diff options
Diffstat (limited to 'source/l/polkit')
-rw-r--r-- | source/l/polkit/polkit-1-shadow.diff | 1030 | ||||
-rwxr-xr-x | source/l/polkit/polkit.SlackBuild | 144 | ||||
-rw-r--r-- | source/l/polkit/slack-desc | 19 |
3 files changed, 1193 insertions, 0 deletions
diff --git a/source/l/polkit/polkit-1-shadow.diff b/source/l/polkit/polkit-1-shadow.diff new file mode 100644 index 00000000..56e24277 --- /dev/null +++ b/source/l/polkit/polkit-1-shadow.diff @@ -0,0 +1,1030 @@ +diff --git a/src/polkitagent/Makefile.am b/src/polkitagent/Makefile.am +index 3f38329..e114d01 100644 +--- a/src/polkitagent/Makefile.am ++++ b/src/polkitagent/Makefile.am +@@ -68,8 +68,15 @@ libpolkit_agent_1_la_LDFLAGS = -export-symbols-regex '(^polkit_.*)' + libexec_PROGRAMS = polkit-agent-helper-1 + + polkit_agent_helper_1_SOURCES = \ +- polkitagenthelper.c \ +- $(NULL) ++ polkitagenthelperprivate.c polkitagenthelperprivate.h ++ ++if POLKIT_AUTHFW_PAM ++polkit_agent_helper_1_SOURCES += polkitagenthelper-pam.c ++endif ++if POLKIT_AUTHFW_SHADOW ++polkit_agent_helper_1_SOURCES += polkitagenthelper-shadow.c ++endif ++polkit_agent_helper_1_SOURCES += $(NULL) + + polkit_agent_helper_1_CFLAGS = \ + -D_POLKIT_COMPILATION \ +diff --git a/src/polkitagent/polkitagenthelper-pam.c b/src/polkitagent/polkitagenthelper-pam.c +new file mode 100644 +index 0000000..4c6c6fb +--- /dev/null ++++ b/src/polkitagent/polkitagenthelper-pam.c +@@ -0,0 +1,264 @@ ++/* ++ * Copyright (C) 2008, 2010 Red Hat, Inc. ++ * ++ * This library is free software; you can redistribute it and/or ++ * modify it under the terms of the GNU Lesser General Public ++ * License as published by the Free Software Foundation; either ++ * version 2 of the License, or (at your option) any later version. ++ * ++ * This library is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ * Lesser General Public License for more details. ++ * ++ * You should have received a copy of the GNU Lesser General ++ * Public License along with this library; if not, write to the ++ * Free Software Foundation, Inc., 59 Temple Place, Suite 330, ++ * Boston, MA 02111-1307, USA. ++ * ++ * Author: David Zeuthen <davidz@redhat.com> ++ */ ++ ++#include "config.h" ++#include <stdio.h> ++#include <stdlib.h> ++#include <string.h> ++#include <unistd.h> ++#include <sys/types.h> ++#include <sys/stat.h> ++#include <syslog.h> ++#include <security/pam_appl.h> ++ ++#include <polkit/polkit.h> ++#include "polkitagenthelperprivate.h" ++ ++static int conversation_function (int n, const struct pam_message **msg, struct pam_response **resp, void *data); ++ ++int ++main (int argc, char *argv[]) ++{ ++ int rc; ++ const char *user_to_auth; ++ const char *cookie; ++ struct pam_conv pam_conversation; ++ pam_handle_t *pam_h; ++ const void *authed_user; ++ ++ rc = 0; ++ pam_h = NULL; ++ ++ /* clear the entire environment to avoid attacks using with libraries honoring environment variables */ ++ if (clearenv () != 0) ++ goto error; ++ ++ /* set a minimal environment */ ++ setenv ("PATH", "/usr/sbin:/usr/bin:/sbin:/bin", 1); ++ ++ /* check that we are setuid root */ ++ if (geteuid () != 0) ++ { ++ fprintf (stderr, "polkit-agent-helper-1: needs to be setuid root\n"); ++ goto error; ++ } ++ ++ openlog ("polkit-agent-helper-1", LOG_CONS | LOG_PID, LOG_AUTHPRIV); ++ ++ /* check for correct invocation */ ++ if (argc != 3) ++ { ++ syslog (LOG_NOTICE, "inappropriate use of helper, wrong number of arguments [uid=%d]", getuid ()); ++ fprintf (stderr, "polkit-agent-helper-1: wrong number of arguments. This incident has been logged.\n"); ++ goto error; ++ } ++ ++ user_to_auth = argv[1]; ++ cookie = argv[2]; ++ ++ if (getuid () != 0) ++ { ++ /* check we're running with a non-tty stdin */ ++ if (isatty (STDIN_FILENO) != 0) ++ { ++ syslog (LOG_NOTICE, "inappropriate use of helper, stdin is a tty [uid=%d]", getuid ()); ++ fprintf (stderr, "polkit-agent-helper-1: inappropriate use of helper, stdin is a tty. This incident has been logged.\n"); ++ goto error; ++ } ++ } ++ ++#ifdef PAH_DEBUG ++ fprintf (stderr, "polkit-agent-helper-1: user to auth is '%s'.\n", user_to_auth); ++#endif /* PAH_DEBUG */ ++ ++ pam_conversation.conv = conversation_function; ++ pam_conversation.appdata_ptr = NULL; ++ ++ /* start the pam stack */ ++ rc = pam_start ("polkit-1", ++ user_to_auth, ++ &pam_conversation, ++ &pam_h); ++ if (rc != PAM_SUCCESS) ++ { ++ fprintf (stderr, "polkit-agent-helper-1: pam_start failed: %s\n", pam_strerror (pam_h, rc)); ++ goto error; ++ } ++ ++ /* set the requesting user */ ++ rc = pam_set_item (pam_h, PAM_RUSER, user_to_auth); ++ if (rc != PAM_SUCCESS) ++ { ++ fprintf (stderr, "polkit-agent-helper-1: pam_set_item failed: %s\n", pam_strerror (pam_h, rc)); ++ goto error; ++ } ++ ++ /* is user really user? */ ++ rc = pam_authenticate (pam_h, 0); ++ if (rc != PAM_SUCCESS) ++ { ++ fprintf (stderr, "polkit-agent-helper-1: pam_authenticated failed: %s\n", pam_strerror (pam_h, rc)); ++ goto error; ++ } ++ ++ /* permitted access? */ ++ rc = pam_acct_mgmt (pam_h, 0); ++ if (rc != PAM_SUCCESS) ++ { ++ fprintf (stderr, "polkit-agent-helper-1: pam_acct_mgmt failed: %s\n", pam_strerror (pam_h, rc)); ++ goto error; ++ } ++ ++ /* did we auth the right user? */ ++ rc = pam_get_item (pam_h, PAM_USER, &authed_user); ++ if (rc != PAM_SUCCESS) ++ { ++ fprintf (stderr, "polkit-agent-helper-1: pam_get_item failed: %s\n", pam_strerror (pam_h, rc)); ++ goto error; ++ } ++ ++ if (strcmp (authed_user, user_to_auth) != 0) ++ { ++ fprintf (stderr, "polkit-agent-helper-1: Tried to auth user '%s' but we got auth for user '%s' instead", ++ user_to_auth, (const char *) authed_user); ++ goto error; ++ } ++ ++#ifdef PAH_DEBUG ++ fprintf (stderr, "polkit-agent-helper-1: successfully authenticated user '%s'.\n", user_to_auth); ++#endif /* PAH_DEBUG */ ++ ++ pam_end (pam_h, rc); ++ pam_h = NULL; ++ ++#ifdef PAH_DEBUG ++ fprintf (stderr, "polkit-agent-helper-1: sending D-Bus message to PolicyKit daemon\n"); ++#endif /* PAH_DEBUG */ ++ ++ /* now send a D-Bus message to the PolicyKit daemon that ++ * includes a) the cookie; and b) the user we authenticated ++ */ ++ if (!send_dbus_message (cookie, user_to_auth)) ++ { ++#ifdef PAH_DEBUG ++ fprintf (stderr, "polkit-agent-helper-1: error sending D-Bus message to PolicyKit daemon\n"); ++#endif /* PAH_DEBUG */ ++ goto error; ++ } ++ ++#ifdef PAH_DEBUG ++ fprintf (stderr, "polkit-agent-helper-1: successfully sent D-Bus message to PolicyKit daemon\n"); ++#endif /* PAH_DEBUG */ ++ ++ fprintf (stdout, "SUCCESS\n"); ++ flush_and_wait(); ++ return 0; ++ ++error: ++ if (pam_h != NULL) ++ pam_end (pam_h, rc); ++ ++ fprintf (stdout, "FAILURE\n"); ++ flush_and_wait(); ++ return 1; ++} ++ ++static int ++conversation_function (int n, const struct pam_message **msg, struct pam_response **resp, void *data) ++{ ++ struct pam_response *aresp; ++ char buf[PAM_MAX_RESP_SIZE]; ++ int i; ++ ++ data = data; ++ if (n <= 0 || n > PAM_MAX_NUM_MSG) ++ return PAM_CONV_ERR; ++ ++ if ((aresp = calloc(n, sizeof *aresp)) == NULL) ++ return PAM_BUF_ERR; ++ ++ for (i = 0; i < n; ++i) ++ { ++ aresp[i].resp_retcode = 0; ++ aresp[i].resp = NULL; ++ switch (msg[i]->msg_style) ++ { ++ ++ case PAM_PROMPT_ECHO_OFF: ++ fprintf (stdout, "PAM_PROMPT_ECHO_OFF "); ++ goto conv1; ++ ++ case PAM_PROMPT_ECHO_ON: ++ fprintf (stdout, "PAM_PROMPT_ECHO_ON "); ++ conv1: ++ fputs (msg[i]->msg, stdout); ++ if (strlen (msg[i]->msg) > 0 && msg[i]->msg[strlen (msg[i]->msg) - 1] != '\n') ++ fputc ('\n', stdout); ++ fflush (stdout); ++ ++ if (fgets (buf, sizeof buf, stdin) == NULL) ++ goto error; ++ ++ if (strlen (buf) > 0 && ++ buf[strlen (buf) - 1] == '\n') ++ buf[strlen (buf) - 1] = '\0'; ++ ++ aresp[i].resp = strdup (buf); ++ if (aresp[i].resp == NULL) ++ goto error; ++ break; ++ ++ case PAM_ERROR_MSG: ++ fprintf (stdout, "PAM_ERROR_MSG "); ++ goto conv2; ++ ++ case PAM_TEXT_INFO: ++ fprintf (stdout, "PAM_TEXT_INFO "); ++ conv2: ++ fputs (msg[i]->msg, stdout); ++ if (strlen (msg[i]->msg) > 0 && ++ msg[i]->msg[strlen (msg[i]->msg) - 1] != '\n') ++ fputc ('\n', stdout); ++ fflush (stdout); ++ break; ++ ++ default: ++ goto error; ++ } ++ } ++ ++ *resp = aresp; ++ return PAM_SUCCESS; ++ ++error: ++ ++ for (i = 0; i < n; ++i) ++ { ++ if (aresp[i].resp != NULL) { ++ memset (aresp[i].resp, 0, strlen(aresp[i].resp)); ++ free (aresp[i].resp); ++ } ++ } ++ memset (aresp, 0, n * sizeof *aresp); ++ *resp = NULL; ++ return PAM_CONV_ERR; ++} ++ +diff --git a/src/polkitagent/polkitagenthelper-shadow.c b/src/polkitagent/polkitagenthelper-shadow.c +new file mode 100644 +index 0000000..7435533 +--- /dev/null ++++ b/src/polkitagent/polkitagenthelper-shadow.c +@@ -0,0 +1,189 @@ ++/* ++ * Copyright (C) 2008 Red Hat, Inc. ++ * Copyright (C) 2009-2010 Andrew Psaltis <ampsaltis@gmail.com> ++ * ++ * This library is free software; you can redistribute it and/or ++ * modify it under the terms of the GNU Lesser General Public ++ * License as published by the Free Software Foundation; either ++ * version 2 of the License, or (at your option) any later version. ++ * ++ * This library is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ * Lesser General Public License for more details. ++ * ++ * You should have received a copy of the GNU Lesser General ++ * Public License along with this library; if not, write to the ++ * Free Software Foundation, Inc., 59 Temple Place, Suite 330, ++ * Boston, MA 02111-1307, USA. ++ * ++ * Authors: Andrew Psaltis <ampsaltis@gmail.com>, based on ++ * polkitagenthelper.c which was written by ++ * David Zeuthen <davidz@redhat.com> ++ */ ++ ++#include "config.h" ++#include <stdio.h> ++#include <stdlib.h> ++#include <string.h> ++#include <unistd.h> ++#include <sys/types.h> ++#include <sys/stat.h> ++#include <syslog.h> ++#include <shadow.h> ++#include <grp.h> ++#include <pwd.h> ++#include <time.h> ++ ++#include <polkit/polkit.h> ++#include "polkitagenthelperprivate.h" ++ ++ ++extern char *crypt (); ++static int shadow_authenticate (struct spwd *shadow); ++ ++int ++main (int argc, char *argv[]) ++{ ++ struct spwd *shadow; ++ const char *user_to_auth; ++ const char *cookie; ++ time_t tm; ++ ++ /* clear the entire environment to avoid attacks with ++ libraries honoring environment variables */ ++ if (clearenv () != 0) ++ goto error; ++ ++ /* set a minimal environment */ ++ setenv ("PATH", "/usr/sbin:/usr/bin:/sbin:/bin", 1); ++ ++ /* check that we are setuid root */ ++ if (geteuid () != 0) ++ { ++ fprintf (stderr, "polkit-agent-helper-1: needs to be setuid root\n"); ++ goto error; ++ } ++ ++ openlog ("polkit-agent-helper-1", LOG_CONS | LOG_PID, LOG_AUTHPRIV); ++ ++ /* check for correct invocation */ ++ if (argc != 3) ++ { ++ syslog (LOG_NOTICE, "inappropriate use of helper, wrong number of arguments [uid=%d]", getuid ()); ++ fprintf (stderr, "polkit-agent-helper-1: wrong number of arguments. This incident has been logged.\n"); ++ goto error; ++ } ++ ++ if (getuid () != 0) ++ { ++ /* check we're running with a non-tty stdin */ ++ if (isatty (STDIN_FILENO) != 0) ++ { ++ syslog (LOG_NOTICE, "inappropriate use of helper, stdin is a tty [uid=%d]", getuid ()); ++ fprintf (stderr, "polkit-agent-helper-1: inappropriate use of helper, stdin is a tty. This incident has been logged.\n"); ++ goto error; ++ } ++ } ++ ++ user_to_auth = argv[1]; ++ cookie = argv[2]; ++ ++#ifdef PAH_DEBUG ++ fprintf (stderr, "polkit-agent-helper-1: user to auth is '%s'.\n", user_to_auth); ++#endif /* PAH_DEBUG */ ++ ++ /* Ask shadow about the user requesting authentication */ ++ if ((shadow = getspnam (user_to_auth)) == NULL) ++ { ++ syslog (LOG_NOTICE, "shadow file data information request for user %s [uid=%d] failed", user_to_auth, getuid()); ++ fprintf(stderr, "polkit-agent-helper-1: could not get shadow information for%.100s", user_to_auth); ++ goto error; ++ } ++ ++ /* Check the user's identity */ ++ if(!shadow_authenticate (shadow)) ++ { ++ syslog (LOG_NOTICE, "authentication failure [uid=%d] trying to authenticate '%s'", getuid (), user_to_auth); ++ fprintf (stderr, "polkit-agent-helper-1: authentication failure. This incident has been logged.\n"); ++ goto error; ++ } ++ ++ /* Check whether the user's password has expired */ ++ time(&tm); ++ if( shadow->sp_max >= 0 && (shadow->sp_lstchg + shadow->sp_max) * 60 * 60 * 24 <= tm) ++ { ++ syslog (LOG_NOTICE, "password expired for user '%s' [uid=%d] trying to authenticate", user_to_auth, getuid () ); ++ fprintf (stderr, "polkit-agent-helper-1: authorization failure. This incident has been logged.\n"); ++ goto error; ++ } ++ ++ /* Check whether the user's password has aged (and account expired along ++ * with it) ++ */ ++ if( shadow->sp_inact >= 0 && (shadow->sp_lstchg + shadow->sp_max + shadow->sp_inact) * 60 * 60 * 24 <= tm) ++ { ++ syslog (LOG_NOTICE, "password aged for user '%s' [uid=%d] trying to authenticate", user_to_auth, getuid () ); ++ fprintf (stderr, "polkit-agent-helper-1: authorization failure. This incident has been logged.\n"); ++ goto error; ++ } ++ ++ /* Check whether the user's account has expired */ ++ if(shadow->sp_expire >= 0 && shadow->sp_expire * 60 * 60 * 24 <= tm) ++ { ++ syslog (LOG_NOTICE, "account expired for user '%s' [uid=%d] trying to authenticate", user_to_auth, getuid () ); ++ fprintf (stderr, "polkit-agent-helper-1: authorization failure. This incident has been logged.\n"); ++ goto error; ++ } ++ ++#ifdef PAH_DEBUG ++ fprintf (stderr, "polkit-agent-helper-1: sending D-Bus message to PolicyKit daemon\n"); ++#endif /* PAH_DEBUG */ ++ ++ /* now send a D-Bus message to the PolicyKit daemon that ++ * includes a) the cookie; and b) the user we authenticated ++ */ ++ if (!send_dbus_message (cookie, user_to_auth)) ++ { ++#ifdef PAH_DEBUG ++ fprintf (stderr, "polkit-agent-helper-1: error sending D-Bus message to PolicyKit daemon\n"); ++#endif /* PAH_DEBUG */ ++ goto error; ++ } ++ ++#ifdef PAH_DEBUG ++ fprintf (stderr, "polkit-agent-helper-1: successfully sent D-Bus message to PolicyKit daemon\n"); ++#endif /* PAH_DEBUG */ ++ ++ fprintf (stdout, "SUCCESS\n"); ++ flush_and_wait(); ++ return 0; ++ ++error: ++ fprintf (stdout, "FAILURE\n"); ++ flush_and_wait(); ++ return 1; ++} ++ ++static int ++shadow_authenticate(struct spwd *shadow) ++{ ++ /* Speak PAM to the daemon, thanks to David Zeuthen for the idea. */ ++ char passwd[512]; ++ fprintf(stdout, "PAM_PROMPT_ECHO_OFF password:\n"); ++ fflush(stdout); ++ usleep (10 * 1000); /* since fflush(3) seems buggy */ ++ ++ if (fgets (passwd, sizeof (passwd), stdin) == NULL) ++ goto error; ++ ++ if (strlen (passwd) > 0 && passwd[strlen (passwd) - 1] == '\n') ++ passwd[strlen (passwd) - 1] = '\0'; ++ ++ if (strcmp (shadow->sp_pwdp, crypt (passwd, shadow->sp_pwdp)) != 0) ++ goto error; ++ return 1; ++error: ++ return 0; ++} ++ +diff --git a/src/polkitagent/polkitagenthelper.c b/src/polkitagent/polkitagenthelper.c +deleted file mode 100644 +index cca86db..0000000 +--- a/src/polkitagent/polkitagenthelper.c ++++ /dev/null +@@ -1,339 +0,0 @@ +-/* +- * Copyright (C) 2008 Red Hat, Inc. +- * +- * This library is free software; you can redistribute it and/or +- * modify it under the terms of the GNU Lesser General Public +- * License as published by the Free Software Foundation; either +- * version 2 of the License, or (at your option) any later version. +- * +- * This library is distributed in the hope that it will be useful, +- * but WITHOUT ANY WARRANTY; without even the implied warranty of +- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +- * Lesser General Public License for more details. +- * +- * You should have received a copy of the GNU Lesser General +- * Public License along with this library; if not, write to the +- * Free Software Foundation, Inc., 59 Temple Place, Suite 330, +- * Boston, MA 02111-1307, USA. +- * +- * Author: David Zeuthen <davidz@redhat.com> +- */ +- +-#include "config.h" +-#include <stdio.h> +-#include <stdlib.h> +-#include <string.h> +-#include <unistd.h> +-#include <sys/types.h> +-#include <sys/stat.h> +-#include <syslog.h> +-#include <security/pam_appl.h> +- +-#include <polkit/polkit.h> +- +-#ifdef HAVE_SOLARIS +-# define LOG_AUTHPRIV (10<<3) +-#endif +- +-#ifndef HAVE_CLEARENV +-extern char **environ; +- +-static int +-clearenv (void) +-{ +- if (environ != NULL) +- environ[0] = NULL; +- return 0; +-} +-#endif +- +-/* Development aid: define PAH_DEBUG to get debugging output. Do _NOT_ +- * enable this in production builds; it may leak passwords and other +- * sensitive information. +- */ +-#undef PAH_DEBUG +-// #define PAH_DEBUG +- +-static gboolean send_dbus_message (const char *cookie, const char *user); +- +-static int conversation_function (int n, const struct pam_message **msg, struct pam_response **resp, void *data); +- +-int +-main (int argc, char *argv[]) +-{ +- int rc; +- const char *user_to_auth; +- const char *cookie; +- struct pam_conv pam_conversation; +- pam_handle_t *pam_h; +- const void *authed_user; +- +- rc = 0; +- pam_h = NULL; +- +- /* clear the entire environment to avoid attacks using with libraries honoring environment variables */ +- if (clearenv () != 0) +- goto error; +- +- /* set a minimal environment */ +- setenv ("PATH", "/usr/sbin:/usr/bin:/sbin:/bin", 1); +- +- /* check that we are setuid root */ +- if (geteuid () != 0) +- { +- fprintf (stderr, "polkit-agent-helper-1: needs to be setuid root\n"); +- goto error; +- } +- +- openlog ("polkit-agent-helper-1", LOG_CONS | LOG_PID, LOG_AUTHPRIV); +- +- /* check for correct invocation */ +- if (argc != 3) +- { +- syslog (LOG_NOTICE, "inappropriate use of helper, wrong number of arguments [uid=%d]", getuid ()); +- fprintf (stderr, "polkit-agent-helper-1: wrong number of arguments. This incident has been logged.\n"); +- goto error; +- } +- +- user_to_auth = argv[1]; +- cookie = argv[2]; +- +- if (getuid () != 0) +- { +- /* check we're running with a non-tty stdin */ +- if (isatty (STDIN_FILENO) != 0) +- { +- syslog (LOG_NOTICE, "inappropriate use of helper, stdin is a tty [uid=%d]", getuid ()); +- fprintf (stderr, "polkit-agent-helper-1: inappropriate use of helper, stdin is a tty. This incident has been logged.\n"); +- goto error; +- } +- } +- +-#ifdef PAH_DEBUG +- fprintf (stderr, "polkit-agent-helper-1: user to auth is '%s'.\n", user_to_auth); +-#endif /* PAH_DEBUG */ +- +- pam_conversation.conv = conversation_function; +- pam_conversation.appdata_ptr = NULL; +- +- /* start the pam stack */ +- rc = pam_start ("polkit-1", +- user_to_auth, +- &pam_conversation, +- &pam_h); +- if (rc != PAM_SUCCESS) +- { +- fprintf (stderr, "polkit-agent-helper-1: pam_start failed: %s\n", pam_strerror (pam_h, rc)); +- goto error; +- } +- +- /* set the requesting user */ +- rc = pam_set_item (pam_h, PAM_RUSER, user_to_auth); +- if (rc != PAM_SUCCESS) +- { +- fprintf (stderr, "polkit-agent-helper-1: pam_set_item failed: %s\n", pam_strerror (pam_h, rc)); +- goto error; +- } +- +- /* is user really user? */ +- rc = pam_authenticate (pam_h, 0); +- if (rc != PAM_SUCCESS) +- { +- fprintf (stderr, "polkit-agent-helper-1: pam_authenticated failed: %s\n", pam_strerror (pam_h, rc)); +- goto error; +- } +- +- /* permitted access? */ +- rc = pam_acct_mgmt (pam_h, 0); +- if (rc != PAM_SUCCESS) +- { +- fprintf (stderr, "polkit-agent-helper-1: pam_acct_mgmt failed: %s\n", pam_strerror (pam_h, rc)); +- goto error; +- } +- +- /* did we auth the right user? */ +- rc = pam_get_item (pam_h, PAM_USER, &authed_user); +- if (rc != PAM_SUCCESS) +- { +- fprintf (stderr, "polkit-agent-helper-1: pam_get_item failed: %s\n", pam_strerror (pam_h, rc)); +- goto error; +- } +- +- if (strcmp (authed_user, user_to_auth) != 0) +- { +- fprintf (stderr, "polkit-agent-helper-1: Tried to auth user '%s' but we got auth for user '%s' instead", +- user_to_auth, (const char *) authed_user); +- goto error; +- } +- +-#ifdef PAH_DEBUG +- fprintf (stderr, "polkit-agent-helper-1: successfully authenticated user '%s'.\n", user_to_auth); +-#endif /* PAH_DEBUG */ +- +- pam_end (pam_h, rc); +- pam_h = NULL; +- +-#ifdef PAH_DEBUG +- fprintf (stderr, "polkit-agent-helper-1: sending D-Bus message to PolicyKit daemon\n"); +-#endif /* PAH_DEBUG */ +- +- /* now send a D-Bus message to the PolicyKit daemon that +- * includes a) the cookie; and b) the user we authenticated +- */ +- if (!send_dbus_message (cookie, user_to_auth)) +- { +-#ifdef PAH_DEBUG +- fprintf (stderr, "polkit-agent-helper-1: error sending D-Bus message to PolicyKit daemon\n"); +-#endif /* PAH_DEBUG */ +- goto error; +- } +- +-#ifdef PAH_DEBUG +- fprintf (stderr, "polkit-agent-helper-1: successfully sent D-Bus message to PolicyKit daemon\n"); +-#endif /* PAH_DEBUG */ +- +- fprintf (stdout, "SUCCESS\n"); +- fflush (stdout); +- fflush (stderr); +- usleep (10 * 1000); /* since fflush(3) seems buggy */ +- return 0; +- +-error: +- if (pam_h != NULL) +- pam_end (pam_h, rc); +- +- fprintf (stdout, "FAILURE\n"); +- fflush (stdout); +- fflush (stderr); +- usleep (10 * 1000); /* since fflush(3) seems buggy */ +- return 1; +-} +- +-static int +-conversation_function (int n, const struct pam_message **msg, struct pam_response **resp, void *data) +-{ +- struct pam_response *aresp; +- char buf[PAM_MAX_RESP_SIZE]; +- int i; +- +- data = data; +- if (n <= 0 || n > PAM_MAX_NUM_MSG) +- return PAM_CONV_ERR; +- +- if ((aresp = calloc(n, sizeof *aresp)) == NULL) +- return PAM_BUF_ERR; +- +- for (i = 0; i < n; ++i) +- { +- aresp[i].resp_retcode = 0; +- aresp[i].resp = NULL; +- switch (msg[i]->msg_style) +- { +- +- case PAM_PROMPT_ECHO_OFF: +- fprintf (stdout, "PAM_PROMPT_ECHO_OFF "); +- goto conv1; +- +- case PAM_PROMPT_ECHO_ON: +- fprintf (stdout, "PAM_PROMPT_ECHO_ON "); +- conv1: +- fputs (msg[i]->msg, stdout); +- if (strlen (msg[i]->msg) > 0 && msg[i]->msg[strlen (msg[i]->msg) - 1] != '\n') +- fputc ('\n', stdout); +- fflush (stdout); +- +- if (fgets (buf, sizeof buf, stdin) == NULL) +- goto error; +- +- if (strlen (buf) > 0 && +- buf[strlen (buf) - 1] == '\n') +- buf[strlen (buf) - 1] = '\0'; +- +- aresp[i].resp = strdup (buf); +- if (aresp[i].resp == NULL) +- goto error; +- break; +- +- case PAM_ERROR_MSG: +- fprintf (stdout, "PAM_ERROR_MSG "); +- goto conv2; +- +- case PAM_TEXT_INFO: +- fprintf (stdout, "PAM_TEXT_INFO "); +- conv2: +- fputs (msg[i]->msg, stdout); +- if (strlen (msg[i]->msg) > 0 && +- msg[i]->msg[strlen (msg[i]->msg) - 1] != '\n') +- fputc ('\n', stdout); +- fflush (stdout); +- break; +- +- default: +- goto error; +- } +- } +- +- *resp = aresp; +- return PAM_SUCCESS; +- +-error: +- +- for (i = 0; i < n; ++i) +- { +- if (aresp[i].resp != NULL) { +- memset (aresp[i].resp, 0, strlen(aresp[i].resp)); +- free (aresp[i].resp); +- } +- } +- memset (aresp, 0, n * sizeof *aresp); +- *resp = NULL; +- return PAM_CONV_ERR; +-} +- +-static gboolean +-send_dbus_message (const char *cookie, const char *user) +-{ +- PolkitAuthority *authority; +- PolkitIdentity *identity; +- GError *error; +- gboolean ret; +- +- ret = FALSE; +- +- error = NULL; +- +- g_type_init (); +- +- authority = polkit_authority_get (); +- +- identity = polkit_unix_user_new_for_name (user, &error); +- if (identity == NULL) +- { +- g_printerr ("Error constructing identity: %s\n", error->message); +- g_error_free (error); +- goto out; +- } +- +- if (!polkit_authority_authentication_agent_response_sync (authority, +- cookie, +- identity, +- NULL, +- &error)) +- { +- g_printerr ("polkit-agent-helper-1: error response to PolicyKit daemon: %s\n", error->message); +- g_error_free (error); +- goto out; +- } +- +- ret = TRUE; +- +- out: +- +- if (identity != NULL) +- g_object_unref (identity); +- +- if (authority != NULL) +- g_object_unref (authority); +- +- return ret; +-} +diff --git a/src/polkitagent/polkitagenthelperprivate.c b/src/polkitagent/polkitagenthelperprivate.c +new file mode 100644 +index 0000000..abf5524 +--- /dev/null ++++ b/src/polkitagent/polkitagenthelperprivate.c +@@ -0,0 +1,97 @@ ++/* ++ * Copyright (C) 2009-2010 Red Hat, Inc. ++ * ++ * This library is free software; you can redistribute it and/or ++ * modify it under the terms of the GNU Lesser General Public ++ * License as published by the Free Software Foundation; either ++ * version 2 of the License, or (at your option) any later version. ++ * ++ * This library is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ * Lesser General Public License for more details. ++ * ++ * You should have received a copy of the GNU Lesser General ++ * Public License along with this library; if not, write to the ++ * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, ++ * Boston, MA 02110-1301, USA. ++ * ++ * Authors: David Zeuthen <davidz@redhat.com>, ++ * Andrew Psaltis <ampsaltis@gmail.com> ++ */ ++ ++#include "polkitagenthelperprivate.h" ++#include <stdio.h> ++ ++#ifndef HAVE_CLEARENV ++extern char **environ; ++ ++static int ++clearenv (void) ++{ ++ if (environ != NULL) ++ environ[0] = NULL; ++ return 0; ++} ++#endif ++ ++ ++gboolean ++send_dbus_message (const char *cookie, const char *user) ++{ ++ PolkitAuthority *authority; ++ PolkitIdentity *identity; ++ GError *error; ++ gboolean ret; ++ ++ ret = FALSE; ++ ++ error = NULL; ++ ++ g_type_init (); ++ ++ authority = polkit_authority_get (); ++ ++ identity = polkit_unix_user_new_for_name (user, &error); ++ if (identity == NULL) ++ { ++ g_printerr ("Error constructing identity: %s\n", error->message); ++ g_error_free (error); ++ goto out; ++ } ++ ++ if (!polkit_authority_authentication_agent_response_sync (authority, ++ cookie, ++ identity, ++ NULL, ++ &error)) ++ { ++ g_printerr ("polkit-agent-helper-1: error response to PolicyKit daemon: %s\n", error->message); ++ g_error_free (error); ++ goto out; ++ } ++ ++ ret = TRUE; ++ ++ out: ++ ++ if (identity != NULL) ++ g_object_unref (identity); ++ ++ if (authority != NULL) ++ g_object_unref (authority); ++ ++ return ret; ++} ++ ++/* fflush(3) stdin and stdout and wait a little bit. ++ * This replaces the three-line commands at the bottom of ++ * polkit-agent-helper-1's main() function. ++ */ ++void ++flush_and_wait () ++{ ++ fflush (stdout); ++ fflush (stderr); ++ usleep (10 * 1000); /* since fflush(3) seems buggy */ ++} +diff --git a/src/polkitagent/polkitagenthelperprivate.h b/src/polkitagent/polkitagenthelperprivate.h +new file mode 100644 +index 0000000..16f7ba4 +--- /dev/null ++++ b/src/polkitagent/polkitagenthelperprivate.h +@@ -0,0 +1,42 @@ ++/* ++ * Copyright (C) 2009-2010 Red Hat, Inc. ++ * ++ * This library is free software; you can redistribute it and/or ++ * modify it under the terms of the GNU Lesser General Public ++ * License as published by the Free Software Foundation; either ++ * version 2 of the License, or (at your option) any later version. ++ * ++ * This library is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ * Lesser General Public License for more details. ++ * ++ * You should have received a copy of the GNU Lesser General ++ * Public License along with this library; if not, write to the ++ * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, ++ * Boston, MA 02110-1301, USA. ++ * ++ * Authors: David Zeuthen <davidz@redhat.com>, ++ * Andrew Psaltis <ampsalits@gmail.com> ++ */ ++#ifndef __POLKIT_AGENT_HELPER_PRIVATE_H ++#define __POLKIT_AGENT_HELPER_PRIVATE_H ++ ++#include <polkit/polkit.h> ++ ++/* Development aid: define PAH_DEBUG to get debugging output. Do _NOT_ ++ * enable this in production builds; it may leak passwords and other ++ * sensitive information. ++ */ ++#undef PAH_DEBUG ++// #define PAH_DEBUG ++ ++#ifdef HAVE_SOLARIS ++# define LOG_AUTHPRIV (10<<3) ++#endif ++ ++gboolean send_dbus_message (const char *cookie, const char *user); ++ ++void flush_and_wait (); ++ ++#endif /* __POLKIT_AGENT_HELPER_PRIVATE_H */ +diff --git a/src/programs/pkexec.c b/src/programs/pkexec.c +index 17c191e..3e096bf 100644 +--- a/src/programs/pkexec.c ++++ b/src/programs/pkexec.c +@@ -34,7 +34,11 @@ + #include <grp.h> + #include <pwd.h> + #include <errno.h> ++ ++#ifdef POLKIT_AUTHFW_PAM + #include <security/pam_appl.h> ++#endif /* POLKIT_AUTHFW_PAM */ ++ + #include <syslog.h> + #include <stdarg.h> + +@@ -115,6 +119,7 @@ log_message (gint level, + + /* ---------------------------------------------------------------------------------------------------- */ + ++#ifdef POLKIT_AUTHFW_PAM + static int + pam_conversation_function (int n, + const struct pam_message **msg, +@@ -167,6 +172,7 @@ out: + pam_end (pam_h, rc); + return ret; + } ++#endif /* POLKIT_AUTHFW_PAM */ + + /* ---------------------------------------------------------------------------------------------------- */ + +@@ -741,11 +747,13 @@ main (int argc, char *argv[]) + * TODO: The question here is whether we should clear the limits before applying them? + * As evident above, neither su(1) (and, for that matter, nor sudo(8)) does this. + */ ++#ifdef POLKIT_AUTHW_PAM + if (!open_session (pw->pw_name)) + { + goto out; + } +- ++#endif /* POLKIT_AUTHFW_PAM */ ++ + /* become the user */ + if (setgroups (0, NULL) != 0) + { diff --git a/source/l/polkit/polkit.SlackBuild b/source/l/polkit/polkit.SlackBuild new file mode 100755 index 00000000..74193f13 --- /dev/null +++ b/source/l/polkit/polkit.SlackBuild @@ -0,0 +1,144 @@ +#!/bin/sh + +# Copyright 2009 Robby Workman, Northport, Alabama, USA +# Copyright 2010 Eric Hameleers, Eindhoven, NL +# Copyright 2009, 2010 Patrick J. Volkerding, Sebeka, MN, USA +# All rights reserved. + +# Redistribution and use of this script, with or without modification, is +# permitted provided that the following conditions are met: +# +# 1. Redistributions of this script must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ''AS IS'' AND ANY EXPRESS OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO +# EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, +# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; +# OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR +# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF +# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + + +PKGNAM=polkit +VERSION=${VERSION:-1_14bdfd8} +BUILD=${BUILD:-1} +NUMJOBS=${NUMJOBS:--j6} + +# Automatically determine the architecture we're building on: +if [ -z "$ARCH" ]; then + case "$( uname -m )" in + i?86) export ARCH=i486 ;; + arm*) export ARCH=arm ;; + # Unless $ARCH is already set, use uname -m for all other archs: + *) export ARCH=$( uname -m ) ;; + esac +fi + +CWD=$(pwd) +TMP=${TMP:-/tmp} +PKG=$TMP/package-$PKGNAM + +if [ "$ARCH" = "i486" ]; then + SLKCFLAGS="-O2 -march=i486 -mtune=i686" + LIBDIRSUFFIX="" +elif [ "$ARCH" = "s390" ]; then + SLKCFLAGS="-O2" + LIBDIRSUFFIX="" +elif [ "$ARCH" = "x86_64" ]; then + SLKCFLAGS="-O2 -fPIC" + LIBDIRSUFFIX="64" +else + SLKCFLAGS="-O2" + LIBDIRSUFFIX="" +fi + +rm -rf $PKG +mkdir -p $TMP $PKG +cd $TMP +rm -rf $PKGNAM-$VERSION +tar xvf $CWD/$PKGNAM-$VERSION.tar.bz2 || exit 1 +cd $PKGNAM-$VERSION || exit 1 + +# Apply the patch that makes --with-authfw=shadow work +cat $CWD/polkit-1-shadow.diff | patch -p1 --verbose || exit 1 + +# Make sure ownerships and permissions are sane: +chown -R root:root . +find . \ + \( -perm 777 -o -perm 775 -o -perm 711 -o -perm 555 -o -perm 511 \) \ + -exec chmod 755 {} \; -o \ + \( -perm 666 -o -perm 664 -o -perm 600 -o -perm 444 -o -perm 440 -o -perm 400 \) \ + -exec chmod 644 {} \; + +# Configure: +# Using polkit-user=hald for now for easier transition; I don't think the +# separate user account is actually required any more, but I could be wrong +CFLAGS="$SLKCFLAGS" \ +CXXFLAGS="$SLKCFLAGS" \ +./autogen.sh \ + --prefix=/usr \ + --libdir=/usr/lib${LIBDIRSUFFIX} \ + --sysconfdir=/etc \ + --localstatedir=/var \ + --enable-gtk-doc \ + --docdir=/usr/doc/$PKGNAM-$VERSION \ + --enable-man-pages \ + --mandir=/usr/man \ + --disable-static \ + --disable-introspection \ + --with-authfw=shadow \ + --enable-verbose-mode \ + --build=$ARCH-slackware-linux + # Deprecated: + #--with-polkit-user=hald \ + +#NOTE: The directory /etc/polkit-1/localauthority must be owned +# by root and have mode 700 +#NOTE: The directory /var/lib/polkit-1 must be owned +# by root and have mode 700 +#NOTE: The file ${exec_prefix}/libexec/polkit-agent-helper-1 must be owned +# by root and have mode 4755 (setuid root binary) +#NOTE: The file ${exec_prefix}/bin/pkexec must be owned by root and +# have mode 4755 (setuid root binary) + +# Build and install: +make $NUMJOBS || make || exit 1 +make install DESTDIR=$PKG || exit 1 + +# Strip binaries: +find $PKG | xargs file | grep -e "executable" -e "shared object" \ + | grep ELF | cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null + +# Compress and link manpages, if any: +if [ -d $PKG/usr/man ]; then + ( cd $PKG/usr/man + for manpagedir in $(find . -type d -name "man*") ; do + ( cd $manpagedir + for eachpage in $( find . -type l -maxdepth 1) ; do + ln -s $( readlink $eachpage ).gz $eachpage.gz + rm $eachpage + done + gzip -9 *.* + ) + done + ) +fi + +# Add a documentation directory: +mkdir -p $PKG/usr/doc/$PKGNAM-$VERSION +cp -a \ + AUTHORS COPYING ChangeLog HACKING INSTALL NEWS README \ + $PKG/usr/doc/$PKGNAM-$VERSION +( cd $PKG/usr/doc/$PKGNAM-$VERSION; ln -s ../../share/gtk-doc/html/polkit-1 html +) + +mkdir -p $PKG/install +cat $CWD/slack-desc > $PKG/install/slack-desc + +cd $PKG +/sbin/makepkg -l y -c n $TMP/$PKGNAM-$VERSION-$ARCH-$BUILD.txz + diff --git a/source/l/polkit/slack-desc b/source/l/polkit/slack-desc new file mode 100644 index 00000000..006d8a8e --- /dev/null +++ b/source/l/polkit/slack-desc @@ -0,0 +1,19 @@ +# HOW TO EDIT THIS FILE: +# The "handy ruler" below makes it easier to edit a package description. Line +# up the first '|' above the ':' following the base package name, and the '|' +# on the right side marks the last column you can put a character in. You must +# make exactly 11 lines for the formatting to be correct. It's also +# customary to leave one space after the ':'. + + |-----handy-ruler-----------------------------------------------------| +polkit: polkit (authentication framework) +polkit: +polkit: PolicyKit is an application-level toolkit for defining and handling +polkit: the policy that allows unprivileged processes to speak to privileged +polkit: processes. PolicyKit is specifically targeting applications in rich +polkit: desktop environments on multi-user UNIX-like operating systems. +polkit: +polkit: +polkit: +polkit: Home: http://www.freedesktop.org/wiki/Software/PolicyKit +polkit: |