On Mon, Mar 16, 2015 at 02:24:05PM +0100, Juergen Borleis wrote:
> Signed-off-by: Juergen Borleis <j...@pengutronix.de>
> 
> diff --git 
> a/patches/polkit-0.96/0001-Bug-26982-pkexec-information-disclosure-vulnerabilit.patch
>  
> b/patches/polkit-0.96/0001-Bug-26982-pkexec-information-disclosure-vulnerabilit.patch
> deleted file mode 100644
> index 3c8efb61bdbd..000000000000
> --- 
> a/patches/polkit-0.96/0001-Bug-26982-pkexec-information-disclosure-vulnerabilit.patch
> +++ /dev/null
> @@ -1,68 +0,0 @@
> -From 14bdfd816512a82b1ad258fa143ae5faa945df8a Mon Sep 17 00:00:00 2001
> -From: Dan Rosenberg <dan.j.rosenb...@gmail.com>
> -Date: Wed, 10 Mar 2010 12:46:19 -0500
> -Subject: [PATCH 1/3] 
> =?UTF-8?q?Bug=2026982=20=E2=80=93=20pkexec=20information=20disclosure=20vulnerability?=
> -MIME-Version: 1.0
> -Content-Type: text/plain; charset=UTF-8
> -Content-Transfer-Encoding: 8bit
> -
> -pkexec is vulnerable to a minor information disclosure vulnerability
> -that allows an attacker to verify whether or not arbitrary files
> -exist, violating directory permissions. I reproduced the issue on my
> -Karmic installation as follows:
> -
> - $ mkdir secret
> - $ sudo chown root:root secret
> - $ sudo chmod 400 secret
> - $ sudo touch secret/hidden
> - $ pkexec /home/drosenbe/secret/hidden
> - (password prompt)
> - $ pkexec /home/drosenbe/secret/doesnotexist
> - Error getting information about /home/drosenbe/secret/doesnotexist: No such
> - file or directory
> -
> -I've attached my patch for the issue. I replaced the stat() call
> -entirely with access() using F_OK, so rather than check that the
> -target exists, pkexec now checks if the user has permission to verify
> -the existence of the program. There might be another way of doing
> -this, such as chdir()'ing to the parent directory of the target and
> -calling lstat(), but this seemed like more code than necessary to
> -prevent such a minor problem.  I see no reason to allow pkexec to
> -execute targets that are not accessible to the executing user because
> -of directory permissions. This is such a limited use case anyway that
> -this doesn't really affect functionality.
> -
> -http://bugs.freedesktop.org/show_bug.cgi?id=26982
> -
> -Signed-off-by: David Zeuthen <dav...@redhat.com>
> ----
> - src/programs/pkexec.c |    5 ++---
> - 1 files changed, 2 insertions(+), 3 deletions(-)
> -
> -diff --git a/src/programs/pkexec.c b/src/programs/pkexec.c
> -index 860e665..17c191e 100644
> ---- a/src/programs/pkexec.c
> -+++ b/src/programs/pkexec.c
> -@@ -411,7 +411,6 @@ main (int argc, char *argv[])
> -   gchar *opt_user;
> -   pid_t pid_of_caller;
> -   uid_t uid_of_caller;
> --  struct stat statbuf;
> - 
> -   ret = 127;
> -   authority = NULL;
> -@@ -520,9 +519,9 @@ main (int argc, char *argv[])
> -       g_free (path);
> -       argv[n] = path = s;
> -     }
> --  if (stat (path, &statbuf) != 0)
> -+  if (access (path, F_OK) != 0)
> -     {
> --      g_printerr ("Error getting information about %s: %s\n", path, 
> g_strerror (errno));
> -+      g_printerr ("Error accessing %s: %s\n", path, g_strerror (errno));
> -       goto out;
> -     }
> -   command_line = g_strjoinv (" ", argv + n);
> --- 
> -1.7.1
> -
> diff --git a/patches/polkit-0.96/0002-Add-shadow-support.patch 
> b/patches/polkit-0.96/0002-Add-shadow-support.patch
> deleted file mode 100644
> index b9119e13fb0f..000000000000
> --- a/patches/polkit-0.96/0002-Add-shadow-support.patch
> +++ /dev/null
> @@ -1,1083 +0,0 @@
> -From a2edcef54d2ab1a92f729e34dfa0c183b2533c61 Mon Sep 17 00:00:00 2001
> -From: Andrew Psaltis <ampsal...@gmail.com>
> -Date: Mon, 28 Jun 2010 22:04:00 -0400
> -Subject: [PATCH 2/3] Add shadow support
> -
> -Added support for the shadow authentication framework instead of PAM.
> -Enable it by passing --with-authfw=shadow to configure.
> -
> -This is done by splitting the polkitagenthelper source into separate
> -parts, one that does auth with PAM, and another that does auth with
> -shadow, sharing functions where appropriate.
> -
> -Also, all PAM-dependendent code in all other files has been #ifdef'd.
> -The only affected file is src/programs/pkexec.c
> -
> -Signed-off-by: David Zeuthen <dav...@redhat.com>
> ----
> - src/polkitagent/Makefile.am                |    9 +-
> - src/polkitagent/polkitagenthelper-pam.c    |  264 ++++++++++++++++++++++
> - src/polkitagent/polkitagenthelper-shadow.c |  198 ++++++++++++++++
> - src/polkitagent/polkitagenthelper.c        |  339 
> ----------------------------
> - src/polkitagent/polkitagenthelperprivate.c |  106 +++++++++
> - src/polkitagent/polkitagenthelperprivate.h |   45 ++++
> - src/programs/pkexec.c                      |    8 +
> - 7 files changed, 629 insertions(+), 340 deletions(-)
> - create mode 100644 src/polkitagent/polkitagenthelper-pam.c
> - create mode 100644 src/polkitagent/polkitagenthelper-shadow.c
> - delete mode 100644 src/polkitagent/polkitagenthelper.c
> - create mode 100644 src/polkitagent/polkitagenthelperprivate.c
> - create mode 100644 src/polkitagent/polkitagenthelperprivate.h
> -
> -diff --git a/src/polkitagent/Makefile.am b/src/polkitagent/Makefile.am
> -index 3f38329..820be4d 100644
> ---- a/src/polkitagent/Makefile.am
> -+++ b/src/polkitagent/Makefile.am
> -@@ -68,9 +68,16 @@ libpolkit_agent_1_la_LDFLAGS = -export-symbols-regex 
> '(^polkit_.*)'
> - libexec_PROGRAMS = polkit-agent-helper-1
> - 
> - polkit_agent_helper_1_SOURCES =                                     \
> --    polkitagenthelper.c                                             \
> -+    polkitagenthelperprivate.c polkitagenthelperprivate.h           \
> -     $(NULL)
> - 
> -+if POLKIT_AUTHFW_PAM
> -+polkit_agent_helper_1_SOURCES += polkitagenthelper-pam.c
> -+endif
> -+if POLKIT_AUTHFW_SHADOW
> -+polkit_agent_helper_1_SOURCES += polkitagenthelper-shadow.c
> -+endif
> -+
> - polkit_agent_helper_1_CFLAGS  =                                     \
> -         -D_POLKIT_COMPILATION                                               
> \
> -     $(GLIB_CFLAGS)                                                  \
> -diff --git a/src/polkitagent/polkitagenthelper-pam.c 
> b/src/polkitagent/polkitagenthelper-pam.c
> -new file mode 100644
> -index 0000000..5e8b54c
> ---- /dev/null
> -+++ b/src/polkitagent/polkitagenthelper-pam.c
> -@@ -0,0 +1,264 @@
> -+/*
> -+ * Copyright (C) 2008, 2010 Red Hat, Inc.
> -+ *
> -+ * This library is free software; you can redistribute it and/or
> -+ * modify it under the terms of the GNU Lesser General Public
> -+ * License as published by the Free Software Foundation; either
> -+ * version 2 of the License, or (at your option) any later version.
> -+ *
> -+ * This library is distributed in the hope that it will be useful,
> -+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
> -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
> -+ * Lesser General Public License for more details.
> -+ *
> -+ * You should have received a copy of the GNU Lesser General
> -+ * Public License along with this library; if not, write to the
> -+ * Free Software Foundation, Inc., 59 Temple Place, Suite 330,
> -+ * Boston, MA 02111-1307, USA.
> -+ *
> -+ * Author: David Zeuthen <dav...@redhat.com>
> -+ */
> -+
> -+#include "config.h"
> -+#include "polkitagenthelperprivate.h"
> -+
> -+#include <stdio.h>
> -+#include <stdlib.h>
> -+#include <string.h>
> -+#include <unistd.h>
> -+#include <sys/types.h>
> -+#include <sys/stat.h>
> -+#include <syslog.h>
> -+#include <security/pam_appl.h>
> -+
> -+#include <polkit/polkit.h>
> -+
> -+static int conversation_function (int n, const struct pam_message **msg, 
> struct pam_response **resp, void *data);
> -+
> -+int
> -+main (int argc, char *argv[])
> -+{
> -+  int rc;
> -+  const char *user_to_auth;
> -+  const char *cookie;
> -+  struct pam_conv pam_conversation;
> -+  pam_handle_t *pam_h;
> -+  const void *authed_user;
> -+
> -+  rc = 0;
> -+  pam_h = NULL;
> -+
> -+  /* clear the entire environment to avoid attacks using with libraries 
> honoring environment variables */
> -+  if (_polkit_clearenv () != 0)
> -+    goto error;
> -+
> -+  /* set a minimal environment */
> -+  setenv ("PATH", "/usr/sbin:/usr/bin:/sbin:/bin", 1);
> -+
> -+  /* check that we are setuid root */
> -+  if (geteuid () != 0)
> -+    {
> -+      fprintf (stderr, "polkit-agent-helper-1: needs to be setuid root\n");
> -+      goto error;
> -+    }
> -+
> -+  openlog ("polkit-agent-helper-1", LOG_CONS | LOG_PID, LOG_AUTHPRIV);
> -+
> -+  /* check for correct invocation */
> -+  if (argc != 3)
> -+    {
> -+      syslog (LOG_NOTICE, "inappropriate use of helper, wrong number of 
> arguments [uid=%d]", getuid ());
> -+      fprintf (stderr, "polkit-agent-helper-1: wrong number of arguments. 
> This incident has been logged.\n");
> -+      goto error;
> -+    }
> -+
> -+  user_to_auth = argv[1];
> -+  cookie = argv[2];
> -+
> -+  if (getuid () != 0)
> -+    {
> -+      /* check we're running with a non-tty stdin */
> -+      if (isatty (STDIN_FILENO) != 0)
> -+        {
> -+          syslog (LOG_NOTICE, "inappropriate use of helper, stdin is a tty 
> [uid=%d]", getuid ());
> -+          fprintf (stderr, "polkit-agent-helper-1: inappropriate use of 
> helper, stdin is a tty. This incident has been logged.\n");
> -+          goto error;
> -+        }
> -+    }
> -+
> -+#ifdef PAH_DEBUG
> -+  fprintf (stderr, "polkit-agent-helper-1: user to auth is '%s'.\n", 
> user_to_auth);
> -+#endif /* PAH_DEBUG */
> -+
> -+  pam_conversation.conv        = conversation_function;
> -+  pam_conversation.appdata_ptr = NULL;
> -+
> -+  /* start the pam stack */
> -+  rc = pam_start ("polkit-1",
> -+                  user_to_auth,
> -+                  &pam_conversation,
> -+                  &pam_h);
> -+  if (rc != PAM_SUCCESS)
> -+    {
> -+      fprintf (stderr, "polkit-agent-helper-1: pam_start failed: %s\n", 
> pam_strerror (pam_h, rc));
> -+      goto error;
> -+    }
> -+
> -+  /* set the requesting user */
> -+  rc = pam_set_item (pam_h, PAM_RUSER, user_to_auth);
> -+  if (rc != PAM_SUCCESS)
> -+    {
> -+      fprintf (stderr, "polkit-agent-helper-1: pam_set_item failed: %s\n", 
> pam_strerror (pam_h, rc));
> -+      goto error;
> -+    }
> -+
> -+  /* is user really user? */
> -+  rc = pam_authenticate (pam_h, 0);
> -+  if (rc != PAM_SUCCESS)
> -+    {
> -+      fprintf (stderr, "polkit-agent-helper-1: pam_authenticated failed: 
> %s\n", pam_strerror (pam_h, rc));
> -+      goto error;
> -+    }
> -+
> -+  /* permitted access? */
> -+  rc = pam_acct_mgmt (pam_h, 0);
> -+  if (rc != PAM_SUCCESS)
> -+    {
> -+      fprintf (stderr, "polkit-agent-helper-1: pam_acct_mgmt failed: %s\n", 
> pam_strerror (pam_h, rc));
> -+      goto error;
> -+    }
> -+
> -+  /* did we auth the right user? */
> -+  rc = pam_get_item (pam_h, PAM_USER, &authed_user);
> -+  if (rc != PAM_SUCCESS)
> -+    {
> -+      fprintf (stderr, "polkit-agent-helper-1: pam_get_item failed: %s\n", 
> pam_strerror (pam_h, rc));
> -+      goto error;
> -+    }
> -+
> -+  if (strcmp (authed_user, user_to_auth) != 0)
> -+    {
> -+      fprintf (stderr, "polkit-agent-helper-1: Tried to auth user '%s' but 
> we got auth for user '%s' instead",
> -+               user_to_auth, (const char *) authed_user);
> -+      goto error;
> -+    }
> -+
> -+#ifdef PAH_DEBUG
> -+  fprintf (stderr, "polkit-agent-helper-1: successfully authenticated user 
> '%s'.\n", user_to_auth);
> -+#endif /* PAH_DEBUG */
> -+
> -+  pam_end (pam_h, rc);
> -+  pam_h = NULL;
> -+
> -+#ifdef PAH_DEBUG
> -+  fprintf (stderr, "polkit-agent-helper-1: sending D-Bus message to 
> PolicyKit daemon\n");
> -+#endif /* PAH_DEBUG */
> -+
> -+  /* now send a D-Bus message to the PolicyKit daemon that
> -+   * includes a) the cookie; and b) the user we authenticated
> -+   */
> -+  if (!send_dbus_message (cookie, user_to_auth))
> -+    {
> -+#ifdef PAH_DEBUG
> -+      fprintf (stderr, "polkit-agent-helper-1: error sending D-Bus message 
> to PolicyKit daemon\n");
> -+#endif /* PAH_DEBUG */
> -+      goto error;
> -+    }
> -+
> -+#ifdef PAH_DEBUG
> -+  fprintf (stderr, "polkit-agent-helper-1: successfully sent D-Bus message 
> to PolicyKit daemon\n");
> -+#endif /* PAH_DEBUG */
> -+
> -+  fprintf (stdout, "SUCCESS\n");
> -+  flush_and_wait();
> -+  return 0;
> -+
> -+error:
> -+  if (pam_h != NULL)
> -+    pam_end (pam_h, rc);
> -+
> -+  fprintf (stdout, "FAILURE\n");
> -+  flush_and_wait();
> -+  return 1;
> -+}
> -+
> -+static int
> -+conversation_function (int n, const struct pam_message **msg, struct 
> pam_response **resp, void *data)
> -+{
> -+  struct pam_response *aresp;
> -+  char buf[PAM_MAX_RESP_SIZE];
> -+  int i;
> -+
> -+  data = data;
> -+  if (n <= 0 || n > PAM_MAX_NUM_MSG)
> -+    return PAM_CONV_ERR;
> -+
> -+  if ((aresp = calloc(n, sizeof *aresp)) == NULL)
> -+    return PAM_BUF_ERR;
> -+
> -+  for (i = 0; i < n; ++i)
> -+    {
> -+      aresp[i].resp_retcode = 0;
> -+      aresp[i].resp = NULL;
> -+      switch (msg[i]->msg_style)
> -+        {
> -+
> -+        case PAM_PROMPT_ECHO_OFF:
> -+          fprintf (stdout, "PAM_PROMPT_ECHO_OFF ");
> -+          goto conv1;
> -+
> -+        case PAM_PROMPT_ECHO_ON:
> -+          fprintf (stdout, "PAM_PROMPT_ECHO_ON ");
> -+        conv1:
> -+          fputs (msg[i]->msg, stdout);
> -+          if (strlen (msg[i]->msg) > 0 && msg[i]->msg[strlen (msg[i]->msg) 
> - 1] != '\n')
> -+            fputc ('\n', stdout);
> -+          fflush (stdout);
> -+
> -+          if (fgets (buf, sizeof buf, stdin) == NULL)
> -+            goto error;
> -+
> -+          if (strlen (buf) > 0 &&
> -+              buf[strlen (buf) - 1] == '\n')
> -+            buf[strlen (buf) - 1] = '\0';
> -+
> -+          aresp[i].resp = strdup (buf);
> -+          if (aresp[i].resp == NULL)
> -+            goto error;
> -+          break;
> -+
> -+        case PAM_ERROR_MSG:
> -+          fprintf (stdout, "PAM_ERROR_MSG ");
> -+          goto conv2;
> -+
> -+        case PAM_TEXT_INFO:
> -+          fprintf (stdout, "PAM_TEXT_INFO ");
> -+        conv2:
> -+          fputs (msg[i]->msg, stdout);
> -+          if (strlen (msg[i]->msg) > 0 &&
> -+              msg[i]->msg[strlen (msg[i]->msg) - 1] != '\n')
> -+            fputc ('\n', stdout);
> -+          fflush (stdout);
> -+          break;
> -+
> -+        default:
> -+          goto error;
> -+        }
> -+    }
> -+
> -+  *resp = aresp;
> -+  return PAM_SUCCESS;
> -+
> -+error:
> -+
> -+  for (i = 0; i < n; ++i)
> -+    {
> -+      if (aresp[i].resp != NULL) {
> -+        memset (aresp[i].resp, 0, strlen(aresp[i].resp));
> -+        free (aresp[i].resp);
> -+      }
> -+    }
> -+  memset (aresp, 0, n * sizeof *aresp);
> -+  *resp = NULL;
> -+  return PAM_CONV_ERR;
> -+}
> -diff --git a/src/polkitagent/polkitagenthelper-shadow.c 
> b/src/polkitagent/polkitagenthelper-shadow.c
> -new file mode 100644
> -index 0000000..a4f73ac
> ---- /dev/null
> -+++ b/src/polkitagent/polkitagenthelper-shadow.c
> -@@ -0,0 +1,198 @@
> -+/*
> -+ * Copyright (C) 2008 Red Hat, Inc.
> -+ * Copyright (C) 2009-2010 Andrew Psaltis <ampsal...@gmail.com>
> -+ *
> -+ * This library is free software; you can redistribute it and/or
> -+ * modify it under the terms of the GNU Lesser General Public
> -+ * License as published by the Free Software Foundation; either
> -+ * version 2 of the License, or (at your option) any later version.
> -+ *
> -+ * This library is distributed in the hope that it will be useful,
> -+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
> -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
> -+ * Lesser General Public License for more details.
> -+ *
> -+ * You should have received a copy of the GNU Lesser General
> -+ * Public License along with this library; if not, write to the
> -+ * Free Software Foundation, Inc., 59 Temple Place, Suite 330,
> -+ * Boston, MA 02111-1307, USA.
> -+ *
> -+ * Authors: Andrew Psaltis <ampsal...@gmail.com>, based on
> -+ *            polkitagenthelper.c which was written by
> -+ *          David Zeuthen <dav...@redhat.com>
> -+ */
> -+
> -+#include "config.h"
> -+#include "polkitagenthelperprivate.h"
> -+
> -+#include <stdio.h>
> -+#include <stdlib.h>
> -+#include <string.h>
> -+#include <unistd.h>
> -+#include <sys/types.h>
> -+#include <sys/stat.h>
> -+#include <syslog.h>
> -+#include <shadow.h>
> -+#include <grp.h>
> -+#include <pwd.h>
> -+#include <time.h>
> -+
> -+#include <polkit/polkit.h>
> -+
> -+static gboolean shadow_authenticate (struct spwd *shadow);
> -+
> -+int
> -+main (int argc, char *argv[])
> -+{
> -+  struct spwd *shadow;
> -+  const char *user_to_auth;
> -+  const char *cookie;
> -+  time_t now;
> -+
> -+  /* clear the entire environment to avoid attacks with
> -+     libraries honoring environment variables */
> -+  if (_polkit_clearenv () != 0)
> -+    goto error;
> -+
> -+  /* set a minimal environment */
> -+  setenv ("PATH", "/usr/sbin:/usr/bin:/sbin:/bin", 1);
> -+
> -+  /* check that we are setuid root */
> -+  if (geteuid () != 0)
> -+    {
> -+      fprintf (stderr, "polkit-agent-helper-1: needs to be setuid root\n");
> -+      goto error;
> -+    }
> -+
> -+  openlog ("polkit-agent-helper-1", LOG_CONS | LOG_PID, LOG_AUTHPRIV);
> -+
> -+  /* check for correct invocation */
> -+  if (argc != 3)
> -+    {
> -+      syslog (LOG_NOTICE, "inappropriate use of helper, wrong number of 
> arguments [uid=%d]", getuid ());
> -+      fprintf (stderr, "polkit-agent-helper-1: wrong number of arguments. 
> This incident has been logged.\n");
> -+      goto error;
> -+    }
> -+
> -+  if (getuid () != 0)
> -+    {
> -+    /* check we're running with a non-tty stdin */
> -+    if (isatty (STDIN_FILENO) != 0)
> -+      {
> -+        syslog (LOG_NOTICE, "inappropriate use of helper, stdin is a tty 
> [uid=%d]", getuid ());
> -+        fprintf (stderr, "polkit-agent-helper-1: inappropriate use of 
> helper, stdin is a tty. This incident has been logged.\n");
> -+        goto error;
> -+      }
> -+    }
> -+
> -+  user_to_auth = argv[1];
> -+  cookie = argv[2];
> -+
> -+#ifdef PAH_DEBUG
> -+  fprintf (stderr, "polkit-agent-helper-1: user to auth is '%s'.\n", 
> user_to_auth);
> -+#endif /* PAH_DEBUG */
> -+
> -+
> -+  /* Ask shadow about the user requesting authentication */
> -+  shadow = getspnam (user_to_auth);
> -+
> -+  if (shadow == NULL)
> -+    {
> -+      syslog (LOG_NOTICE, "shadow file data information request for user 
> '%s' [uid=%d] failed", user_to_auth, getuid ());
> -+      fprintf(stderr, "polkit-agent-helper-1: could not get shadow 
> information for '%s'", user_to_auth);
> -+      goto error;
> -+    }
> -+
> -+  /* Check the user's identity */
> -+  if (shadow_authenticate (shadow) == FALSE)
> -+    {
> -+      syslog (LOG_NOTICE, "authentication failure [uid=%d] trying to 
> authenticate '%s'", getuid (), user_to_auth);
> -+      fprintf (stderr, "polkit-agent-helper-1: authentication failure. This 
> incident has been logged.\n");
> -+      goto error;
> -+    }
> -+
> -+  /* Check whether the user's password has expired */
> -+  now = time (NULL);
> -+  if (shadow->sp_max >= 0 && (shadow->sp_lstchg + shadow->sp_max) * 60 * 60 
> * 24 <= now)
> -+    {
> -+      syslog (LOG_NOTICE, "password expired for user '%s' [uid=%d] trying 
> to authenticate", user_to_auth, getuid ());
> -+      fprintf (stderr, "polkit-agent-helper-1: authorization failure. This 
> incident has been logged.\n");
> -+      goto error;
> -+    }
> -+
> -+  /* Check whether the user's password has aged (and account expired along
> -+   * with it)
> -+   */
> -+  if (shadow->sp_inact >= 0 && (shadow->sp_lstchg + shadow->sp_max + 
> shadow->sp_inact) * 60 * 60 * 24 <= now)
> -+    {
> -+      syslog (LOG_NOTICE, "password aged for user '%s' [uid=%d] trying to 
> authenticate", user_to_auth, getuid ());
> -+      fprintf (stderr, "polkit-agent-helper-1: authorization failure. This 
> incident has been logged.\n");
> -+      goto error;
> -+    }
> -+
> -+  /* Check whether the user's account has expired */
> -+  if (shadow->sp_expire >= 0 && shadow->sp_expire * 60 * 60 * 24 <= now)
> -+    {
> -+      syslog (LOG_NOTICE, "account expired for user '%s' [uid=%d] trying to 
> authenticate", user_to_auth, getuid ());
> -+      fprintf (stderr, "polkit-agent-helper-1: authorization failure. This 
> incident has been logged.\n");
> -+      goto error;
> -+    }
> -+
> -+#ifdef PAH_DEBUG
> -+  fprintf (stderr, "polkit-agent-helper-1: sending D-Bus message to 
> PolicyKit daemon\n");
> -+#endif /* PAH_DEBUG */
> -+
> -+  /* now send a D-Bus message to the PolicyKit daemon that
> -+   * includes a) the cookie; and b) the user we authenticated
> -+   */
> -+  if (!send_dbus_message (cookie, user_to_auth))
> -+    {
> -+#ifdef PAH_DEBUG
> -+      fprintf (stderr, "polkit-agent-helper-1: error sending D-Bus message 
> to PolicyKit daemon\n");
> -+#endif /* PAH_DEBUG */
> -+      goto error;
> -+    }
> -+
> -+#ifdef PAH_DEBUG
> -+  fprintf (stderr, "polkit-agent-helper-1: successfully sent D-Bus message 
> to PolicyKit daemon\n");
> -+#endif /* PAH_DEBUG */
> -+
> -+  fprintf (stdout, "SUCCESS\n");
> -+  flush_and_wait ();
> -+  return 0;
> -+
> -+error:
> -+  fprintf (stdout, "FAILURE\n");
> -+  flush_and_wait ();
> -+  return 1;
> -+}
> -+
> -+static gboolean
> -+shadow_authenticate (struct spwd *shadow)
> -+{
> -+  char passwd[512], *crypt_pass;
> -+
> -+  fprintf (stdout, "PAM_PROMPT_ECHO_OFF password:\n");
> -+  fflush (stdout);
> -+  usleep (10 * 1000); /* since fflush(3) seems buggy */
> -+
> -+  if (fgets (passwd, sizeof (passwd), stdin) == NULL)
> -+    goto error;
> -+
> -+  if (strlen (passwd) > 0 && passwd[strlen (passwd) - 1] == '\n')
> -+    passwd[strlen (passwd) - 1] = '\0';
> -+
> -+  /* Use the encrypted password as the salt, according to the crypt(3) man 
> page,
> -+   * it will perform whatever encryption method is specified in /etc/shadow
> -+   */
> -+  crypt_pass = crypt (passwd, shadow->sp_pwdp);
> -+
> -+  if (crypt_pass == NULL)
> -+    goto error;
> -+
> -+  if (strcmp (shadow->sp_pwdp, crypt (passwd, shadow->sp_pwdp)) != 0)
> -+    goto error;
> -+  return 1;
> -+error:
> -+  return 0;
> -+}
> -diff --git a/src/polkitagent/polkitagenthelper.c 
> b/src/polkitagent/polkitagenthelper.c
> -deleted file mode 100644
> -index cca86db..0000000
> ---- a/src/polkitagent/polkitagenthelper.c
> -+++ /dev/null
> -@@ -1,339 +0,0 @@
> --/*
> -- * Copyright (C) 2008 Red Hat, Inc.
> -- *
> -- * This library is free software; you can redistribute it and/or
> -- * modify it under the terms of the GNU Lesser General Public
> -- * License as published by the Free Software Foundation; either
> -- * version 2 of the License, or (at your option) any later version.
> -- *
> -- * This library is distributed in the hope that it will be useful,
> -- * but WITHOUT ANY WARRANTY; without even the implied warranty of
> -- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
> -- * Lesser General Public License for more details.
> -- *
> -- * You should have received a copy of the GNU Lesser General
> -- * Public License along with this library; if not, write to the
> -- * Free Software Foundation, Inc., 59 Temple Place, Suite 330,
> -- * Boston, MA 02111-1307, USA.
> -- *
> -- * Author: David Zeuthen <dav...@redhat.com>
> -- */
> --
> --#include "config.h"
> --#include <stdio.h>
> --#include <stdlib.h>
> --#include <string.h>
> --#include <unistd.h>
> --#include <sys/types.h>
> --#include <sys/stat.h>
> --#include <syslog.h>
> --#include <security/pam_appl.h>
> --
> --#include <polkit/polkit.h>
> --
> --#ifdef HAVE_SOLARIS
> --#  define LOG_AUTHPRIV    (10<<3)
> --#endif
> --
> --#ifndef HAVE_CLEARENV
> --extern char **environ;
> --
> --static int
> --clearenv (void)
> --{
> --    if (environ != NULL)
> --            environ[0] = NULL;
> --    return 0;
> --}
> --#endif
> --
> --/* Development aid: define PAH_DEBUG to get debugging output. Do _NOT_
> -- * enable this in production builds; it may leak passwords and other
> -- * sensitive information.
> -- */
> --#undef PAH_DEBUG
> --// #define PAH_DEBUG
> --
> --static gboolean send_dbus_message (const char *cookie, const char *user);
> --
> --static int conversation_function (int n, const struct pam_message **msg, 
> struct pam_response **resp, void *data);
> --
> --int
> --main (int argc, char *argv[])
> --{
> --  int rc;
> --  const char *user_to_auth;
> --  const char *cookie;
> --  struct pam_conv pam_conversation;
> --  pam_handle_t *pam_h;
> --  const void *authed_user;
> --
> --  rc = 0;
> --  pam_h = NULL;
> --
> --  /* clear the entire environment to avoid attacks using with libraries 
> honoring environment variables */
> --  if (clearenv () != 0)
> --    goto error;
> --
> --  /* set a minimal environment */
> --  setenv ("PATH", "/usr/sbin:/usr/bin:/sbin:/bin", 1);
> --
> --  /* check that we are setuid root */
> --  if (geteuid () != 0)
> --    {
> --      fprintf (stderr, "polkit-agent-helper-1: needs to be setuid root\n");
> --      goto error;
> --    }
> --
> --  openlog ("polkit-agent-helper-1", LOG_CONS | LOG_PID, LOG_AUTHPRIV);
> --
> --  /* check for correct invocation */
> --  if (argc != 3)
> --    {
> --      syslog (LOG_NOTICE, "inappropriate use of helper, wrong number of 
> arguments [uid=%d]", getuid ());
> --      fprintf (stderr, "polkit-agent-helper-1: wrong number of arguments. 
> This incident has been logged.\n");
> --      goto error;
> --    }
> --
> --  user_to_auth = argv[1];
> --  cookie = argv[2];
> --
> --  if (getuid () != 0)
> --    {
> --      /* check we're running with a non-tty stdin */
> --      if (isatty (STDIN_FILENO) != 0)
> --        {
> --          syslog (LOG_NOTICE, "inappropriate use of helper, stdin is a tty 
> [uid=%d]", getuid ());
> --          fprintf (stderr, "polkit-agent-helper-1: inappropriate use of 
> helper, stdin is a tty. This incident has been logged.\n");
> --          goto error;
> --        }
> --    }
> --
> --#ifdef PAH_DEBUG
> --  fprintf (stderr, "polkit-agent-helper-1: user to auth is '%s'.\n", 
> user_to_auth);
> --#endif /* PAH_DEBUG */
> --
> --  pam_conversation.conv        = conversation_function;
> --  pam_conversation.appdata_ptr = NULL;
> --
> --  /* start the pam stack */
> --  rc = pam_start ("polkit-1",
> --                  user_to_auth,
> --                  &pam_conversation,
> --                  &pam_h);
> --  if (rc != PAM_SUCCESS)
> --    {
> --      fprintf (stderr, "polkit-agent-helper-1: pam_start failed: %s\n", 
> pam_strerror (pam_h, rc));
> --      goto error;
> --    }
> --
> --  /* set the requesting user */
> --  rc = pam_set_item (pam_h, PAM_RUSER, user_to_auth);
> --  if (rc != PAM_SUCCESS)
> --    {
> --      fprintf (stderr, "polkit-agent-helper-1: pam_set_item failed: %s\n", 
> pam_strerror (pam_h, rc));
> --      goto error;
> --    }
> --
> --  /* is user really user? */
> --  rc = pam_authenticate (pam_h, 0);
> --  if (rc != PAM_SUCCESS)
> --    {
> --      fprintf (stderr, "polkit-agent-helper-1: pam_authenticated failed: 
> %s\n", pam_strerror (pam_h, rc));
> --      goto error;
> --    }
> --
> --  /* permitted access? */
> --  rc = pam_acct_mgmt (pam_h, 0);
> --  if (rc != PAM_SUCCESS)
> --    {
> --      fprintf (stderr, "polkit-agent-helper-1: pam_acct_mgmt failed: %s\n", 
> pam_strerror (pam_h, rc));
> --      goto error;
> --    }
> --
> --  /* did we auth the right user? */
> --  rc = pam_get_item (pam_h, PAM_USER, &authed_user);
> --  if (rc != PAM_SUCCESS)
> --    {
> --      fprintf (stderr, "polkit-agent-helper-1: pam_get_item failed: %s\n", 
> pam_strerror (pam_h, rc));
> --      goto error;
> --    }
> --
> --  if (strcmp (authed_user, user_to_auth) != 0)
> --    {
> --      fprintf (stderr, "polkit-agent-helper-1: Tried to auth user '%s' but 
> we got auth for user '%s' instead",
> --               user_to_auth, (const char *) authed_user);
> --      goto error;
> --    }
> --
> --#ifdef PAH_DEBUG
> --  fprintf (stderr, "polkit-agent-helper-1: successfully authenticated user 
> '%s'.\n", user_to_auth);
> --#endif /* PAH_DEBUG */
> --
> --  pam_end (pam_h, rc);
> --  pam_h = NULL;
> --
> --#ifdef PAH_DEBUG
> --  fprintf (stderr, "polkit-agent-helper-1: sending D-Bus message to 
> PolicyKit daemon\n");
> --#endif /* PAH_DEBUG */
> --
> --  /* now send a D-Bus message to the PolicyKit daemon that
> --   * includes a) the cookie; and b) the user we authenticated
> --   */
> --  if (!send_dbus_message (cookie, user_to_auth))
> --    {
> --#ifdef PAH_DEBUG
> --      fprintf (stderr, "polkit-agent-helper-1: error sending D-Bus message 
> to PolicyKit daemon\n");
> --#endif /* PAH_DEBUG */
> --      goto error;
> --    }
> --
> --#ifdef PAH_DEBUG
> --  fprintf (stderr, "polkit-agent-helper-1: successfully sent D-Bus message 
> to PolicyKit daemon\n");
> --#endif /* PAH_DEBUG */
> --
> --  fprintf (stdout, "SUCCESS\n");
> --  fflush (stdout);
> --  fflush (stderr);
> --  usleep (10 * 1000); /* since fflush(3) seems buggy */
> --  return 0;
> --
> --error:
> --  if (pam_h != NULL)
> --    pam_end (pam_h, rc);
> --
> --  fprintf (stdout, "FAILURE\n");
> --  fflush (stdout);
> --  fflush (stderr);
> --  usleep (10 * 1000); /* since fflush(3) seems buggy */
> --  return 1;
> --}
> --
> --static int
> --conversation_function (int n, const struct pam_message **msg, struct 
> pam_response **resp, void *data)
> --{
> --  struct pam_response *aresp;
> --  char buf[PAM_MAX_RESP_SIZE];
> --  int i;
> --
> --  data = data;
> --  if (n <= 0 || n > PAM_MAX_NUM_MSG)
> --    return PAM_CONV_ERR;
> --
> --  if ((aresp = calloc(n, sizeof *aresp)) == NULL)
> --    return PAM_BUF_ERR;
> --
> --  for (i = 0; i < n; ++i)
> --    {
> --      aresp[i].resp_retcode = 0;
> --      aresp[i].resp = NULL;
> --      switch (msg[i]->msg_style)
> --        {
> --
> --        case PAM_PROMPT_ECHO_OFF:
> --          fprintf (stdout, "PAM_PROMPT_ECHO_OFF ");
> --          goto conv1;
> --
> --        case PAM_PROMPT_ECHO_ON:
> --          fprintf (stdout, "PAM_PROMPT_ECHO_ON ");
> --        conv1:
> --          fputs (msg[i]->msg, stdout);
> --          if (strlen (msg[i]->msg) > 0 && msg[i]->msg[strlen (msg[i]->msg) 
> - 1] != '\n')
> --            fputc ('\n', stdout);
> --          fflush (stdout);
> --
> --          if (fgets (buf, sizeof buf, stdin) == NULL)
> --            goto error;
> --
> --          if (strlen (buf) > 0 &&
> --              buf[strlen (buf) - 1] == '\n')
> --            buf[strlen (buf) - 1] = '\0';
> --
> --          aresp[i].resp = strdup (buf);
> --          if (aresp[i].resp == NULL)
> --            goto error;
> --          break;
> --
> --        case PAM_ERROR_MSG:
> --          fprintf (stdout, "PAM_ERROR_MSG ");
> --          goto conv2;
> --
> --        case PAM_TEXT_INFO:
> --          fprintf (stdout, "PAM_TEXT_INFO ");
> --        conv2:
> --          fputs (msg[i]->msg, stdout);
> --          if (strlen (msg[i]->msg) > 0 &&
> --              msg[i]->msg[strlen (msg[i]->msg) - 1] != '\n')
> --            fputc ('\n', stdout);
> --          fflush (stdout);
> --          break;
> --
> --        default:
> --          goto error;
> --        }
> --    }
> --
> --  *resp = aresp;
> --  return PAM_SUCCESS;
> --
> --error:
> --
> --  for (i = 0; i < n; ++i)
> --    {
> --      if (aresp[i].resp != NULL) {
> --        memset (aresp[i].resp, 0, strlen(aresp[i].resp));
> --        free (aresp[i].resp);
> --      }
> --    }
> --  memset (aresp, 0, n * sizeof *aresp);
> --  *resp = NULL;
> --  return PAM_CONV_ERR;
> --}
> --
> --static gboolean
> --send_dbus_message (const char *cookie, const char *user)
> --{
> --  PolkitAuthority *authority;
> --  PolkitIdentity *identity;
> --  GError *error;
> --  gboolean ret;
> --
> --  ret = FALSE;
> --
> --  error = NULL;
> --
> --  g_type_init ();
> --
> --  authority = polkit_authority_get ();
> --
> --  identity = polkit_unix_user_new_for_name (user, &error);
> --  if (identity == NULL)
> --    {
> --      g_printerr ("Error constructing identity: %s\n", error->message);
> --      g_error_free (error);
> --      goto out;
> --    }
> --
> --  if (!polkit_authority_authentication_agent_response_sync (authority,
> --                                                            cookie,
> --                                                            identity,
> --                                                            NULL,
> --                                                            &error))
> --    {
> --      g_printerr ("polkit-agent-helper-1: error response to PolicyKit 
> daemon: %s\n", error->message);
> --      g_error_free (error);
> --      goto out;
> --    }
> --
> --  ret = TRUE;
> --
> -- out:
> --
> --  if (identity != NULL)
> --    g_object_unref (identity);
> --
> --  if (authority != NULL)
> --    g_object_unref (authority);
> --
> --  return ret;
> --}
> -diff --git a/src/polkitagent/polkitagenthelperprivate.c 
> b/src/polkitagent/polkitagenthelperprivate.c
> -new file mode 100644
> -index 0000000..be495e9
> ---- /dev/null
> -+++ b/src/polkitagent/polkitagenthelperprivate.c
> -@@ -0,0 +1,106 @@
> -+/*
> -+ * Copyright (C) 2009-2010 Red Hat, Inc.
> -+ *
> -+ * This library is free software; you can redistribute it and/or
> -+ * modify it under the terms of the GNU Lesser General Public
> -+ * License as published by the Free Software Foundation; either
> -+ * version 2 of the License, or (at your option) any later version.
> -+ *
> -+ * This library is distributed in the hope that it will be useful,
> -+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
> -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
> -+ * Lesser General Public License for more details.
> -+ *
> -+ * You should have received a copy of the GNU Lesser General
> -+ * Public License along with this library; if not, write to the
> -+ * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
> -+ * Boston, MA 02110-1301, USA.
> -+ *
> -+ * Authors: David Zeuthen <dav...@redhat.com>,
> -+ *          Andrew Psaltis <ampsal...@gmail.com>
> -+ */
> -+
> -+#include "config.h"
> -+#include "polkitagenthelperprivate.h"
> -+#include <stdio.h>
> -+#include <stdlib.h>
> -+#include <unistd.h>
> -+
> -+#ifndef HAVE_CLEARENV
> -+extern char **environ;
> -+
> -+int
> -+_polkit_clearenv (void)
> -+{
> -+  if (environ != NULL)
> -+    environ[0] = NULL;
> -+  return 0;
> -+}
> -+#else
> -+int
> -+_polkit_clearenv (void)
> -+{
> -+  return clearenv ();
> -+}
> -+#endif
> -+
> -+
> -+gboolean
> -+send_dbus_message (const char *cookie, const char *user)
> -+{
> -+  PolkitAuthority *authority;
> -+  PolkitIdentity *identity;
> -+  GError *error;
> -+  gboolean ret;
> -+
> -+  ret = FALSE;
> -+
> -+  error = NULL;
> -+
> -+  g_type_init ();
> -+
> -+  authority = polkit_authority_get ();
> -+
> -+  identity = polkit_unix_user_new_for_name (user, &error);
> -+  if (identity == NULL)
> -+    {
> -+      g_printerr ("Error constructing identity: %s\n", error->message);
> -+      g_error_free (error);
> -+      goto out;
> -+    }
> -+
> -+  if (!polkit_authority_authentication_agent_response_sync (authority,
> -+                                                            cookie,
> -+                                                            identity,
> -+                                                            NULL,
> -+                                                            &error))
> -+    {
> -+      g_printerr ("polkit-agent-helper-1: error response to PolicyKit 
> daemon: %s\n", error->message);
> -+      g_error_free (error);
> -+      goto out;
> -+    }
> -+
> -+  ret = TRUE;
> -+
> -+ out:
> -+
> -+  if (identity != NULL)
> -+    g_object_unref (identity);
> -+
> -+  if (authority != NULL)
> -+    g_object_unref (authority);
> -+
> -+  return ret;
> -+}
> -+
> -+/* fflush(3) stdin and stdout and wait a little bit.
> -+ * This replaces the three-line commands at the bottom of
> -+ * polkit-agent-helper-1's main() function.
> -+ */
> -+void
> -+flush_and_wait ()
> -+{
> -+  fflush (stdout);
> -+  fflush (stderr);
> -+  usleep (10 * 1000); /* since fflush(3) seems buggy */
> -+}
> -diff --git a/src/polkitagent/polkitagenthelperprivate.h 
> b/src/polkitagent/polkitagenthelperprivate.h
> -new file mode 100644
> -index 0000000..7294d46
> ---- /dev/null
> -+++ b/src/polkitagent/polkitagenthelperprivate.h
> -@@ -0,0 +1,45 @@
> -+/*
> -+ * Copyright (C) 2009-2010 Red Hat, Inc.
> -+ *
> -+ * This library is free software; you can redistribute it and/or
> -+ * modify it under the terms of the GNU Lesser General Public
> -+ * License as published by the Free Software Foundation; either
> -+ * version 2 of the License, or (at your option) any later version.
> -+ *
> -+ * This library is distributed in the hope that it will be useful,
> -+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
> -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
> -+ * Lesser General Public License for more details.
> -+ *
> -+ * You should have received a copy of the GNU Lesser General
> -+ * Public License along with this library; if not, write to the
> -+ * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
> -+ * Boston, MA 02110-1301, USA.
> -+ *
> -+ * Authors: David Zeuthen <dav...@redhat.com>,
> -+ *          Andrew Psaltis <ampsal...@gmail.com>
> -+ */
> -+#ifndef __POLKIT_AGENT_HELPER_PRIVATE_H
> -+#define __POLKIT_AGENT_HELPER_PRIVATE_H
> -+
> -+#define _GNU_SOURCE
> -+#include <polkit/polkit.h>
> -+
> -+/* Development aid: define PAH_DEBUG to get debugging output. Do _NOT_
> -+ * enable this in production builds; it may leak passwords and other
> -+ * sensitive information.
> -+ */
> -+#undef PAH_DEBUG
> -+// #define PAH_DEBUG
> -+
> -+#ifdef HAVE_SOLARIS
> -+#  define LOG_AUTHPRIV    (10<<3)
> -+#endif
> -+
> -+int _polkit_clearenv (void);
> -+
> -+gboolean send_dbus_message (const char *cookie, const char *user);
> -+
> -+void flush_and_wait ();
> -+
> -+#endif /* __POLKIT_AGENT_HELPER_PRIVATE_H */
> -diff --git a/src/programs/pkexec.c b/src/programs/pkexec.c
> -index 17c191e..b0193f4 100644
> ---- a/src/programs/pkexec.c
> -+++ b/src/programs/pkexec.c
> -@@ -34,7 +34,11 @@
> - #include <grp.h>
> - #include <pwd.h>
> - #include <errno.h>
> -+
> -+#ifdef POLKIT_AUTHFW_PAM
> - #include <security/pam_appl.h>
> -+#endif /* POLKIT_AUTHFW_PAM */
> -+
> - #include <syslog.h>
> - #include <stdarg.h>
> - 
> -@@ -115,6 +119,7 @@ log_message (gint     level,
> - 
> - /* 
> ----------------------------------------------------------------------------------------------------
>  */
> - 
> -+#ifdef POLKIT_AUTHFW_PAM
> - static int
> - pam_conversation_function (int n,
> -                            const struct pam_message **msg,
> -@@ -167,6 +172,7 @@ out:
> -     pam_end (pam_h, rc);
> -   return ret;
> - }
> -+#endif /* POLKIT_AUTHFW_PAM */
> - 
> - /* 
> ----------------------------------------------------------------------------------------------------
>  */
> - 
> -@@ -741,10 +747,12 @@ main (int argc, char *argv[])
> -    * TODO: The question here is whether we should clear the limits before 
> applying them?
> -    * As evident above, neither su(1) (and, for that matter, nor sudo(8)) 
> does this.
> -    */
> -+#ifdef POLKIT_AUTHFW_PAM
> -   if (!open_session (pw->pw_name))
> -     {
> -       goto out;
> -     }
> -+#endif /* POLKIT_AUTHFW_PAM */
> - 
> -   /* become the user */
> -   if (setgroups (0, NULL) != 0)
> --- 
> -1.7.1
> -
> diff --git 
> a/patches/polkit-0.96/0003-Bug-29051-Configuration-reload-on-every-query.patch
>  
> b/patches/polkit-0.96/0003-Bug-29051-Configuration-reload-on-every-query.patch
> deleted file mode 100644
> index d9cf8c23bfd6..000000000000
> --- 
> a/patches/polkit-0.96/0003-Bug-29051-Configuration-reload-on-every-query.patch
> +++ /dev/null
> @@ -1,45 +0,0 @@
> -From 779c0153fc0bd3c2e302dac1979d17638f054229 Mon Sep 17 00:00:00 2001
> -From: =?UTF-8?q?Petr=20Mr=C3=A1zek?= <pete...@gmail.com>
> -Date: Wed, 14 Jul 2010 02:59:12 +0200
> -Subject: [PATCH 3/3] 
> =?UTF-8?q?Bug=2029051=20=E2=80=93=20Configuration=20reload=20on=20every=20query?=
> -MIME-Version: 1.0
> -Content-Type: text/plain; charset=UTF-8
> -Content-Transfer-Encoding: 8bit
> -
> -Set has_data to true after the data is loaded to prevent excessive
> -reloading of config files.
> -
> -Signed-off-by: David Zeuthen <dav...@redhat.com>
> ----
> - src/polkitbackend/polkitbackendconfigsource.c      |    1 +
> - .../polkitbackendlocalauthorizationstore.c         |    2 ++
> - 2 files changed, 3 insertions(+), 0 deletions(-)
> -
> -diff --git a/src/polkitbackend/polkitbackendconfigsource.c 
> b/src/polkitbackend/polkitbackendconfigsource.c
> -index 224d0d0..465da96 100644
> ---- a/src/polkitbackend/polkitbackendconfigsource.c
> -+++ b/src/polkitbackend/polkitbackendconfigsource.c
> -@@ -386,6 +386,7 @@ polkit_backend_config_source_ensure 
> (PolkitBackendConfigSource *source)
> -     }
> - 
> -   source->priv->key_files = g_list_reverse (source->priv->key_files);
> -+  source->priv->has_data = TRUE;
> - 
> -  out:
> -   g_list_foreach (files, (GFunc) g_object_unref, NULL);
> -diff --git a/src/polkitbackend/polkitbackendlocalauthorizationstore.c 
> b/src/polkitbackend/polkitbackendlocalauthorizationstore.c
> -index 5d5dc14..b959269 100644
> ---- a/src/polkitbackend/polkitbackendlocalauthorizationstore.c
> -+++ b/src/polkitbackend/polkitbackendlocalauthorizationstore.c
> -@@ -641,6 +641,8 @@ polkit_backend_local_authorization_store_ensure 
> (PolkitBackendLocalAuthorization
> -       g_free (filename);
> -     }
> - 
> -+  store->priv->has_data = TRUE;
> -+
> -  out:
> -   g_list_foreach (files, (GFunc) g_object_unref, NULL);
> -   g_list_free (files);
> --- 
> -1.7.1
> -
> diff --git a/patches/polkit-0.96/autogen.sh b/patches/polkit-0.96/autogen.sh
> deleted file mode 120000
> index 9f8a4cb7ddcb..000000000000
> --- a/patches/polkit-0.96/autogen.sh
> +++ /dev/null
> @@ -1 +0,0 @@
> -../autogen.sh
> \ No newline at end of file
> diff --git a/patches/polkit-0.96/series b/patches/polkit-0.96/series
> deleted file mode 100644
> index ee29cd64eb79..000000000000
> --- a/patches/polkit-0.96/series
> +++ /dev/null
> @@ -1,3 +0,0 @@
> -0001-Bug-26982-pkexec-information-disclosure-vulnerabilit.patch
> -0002-Add-shadow-support.patch
> -0003-Bug-29051-Configuration-reload-on-every-query.patch
> diff --git a/rules/polkit.in b/rules/polkit.in
> index d28de7c67e91..4edfccd2194f 100644
> --- a/rules/polkit.in
> +++ b/rules/polkit.in
> @@ -1,14 +1,26 @@
>  ## SECTION=system_libraries
>  
> -config POLKIT
> +menuconfig POLKIT
>       tristate
> -     prompt "policykit-1"
> +     prompt "policykit-1                   "
>       select LIBC_CRYPT
>       select HOST_INTLTOOL
>       select HOST_GTK_DOC
> +     select EXPAT
>       select GLIB
>       select DBUS_GLIB
>       select EGGDBUS
> +     select SYSTEMD_LOGIND if POLKIT_SYSTEMD

This does not work. We need libsystemd-login and this does not generate the
necessary dependencies. Select 'SYSTEMD' here as well...

>       help
>         PolicyKit offers an infrastructure for security policies for
>         dbus applications.
> +
> +if POLKIT
> +
> +config POLKIT_SYSTEMD
> +     bool "systemd based session tracking"
> +     default y if SYSTEMD

...and use 'default INITMETHOD_SYSTEMD' here. We do the same in dbus.

Michael

> +     help
> +       Use systemd for session tracking, else ConsoleKit is used
> +
> +endif
> diff --git a/rules/polkit.make b/rules/polkit.make
> index b702a1b50d90..376315f929f8 100644
> --- a/rules/polkit.make
> +++ b/rules/polkit.make
> @@ -16,8 +16,8 @@ PACKAGES-$(PTXCONF_POLKIT) += polkit
>  #
>  # Paths and names
>  #
> -POLKIT_VERSION       := 0.96
> -POLKIT_MD5   := e0a06da501b04ed3bab986a9df5b5aa2
> +POLKIT_VERSION       := 0.104
> +POLKIT_MD5   := e380b4c6fb1e7bccf854e92edc0a8ce1
>  POLKIT               := polkit-$(POLKIT_VERSION)
>  POLKIT_SUFFIX        := tar.gz
>  POLKIT_URL   := 
> http://hal.freedesktop.org/releases/$(POLKIT).$(POLKIT_SUFFIX)
> @@ -28,19 +28,19 @@ POLKIT_DIR        := $(BUILDDIR)/$(POLKIT)
>  # Prepare
>  # 
> ----------------------------------------------------------------------------
>  
> -#
> -# autoconf
> -#
> -POLKIT_AUTOCONF := \
> +POLKIT_CONF_TOOL     := autoconf
> +POLKIT_CONF_OPT              := \
>       $(CROSS_AUTOCONF_USR) \
> -     --enable-shared \
> -     --enable-static \
> +     $(GLOBAL_LARGE_FILE_OPTION) \
>       --disable-ansi \
>       --disable-verbose-mode \
>       --disable-man-pages \
>       --disable-gtk-doc \
> -     --disable-examples \
> +     --disable-gtk-doc-html \
> +     --$(call ptx/endis, PTXCONF_POLKIT_SYSTEMD)-systemd \
>       --disable-introspection \
> +     --disable-examples \
> +     --disable-nls \
>       --with-gnu-ld \
>       --with-authfw=shadow \
>       --with-os-type=ptxdist
> @@ -65,6 +65,7 @@ $(STATEDIR)/polkit.targetinstall:
>               
> /usr/share/dbus-1/system-services/org.freedesktop.PolicyKit1.service)
>  
>  # config
> +     @$(call install_copy, polkit, 0, 0, 700, /etc/polkit-1/localauthority)
>       @$(call install_copy, polkit, 0, 0, 0644, -, \
>               /etc/polkit-1/localauthority.conf.d/50-localauthority.conf)
>       @$(call install_copy, polkit, 0, 0, 0644, -, \
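Review bot: The new directory install for /etc/polkit-1/localauthority writes its mode as `700`, while the neighbouring install_copy calls in this rule use a leading zero (`0644`, `0755`). The same applies to the /var/lib/polkit-1 line added in the later "run-time" hunk. Both forms are presumably read as octal, but `@$(call install_copy, polkit, 0, 0, 0700, /etc/polkit-1/localauthority)` matches the rest of the rule and makes it explicit that no setuid, setgid or sticky bit is intended. A one-line comment such as `# root-only: holds the local authorization overrides` above each of the two lines would record why these directories are stricter than the 0644 config files next to them. The targetinstall rule begins and ends outside this hunk, so an existing convention for directory modes elsewhere in the file cannot be checked from here.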
> @@ -79,8 +80,6 @@ $(STATEDIR)/polkit.targetinstall:
>  
>       @$(call install_copy, polkit, 0, 0, 0644, -, \
>               /usr/lib/polkit-1/extensions/libnullbackend.so)
> -     @$(call install_copy, polkit, 0, 0, 0644, -, \
> -             /usr/lib/polkit-1/extensions/libpkexec-action-lookup.so)
>  
>  # binaries
>       @$(call install_copy, polkit, 0, 0, 0755, -, /usr/bin/pkaction)
> @@ -93,6 +92,9 @@ $(STATEDIR)/polkit.targetinstall:
>       @$(call install_copy, polkit, 0, 0, 4755, -, \
>               /usr/libexec/polkit-agent-helper-1)
>  
> +# run-time
> +     @$(call install_copy, polkit, 0, 0, 700, /var/lib/polkit-1)
> +
>       @$(call install_finish, polkit)
>  
>       @$(call touch)
> -- 
> Pengutronix e.K.                              | Juergen Borleis             |
> Industrial Linux Solutions                    | http://www.pengutronix.de/  |
> 
> -- 
> ptxdist mailing list
> ptxdist@pengutronix.de
> 

-- 
Pengutronix e.K.                           |                             |
Industrial Linux Solutions                 | http://www.pengutronix.de/  |
Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |
