Group :: Sistema/Bibliotecas
RPM: polkit
Main Changelog Spec Patches Sources Download Gear Bugs e FR Repocop
Patch: polkit-0.120-alt1.qa2.patch
Download
Download
.gear/rules | 3 +
.gear/tags/list | 1 +
configure.ac | 2 +-
data/Makefile.am | 2 +-
polkit-0.109-alt-helper_path.patch | 26 ++
polkit.spec | 389 +++++++++++++++++++++
src/polkit/polkitsystembusname.c | 38 +-
src/polkitagent/Makefile.am | 2 +-
src/polkitbackend/Makefile.am | 2 +-
src/polkitbackend/polkitbackendactionpool.c | 6 +-
.../polkitbackendinteractiveauthority.c | 85 ++++-
src/polkitbackend/polkitbackendjsauthority.cpp | 9 +-
src/programs/pkcheck.c | 5 +
src/programs/pkexec.c | 23 +-
14 files changed, 563 insertions(+), 30 deletions(-)
diff --git a/.gear/rules b/.gear/rules
new file mode 100644
index 0000000..5bc2624
--- /dev/null
+++ b/.gear/rules
@@ -0,0 +1,3 @@
+tar: @version@:.
+diff: @version@:. .
+copy: *.patch
diff --git a/.gear/tags/list b/.gear/tags/list
new file mode 100644
index 0000000..ba353c8
--- /dev/null
+++ b/.gear/tags/list
@@ -0,0 +1 @@
+92b910ce2273daf6a76038f6bd764fa6958d4e8e 0.120
diff --git a/configure.ac b/configure.ac
index e434ca2..01dd1c1 100644
--- a/configure.ac
+++ b/configure.ac
@@ -76,7 +76,7 @@ CC_CHECK_FLAGS_APPEND([WARN_CFLAGS], [CFLAGS], [\
])
AC_SUBST(WARN_CFLAGS)
-PKG_CHECK_MODULES(GLIB, [gmodule-2.0 gio-unix-2.0 >= 2.30.0])
+PKG_CHECK_MODULES(GLIB, [gmodule-2.0 gio-unix-2.0 >= 2.38.0])
AC_SUBST(GLIB_CFLAGS)
AC_SUBST(GLIB_LIBS)
diff --git a/data/Makefile.am b/data/Makefile.am
index 6b045be..807b9dc 100644
--- a/data/Makefile.am
+++ b/data/Makefile.am
@@ -2,7 +2,7 @@
NULL =
-libprivdir = $(prefix)/lib/polkit-1
+libprivdir = $(libexecdir)/polkit-1
# ----------------------------------------------------------------------------------------------------
diff --git a/polkit-0.109-alt-helper_path.patch b/polkit-0.109-alt-helper_path.patch
new file mode 100644
index 0000000..a51beb1
--- /dev/null
+++ b/polkit-0.109-alt-helper_path.patch
@@ -0,0 +1,26 @@
+From a38187e2bb2cdbe40eefac09b90793f3dac247be Mon Sep 17 00:00:00 2001
+From: Gleb Fotengauer-Malinovskiy <glebfm@altlinux.org>
+Date: Tue, 25 Dec 2012 18:46:07 +0400
+Subject: [PATCH] Partially revert commit
+ 6fbcc6cd839680fcefd81c4a43676e7c031c9859.
+
+In altlinux we still place helper in /usr/libexec/polkit-1
+---
+ src/polkitagent/polkitagentsession.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/polkitagent/polkitagentsession.c b/src/polkitagent/polkitagentsession.c
+index 1c7a2dc..97c0c32 100644
+--- a/src/polkitagent/polkitagentsession.c
++++ b/src/polkitagent/polkitagentsession.c
+@@ -620,7 +620,7 @@ polkit_agent_session_initiate (PolkitAgentSession *session)
+ goto error;
+ }
+
+- helper_argv[0] = PACKAGE_PREFIX "/lib/polkit-1/polkit-agent-helper-1";
++ helper_argv[0] = PACKAGE_LIBEXEC_DIR "/polkit-1/polkit-agent-helper-1";
+ helper_argv[1] = passwd->pw_name;
+ helper_argv[2] = session->cookie;
+ helper_argv[3] = NULL;
+--
+1.7.12.4
diff --git a/polkit.spec b/polkit.spec
new file mode 100644
index 0000000..eac2dc9
--- /dev/null
+++ b/polkit.spec
@@ -0,0 +1,389 @@
+# system bus required
+%def_enable check
+
+Name: polkit
+Version: 0.120
+Release: alt1.qa2
+
+Summary: PolicyKit Authorization Framework
+License: LGPLv2+
+Group: System/Libraries
+URL: http://www.freedesktop.org/wiki/Software/PolicyKit
+Packager: Valery Inozemtsev <shrek@altlinux.ru>
+
+Requires: lib%name = %version-%release
+Requires(pre): dbus
+
+Source: %name-%version.tar
+Patch: %name-%version-%release.patch
+Patch1: %name-0.109-alt-helper_path.patch
+
+BuildRequires: gcc-c++ gobject-introspection-devel gtk-doc libexpat-devel libpam-devel
+BuildRequires: libmozjs78-devel pkgconfig(systemd)
+%{?_enable_check:BuildRequires: /proc dbus-tools-gui python3-module-dbusmock}
+
+%description
+PolicyKit is a toolkit for defining and handling authorizations.
+It is used for allowing unprivileged processes to speak to privileged
+processes.
+
+%package -n lib%name
+Summary: PolicyKit libraries
+Group: System/Libraries
+Provides: lib%{name}1 = %version-%release
+Obsoletes: lib%{name}1 < %version
+
+%description -n lib%name
+Libraries for interacting with PolicyKit
+
+%package -n lib%name-devel
+Summary: Development libraries and headers for PolicyKit
+Group: Development/C
+Requires: lib%name = %version-%release
+Provides: lib%{name}1-devel = %version-%release
+Obsoletes: lib%{name}1-devel < %version
+
+%description -n lib%name-devel
+Headers, libraries and API docs for PolicyKit
+
+%package -n lib%name-gir
+Summary: GObject introspection data for the Polkit-1.0 library
+Group: System/Libraries
+Requires: lib%name = %version-%release
+Provides: lib%{name}1-gir = %version-%release
+Obsoletes: lib%{name}1-gir < %version
+
+%description -n lib%name-gir
+GObject introspection data for the Polkit-1.0 library
+
+%package -n lib%name-gir-devel
+Summary: GObject introspection devel data for the Polkit-1.0 library
+Group: System/Libraries
+BuildArch: noarch
+Requires: lib%name-gir = %version-%release lib%name-devel = %version-%release
+Provides: lib%{name}1-gir-devel = %version-%release
+Obsoletes: lib%{name}1-gir-devel < %version
+
+%description -n lib%name-gir-devel
+GObject introspection devel data for the Polkit-1.0 library
+
+%prep
+%setup
+%patch -p1
+%patch1 -p1
+
+touch ChangeLog
+
+%build
+%ifarch %e2k
+%add_optflags -std=gnu++11
+%endif
+%autoreconf
+%configure \
+ --libexecdir=%_prefix/libexec \
+ --localstatedir=%_var \
+ --enable-gtk-doc \
+ --disable-static \
+ --enable-libsystemd-login=yes
+%make
+
+%install
+%makeinstall_std
+
+%find_lang %name-1
+
+%check
+%make check
+
+%pre
+%_sbindir/groupadd -r -f polkitd 2>/dev/null ||:
+%_sbindir/useradd -r -n -g polkitd -d / \
+ -s /dev/null -c "User for polkitd" polkitd 2>/dev/null ||:
+
+%files -f %name-1.lang
+%dir %_sysconfdir/%name-1
+%attr(0700,polkitd,root) %dir %_sysconfdir/%name-1/rules.d
+%_sysconfdir/%name-1/rules.d/50-default.rules
+%_datadir/dbus-1/system.d/org.freedesktop.PolicyKit1.conf
+%_sysconfdir/pam.d/polkit-1
+%_bindir/pk[act]*
+%attr(4511,root,root) %_bindir/pkexec
+%dir %_prefix/libexec/%name-1
+%_prefix/libexec/%name-1/polkitd
+%attr(4511,root,root) %_prefix/libexec/polkit-1/polkit-agent-helper-1
+%dir %_datadir/%name-1
+%dir %_datadir/%name-1/actions
+%attr(0700,polkitd,root) %dir %_datadir/%name-1/rules.d
+%_datadir/%name-1/actions/org.freedesktop.policykit.policy
+%_datadir/dbus-1/system-services/org.freedesktop.PolicyKit1.service
+%systemd_unitdir/polkit.service
+%_man1dir/*.1*
+%_man8dir/*.8*
+
+%files -n lib%name
+%_libdir/*.so.*
+
+%files -n lib%name-gir
+%_typelibdir/*.typelib
+
+%files -n lib%name-devel
+%_includedir/*
+%_libdir/*.so
+%_pkgconfigdir/*.pc
+%_datadir/gettext/its/%name.its
+%_datadir/gettext/its/%name.loc
+%_datadir/gtk-doc/html/%name-1/
+
+%files -n lib%name-gir-devel
+%_girdir/*.gir
+
+# examples
+%exclude %_bindir/pk-example-frobnicate
+%exclude %_datadir/polkit-1/actions/org.freedesktop.policykit.examples.pkexec.policy
+
+%changelog
+* Mon Feb 28 2022 Yuri N. Sedunov <aris@altlinux.org> 0.120-alt1.qa2
+- upplied upstream fix for CVE-2021-4115 (GHSL-2021-077)
+
+* Tue Jan 25 2022 Dmitry V. Levin <ldv@altlinux.org> 0.120-alt1.qa1
+- NMU (fixes: CVE-2021-4034).
+- Applied upstream fix for a trivially exploitable local root vulnerability,
+ see https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
+
+* Tue Oct 05 2021 Yuri N. Sedunov <aris@altlinux.org> 0.120-alt1
+- 0.120
+
+* Thu Sep 16 2021 Evgeny Sinelnikov <sin@altlinux.org> 0.119-alt2
+- Fix the ability to add user_of_subject to user_identities
+- Refactoring the addition_to_user_identities_user_of_subject function
+
+* Fri Jun 04 2021 Yuri N. Sedunov <aris@altlinux.org> 0.119-alt1
+- 0.119 (fixed CVE-2021-3560)
+
+* Mon Dec 07 2020 Ivan Savin <svn17@altlinux.org> 0.118-alt2
+- Add the ability to add user_of_subject to user_identities list
+ if user_of_subject is a member of the group with administrator
+ rights but it is not in /etc/groups (If a privileged group is
+ assigned through the NSS). (closes: 39420)
+
+* Fri Sep 11 2020 Yuri N. Sedunov <aris@altlinux.org> 0.118-alt1
+- 0.118 (ported to mozjs78)
+
+* Sun Aug 02 2020 Yuri N. Sedunov <aris@altlinux.org> 0.117-alt1
+- updated to 0.117-2-gb6110c4
+- enabled %%check
+
+* Wed Jun 17 2020 Yuri N. Sedunov <aris@altlinux.org> 0.116-alt3
+- updated to 0.116-20-g47890bf (ported to mozjs68)
+
+* Tue Dec 10 2019 Yuri N. Sedunov <aris@altlinux.org> 0.116-alt2
+- updated to 0.116-10-gb806f0c (fixed memory leaks)
+
+* Mon May 06 2019 Yuri N. Sedunov <aris@altlinux.org> 0.116-alt1
+- 0.116
+
+* Wed Jan 09 2019 Yuri N. Sedunov <aris@altlinux.org> 0.115-alt5
+- updated to 0.115-26-gc898fdf (fixed CVE-2018-19788)
+
+* Thu Dec 06 2018 Alexey Shabalin <shaba@altlinux.org> 0.115-alt4
+- updated to 0.115-23fd211e
+- Port the JS authority to mozjs-60
+- Move D-Bus policy file to /usr/share/dbus-1/system.d/
+- Drop deprecated use of g_type_class_add_private()
+- Allow negative uids/gids in PolkitUnixUser and Group objects (fixed CVE-2018-19788)
+
+* Tue Sep 18 2018 Yuri N. Sedunov <aris@altlinux.org> 0.115-alt3
+- updated to 0.115-11-g6e1f826
+
+* Wed Jul 18 2018 Yuri N. Sedunov <aris@altlinux.org> 0.115-alt2
+- sem@: use -std=gnu++11 on %%e2k
+
+* Tue Jul 10 2018 Yuri N. Sedunov <aris@altlinux.org> 0.115-alt1
+- 0.115 (fixed CVE-2018-1116)
+
+* Mon Apr 16 2018 Yuri N. Sedunov <aris@altlinux.org> 0.114-alt2
+- rebuilt with libmozjs52-52.7.3
+
+* Tue Apr 03 2018 Yuri N. Sedunov <aris@altlinux.org> 0.114-alt1
+- 0.114 (ported to mozjs52)
+
+* Sun Jul 09 2017 Yuri N. Sedunov <aris@altlinux.org> 0.113-alt3
+- updated to 0.113-32-g766a2ea (ported to mozjs24)
+
+* Wed Jul 27 2016 Yuri N. Sedunov <aris@altlinux.org> 0.113-alt2
+- updated to 0.113-24-g2cc5ed5
+
+* Thu Jul 02 2015 Yuri N. Sedunov <aris@altlinux.org> 0.113-alt1
+- 0.113
+
+* Tue Jun 09 2015 Yuri N. Sedunov <aris@altlinux.org> 0.112-alt4
+- updated to 264cc195e (fixed FDO bugs #90879, 90877, 76358, 90829(CVE-2015-3218))
+
+* Mon Apr 20 2015 Yuri N. Sedunov <aris@altlinux.org> 0.112-alt3
+- updated to 2291767a0 (fixed FDO #83093, 88288 (ALT #30843))
+
+* Thu Oct 02 2014 Yuri N. Sedunov <aris@altlinux.org> 0.112-alt2
+- updated to 3497a9c3 (fixed FDO #83093, 78905, 77167, 60847...)
+
+* Thu Sep 19 2013 Yuri N. Sedunov <aris@altlinux.org> 0.112-alt1
+- 0.112
+
+* Thu Jun 06 2013 Yuri N. Sedunov <aris@altlinux.org> 0.111-alt2
+- updated to f613c31 (includes a fix from FDO #65130)
+
+* Thu May 16 2013 Yuri N. Sedunov <aris@altlinux.org> 0.111-alt1
+- 0.111
+- build against libmozjs17
+
+* Wed Feb 27 2013 Yuri N. Sedunov <aris@altlinux.org> 0.110-alt1
+- 0.110 release
+
+* Mon Dec 24 2012 Yuri N. Sedunov <aris@altlinux.org> 0.109-alt1
+- pre 0.110 (d6acecdd)
+- removed upstreamed patches
+- fixed helper path (ALT #28272)
+
+* Wed Dec 19 2012 Yuri N. Sedunov <aris@altlinux.org> 0.108-alt3
+- added libmozjs to reqs
+
+* Wed Dec 12 2012 Yuri N. Sedunov <aris@altlinux.org> 0.108-alt2
+- attempt to open the correct libmozjs185 library, otherwise polkit
+ auth rules will not work unless js-devel is installed (fc patch)
+- create polkitd user/group in %%pre
+- fixed permissions for rules.d directories as recommended
+- packaged lost polkit.service
+
+* Wed Dec 12 2012 Valery Inozemtsev <shrek@altlinux.ru> 0.108-alt1
+- 0.108
+
+* Sun Sep 23 2012 Valery Inozemtsev <shrek@altlinux.ru> 0.107-alt1
+- 0.107
+
+* Sat May 12 2012 Valery Inozemtsev <shrek@altlinux.ru> 0.105-alt1
+- 0.105
+
+* Thu Jan 19 2012 Valery Inozemtsev <shrek@altlinux.ru> 0.104-alt1
+- 0.104
+
+* Fri Aug 19 2011 Valery Inozemtsev <shrek@altlinux.ru> 0.102-alt1
+- 0.102
+
+* Mon Apr 25 2011 Valery Inozemtsev <shrek@altlinux.ru> 0.101-alt2
+- update to master git.7c59052 (fixed CVE-2011-1485)
+
+* Tue Mar 08 2011 Valery Inozemtsev <shrek@altlinux.ru> 0.101-alt1
+- 0.101
+
+* Tue Feb 22 2011 Valery Inozemtsev <shrek@altlinux.ru> 0.100-alt1
+- 0.100
+
+* Tue Feb 08 2011 Valery Inozemtsev <shrek@altlinux.ru> 0.99-alt3
+- rebuild
+
+* Wed Oct 13 2010 Valery Inozemtsev <shrek@altlinux.ru> 0.99-alt2
+- updated build dependencies
+
+* Fri Oct 08 2010 Valery Inozemtsev <shrek@altlinux.ru> 0.99-alt1
+- 0.99
+
+* Thu Apr 01 2010 Valery Inozemtsev <shrek@altlinux.ru> 0.96-alt3
+- rebuild
+
+* Tue Mar 09 2010 Valery Inozemtsev <shrek@altlinux.ru> 0.96-alt2
+- rebuild
+
+* Sat Jan 16 2010 Valery Inozemtsev <shrek@altlinux.ru> 0.96-alt1
+- 0.96
+
+* Thu Nov 19 2009 Valery Inozemtsev <shrek@altlinux.ru> 0.95-alt1
+- 0.95
+
+* Wed Aug 12 2009 Valery Inozemtsev <shrek@altlinux.ru> 0.94-alt1
+- 0.94
+
+* Tue Aug 11 2009 Valery Inozemtsev <shrek@altlinux.ru> 0.93-alt1
+- 0.93
+
+* Wed May 27 2009 Valery Inozemtsev <shrek@altlinux.ru> 0.9-alt7
+- relocated devel files
+
+* Thu Feb 12 2009 Valery Inozemtsev <shrek@altlinux.ru> 0.9-alt6
+- fixed D-Bus policy (fd.o #18948)
+
+* Sat Nov 22 2008 Valery Inozemtsev <shrek@altlinux.ru> 0.9-alt5
+- removed obsolete %%post_ldconfig/%%postun_ldconfig calls
+
+* Fri Nov 21 2008 Valery Inozemtsev <shrek@altlinux.ru> 0.9-alt4
+- added suid for polkit-grant-helper-pam
+
+* Thu Nov 20 2008 Valery Inozemtsev <shrek@altlinux.ru> 0.9-alt3
+- /usr/libexec/PolicyKit/polkit-*: fixed permission
+
+* Sat Aug 02 2008 Valery Inozemtsev <shrek@altlinux.ru> 0.9-alt2
+- API fixed in CK 0.3
+
+* Fri Aug 01 2008 Valery Inozemtsev <shrek@altlinux.ru> 0.9-alt1
+- 0.9
+
+* Thu Apr 17 2008 Valery Inozemtsev <shrek@altlinux.ru> 0.8-alt1
+- 0.8
+- rename subpackage libPolicyKit to libpolkit
+
+* Fri Apr 04 2008 Valery Inozemtsev <shrek@altlinux.ru> 0.7-alt3
+- fixed CVE-2008-1658
+- drop polkit-bash-completion.sh (close #15232)
+
+* Tue Apr 01 2008 Valery Inozemtsev <shrek@altlinux.ru> 0.7-alt2
+- fixed read default policy on reiserfs/xfs
+
+* Fri Jan 25 2008 Valery Inozemtsev <shrek@altlinux.ru> 0.7-alt1
+- 0.7
+
+* Fri Oct 12 2007 Valery Inozemtsev <shrek@altlinux.ru> 0.6-alt1
+- 0.6
+
+* Sun Jul 29 2007 Valery Inozemtsev <shrek@altlinux.ru> 0.4-alt1
+- 0.4
+
+* Mon Jun 25 2007 Valery Inozemtsev <shrek@altlinux.ru> 0.3-alt1
+- 0.3
+
+* Mon Jun 11 2007 Igor Zubkov <icesik@altlinux.org> 0.2-alt7.git20060822
+- move gtk-doc documentation to devel subpackage (closes #12008)
+- buildreq
+
+* Tue Feb 20 2007 Igor Zubkov <icesik@altlinux.org> 0.2-alt6.git20060822
+- fix attr's for %%_var/run/polkit
+
+* Mon Dec 25 2006 Igor Zubkov <icesik@altlinux.org> 0.2-alt5.git20060822
+- rebuild with new dbus
+
+* Tue Nov 28 2006 Igor Zubkov <icesik@altlinux.org> 0.2-alt4.git20060822
+- small fix for thresh@ changes
+- s/%%make_build/make/ (fix build in hasher)
+- change polkit group to _polkit
+- change polkit user to _polkit
+
+* Mon Nov 27 2006 Pavlov Konstantin <thresh@altlinux.ru> 0.2-alt3.git20060822
+- Some spec cleanup.
+- Some buildrequires cleanup.
+- Some descriptions cleanup.
+- Fix docs packaging.
+- Altify user creation in %%pre.
+
+* Mon Nov 20 2006 Igor Zubkov <icesik@altlinux.org> 0.2-alt2.git20060822
+- disable -Werror
+
+* Mon Nov 20 2006 Igor Zubkov <icesik@altlinux.org> 0.2-alt1.git20060822
+- rename spec from policykit.spec to PolicyKit.spec
+- s/%%make/%%make_build/
+- add HACKING to docs
+- remove INSTALL from docs
+- correct License from GPL to AFL/GPL
+- add Packager tag
+- add pam module subpackage
+- build with -Werror by default
+- add PolicyKit-devel-static subpackage
+
+* Tue Nov 14 2006 Alexey Shabalin <shaba@altlinux.ru> 0.2_git20060822-alt0.1
+- initial build
diff --git a/src/polkit/polkitsystembusname.c b/src/polkit/polkitsystembusname.c
index 8ed1363..2fbf5f1 100644
--- a/src/polkit/polkitsystembusname.c
+++ b/src/polkit/polkitsystembusname.c
@@ -62,6 +62,10 @@ enum
PROP_NAME,
};
+
+guint8 dbus_call_respond_fails; // has to be global because of callback
+
+
static void subject_iface_init (PolkitSubjectIface *subject_iface);
G_DEFINE_TYPE_WITH_CODE (PolkitSystemBusName, polkit_system_bus_name, G_TYPE_OBJECT,
@@ -364,6 +368,7 @@ on_retrieved_unix_uid_pid (GObject *src,
if (!v)
{
data->caught_error = TRUE;
+ dbus_call_respond_fails += 1;
}
else
{
@@ -405,6 +410,8 @@ polkit_system_bus_name_get_creds_sync (PolkitSystemBusName *system_bus
tmp_context = g_main_context_new ();
g_main_context_push_thread_default (tmp_context);
+ dbus_call_respond_fails = 0;
+
/* Do two async calls as it's basically as fast as one sync call.
*/
g_dbus_connection_call (connection,
@@ -432,11 +439,34 @@ polkit_system_bus_name_get_creds_sync (PolkitSystemBusName *system_bus
on_retrieved_unix_uid_pid,
&data);
- while (!((data.retrieved_uid && data.retrieved_pid) || data.caught_error))
- g_main_context_iteration (tmp_context, TRUE);
+ while (TRUE)
+ {
+ /* If one dbus call returns error, we must wait until the other call
+ * calls _call_finish(), otherwise fd leak is possible.
+ * Resolves: GHSL-2021-077
+ */
- if (data.caught_error)
- goto out;
+ if ( (dbus_call_respond_fails > 1) )
+ {
+ // we got two faults, we can leave
+ goto out;
+ }
+
+ if ((data.caught_error && (data.retrieved_pid || data.retrieved_uid)))
+ {
+ // we got one fault and the other call finally finished, we can leave
+ goto out;
+ }
+
+ if ( !(data.retrieved_uid && data.retrieved_pid) )
+ {
+ g_main_context_iteration (tmp_context, TRUE);
+ }
+ else
+ {
+ break;
+ }
+ }
if (out_uid)
*out_uid = data.uid;
diff --git a/src/polkitagent/Makefile.am b/src/polkitagent/Makefile.am
index c98f29d..b26e00f 100644
--- a/src/polkitagent/Makefile.am
+++ b/src/polkitagent/Makefile.am
@@ -79,7 +79,7 @@ libpolkit_agent_1_la_LIBADD = \
libpolkit_agent_1_la_LDFLAGS = -export-symbols-regex '(^polkit_.*)'
-libprivdir = $(prefix)/lib/polkit-1
+libprivdir = $(libexecdir)/polkit-1
libpriv_PROGRAMS = polkit-agent-helper-1
polkit_agent_helper_1_SOURCES = \
diff --git a/src/polkitbackend/Makefile.am b/src/polkitbackend/Makefile.am
index 7e3c080..907a77a 100644
--- a/src/polkitbackend/Makefile.am
+++ b/src/polkitbackend/Makefile.am
@@ -69,7 +69,7 @@ rules_DATA = 50-default.rules
# ----------------------------------------------------------------------------------------------------
-libprivdir = $(prefix)/lib/polkit-1
+libprivdir = $(libexecdir)/polkit-1
libpriv_PROGRAMS = polkitd
polkitd_SOURCES = \
diff --git a/src/polkitbackend/polkitbackendactionpool.c b/src/polkitbackend/polkitbackendactionpool.c
index 3894fe9..e0de72a 100644
--- a/src/polkitbackend/polkitbackendactionpool.c
+++ b/src/polkitbackend/polkitbackendactionpool.c
@@ -111,7 +111,7 @@ enum
PROP_DIRECTORY,
};
-#define POLKIT_BACKEND_ACTION_POOL_GET_PRIVATE(o) (G_TYPE_INSTANCE_GET_PRIVATE ((o), POLKIT_BACKEND_TYPE_ACTION_POOL, PolkitBackendActionPoolPrivate))
+#define POLKIT_BACKEND_ACTION_POOL_GET_PRIVATE(o) polkit_backend_action_pool_get_instance_private ((PolkitBackendActionPool *) (o))
enum
{
@@ -121,7 +121,7 @@ enum
static guint signals[LAST_SIGNAL] = {0};
-G_DEFINE_TYPE (PolkitBackendActionPool, polkit_backend_action_pool, G_TYPE_OBJECT);
+G_DEFINE_TYPE_WITH_PRIVATE (PolkitBackendActionPool, polkit_backend_action_pool, G_TYPE_OBJECT)
static void
polkit_backend_action_pool_init (PolkitBackendActionPool *pool)
@@ -289,8 +289,6 @@ polkit_backend_action_pool_class_init (PolkitBackendActionPoolClass *klass)
gobject_class->set_property = polkit_backend_action_pool_set_property;
gobject_class->finalize = polkit_backend_action_pool_finalize;
- g_type_class_add_private (klass, sizeof (PolkitBackendActionPoolPrivate));
-
/**
* PolkitBackendActionPool:directory:
*
diff --git a/src/polkitbackend/polkitbackendinteractiveauthority.c b/src/polkitbackend/polkitbackendinteractiveauthority.c
index 056d9a8..8be3bf2 100644
--- a/src/polkitbackend/polkitbackendinteractiveauthority.c
+++ b/src/polkitbackend/polkitbackendinteractiveauthority.c
@@ -225,11 +225,11 @@ typedef struct
/* ---------------------------------------------------------------------------------------------------- */
-G_DEFINE_TYPE (PolkitBackendInteractiveAuthority,
- polkit_backend_interactive_authority,
- POLKIT_BACKEND_TYPE_AUTHORITY);
+G_DEFINE_TYPE_WITH_PRIVATE (PolkitBackendInteractiveAuthority,
+ polkit_backend_interactive_authority,
+ POLKIT_BACKEND_TYPE_AUTHORITY)
-#define POLKIT_BACKEND_INTERACTIVE_AUTHORITY_GET_PRIVATE(o) (G_TYPE_INSTANCE_GET_PRIVATE ((o), POLKIT_BACKEND_TYPE_INTERACTIVE_AUTHORITY, PolkitBackendInteractiveAuthorityPrivate))
+#define POLKIT_BACKEND_INTERACTIVE_AUTHORITY_GET_PRIVATE(o) polkit_backend_interactive_authority_get_instance_private((PolkitBackendInteractiveAuthority *) (o))
static gboolean
identity_is_root_user (PolkitIdentity *user)
@@ -413,10 +413,6 @@ polkit_backend_interactive_authority_class_init (PolkitBackendInteractiveAuthori
authority_class->enumerate_temporary_authorizations = polkit_backend_interactive_authority_enumerate_temporary_authorizations;
authority_class->revoke_temporary_authorizations = polkit_backend_interactive_authority_revoke_temporary_authorizations;
authority_class->revoke_temporary_authorization_by_id = polkit_backend_interactive_authority_revoke_temporary_authorization_by_id;
-
-
-
- g_type_class_add_private (klass, sizeof (PolkitBackendInteractiveAuthorityPrivate));
}
/* ---------------------------------------------------------------------------------------------------- */
@@ -2285,6 +2281,74 @@ get_users_in_net_group (PolkitIdentity *group,
return ret;
}
+/*If the user is a member of the group with administrator rights
+ *but he is not in /etc/groups, then add him to the list.
+ */
+static GList*
+addition_to_user_identities_user_of_subject (PolkitIdentity *user_of_subject,
+ GList *user_identities,
+ GList *unix_groups)
+{
+ GList *l;
+
+ for (l = user_identities; l != NULL; l = l->next)
+ {
+ PolkitIdentity *identity = POLKIT_IDENTITY (l->data);
+
+ if (polkit_identity_equal(user_of_subject, identity))
+ {
+ /* user_of_subject is already in the list */
+ return user_identities;
+ }
+ }
+
+ /* Check if the user_of_subject is a member of groups with the required privileges. */
+ if (unix_groups == NULL)
+ {
+ return user_identities;
+ }
+
+ uid_t uid = polkit_unix_user_get_uid (POLKIT_UNIX_USER (user_of_subject));
+ struct passwd *passwd = getpwuid (uid);
+
+ if (passwd == NULL)
+ {
+ return user_identities;
+ }
+
+ gid_t gids[512];
+ int num_gids = 512;
+
+ if (getgrouplist (passwd->pw_name,
+ passwd->pw_gid,
+ gids,
+ &num_gids) >= 0)
+ {
+ gint n;
+ for (n = 0; n < num_gids; n++)
+ {
+
+ for (l = unix_groups; l != NULL; l = l->next)
+ {
+ PolkitIdentity *identity = POLKIT_IDENTITY (l->data);
+
+ if (POLKIT_IS_UNIX_GROUP (identity))
+ {
+ gid_t gid = polkit_unix_group_get_gid (POLKIT_UNIX_GROUP (identity));
+
+ if (gid == gids[n])
+ {
+ /* Add user_of_subject to the list */
+ return g_list_append (user_identities, g_object_ref (user_of_subject));
+ }
+ }
+ }
+ }
+ }
+
+ return user_identities;
+}
+
/* ---------------------------------------------------------------------------------------------------- */
static void
@@ -2310,6 +2374,7 @@ authentication_agent_initiate_challenge (AuthenticationAgent *agent,
GList *user_identities = NULL;
GVariantBuilder identities_builder;
GVariant *parameters;
+ GList * unix_groups = NULL;
get_localized_data_for_challenge (authority,
caller,
@@ -2367,6 +2432,7 @@ authentication_agent_initiate_challenge (AuthenticationAgent *agent,
}
else if (POLKIT_IS_UNIX_GROUP (identity))
{
+ unix_groups = g_list_append (unix_groups, g_object_ref (identity));
user_identities = g_list_concat (user_identities, get_users_in_group (identity, FALSE));
}
else if (POLKIT_IS_UNIX_NETGROUP (identity))
@@ -2379,6 +2445,9 @@ authentication_agent_initiate_challenge (AuthenticationAgent *agent,
}
}
+ user_identities = addition_to_user_identities_user_of_subject (user_of_subject, user_identities, unix_groups);
+ g_list_free_full (unix_groups, g_object_unref);
+
/* Fall back to uid 0 if no users are available (rhbz #834494) */
if (user_identities == NULL)
user_identities = g_list_prepend (NULL, polkit_unix_user_new (0));
diff --git a/src/polkitbackend/polkitbackendjsauthority.cpp b/src/polkitbackend/polkitbackendjsauthority.cpp
index ca17108..d8d9d42 100644
--- a/src/polkitbackend/polkitbackendjsauthority.cpp
+++ b/src/polkitbackend/polkitbackendjsauthority.cpp
@@ -151,7 +151,7 @@ static PolkitImplicitAuthorization polkit_backend_js_authority_check_authorizati
PolkitDetails *details,
PolkitImplicitAuthorization implicit);
-G_DEFINE_TYPE (PolkitBackendJsAuthority, polkit_backend_js_authority, POLKIT_BACKEND_TYPE_INTERACTIVE_AUTHORITY);
+G_DEFINE_TYPE_WITH_PRIVATE (PolkitBackendJsAuthority, polkit_backend_js_authority, POLKIT_BACKEND_TYPE_INTERACTIVE_AUTHORITY)
/* ---------------------------------------------------------------------------------------------------- */
@@ -224,9 +224,7 @@ static void report_error (JSContext *cx,
static void
polkit_backend_js_authority_init (PolkitBackendJsAuthority *authority)
{
- authority->priv = G_TYPE_INSTANCE_GET_PRIVATE (authority,
- POLKIT_BACKEND_TYPE_JS_AUTHORITY,
- PolkitBackendJsAuthorityPrivate);
+ authority->priv = static_cast<PolkitBackendJsAuthorityPrivate*> (polkit_backend_js_authority_get_instance_private (authority));
}
static gint
@@ -663,9 +661,6 @@ polkit_backend_js_authority_class_init (PolkitBackendJsAuthorityClass *klass)
G_TYPE_STRV,
GParamFlags(G_PARAM_CONSTRUCT_ONLY | G_PARAM_WRITABLE)));
-
- g_type_class_add_private (klass, sizeof (PolkitBackendJsAuthorityPrivate));
-
JS_Init ();
}
diff --git a/src/programs/pkcheck.c b/src/programs/pkcheck.c
index f1bb4e1..768525c 100644
--- a/src/programs/pkcheck.c
+++ b/src/programs/pkcheck.c
@@ -363,6 +363,11 @@ main (int argc, char *argv[])
local_agent_handle = NULL;
ret = 126;
+ if (argc < 1)
+ {
+ exit(126);
+ }
+
/* Disable remote file access from GIO. */
setenv ("GIO_USE_VFS", "local", 1);
diff --git a/src/programs/pkexec.c b/src/programs/pkexec.c
index 7698c5c..84e5ef6 100644
--- a/src/programs/pkexec.c
+++ b/src/programs/pkexec.c
@@ -488,6 +488,15 @@ main (int argc, char *argv[])
pid_t pid_of_caller;
gpointer local_agent_handle;
+
+ /*
+ * If 'pkexec' is called THIS wrong, someone's probably evil-doing. Don't be nice, just bail out.
+ */
+ if (argc<1)
+ {
+ exit(127);
+ }
+
ret = 127;
authority = NULL;
subject = NULL;
@@ -614,10 +623,10 @@ main (int argc, char *argv[])
path = g_strdup (pwstruct.pw_shell);
if (!path)
- {
+ {
g_printerr ("No shell configured or error retrieving pw_shell\n");
goto out;
- }
+ }
/* If you change this, be sure to change the if (!command_line)
case below too */
command_line = g_strdup (path);
@@ -636,7 +645,15 @@ main (int argc, char *argv[])
goto out;
}
g_free (path);
- argv[n] = path = s;
+ path = s;
+
+ /* argc<2 and pkexec runs just shell, argv is guaranteed to be null-terminated.
+ * /-less shell shouldn't happen, but let's be defensive and don't write to null-termination
+ */
+ if (argv[n] != NULL)
+ {
+ argv[n] = path;
+ }
}
if (access (path, F_OK) != 0)
{