -I. \ -I$(srcdir) \ $(CONSOLE_KIT_CFLAGS) \ + $(POLKIT_CFLAGS) \ $(DISABLE_DEPRECATED_CFLAGS) \ -DPREFIX=\""$(prefix)"\" \ -DBINDIR=\""$(bindir)"\" \ @@ -129,6 +130,8 @@ EXTRA_console_kit_daemon_SOURCES = \ console_kit_daemon_LDADD = \ $(CONSOLE_KIT_LIBS) \ + $(POLKIT_LIBS) \ + $(RBAC_LIBS) \ libck.la \ libck-event-log.la \ $(NULL) @@ -147,6 +150,8 @@ test_event_logger_SOURCES = \ test_event_logger_LDADD = \ $(CONSOLE_KIT_LIBS) \ + $(POLKIT_LIBS) \ + $(RBAC_LIBS) \ libck-event-log.la \ $(NULL) @@ -158,6 +163,7 @@ test_vt_monitor_SOURCES = \ test_vt_monitor_LDADD = \ $(CONSOLE_KIT_LIBS) \ + $(POLKIT_LIBS) \ libck.la \ $(NULL) @@ -171,6 +177,7 @@ test_tty_idle_monitor_SOURCES = \ test_tty_idle_monitor_LDADD = \ $(CONSOLE_KIT_LIBS) \ + $(POLKIT_LIBS) \ libck.la \ $(NULL) diff --git a/src/ck-manager.c b/src/ck-manager.c index 5eac98f..c7c045b 100644 --- a/src/ck-manager.c +++ b/src/ck-manager.c @@ -39,7 +39,14 @@ #include <dbus/dbus-glib.h> #include <dbus/dbus-glib-lowlevel.h> +#ifdef HAVE_POLKIT #include <polkit/polkit.h> +#endif + +#ifdef ENABLE_RBAC_SHUTDOWN +#include <auth_attr.h> +#include <secdb.h> +#endif #include "ck-manager.h" #include "ck-manager-glue.h" @@ -61,7 +68,9 @@ struct CkManagerPrivate { +#ifdef HAVE_POLKIT PolKitContext *pol_ctx; +#endif GHashTable *seats; GHashTable *sessions; @@ -703,6 +712,7 @@ get_session_for_unix_process (CkManager *manager, return session; } +#ifdef HAVE_POLKIT static PolKitSession * new_polkit_session_from_session (CkManager *manager, CkSession *ck_session) @@ -1064,6 +1074,7 @@ _check_polkit_for_action (CkManager *manager, return TRUE; } +#endif /* adapted from PolicyKit */ static gboolean 
@@ -1201,6 +1212,47 @@ get_system_num_users (CkManager *manager) return num_users; } +#ifdef ENABLE_RBAC_SHUTDOWN +static gboolean +check_rbac_permissions (CkManager *manager, + DBusGMethodInvocation *context) +{ + const char *sender; + char *username; + gboolean res; + uid_t uid; + pid_t pid; + + username = NULL; + sender = dbus_g_method_get_sender (context); + res = get_caller_info (manager, + sender, + &uid, + &pid); + if (!res) { + goto out; + } + + username = get_user_name (uid); + + if (username == NULL || + !chkauthattr (RBAC_SHUTDOWN_KEY, username)) { + res = FALSE; + goto out; + } + +out: + + if (res == TRUE) + g_debug ("User %s has RBAC permission to stop/restart", username); + else + g_debug ("User %s does not have RBAC permission to stop/restart", username); + + g_free (username); + return res; +} +#endif + /* Example: dbus-send --system --dest=org.freedesktop.ConsoleKit \ @@ -1227,11 +1279,17 @@ ck_manager_restart (CkManager *manager, g_debug ("ConsoleKit Restart: %s", action); +#ifdef HAVE_POLKIT res = _check_polkit_for_action (manager, context, action); - if (! res) { goto out; } +#endif + +#ifdef ENABLE_RBAC_SHUTDOWN + if (!check_rbac_permissions (manager, context)) + goto out; +#endif g_debug ("ConsoleKit preforming Restart: %s", action); @@ -1277,10 +1335,17 @@ ck_manager_stop (CkManager *manager, action = "org.freedesktop.consolekit.system.stop"; } +#ifdef HAVE_POLKIT res = _check_polkit_for_action (manager, context, action); if (! res) { goto out; } +#endif + +#ifdef ENABLE_RBAC_SHUTDOWN + if (!check_rbac_permissions (manager, context)) + goto out; +#endif g_debug ("Stopping system"); error = NULL; @@ -2296,6 +2361,7 @@ bus_name_owner_changed (DBusGProxy *bus_proxy, service_name, old_service_name, new_service_name); } +#ifdef HAVE_POLKIT static gboolean pk_io_watch_have_data (GIOChannel *channel, GIOCondition condition, 
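Review bot: In check_rbac_permissions the final `g_debug` on the failure path can receive a NULL `username` for its `%s`: `username` is still NULL when `get_caller_info` fails, and the `username == NULL` branch also jumps to `out:`. Passing NULL for `%s` is undefined behaviour and not every libc tolerates it, so an unresolvable caller could crash the daemon instead of simply being refused; pass `username != NULL ? username : "(unknown)"` in that call. The function also returns FALSE without setting any error for the caller, and both call sites only `goto out`. The `out:` labels are outside these hunks, so it is worth confirming that an RBAC denial produces a D-Bus error reply rather than leaving the method invocation unanswered.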
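Review bot: With neither HAVE_POLKIT nor ENABLE_RBAC_SHUTDOWN defined, both guarded checks in ck_manager_restart compile away and execution falls straight from `g_debug ("ConsoleKit Restart: %s", action)` to performing the restart; the ck_manager_stop hunk has the same shape. Unless something outside these hunks restricts callers (for example the D-Bus bus policy, which is not shown here), such a build would let any client that can reach these methods stop or reboot the machine. A build with no authorization backend should refuse by default, e.g. a denial that returns an error to the caller under `#if !defined(HAVE_POLKIT) && !defined(ENABLE_RBAC_SHUTDOWN)`, or a configure-time failure. When both macros are defined the two checks are ANDed, whereas the description reads as if the RBAC authorization alone grants the action; a comment stating the intended combination would help. Both functions start and end outside their hunks.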
@@ -2338,18 +2404,21 @@ pk_io_remove_watch (PolKitContext *pk_context, { g_source_remove (watch_id); } +#endif static gboolean register_manager (CkManager *manager) { GError *error = NULL; +#ifdef HAVE_POLKIT manager->priv->pol_ctx = polkit_context_new (); polkit_context_set_io_watch_functions (manager->priv->pol_ctx, pk_io_add_watch, pk_io_remove_watch); if (! polkit_context_init (manager->priv->pol_ctx, NULL)) { g_critical ("cannot initialize libpolkit"); return FALSE; } +#endif error = NULL; manager->priv->connection = dbus_g_bus_get (DBUS_BUS_SYSTEM, &error); |