Age | Commit message (Collapse) | Author | Files | Lines |
|
Signed-off-by: David Zeuthen <davidz@redhat.com>
|
|
Signed-off-by: David Zeuthen <davidz@redhat.com>
|
|
Signed-off-by: David Zeuthen <davidz@redhat.com>
|
|
Also simplify the code by using the on-disk database. Makes
everything a lot simpler.
Signed-off-by: David Zeuthen <davidz@redhat.com>
|
|
Signed-off-by: David Zeuthen <davidz@redhat.com>
|
|
Set has_data to true after the data is loaded to prevent excessive
reloading of config files.
Signed-off-by: David Zeuthen <davidz@redhat.com>
|
|
Added support for the shadow authentication framework instead of PAM.
Enable it by passing --with-authfw=shadow to configure.
This is done by splitting the polkitagenthelper source into separate
parts, one that does auth with PAM, and another that does auth with
shadow, sharing functions where appropriate.
Also, all PAM-dependent code in all other files has been #ifdef'd.
The only affected file is src/programs/pkexec.c
Signed-off-by: David Zeuthen <davidz@redhat.com>
|
|
pkexec is vulnerable to a minor information disclosure vulnerability
that allows an attacker to verify whether or not arbitrary files
exist, violating directory permissions. I reproduced the issue on my
Karmic installation as follows:
$ mkdir secret
$ sudo chown root:root secret
$ sudo chmod 400 secret
$ sudo touch secret/hidden
$ pkexec /home/drosenbe/secret/hidden
(password prompt)
$ pkexec /home/drosenbe/secret/doesnotexist
Error getting information about /home/drosenbe/secret/doesnotexist: No such file or directory
I've attached my patch for the issue. I replaced the stat() call
entirely with access() using F_OK, so rather than check that the
target exists, pkexec now checks if the user has permission to verify
the existence of the program. There might be another way of doing
this, such as chdir()'ing to the parent directory of the target and
calling lstat(), but this seemed like more code than necessary to
prevent such a minor problem. I see no reason to allow pkexec to
execute targets that are not accessible to the executing user because
of directory permissions. This is such a limited use case anyway that
this doesn't really affect functionality.
http://bugs.freedesktop.org/show_bug.cgi?id=26982
Signed-off-by: David Zeuthen <davidz@redhat.com>
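The difference the patch above relies on, shown as an added example that is not polkit's own code: stat(2) is evaluated against the process's effective uid, which is 0 inside a setuid-root pkexec, while access(2) with F_OK is evaluated against the real uid of the caller. The script rebuilds the reporter's layout (a mode 0400 directory holding one file) in a temporary directory and probes an existing and a missing name both ways. When run as root it emulates an unprivileged user invoking a setuid-root binary with setreuid(65534, 0); the uid 65534, the temp-directory prefix and the function names are assumptions for this demonstration.

```python
import errno
import os
import tempfile

# uid used to emulate an unprivileged caller when the script itself runs as
# root ("nobody" on most Linux systems); an assumption, not from the report.
UNPRIVILEGED_UID = 65534


def probe_with_stat(path):
    """pkexec's original check. stat(2) is evaluated with the *effective* uid,
    which is 0 inside a setuid-root pkexec, so it reports 'OK' or 'ENOENT'
    even for names under a directory the caller cannot search."""
    try:
        os.stat(path)
        return "OK"
    except OSError as e:
        return errno.errorcode[e.errno]


def probe_with_access(path):
    """The fix. access(2) with F_OK is evaluated with the *real* uid, so an
    unsearchable parent fails (EACCES) whether or not the target exists; the
    caller only learns True when it is itself allowed to see the file."""
    return os.access(path, os.F_OK)


def demo():
    """Rebuild the reporter's layout (secret/ mode 0400 holding 'hidden') in a
    temporary directory and probe an existing and a missing name both ways.
    Returns (mode, stat_hidden, stat_missing, access_hidden, access_missing):
      mode  1: running as root; emulates an unprivileged user calling a
               setuid-root binary via setreuid(65534, 0) (real 65534, effective 0)
      mode  0: running as an ordinary user, so no privilege at all
      mode -1: the emulation was refused (e.g. no CAP_SETUID); nothing probed"""
    top = tempfile.mkdtemp(prefix="pkexec-access-demo-")
    os.chmod(top, 0o755)
    secret = os.path.join(top, "secret")
    hidden = os.path.join(secret, "hidden")
    missing = os.path.join(secret, "doesnotexist")
    os.mkdir(secret, 0o700)
    open(hidden, "w").close()
    os.chmod(secret, 0o400)          # r--------: the owner cannot even search it

    mode, results = 0, (None,) * 4
    if os.geteuid() == 0:
        try:
            os.setreuid(UNPRIVILEGED_UID, 0)
            mode = 1
        except OSError:
            mode = -1
    if mode != -1:
        results = (probe_with_stat(hidden), probe_with_stat(missing),
                   probe_with_access(hidden), probe_with_access(missing))
    if mode == 1:
        os.setreuid(0, 0)            # back to plain root for the cleanup
    os.chmod(secret, 0o700)
    os.unlink(hidden)
    os.rmdir(secret)
    os.rmdir(top)
    return (mode,) + results


if __name__ == "__main__":
    mode, sh, sm, ah, am = demo()
    print(f"mode={mode}  stat(): hidden={sh} missing={sm}  "
          f"access(F_OK): hidden={ah} missing={am}")
```

In the emulated setuid case stat() answers OK for the existing file and ENOENT for the missing one, which is exactly the oracle from the report, while access(F_OK) answers False for both, so the error pkexec prints no longer depends on whether the target exists. Run as a plain user both probes fail with EACCES, because without setuid there is no privilege to leak.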
|
|
It's a little too verbose to do this. See
http://lists.freedesktop.org/archives/polkit-devel/2009-December/000283.html
for the rationale.
|
|
|
|
Signed-off-by: David Zeuthen <davidz@redhat.com>
|
|
Dec 15 13:48:05 localhost pkexec[29065]: davidz: Executing command [USER=root] [TTY=/dev/pts/8] [CWD=/root] [COMMAND=/usr/bin/pk-example-frobnicate]
Dec 15 13:49:30 localhost pkexec[29080]: davidz: The value for the SHELL variable was not found the /etc/shells file [USER=root] [TTY=/dev/pts/5] [CWD=/home/davidz] [COMMAND=/bin/bash]
Dec 15 13:49:45 localhost pkexec[29082]: davidz: The value for environment variable LC_ALL contains suscipious content [USER=root] [TTY=/dev/pts/5] [CWD=/home/davidz] [COMMAND=/bin/bash]
Dec 15 13:50:03 localhost pkexec[29086]: davidz: Error executing command as another user: Not authorized [USER=root] [TTY=/dev/pts/5] [CWD=/home/davidz] [COMMAND=/bin/bash]
Signed-off-by: David Zeuthen <davidz@redhat.com>
|
|
Suggested here
http://lists.freedesktop.org/archives/polkit-devel/2009-December/000279.html
Signed-off-by: David Zeuthen <davidz@redhat.com>
|
|
Signed-off-by: David Zeuthen <davidz@redhat.com>
|
|
Pointed out by Kay Sievers - thanks!
Signed-off-by: David Zeuthen <davidz@redhat.com>
|
|
Signed-off-by: David Zeuthen <davidz@redhat.com>
|
|
For now we log the following events
1. Daemon startup -> /var/log/messages
--------------------------------------
Dec 11 15:12:56 localhost polkitd[3035]: started daemon version 0.95 using authority implementation `local' version `0.95'
2. Authentication agent -> /var/log/secure
------------------------------------------
Dec 11 15:14:00 localhost polkitd(authority=local): Registered Authentication Agent for session /org/freedesktop/ConsoleKit/Session1 (system bus name :1.903 [./polkit-gnome-authentication-agent-1], object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Dec 11 15:16:18 localhost polkitd(authority=local): Unregistered Authentication Agent for session /org/freedesktop/ConsoleKit/Session1 (system bus name :1.903, object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
3. Authorization checks
-----------------------
Dec 11 15:17:57 localhost polkitd(authority=local): ALLOWING action org.freedesktop.policykit.example.pkexec.run-frobnicate for unix-process:2517:25785526 [bash] owned by unix-user:davidz (check requested by system-bus-name::1.905 [pkexec /usr/bin/pk-example-frobnicate])
Dec 11 15:18:10 localhost polkitd(authority=local): ALLOWING action org.freedesktop.udisks.filesystem-mount-system-internal for system-bus-name::1.902 [palimpsest] owned by unix-user:davidz (check requested by system-bus-name::1.380 [/usr/libexec/udisks-daemon])
4. Authorizations through authentication (both success and
failures) -> /var/log/secure
----------------------------------------------------------
Dec 11 15:19:01 localhost polkitd(authority=local): Operator of unix-session:/org/freedesktop/ConsoleKit/Session1 successfully authenticated as unix-user:davidz to gain TEMPORARY authorization for action org.freedesktop.policykit.example.pkexec.run-frobnicate for unix-process:2517:25785526 [bash] (owned by unix-user:davidz)
Dec 11 15:19:01 localhost polkitd(authority=local): ALLOWING action org.freedesktop.policykit.example.pkexec.run-frobnicate for unix-process:2517:25785526 [bash] owned by unix-user:davidz (check requested by system-bus-name::1.906 [pkexec /usr/bin/pk-example-frobnicate])
Dec 11 15:19:10 localhost polkitd(authority=local): Operator of unix-session:/org/freedesktop/ConsoleKit/Session1 successfully authenticated as unix-user:davidz to gain ONE-SHOT authorization for action org.freedesktop.policykit.exec for unix-process:2517:25785526 [bash] (owned by unix-user:davidz)
Dec 11 15:19:10 localhost polkitd(authority=local): ALLOWING action org.freedesktop.policykit.exec for unix-process:2517:25785526 [bash] owned by unix-user:davidz (check requested by system-bus-name::1.908 [pkexec bash])
Dec 11 15:19:10 localhost pkexec: pam_unix(polkit-1:session): session opened for user root by davidz(uid=500)
Dec 11 15:19:22 localhost polkitd(authority=local): Operator of unix-session:/org/freedesktop/ConsoleKit/Session1 FAILED to authenticate to gain authorization for action org.freedesktop.policykit.exec for unix-process:2517:25785526 [bash] (owned by unix-user:davidz)
Dec 11 15:19:22 localhost polkitd(authority=local): DENYING action org.freedesktop.policykit.exec for unix-process:2517:25785526 [bash] owned by unix-user:davidz (check requested by system-bus-name::1.910 [pkexec bash])
Dec 11 15:20:06 localhost polkitd(authority=local): Operator of unix-session:/org/freedesktop/ConsoleKit/Session1 successfully authenticated as unix-user:bateman to gain ONE-SHOT authorization for action org.freedesktop.policykit.exec for unix-process:2517:25785526 [bash] (owned by unix-user:davidz)
Dec 11 15:20:06 localhost polkitd(authority=local): ALLOWING action org.freedesktop.policykit.exec for unix-process:2517:25785526 [bash] owned by unix-user:davidz (check requested by system-bus-name::1.913 [pkexec bash])
Signed-off-by: David Zeuthen <davidz@redhat.com>
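A small detector over the authorization and authentication lines listed in this commit message, as an added example that is not part of polkit: it parses the polkitd(authority=local) lines into events and flags failed authentications, DENYING verdicts, and authentications where the identity that authenticated differs from the owner of the subject process (the unix-user:bateman line above). The regular expressions follow the exact message formats quoted in the commit message; the sample lines are copied from it, the pkexec/pam_unix line included to show it is skipped. The repeated-failure rule and its threshold of three are an assumption added here for illustration.

```python
import re
from collections import Counter

# Header shared by every polkitd audit line quoted in the commit message.
HDR_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"polkitd\(authority=(?P<authority>[^)]+)\): (?P<msg>.*)$")

# "Operator of <session> successfully authenticated as <user> to gain <kind>
#  authorization for action <action> for <subject> [<comm>] (owned by <owner>)"
# or "Operator of <session> FAILED to authenticate to gain authorization for ...".
AUTH_RE = re.compile(
    r"^Operator of (?P<session>\S+) "
    r"(?:successfully authenticated as (?P<auth_user>\S+) to gain (?P<kind>\S+) authorization"
    r"|FAILED to authenticate to gain authorization) "
    r"for action (?P<action>\S+) for (?P<subject>\S+) \[(?P<comm>[^\]]*)\] "
    r"\(owned by (?P<owner>[^)]+)\)$")

# "ALLOWING|DENYING action <action> for <subject> [<comm>] owned by <owner>
#  (check requested by <requester> [<req_comm>])"
CHECK_RE = re.compile(
    r"^(?P<verdict>ALLOWING|DENYING) action (?P<action>\S+) for (?P<subject>\S+) "
    r"\[(?P<comm>[^\]]*)\] owned by (?P<owner>\S+) "
    r"\(check requested by (?P<requester>\S+) \[(?P<req_comm>[^\]]*)\]\)$")


def parse_event(line):
    """Return a dict for a polkitd audit line, or None for anything else
    (the pkexec/pam_unix session line is written by pkexec, not polkitd)."""
    h = HDR_RE.match(line)
    if h is None:
        return None
    ev = {"ts": h["ts"], "host": h["host"], "authority": h["authority"]}
    m = AUTH_RE.match(h["msg"])
    if m:
        ev.update(m.groupdict())
        ev["type"] = "auth"
        ev["ok"] = m["auth_user"] is not None
        return ev
    m = CHECK_RE.match(h["msg"])
    if m:
        ev.update(m.groupdict())
        ev["type"] = "check"
        return ev
    ev.update(type="other", msg=h["msg"])   # agent (un)registration etc.
    return ev


def analyze(lines, failure_threshold=3):
    """Run the detection rules over log lines; return (ts, rule, detail) tuples."""
    findings = []
    failures = Counter()
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        if ev["type"] == "auth":
            if not ev["ok"]:
                key = (ev["session"], ev["action"])
                failures[key] += 1
                findings.append((ev["ts"], "auth_failure",
                                 f"{ev['session']} failed to authenticate for {ev['action']}"))
                if failures[key] == failure_threshold:   # assumed threshold rule
                    findings.append((ev["ts"], "repeated_failures",
                                     f"{failure_threshold} failures for {ev['action']} "
                                     f"from {ev['session']}"))
            elif ev["auth_user"] != ev["owner"]:
                # Someone other than the process owner (e.g. an admin) authenticated.
                findings.append((ev["ts"], "cross_user_auth",
                                 f"{ev['auth_user']} granted {ev['kind']} {ev['action']} "
                                 f"to {ev['subject']} owned by {ev['owner']}"))
        elif ev["type"] == "check" and ev["verdict"] == "DENYING":
            findings.append((ev["ts"], "denied",
                             f"{ev['action']} for {ev['subject']} owned by {ev['owner']} "
                             f"(requested by {ev['req_comm']})"))
    return findings


# The lines from the commit message above, in order (the pkexec line is index 6).
SAMPLE_LINES = [
    "Dec 11 15:17:57 localhost polkitd(authority=local): ALLOWING action org.freedesktop.policykit.example.pkexec.run-frobnicate for unix-process:2517:25785526 [bash] owned by unix-user:davidz (check requested by system-bus-name::1.905 [pkexec /usr/bin/pk-example-frobnicate])",
    "Dec 11 15:18:10 localhost polkitd(authority=local): ALLOWING action org.freedesktop.udisks.filesystem-mount-system-internal for system-bus-name::1.902 [palimpsest] owned by unix-user:davidz (check requested by system-bus-name::1.380 [/usr/libexec/udisks-daemon])",
    "Dec 11 15:19:01 localhost polkitd(authority=local): Operator of unix-session:/org/freedesktop/ConsoleKit/Session1 successfully authenticated as unix-user:davidz to gain TEMPORARY authorization for action org.freedesktop.policykit.example.pkexec.run-frobnicate for unix-process:2517:25785526 [bash] (owned by unix-user:davidz)",
    "Dec 11 15:19:01 localhost polkitd(authority=local): ALLOWING action org.freedesktop.policykit.example.pkexec.run-frobnicate for unix-process:2517:25785526 [bash] owned by unix-user:davidz (check requested by system-bus-name::1.906 [pkexec /usr/bin/pk-example-frobnicate])",
    "Dec 11 15:19:10 localhost polkitd(authority=local): Operator of unix-session:/org/freedesktop/ConsoleKit/Session1 successfully authenticated as unix-user:davidz to gain ONE-SHOT authorization for action org.freedesktop.policykit.exec for unix-process:2517:25785526 [bash] (owned by unix-user:davidz)",
    "Dec 11 15:19:10 localhost polkitd(authority=local): ALLOWING action org.freedesktop.policykit.exec for unix-process:2517:25785526 [bash] owned by unix-user:davidz (check requested by system-bus-name::1.908 [pkexec bash])",
    "Dec 11 15:19:10 localhost pkexec: pam_unix(polkit-1:session): session opened for user root by davidz(uid=500)",
    "Dec 11 15:19:22 localhost polkitd(authority=local): Operator of unix-session:/org/freedesktop/ConsoleKit/Session1 FAILED to authenticate to gain authorization for action org.freedesktop.policykit.exec for unix-process:2517:25785526 [bash] (owned by unix-user:davidz)",
    "Dec 11 15:19:22 localhost polkitd(authority=local): DENYING action org.freedesktop.policykit.exec for unix-process:2517:25785526 [bash] owned by unix-user:davidz (check requested by system-bus-name::1.910 [pkexec bash])",
    "Dec 11 15:20:06 localhost polkitd(authority=local): Operator of unix-session:/org/freedesktop/ConsoleKit/Session1 successfully authenticated as unix-user:bateman to gain ONE-SHOT authorization for action org.freedesktop.policykit.exec for unix-process:2517:25785526 [bash] (owned by unix-user:davidz)",
    "Dec 11 15:20:06 localhost polkitd(authority=local): ALLOWING action org.freedesktop.policykit.exec for unix-process:2517:25785526 [bash] owned by unix-user:davidz (check requested by system-bus-name::1.913 [pkexec bash])",
]

if __name__ == "__main__":
    for ts, rule, detail in analyze(SAMPLE_LINES):
        print(ts, rule, detail)
```

On the quoted lines this yields three findings: the failed authentication at 15:19:22, the DENYING verdict that follows it, and the 15:20:06 authentication where unix-user:bateman authorized org.freedesktop.policykit.exec for a process owned by unix-user:davidz. The last case is worth a rule of its own because an authentication by a different account is exactly how an administrator grants a one-shot root shell from another user's session.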
|
|
Signed-off-by: David Zeuthen <davidz@redhat.com>
|
|
This was pointed out in
http://lists.freedesktop.org/archives/polkit-devel/2009-December/000276.html
We already run the authentication and acct_mgmt parts in the
authentication agent.
Signed-off-by: David Zeuthen <davidz@redhat.com>
|
|
Signed-off-by: David Zeuthen <davidz@redhat.com>
|
|
Turns out some people would rather edit local files in /etc than ship
them in a package (as e.g. Fedora does with the polkit-desktop-policy
RPM).
This also drops the hard-coded list of directory names such as
10-vendor.d, 20-org.d - we now monitor the
/var/lib/polkit-1/localauthority and /etc/polkit-1/localauthority
directories for changes - whenever we see a subdirectory in any of
these directories, we create an AuthorizationStore object that looks
for .pkla files.
Signed-off-by: David Zeuthen <davidz@redhat.com>
|
|
|
|
|
|
Also rename the action from org.freedesktop.policykit.localauthority.lockdown
to org.freedesktop.policykit.lockdown since any authority implementation
can now implement this.
This changes only ABI/API used by e.g. polkit-gnome. This is fine
since we're not at 1.0 yet.
|
|
Now to implement this in the interactive authority...
|
|
Signed-off-by: David Zeuthen <davidz@redhat.com>
|
|
polkit-agent-helper calls pam_end on pam_h without setting pam_h to
NULL. This causes the error handler to call pam_end on the stale
handler if the send_dbus_message procedure fails, which in turn
generates a SIGSEGV.
Signed-off-by: David Zeuthen <davidz@redhat.com>
|
|
http://bugs.freedesktop.org/show_bug.cgi?id=24566
Signed-off-by: David Zeuthen <davidz@redhat.com>
|
|
PATH_MAX, which hurd-i386 doesn't define since it doesn't have such
arbitrary limitation. The attached patch fixes it by just using
glibc's get_current_dir_name() extension when available.
Signed-off-by: Michael Biebl <mbiebl@gmail.com>
Signed-off-by: David Zeuthen <davidz@redhat.com>
|
|
See https://bugzilla.redhat.com/show_bug.cgi?id=526053 for more details.
|
|
Also bump requirement on EggDBus to 0.6 (to be released later) for a
bug-fix with flag properties.
|
|
When using polkit_unix_process_new_full() the start-time
wasn't being set from the process' PID if it wasn't
passed to the function.
Signed-off-by: David Zeuthen <davidz@redhat.com>
|
|
Also handle 64-bit jiffies (rather than 63-bit) for maximum
correctness.
|
|
Without this, builds with --enable-introspection fail in the Fedora
buildsystem.
|
|
|
|
Polkit-1.0.gir is a generated file and only built with
--enable-introspection. So remove it from EXTRA_DIST, otherwise
"make dist" fails with --disable-introspection.
Signed-off-by: David Zeuthen <davidz@redhat.com>
|
|
Add --enable-examples configure switch which allows to disable the
compilation and installation of the examples.
Default is off.
|
|
libpolkit{agent,backend} use private symbols from libpolkit-gobject.
As we no longer export them, the build fails.
Move those symbols into a separate noinst lib libpolkit-private, which
those three libs can link against.
Signed-off-by: David Zeuthen <davidz@redhat.com>
|
|
Use _polkit_agent_marshal prefix with glib-genmarshal to hide the
(autogenerated) symbols. Update the code accordingly.
Signed-off-by: David Zeuthen <davidz@redhat.com>
|
|
Add -export-symbols-regex '(^polkit_.*) to LDFLAGS for libpolkit*
Signed-off-by: David Zeuthen <davidz@redhat.com>
|
|
|
|
For now, convert SystemBusName to UnixProcess when storing/checking
temporary authorizations. See
http://git.gnome.org/cgit/PolicyKit-gnome/commit/?id=ad5fe38a1f7a7a670c3d8e9384b9cd0d037c9222
for a test-case for this.
|
|
|
|
|
|
This includes changing from POSIX types (uid_t, gid_t, pid_t) to
gint. Won't affect much since the size is the same. And we want this
anyway since it is needed to build the library on non-POSIX platforms.
|
|
This makes it easier to write the desktop component showing a
notification icon - said component now only needs to watch ::changed
and reenumerate temporary authorizations. If this is done, then the
notification icon is updated in near-realtime.
Also emit ::changed on ConsoleKit changes. This helps remind
Mechanisms that they should redo an authorization check (if this is
how the Mechanism decides to cache authorizations).
|
|
|
|
|
|
There are a few issues with building polkit-0.93 on FreeBSD:
* No clearenv() function on FreeBSD
* While FreeBSD has a /proc, it is deprecated, and kinfo_proc should
be used instead.
* FreeBSD's printf() functions do not support the %m notation. This
is only supported for syslog().
* You can't call GINT_TO_POINTER() on a 64-bit value, as this will
break on 64-bit OSes.
The attached patch fixes these problems. First, a check for
clearenv() is added to configure. Second, I moved the check for
process uid to polkit/polkitunixprocess.c. This may not be ideal, but
it seems to fit, and reduces code duplication. Third, I replaced all
%m with %s ... g_strerror (errno). Finally, I replaced
GINT_TO_POINTER() with GSIZE_TO_POINTER.
Signed-off-by: David Zeuthen <davidz@redhat.com>
|
|
|