Hello community, here is the log from the commit of package polkit-default-privs for openSUSE:12.3 checked in at 2013-02-22 16:57:30 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:12.3/polkit-default-privs (Old) and /work/SRC/openSUSE:12.3/.polkit-default-privs.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "polkit-default-privs", Maintainer is "[email protected]" Changes: -------- --- /work/SRC/openSUSE:12.3/polkit-default-privs/polkit-default-privs.changes 2013-02-21 10:44:12.000000000 +0100 +++ /work/SRC/openSUSE:12.3/.polkit-default-privs.new/polkit-default-privs.changes 2013-02-22 16:57:35.000000000 +0100 @@ -1,0 +2,7 @@ +Thu Feb 21 15:52:52 UTC 2013 - [email protected] + +- fix restrictive privileges +- generate javascript files for new polkit (bnc#804376) +- implement check for overrides + +------------------------------------------------------------------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ polkit-default-privs.spec ++++++ --- /var/tmp/diff_new_pack.Qg2Rw4/_old 2013-02-22 16:57:36.000000000 +0100 +++ /var/tmp/diff_new_pack.Qg2Rw4/_new 2013-02-22 16:57:36.000000000 +0100 @@ -47,7 +47,7 @@ %install make install DESTDIR=$RPM_BUILD_ROOT -mkdir -p $RPM_BUILD_ROOT/var/lib/polkit-1/localauthority/10-vendor.d +mkdir -p $RPM_BUILD_ROOT/etc/polkit-1/rules.d/ %post %{fillup_only -ns security polkit_default_privs} @@ -65,8 +65,7 @@ /sbin/set_polkit_default_privs %_mandir/man*/* /var/adm/fillup-templates/sysconfig.security-polkit_default_privs -%attr(0700,root,root) %dir /var/lib/polkit-1 -%dir /var/lib/polkit-1/localauthority -%dir /var/lib/polkit-1/localauthority/10-vendor.d +%attr(0755,root,root)%dir /etc/polkit-1/ +%attr(0755,root,root)%dir /etc/polkit-1/rules.d/ %changelog ++++++ polkit-default-privs-12.3.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/polkit-default-privs-12.3/chkstat-polkit new/polkit-default-privs-12.3/chkstat-polkit --- old/polkit-default-privs-12.3/chkstat-polkit 2013-02-19 17:13:52.000000000 +0100 +++ new/polkit-default-privs-12.3/chkstat-polkit 2013-02-22 09:39:59.000000000 +0100 @@ -1,6 +1,6 @@ #!/usr/bin/perl -w # This module sets policykit permssions -# Copyright (C) 2008, 2009 SUSE Linux Products GmbH, Nuernberg, Germany. +# Copyright (C) 2008, 2009, 2013 SUSE Linux Products GmbH, Nuernberg, Germany. # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -21,13 +21,8 @@ use strict; use File::Path; -use Digest::MD5 qw/md5_hex/; -my $polkit_public_dir = '/var/lib/PolicyKit-public'; -my $polkit1_localauthority_dir = '/var/lib/polkit-1/localauthority/10-vendor.d'; -my $suseconfig_dir = '/var/adm/SuSEconfig'; -my $md5_dir = $suseconfig_dir.'/md5'; -my $reload_file = '/var/lib/misc/PolicyKit.reload'; +my $file = '/etc/polkit-1/rules.d/50-default-privs.rules'; my $do_set; # privilege => value @@ -48,139 +43,6 @@ exit 1; } -my $policykit_ops = { - name => 'PolicyKit', - overridefile => sub { - my $priv = shift; - return $polkit_public_dir.'/'.$priv.'.defaults-override'; - }, - parse => sub { - my $priv = shift; - return shift; - }, - create => sub { - my $priv = shift; - return shift; - }, - pretty => sub { - my $perms = shift; - my @p = map { s/^auth/a/; s/_admin/a/; s/_self/s/; s/_keep/k/; s/_session/s/; s/_always/a/; $_ } split(/:/, $perms); - return join(':', @p); - }, -}; - -my $polkit1_ops = { - name => 'polkit1', - overridefile => sub { - my $priv = shift; - return $polkit1_localauthority_dir.'/'.$priv.'.pkla'; - }, - parse => sub { - my $priv = shift; - my @p; - for(@_) { - if(/^ResultAny=(.+)\n/) { - $p[0] = $1; - } elsif(/^ResultInactive=(.+)\n/) { - $p[1] = $1; - } elsif(/^ResultActive=(.+)\n/) { - $p[2] = $1; - } - } - return join(':', @p) if ($p[0] && $p[1] && $p[2]); - return undef; - }, - convert => sub { - my $perms = shift; - my @p = map { s/^(auth_(?:admin|self)_keep).+$/$1/; s/_one_shot//; $_ } split(/:/, $perms); - return join(':', @p); - }, - create => sub { - my $priv = shift; - my $perms = shift; - - my @p = split(/:/, $perms); - - my $txt = "[$priv]\nIdentity=unix-group:*\nAction=$priv\n" - . "ResultAny=$p[0]\nResultInactive=$p[1]\nResultActive=$p[2]\n"; - return $txt; - }, - pretty => sub { - my $perms = shift; - my @p = map { s/^auth/a/; s/_admin/a/; s/_self/s/; s/_keep/k/; s/_session//; s/_always//; $_ } split(/:/, $perms); - return join(':', @p); - }, -}; - - -sub override($$$) -{ - my ($privilege, $perms, $ops) = @_; - my $overridefile = $ops->{overridefile}($privilege); - my $old_perms; - my @old_content; - if(-e $overridefile) { - if(!open(F, '<', $overridefile)) { - print STDERR "can't open $overridefile: $!, skip.\n"; - return; - } - @old_content = <F>; - $old_perms = $ops->{parse}($privilege, @old_content); - close F; - } - - $perms = $ops->{convert}($perms) if $ops->{convert}; - - if(defined $old_perms && $perms eq $old_perms) { - return; - } - - if($do_set) { - print $ops->{name}.": setting $privilege to ".$ops->{pretty}($perms).($old_perms?" (wrong setting ".$ops->{pretty}($old_perms).")\n":"\n"); - if(-e $overridefile) { - if(!open(F, '<', $md5_dir.'/'.$overridefile)) { - print STDERR "$overridefile was created externally, skip.\n"; - return; - } - my $should_digest = <F>; - $should_digest = substr($should_digest, 0, 32); - close F; - my $digest = md5_hex(join('', @old_content)); - if($digest ne $should_digest) { - print "$should_digest $digest\n"; - print STDERR "$overridefile was modifed externally, skip.\n"; - return; - } - } - if(!open(F, '>', $overridefile.'.new')) { - print STDERR "can't create $overridefile.new: $!, skip.\n"; - return; - } - my $content = $ops->{create}($privilege, $perms); - print F $content; - close F; - my $digest = md5_hex($content); - if(!open(F, '>', $md5_dir.'/'.$overridefile)) { - print STDERR "can't save md5 check for $privilege: $!\n"; - unlink($overridefile.".new"); - return; - } - print F $digest." $overridefile\n"; - close F; - rename($overridefile.'.new', $overridefile); - } else { - print $ops->{name}.": $privilege should be ".$ops->{pretty}($perms).($old_perms?" (wrong setting ".$ops->{pretty}($old_perms).")\n":"\n"); - } -} - -if (-d $polkit_public_dir) { - mkpath($md5_dir.'/'.$polkit_public_dir) if $do_set; -} else { - $policykit_ops = undef; -} -mkpath($polkit1_localauthority_dir) if $do_set; -mkpath($md5_dir.'/'.$polkit1_localauthority_dir) if $do_set; - while(<>) { chomp; next unless $_; @@ -189,15 +51,55 @@ if($perms !~ /:/) { $perms = $perms.':'.$perms.':'.$perms; } - # backward compat with PolicyKit - my @p = map { s/^auth_(admin\|self)_keep$/auth_$1_keep_always/; $_ } split(/:/, $perms); - $perms = join(':', @p); - $to_set{$privilege} = $perms; + # convert PolicyKit syntax + my @p = map { s/^(auth_(?:admin|self)_keep).+$/$1/; s/_one_shot//; $_ } split(/:/, $perms); + for (@p) { + unless (/^(?:auth_(?:admin|self)(?:_keep)?|yes|no)$/) { + warn "invalid value $_ in line $.\n"; + next; + } + } + $to_set{$privilege} = [ @p ]; } + +my $rules = ''; while (my ($privilege, $perms) = each %to_set) { - override($privilege, $perms, $policykit_ops) if defined $policykit_ops; - override($privilege, $perms, $polkit1_ops); + my @p = @$perms; + $rules .= sprintf("\t\t'%s':\n\t\t\t[ '%s', '%s', '%s' ],\n", $privilege, $p[0], $p[1], $p[2]); } -utime undef, undef, $reload_file if $do_set; +exit(0) unless $do_set; + +open(F, '>', $file.'.new') or die "can't open $file.new: $!\n"; +while(<DATA>) { + if (/INSERT_RULES_HERE/) { + $_ = $rules; + } + print F; +} +close F; + +rename($file.'.new', $file) or die "can't rename $file.new: $!\n"; + +__END__ +/************************************\ +* AUTOMATICALY GENERATED DO NOT EDIT * +* see man set_polkit_default_privs * +\************************************/ +polkit.addRule(function(action, subject) { + rules = { + "INSERT_RULES_HERE" : [ "auth_admin", "auth_admin", "auth_admin" ], + }; + var i = 0; + if (subject.local) { + if (subject.active) { + i = 2; + } else { + i = 1; + } + } + if (rules[action.id]) { + return rules[action.id][i]; + } +}); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/polkit-default-privs-12.3/listpolicies.pl new/polkit-default-privs-12.3/listpolicies.pl --- old/polkit-default-privs-12.3/listpolicies.pl 2013-02-19 17:13:52.000000000 +0100 +++ new/polkit-default-privs-12.3/listpolicies.pl 2013-02-22 09:39:59.000000000 +0100 @@ -9,76 +9,104 @@ use strict; use XML::Bare; -use Data::Dumper; +use Data::Dump; +use Getopt::Long; +Getopt::Long::Configure("no_ignore_case"); + +my %options; + +sub usage($) { + my $r = shift; + eval "use Pod::Usage; pod2usage($r);"; + if ($@) { + die "cannot display help, install perl(Pod::Usage)\n"; + } +} + +GetOptions( + \%options, + "verbose|v", + "policy=s@", + "check-override", + "help|h", +) or usage(1); + +usage(0) if ($options{'help'}); -my $permissions; my %known; my @policies; if ($#ARGV == -1) { my $buildroot = $ENV{'BUILD_ROOT'} || ''; my $rpm_buildroot = $ENV{'RPM_BUILD_ROOT'} || ''; - @ARGV = glob "$rpm_buildroot/usr/share/PolicyKit/policy/*.policy"; push @ARGV, glob "$rpm_buildroot/usr/share/polkit-1/actions/*.policy"; - push @ARGV, '--'; - push @ARGV, "$buildroot/etc/polkit-default-privs.standard"; + unless ($options{'policy'}) { + $options{'policy'} = [ "$buildroot/etc/polkit-default-privs.standard" ]; + } } for my $f (@ARGV) { - if ("$f" eq '--') { - $permissions = 1; - next; - } open (F, '<', $f) or die "$f: $!"; - if(!$permissions) { - #print STDERR "+++ ", $f,"\n"; - my $xml = XML::Bare->new(text => join('', <F>))->parse(); - - die "file is not a policykit config file" unless exists $xml->{'policyconfig'}->{'action'}; - - my $a; - if (ref $xml->{'policyconfig'}->{'action'} eq 'ARRAY') { - $a = $xml->{'policyconfig'}->{'action'} - } else { - $a = [$xml->{'policyconfig'}->{'action'}]; - } - for (@{$a}) { - next unless exists $_->{'id'}->{"value"}; - my $p = { name => $_->{'id'}->{'value'} }; - my @v; - for my $n (qw/any inactive active/) { - my $ref = $_->{'defaults'}->{'allow_'.$n}; - if (ref $ref eq 'ARRAY') { - warn $p->{'name'}.": duplicate allow_$n\n"; - $ref = $ref->[-1]; - } - push @v, $ref->{'value'} || 'no'; + #print STDERR "+++ ", $f,"\n"; + my $xml = XML::Bare->new(text => join('', <F>))->parse(); + + die "file is not a policykit config file" unless exists $xml->{'policyconfig'}->{'action'}; + + my $a; + if (ref $xml->{'policyconfig'}->{'action'} eq 'ARRAY') { + $a = $xml->{'policyconfig'}->{'action'} + } else { + $a = [$xml->{'policyconfig'}->{'action'}]; + } + for (@{$a}) { + next unless exists $_->{'id'}->{"value"}; + my $p = { name => $_->{'id'}->{'value'} }; + my $v = (); + for my $n (qw/any inactive active/) { + my $ref = $_->{'defaults'}->{'allow_'.$n}; + if (ref $ref eq 'ARRAY') { + warn $p->{'name'}.": duplicate allow_$n\n"; + $ref = $ref->[-1]; } - $p->{'value'} = join(':', @v); - push @policies, $p; + push @$v, $ref->{'value'} || 'no'; } - } else { - while(<F>) { - chomp; - next unless $_; - next if(/^#/); - my ($privilege, $perms) = split(/\s+/); - $known{$privilege} = 1; + $p->{'value'} = $v; + push @policies, $p; + } +} + +for my $f (@{$options{'policy'}}) { + open (F, '<', $f) or die "$f: $!"; + while(<F>) { + chomp; + next unless $_; + next if(/^#/); + my ($privilege, $perms) = split(/\s+/); + my @p = map { s/^(auth_(?:admin|self)_keep).+$/$1/; s/_one_shot//; $_ } split(/:/, $perms); + if (@p != 3) { + @p = ($p[0], $p[0], $p[0]); } + $known{$privilege} = [ @p ]; } close F; } -if(!$permissions) { +if (!$options{'policy'}) { map { print $_->{'name'}, "\n" } @policies; +} elsif ($options{'check-override'}) { + for my $p (@policies) { + next unless exists $known{$p->{'name'}}; + next if $known{$p->{'name'}}->[2] eq $p->{'value'}->[2]; + print sprintf('%-63s %s -> %s'."\n", $p->{'name'}, $p->{'value'}->[2], $known{$p->{'name'}}->[2]); + } } else { my $have_unknown; for (@policies) { next if exists $known{$_->{'name'}}; - print sprintf('%-63s %s'."\n", $_->{'name'}, $_->{'value'}); + print sprintf('%-63s %s'."\n", $_->{'name'}, join(':', @{$_->{'value'}})); $have_unknown = 1; } - if ($ENV{'VERBOSE'}) { + if ($options{'verbose'}) { my %seen = map { $_->{'name'} => 1} @policies; my @obs; for (keys %known) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/polkit-default-privs-12.3/polkit-default-privs.restrictive new/polkit-default-privs-12.3/polkit-default-privs.restrictive --- old/polkit-default-privs-12.3/polkit-default-privs.restrictive 2013-02-19 17:13:52.000000000 +0100 +++ new/polkit-default-privs-12.3/polkit-default-privs.restrictive 2013-02-22 09:39:59.000000000 +0100 @@ -187,13 +187,13 @@ org.freedesktop.udisks2.modify-device auth_admin org.freedesktop.udisks2.ata-smart-update auth_admin # (bnc#761872) -org.freedesktop.udisks2.eject-media auth_admin:auth_admin:yes -org.freedesktop.udisks2.filesystem-mount-other-seat auth_admin:auth_admin:auth_admin_keep -org.freedesktop.udisks2.encrypted-unlock-other-seat auth_admin:auth_admin:auth_admin_keep -org.freedesktop.udisks2.loop-modify-others auth_admin:auth_admin:auth_admin_keep -org.freedesktop.udisks2.eject-media-system auth_admin:auth_admin:auth_admin_keep -org.freedesktop.udisks2.eject-media-other-seat auth_admin:auth_admin:auth_admin_keep -org.freedesktop.udisks2.modify-device-other-seat auth_admin:auth_admin:auth_admin_keep +org.freedesktop.udisks2.eject-media auth_admin +org.freedesktop.udisks2.filesystem-mount-other-seat auth_admin +org.freedesktop.udisks2.encrypted-unlock-other-seat auth_admin +org.freedesktop.udisks2.loop-modify-others auth_admin +org.freedesktop.udisks2.eject-media-system auth_admin +org.freedesktop.udisks2.eject-media-other-seat auth_admin +org.freedesktop.udisks2.modify-device-other-seat auth_admin # # upower @@ -364,14 +364,14 @@ # # GNOME control-center (bnc#779938) # -org.gnome.controlcenter.user-accounts.administration no:no:auth_admin_keep -org.gnome.controlcenter.datetime.configure no:no:auth_admin_keep +org.gnome.controlcenter.user-accounts.administration auth_admin_keep +org.gnome.controlcenter.datetime.configure auth_admin_keep # # PackageKit / systemd offline updates (bnc#798885) # -org.freedesktop.packagekit.trigger-offline-update no:no:auth_admin_keep -org.freedesktop.packagekit.clear-offline-update no:no:auth_admin_keep +org.freedesktop.packagekit.trigger-offline-update auth_admin_keep +org.freedesktop.packagekit.clear-offline-update auth_admin_keep ### -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
