From: Michael Olbrich <m.olbrich@pengutronix.de>
To: ptxdist@pengutronix.de
Subject: Re: [ptxdist] [APTCH] polkit: version bump 0.96 -> 0.104
Date: Sat, 21 Mar 2015 18:21:13 +0100 [thread overview]
Message-ID: <20150321172113.GM20453@pengutronix.de> (raw)
In-Reply-To: <201503161424.05539.jbe@pengutronix.de>
On Mon, Mar 16, 2015 at 02:24:05PM +0100, Juergen Borleis wrote:
> Signed-off-by: Juergen Borleis <jbe@pengutronix.de>
>
> diff --git a/patches/polkit-0.96/0001-Bug-26982-pkexec-information-disclosure-vulnerabilit.patch b/patches/polkit-0.96/0001-Bug-26982-pkexec-information-disclosure-vulnerabilit.patch
> deleted file mode 100644
> index 3c8efb61bdbd..000000000000
> --- a/patches/polkit-0.96/0001-Bug-26982-pkexec-information-disclosure-vulnerabilit.patch
> +++ /dev/null
> @@ -1,68 +0,0 @@
> -From 14bdfd816512a82b1ad258fa143ae5faa945df8a Mon Sep 17 00:00:00 2001
> -From: Dan Rosenberg <dan.j.rosenberg@gmail.com>
> -Date: Wed, 10 Mar 2010 12:46:19 -0500
> -Subject: [PATCH 1/3] =?UTF-8?q?Bug=2026982=20=E2=80=93=20pkexec=20information=20disclosure=20vulnerability?=
> -MIME-Version: 1.0
> -Content-Type: text/plain; charset=UTF-8
> -Content-Transfer-Encoding: 8bit
> -
> -pkexec is vulnerable to a minor information disclosure vulnerability
> -that allows an attacker to verify whether or not arbitrary files
> -exist, violating directory permissions. I reproduced the issue on my
> -Karmic installation as follows:
> -
> - $ mkdir secret
> - $ sudo chown root:root secret
> - $ sudo chmod 400 secret
> - $ sudo touch secret/hidden
> - $ pkexec /home/drosenbe/secret/hidden
> - (password prompt)
> - $ pkexec /home/drosenbe/secret/doesnotexist
> - Error getting information about /home/drosenbe/secret/doesnotexist: No such
> - file or directory
> -
> -I've attached my patch for the issue. I replaced the stat() call
> -entirely with access() using F_OK, so rather than check that the
> -target exists, pkexec now checks if the user has permission to verify
> -the existence of the program. There might be another way of doing
> -this, such as chdir()'ing to the parent directory of the target and
> -calling lstat(), but this seemed like more code than necessary to
> -prevent such a minor problem. I see no reason to allow pkexec to
> -execute targets that are not accessible to the executing user because
> -of directory permissions. This is such a limited use case anyway that
> -this doesn't really affect functionality.
> -
> -http://bugs.freedesktop.org/show_bug.cgi?id=26982
> -
> -Signed-off-by: David Zeuthen <davidz@redhat.com>
> ----
> - src/programs/pkexec.c | 5 ++---
> - 1 files changed, 2 insertions(+), 3 deletions(-)
> -
> -diff --git a/src/programs/pkexec.c b/src/programs/pkexec.c
> -index 860e665..17c191e 100644
> ---- a/src/programs/pkexec.c
> -+++ b/src/programs/pkexec.c
> -@@ -411,7 +411,6 @@ main (int argc, char *argv[])
> - gchar *opt_user;
> - pid_t pid_of_caller;
> - uid_t uid_of_caller;
> -- struct stat statbuf;
> -
> - ret = 127;
> - authority = NULL;
> -@@ -520,9 +519,9 @@ main (int argc, char *argv[])
> - g_free (path);
> - argv[n] = path = s;
> - }
> -- if (stat (path, &statbuf) != 0)
> -+ if (access (path, F_OK) != 0)
> - {
> -- g_printerr ("Error getting information about %s: %s\n", path, g_strerror (errno));
> -+ g_printerr ("Error accessing %s: %s\n", path, g_strerror (errno));
> - goto out;
> - }
> - command_line = g_strjoinv (" ", argv + n);
> ---
> -1.7.1
> -
> diff --git a/patches/polkit-0.96/0002-Add-shadow-support.patch b/patches/polkit-0.96/0002-Add-shadow-support.patch
> deleted file mode 100644
> index b9119e13fb0f..000000000000
> --- a/patches/polkit-0.96/0002-Add-shadow-support.patch
> +++ /dev/null
> @@ -1,1083 +0,0 @@
> -From a2edcef54d2ab1a92f729e34dfa0c183b2533c61 Mon Sep 17 00:00:00 2001
> -From: Andrew Psaltis <ampsaltis@gmail.com>
> -Date: Mon, 28 Jun 2010 22:04:00 -0400
> -Subject: [PATCH 2/3] Add shadow support
> -
> -Added support for the shadow authentication framework instead of PAM.
> -Enable it by passing --with-authfw=shadow to configure.
> -
> -This is done by splitting the polkitagenthelper source into separate
> -parts, one that does auth with PAM, and another that does auth with
> -shadow, sharing functions where appropriate.
> -
> -Also, all PAM-dependendent code in all other files has been #ifdef'd.
> -The only affected file is src/programs/pkexec.c
> -
> -Signed-off-by: David Zeuthen <davidz@redhat.com>
> ----
> - src/polkitagent/Makefile.am | 9 +-
> - src/polkitagent/polkitagenthelper-pam.c | 264 ++++++++++++++++++++++
> - src/polkitagent/polkitagenthelper-shadow.c | 198 ++++++++++++++++
> - src/polkitagent/polkitagenthelper.c | 339 ----------------------------
> - src/polkitagent/polkitagenthelperprivate.c | 106 +++++++++
> - src/polkitagent/polkitagenthelperprivate.h | 45 ++++
> - src/programs/pkexec.c | 8 +
> - 7 files changed, 629 insertions(+), 340 deletions(-)
> - create mode 100644 src/polkitagent/polkitagenthelper-pam.c
> - create mode 100644 src/polkitagent/polkitagenthelper-shadow.c
> - delete mode 100644 src/polkitagent/polkitagenthelper.c
> - create mode 100644 src/polkitagent/polkitagenthelperprivate.c
> - create mode 100644 src/polkitagent/polkitagenthelperprivate.h
> -
> -diff --git a/src/polkitagent/Makefile.am b/src/polkitagent/Makefile.am
> -index 3f38329..820be4d 100644
> ---- a/src/polkitagent/Makefile.am
> -+++ b/src/polkitagent/Makefile.am
> -@@ -68,9 +68,16 @@ libpolkit_agent_1_la_LDFLAGS = -export-symbols-regex '(^polkit_.*)'
> - libexec_PROGRAMS = polkit-agent-helper-1
> -
> - polkit_agent_helper_1_SOURCES = \
> -- polkitagenthelper.c \
> -+ polkitagenthelperprivate.c polkitagenthelperprivate.h \
> - $(NULL)
> -
> -+if POLKIT_AUTHFW_PAM
> -+polkit_agent_helper_1_SOURCES += polkitagenthelper-pam.c
> -+endif
> -+if POLKIT_AUTHFW_SHADOW
> -+polkit_agent_helper_1_SOURCES += polkitagenthelper-shadow.c
> -+endif
> -+
> - polkit_agent_helper_1_CFLAGS = \
> - -D_POLKIT_COMPILATION \
> - $(GLIB_CFLAGS) \
> -diff --git a/src/polkitagent/polkitagenthelper-pam.c b/src/polkitagent/polkitagenthelper-pam.c
> -new file mode 100644
> -index 0000000..5e8b54c
> ---- /dev/null
> -+++ b/src/polkitagent/polkitagenthelper-pam.c
> -@@ -0,0 +1,264 @@
> -+/*
> -+ * Copyright (C) 2008, 2010 Red Hat, Inc.
> -+ *
> -+ * This library is free software; you can redistribute it and/or
> -+ * modify it under the terms of the GNU Lesser General Public
> -+ * License as published by the Free Software Foundation; either
> -+ * version 2 of the License, or (at your option) any later version.
> -+ *
> -+ * This library is distributed in the hope that it will be useful,
> -+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
> -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
> -+ * Lesser General Public License for more details.
> -+ *
> -+ * You should have received a copy of the GNU Lesser General
> -+ * Public License along with this library; if not, write to the
> -+ * Free Software Foundation, Inc., 59 Temple Place, Suite 330,
> -+ * Boston, MA 02111-1307, USA.
> -+ *
> -+ * Author: David Zeuthen <davidz@redhat.com>
> -+ */
> -+
> -+#include "config.h"
> -+#include "polkitagenthelperprivate.h"
> -+
> -+#include <stdio.h>
> -+#include <stdlib.h>
> -+#include <string.h>
> -+#include <unistd.h>
> -+#include <sys/types.h>
> -+#include <sys/stat.h>
> -+#include <syslog.h>
> -+#include <security/pam_appl.h>
> -+
> -+#include <polkit/polkit.h>
> -+
> -+static int conversation_function (int n, const struct pam_message **msg, struct pam_response **resp, void *data);
> -+
> -+int
> -+main (int argc, char *argv[])
> -+{
> -+ int rc;
> -+ const char *user_to_auth;
> -+ const char *cookie;
> -+ struct pam_conv pam_conversation;
> -+ pam_handle_t *pam_h;
> -+ const void *authed_user;
> -+
> -+ rc = 0;
> -+ pam_h = NULL;
> -+
> -+ /* clear the entire environment to avoid attacks using with libraries honoring environment variables */
> -+ if (_polkit_clearenv () != 0)
> -+ goto error;
> -+
> -+ /* set a minimal environment */
> -+ setenv ("PATH", "/usr/sbin:/usr/bin:/sbin:/bin", 1);
> -+
> -+ /* check that we are setuid root */
> -+ if (geteuid () != 0)
> -+ {
> -+ fprintf (stderr, "polkit-agent-helper-1: needs to be setuid root\n");
> -+ goto error;
> -+ }
> -+
> -+ openlog ("polkit-agent-helper-1", LOG_CONS | LOG_PID, LOG_AUTHPRIV);
> -+
> -+ /* check for correct invocation */
> -+ if (argc != 3)
> -+ {
> -+ syslog (LOG_NOTICE, "inappropriate use of helper, wrong number of arguments [uid=%d]", getuid ());
> -+ fprintf (stderr, "polkit-agent-helper-1: wrong number of arguments. This incident has been logged.\n");
> -+ goto error;
> -+ }
> -+
> -+ user_to_auth = argv[1];
> -+ cookie = argv[2];
> -+
> -+ if (getuid () != 0)
> -+ {
> -+ /* check we're running with a non-tty stdin */
> -+ if (isatty (STDIN_FILENO) != 0)
> -+ {
> -+ syslog (LOG_NOTICE, "inappropriate use of helper, stdin is a tty [uid=%d]", getuid ());
> -+ fprintf (stderr, "polkit-agent-helper-1: inappropriate use of helper, stdin is a tty. This incident has been logged.\n");
> -+ goto error;
> -+ }
> -+ }
> -+
> -+#ifdef PAH_DEBUG
> -+ fprintf (stderr, "polkit-agent-helper-1: user to auth is '%s'.\n", user_to_auth);
> -+#endif /* PAH_DEBUG */
> -+
> -+ pam_conversation.conv = conversation_function;
> -+ pam_conversation.appdata_ptr = NULL;
> -+
> -+ /* start the pam stack */
> -+ rc = pam_start ("polkit-1",
> -+ user_to_auth,
> -+ &pam_conversation,
> -+ &pam_h);
> -+ if (rc != PAM_SUCCESS)
> -+ {
> -+ fprintf (stderr, "polkit-agent-helper-1: pam_start failed: %s\n", pam_strerror (pam_h, rc));
> -+ goto error;
> -+ }
> -+
> -+ /* set the requesting user */
> -+ rc = pam_set_item (pam_h, PAM_RUSER, user_to_auth);
> -+ if (rc != PAM_SUCCESS)
> -+ {
> -+ fprintf (stderr, "polkit-agent-helper-1: pam_set_item failed: %s\n", pam_strerror (pam_h, rc));
> -+ goto error;
> -+ }
> -+
> -+ /* is user really user? */
> -+ rc = pam_authenticate (pam_h, 0);
> -+ if (rc != PAM_SUCCESS)
> -+ {
> -+ fprintf (stderr, "polkit-agent-helper-1: pam_authenticated failed: %s\n", pam_strerror (pam_h, rc));
> -+ goto error;
> -+ }
> -+
> -+ /* permitted access? */
> -+ rc = pam_acct_mgmt (pam_h, 0);
> -+ if (rc != PAM_SUCCESS)
> -+ {
> -+ fprintf (stderr, "polkit-agent-helper-1: pam_acct_mgmt failed: %s\n", pam_strerror (pam_h, rc));
> -+ goto error;
> -+ }
> -+
> -+ /* did we auth the right user? */
> -+ rc = pam_get_item (pam_h, PAM_USER, &authed_user);
> -+ if (rc != PAM_SUCCESS)
> -+ {
> -+ fprintf (stderr, "polkit-agent-helper-1: pam_get_item failed: %s\n", pam_strerror (pam_h, rc));
> -+ goto error;
> -+ }
> -+
> -+ if (strcmp (authed_user, user_to_auth) != 0)
> -+ {
> -+ fprintf (stderr, "polkit-agent-helper-1: Tried to auth user '%s' but we got auth for user '%s' instead",
> -+ user_to_auth, (const char *) authed_user);
> -+ goto error;
> -+ }
> -+
> -+#ifdef PAH_DEBUG
> -+ fprintf (stderr, "polkit-agent-helper-1: successfully authenticated user '%s'.\n", user_to_auth);
> -+#endif /* PAH_DEBUG */
> -+
> -+ pam_end (pam_h, rc);
> -+ pam_h = NULL;
> -+
> -+#ifdef PAH_DEBUG
> -+ fprintf (stderr, "polkit-agent-helper-1: sending D-Bus message to PolicyKit daemon\n");
> -+#endif /* PAH_DEBUG */
> -+
> -+ /* now send a D-Bus message to the PolicyKit daemon that
> -+ * includes a) the cookie; and b) the user we authenticated
> -+ */
> -+ if (!send_dbus_message (cookie, user_to_auth))
> -+ {
> -+#ifdef PAH_DEBUG
> -+ fprintf (stderr, "polkit-agent-helper-1: error sending D-Bus message to PolicyKit daemon\n");
> -+#endif /* PAH_DEBUG */
> -+ goto error;
> -+ }
> -+
> -+#ifdef PAH_DEBUG
> -+ fprintf (stderr, "polkit-agent-helper-1: successfully sent D-Bus message to PolicyKit daemon\n");
> -+#endif /* PAH_DEBUG */
> -+
> -+ fprintf (stdout, "SUCCESS\n");
> -+ flush_and_wait();
> -+ return 0;
> -+
> -+error:
> -+ if (pam_h != NULL)
> -+ pam_end (pam_h, rc);
> -+
> -+ fprintf (stdout, "FAILURE\n");
> -+ flush_and_wait();
> -+ return 1;
> -+}
> -+
> -+static int
> -+conversation_function (int n, const struct pam_message **msg, struct pam_response **resp, void *data)
> -+{
> -+ struct pam_response *aresp;
> -+ char buf[PAM_MAX_RESP_SIZE];
> -+ int i;
> -+
> -+ data = data;
> -+ if (n <= 0 || n > PAM_MAX_NUM_MSG)
> -+ return PAM_CONV_ERR;
> -+
> -+ if ((aresp = calloc(n, sizeof *aresp)) == NULL)
> -+ return PAM_BUF_ERR;
> -+
> -+ for (i = 0; i < n; ++i)
> -+ {
> -+ aresp[i].resp_retcode = 0;
> -+ aresp[i].resp = NULL;
> -+ switch (msg[i]->msg_style)
> -+ {
> -+
> -+ case PAM_PROMPT_ECHO_OFF:
> -+ fprintf (stdout, "PAM_PROMPT_ECHO_OFF ");
> -+ goto conv1;
> -+
> -+ case PAM_PROMPT_ECHO_ON:
> -+ fprintf (stdout, "PAM_PROMPT_ECHO_ON ");
> -+ conv1:
> -+ fputs (msg[i]->msg, stdout);
> -+ if (strlen (msg[i]->msg) > 0 && msg[i]->msg[strlen (msg[i]->msg) - 1] != '\n')
> -+ fputc ('\n', stdout);
> -+ fflush (stdout);
> -+
> -+ if (fgets (buf, sizeof buf, stdin) == NULL)
> -+ goto error;
> -+
> -+ if (strlen (buf) > 0 &&
> -+ buf[strlen (buf) - 1] == '\n')
> -+ buf[strlen (buf) - 1] = '\0';
> -+
> -+ aresp[i].resp = strdup (buf);
> -+ if (aresp[i].resp == NULL)
> -+ goto error;
> -+ break;
> -+
> -+ case PAM_ERROR_MSG:
> -+ fprintf (stdout, "PAM_ERROR_MSG ");
> -+ goto conv2;
> -+
> -+ case PAM_TEXT_INFO:
> -+ fprintf (stdout, "PAM_TEXT_INFO ");
> -+ conv2:
> -+ fputs (msg[i]->msg, stdout);
> -+ if (strlen (msg[i]->msg) > 0 &&
> -+ msg[i]->msg[strlen (msg[i]->msg) - 1] != '\n')
> -+ fputc ('\n', stdout);
> -+ fflush (stdout);
> -+ break;
> -+
> -+ default:
> -+ goto error;
> -+ }
> -+ }
> -+
> -+ *resp = aresp;
> -+ return PAM_SUCCESS;
> -+
> -+error:
> -+
> -+ for (i = 0; i < n; ++i)
> -+ {
> -+ if (aresp[i].resp != NULL) {
> -+ memset (aresp[i].resp, 0, strlen(aresp[i].resp));
> -+ free (aresp[i].resp);
> -+ }
> -+ }
> -+ memset (aresp, 0, n * sizeof *aresp);
> -+ *resp = NULL;
> -+ return PAM_CONV_ERR;
> -+}
> -diff --git a/src/polkitagent/polkitagenthelper-shadow.c b/src/polkitagent/polkitagenthelper-shadow.c
> -new file mode 100644
> -index 0000000..a4f73ac
> ---- /dev/null
> -+++ b/src/polkitagent/polkitagenthelper-shadow.c
> -@@ -0,0 +1,198 @@
> -+/*
> -+ * Copyright (C) 2008 Red Hat, Inc.
> -+ * Copyright (C) 2009-2010 Andrew Psaltis <ampsaltis@gmail.com>
> -+ *
> -+ * This library is free software; you can redistribute it and/or
> -+ * modify it under the terms of the GNU Lesser General Public
> -+ * License as published by the Free Software Foundation; either
> -+ * version 2 of the License, or (at your option) any later version.
> -+ *
> -+ * This library is distributed in the hope that it will be useful,
> -+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
> -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
> -+ * Lesser General Public License for more details.
> -+ *
> -+ * You should have received a copy of the GNU Lesser General
> -+ * Public License along with this library; if not, write to the
> -+ * Free Software Foundation, Inc., 59 Temple Place, Suite 330,
> -+ * Boston, MA 02111-1307, USA.
> -+ *
> -+ * Authors: Andrew Psaltis <ampsaltis@gmail.com>, based on
> -+ * polkitagenthelper.c which was written by
> -+ * David Zeuthen <davidz@redhat.com>
> -+ */
> -+
> -+#include "config.h"
> -+#include "polkitagenthelperprivate.h"
> -+
> -+#include <stdio.h>
> -+#include <stdlib.h>
> -+#include <string.h>
> -+#include <unistd.h>
> -+#include <sys/types.h>
> -+#include <sys/stat.h>
> -+#include <syslog.h>
> -+#include <shadow.h>
> -+#include <grp.h>
> -+#include <pwd.h>
> -+#include <time.h>
> -+
> -+#include <polkit/polkit.h>
> -+
> -+static gboolean shadow_authenticate (struct spwd *shadow);
> -+
> -+int
> -+main (int argc, char *argv[])
> -+{
> -+ struct spwd *shadow;
> -+ const char *user_to_auth;
> -+ const char *cookie;
> -+ time_t now;
> -+
> -+ /* clear the entire environment to avoid attacks with
> -+ libraries honoring environment variables */
> -+ if (_polkit_clearenv () != 0)
> -+ goto error;
> -+
> -+ /* set a minimal environment */
> -+ setenv ("PATH", "/usr/sbin:/usr/bin:/sbin:/bin", 1);
> -+
> -+ /* check that we are setuid root */
> -+ if (geteuid () != 0)
> -+ {
> -+ fprintf (stderr, "polkit-agent-helper-1: needs to be setuid root\n");
> -+ goto error;
> -+ }
> -+
> -+ openlog ("polkit-agent-helper-1", LOG_CONS | LOG_PID, LOG_AUTHPRIV);
> -+
> -+ /* check for correct invocation */
> -+ if (argc != 3)
> -+ {
> -+ syslog (LOG_NOTICE, "inappropriate use of helper, wrong number of arguments [uid=%d]", getuid ());
> -+ fprintf (stderr, "polkit-agent-helper-1: wrong number of arguments. This incident has been logged.\n");
> -+ goto error;
> -+ }
> -+
> -+ if (getuid () != 0)
> -+ {
> -+ /* check we're running with a non-tty stdin */
> -+ if (isatty (STDIN_FILENO) != 0)
> -+ {
> -+ syslog (LOG_NOTICE, "inappropriate use of helper, stdin is a tty [uid=%d]", getuid ());
> -+ fprintf (stderr, "polkit-agent-helper-1: inappropriate use of helper, stdin is a tty. This incident has been logged.\n");
> -+ goto error;
> -+ }
> -+ }
> -+
> -+ user_to_auth = argv[1];
> -+ cookie = argv[2];
> -+
> -+#ifdef PAH_DEBUG
> -+ fprintf (stderr, "polkit-agent-helper-1: user to auth is '%s'.\n", user_to_auth);
> -+#endif /* PAH_DEBUG */
> -+
> -+
> -+ /* Ask shadow about the user requesting authentication */
> -+ shadow = getspnam (user_to_auth);
> -+
> -+ if (shadow == NULL)
> -+ {
> -+ syslog (LOG_NOTICE, "shadow file data information request for user '%s' [uid=%d] failed", user_to_auth, getuid ());
> -+ fprintf(stderr, "polkit-agent-helper-1: could not get shadow information for '%s'", user_to_auth);
> -+ goto error;
> -+ }
> -+
> -+ /* Check the user's identity */
> -+ if (shadow_authenticate (shadow) == FALSE)
> -+ {
> -+ syslog (LOG_NOTICE, "authentication failure [uid=%d] trying to authenticate '%s'", getuid (), user_to_auth);
> -+ fprintf (stderr, "polkit-agent-helper-1: authentication failure. This incident has been logged.\n");
> -+ goto error;
> -+ }
> -+
> -+ /* Check whether the user's password has expired */
> -+ now = time (NULL);
> -+ if (shadow->sp_max >= 0 && (shadow->sp_lstchg + shadow->sp_max) * 60 * 60 * 24 <= now)
> -+ {
> -+ syslog (LOG_NOTICE, "password expired for user '%s' [uid=%d] trying to authenticate", user_to_auth, getuid ());
> -+ fprintf (stderr, "polkit-agent-helper-1: authorization failure. This incident has been logged.\n");
> -+ goto error;
> -+ }
> -+
> -+ /* Check whether the user's password has aged (and account expired along
> -+ * with it)
> -+ */
> -+ if (shadow->sp_inact >= 0 && (shadow->sp_lstchg + shadow->sp_max + shadow->sp_inact) * 60 * 60 * 24 <= now)
> -+ {
> -+ syslog (LOG_NOTICE, "password aged for user '%s' [uid=%d] trying to authenticate", user_to_auth, getuid ());
> -+ fprintf (stderr, "polkit-agent-helper-1: authorization failure. This incident has been logged.\n");
> -+ goto error;
> -+ }
> -+
> -+ /* Check whether the user's account has expired */
> -+ if (shadow->sp_expire >= 0 && shadow->sp_expire * 60 * 60 * 24 <= now)
> -+ {
> -+ syslog (LOG_NOTICE, "account expired for user '%s' [uid=%d] trying to authenticate", user_to_auth, getuid ());
> -+ fprintf (stderr, "polkit-agent-helper-1: authorization failure. This incident has been logged.\n");
> -+ goto error;
> -+ }
> -+
> -+#ifdef PAH_DEBUG
> -+ fprintf (stderr, "polkit-agent-helper-1: sending D-Bus message to PolicyKit daemon\n");
> -+#endif /* PAH_DEBUG */
> -+
> -+ /* now send a D-Bus message to the PolicyKit daemon that
> -+ * includes a) the cookie; and b) the user we authenticated
> -+ */
> -+ if (!send_dbus_message (cookie, user_to_auth))
> -+ {
> -+#ifdef PAH_DEBUG
> -+ fprintf (stderr, "polkit-agent-helper-1: error sending D-Bus message to PolicyKit daemon\n");
> -+#endif /* PAH_DEBUG */
> -+ goto error;
> -+ }
> -+
> -+#ifdef PAH_DEBUG
> -+ fprintf (stderr, "polkit-agent-helper-1: successfully sent D-Bus message to PolicyKit daemon\n");
> -+#endif /* PAH_DEBUG */
> -+
> -+ fprintf (stdout, "SUCCESS\n");
> -+ flush_and_wait ();
> -+ return 0;
> -+
> -+error:
> -+ fprintf (stdout, "FAILURE\n");
> -+ flush_and_wait ();
> -+ return 1;
> -+}
> -+
> -+static gboolean
> -+shadow_authenticate (struct spwd *shadow)
> -+{
> -+ char passwd[512], *crypt_pass;
> -+
> -+ fprintf (stdout, "PAM_PROMPT_ECHO_OFF password:\n");
> -+ fflush (stdout);
> -+ usleep (10 * 1000); /* since fflush(3) seems buggy */
> -+
> -+ if (fgets (passwd, sizeof (passwd), stdin) == NULL)
> -+ goto error;
> -+
> -+ if (strlen (passwd) > 0 && passwd[strlen (passwd) - 1] == '\n')
> -+ passwd[strlen (passwd) - 1] = '\0';
> -+
> -+ /* Use the encrypted password as the salt, according to the crypt(3) man page,
> -+ * it will perform whatever encryption method is specified in /etc/shadow
> -+ */
> -+ crypt_pass = crypt (passwd, shadow->sp_pwdp);
> -+
> -+ if (crypt_pass == NULL)
> -+ goto error;
> -+
> -+ if (strcmp (shadow->sp_pwdp, crypt (passwd, shadow->sp_pwdp)) != 0)
> -+ goto error;
> -+ return 1;
> -+error:
> -+ return 0;
> -+}
> -diff --git a/src/polkitagent/polkitagenthelper.c b/src/polkitagent/polkitagenthelper.c
> -deleted file mode 100644
> -index cca86db..0000000
> ---- a/src/polkitagent/polkitagenthelper.c
> -+++ /dev/null
> -@@ -1,339 +0,0 @@
> --/*
> -- * Copyright (C) 2008 Red Hat, Inc.
> -- *
> -- * This library is free software; you can redistribute it and/or
> -- * modify it under the terms of the GNU Lesser General Public
> -- * License as published by the Free Software Foundation; either
> -- * version 2 of the License, or (at your option) any later version.
> -- *
> -- * This library is distributed in the hope that it will be useful,
> -- * but WITHOUT ANY WARRANTY; without even the implied warranty of
> -- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
> -- * Lesser General Public License for more details.
> -- *
> -- * You should have received a copy of the GNU Lesser General
> -- * Public License along with this library; if not, write to the
> -- * Free Software Foundation, Inc., 59 Temple Place, Suite 330,
> -- * Boston, MA 02111-1307, USA.
> -- *
> -- * Author: David Zeuthen <davidz@redhat.com>
> -- */
> --
> --#include "config.h"
> --#include <stdio.h>
> --#include <stdlib.h>
> --#include <string.h>
> --#include <unistd.h>
> --#include <sys/types.h>
> --#include <sys/stat.h>
> --#include <syslog.h>
> --#include <security/pam_appl.h>
> --
> --#include <polkit/polkit.h>
> --
> --#ifdef HAVE_SOLARIS
> --# define LOG_AUTHPRIV (10<<3)
> --#endif
> --
> --#ifndef HAVE_CLEARENV
> --extern char **environ;
> --
> --static int
> --clearenv (void)
> --{
> -- if (environ != NULL)
> -- environ[0] = NULL;
> -- return 0;
> --}
> --#endif
> --
> --/* Development aid: define PAH_DEBUG to get debugging output. Do _NOT_
> -- * enable this in production builds; it may leak passwords and other
> -- * sensitive information.
> -- */
> --#undef PAH_DEBUG
> --// #define PAH_DEBUG
> --
> --static gboolean send_dbus_message (const char *cookie, const char *user);
> --
> --static int conversation_function (int n, const struct pam_message **msg, struct pam_response **resp, void *data);
> --
> --int
> --main (int argc, char *argv[])
> --{
> -- int rc;
> -- const char *user_to_auth;
> -- const char *cookie;
> -- struct pam_conv pam_conversation;
> -- pam_handle_t *pam_h;
> -- const void *authed_user;
> --
> -- rc = 0;
> -- pam_h = NULL;
> --
> -- /* clear the entire environment to avoid attacks using with libraries honoring environment variables */
> -- if (clearenv () != 0)
> -- goto error;
> --
> -- /* set a minimal environment */
> -- setenv ("PATH", "/usr/sbin:/usr/bin:/sbin:/bin", 1);
> --
> -- /* check that we are setuid root */
> -- if (geteuid () != 0)
> -- {
> -- fprintf (stderr, "polkit-agent-helper-1: needs to be setuid root\n");
> -- goto error;
> -- }
> --
> -- openlog ("polkit-agent-helper-1", LOG_CONS | LOG_PID, LOG_AUTHPRIV);
> --
> -- /* check for correct invocation */
> -- if (argc != 3)
> -- {
> -- syslog (LOG_NOTICE, "inappropriate use of helper, wrong number of arguments [uid=%d]", getuid ());
> -- fprintf (stderr, "polkit-agent-helper-1: wrong number of arguments. This incident has been logged.\n");
> -- goto error;
> -- }
> --
> -- user_to_auth = argv[1];
> -- cookie = argv[2];
> --
> -- if (getuid () != 0)
> -- {
> -- /* check we're running with a non-tty stdin */
> -- if (isatty (STDIN_FILENO) != 0)
> -- {
> -- syslog (LOG_NOTICE, "inappropriate use of helper, stdin is a tty [uid=%d]", getuid ());
> -- fprintf (stderr, "polkit-agent-helper-1: inappropriate use of helper, stdin is a tty. This incident has been logged.\n");
> -- goto error;
> -- }
> -- }
> --
> --#ifdef PAH_DEBUG
> -- fprintf (stderr, "polkit-agent-helper-1: user to auth is '%s'.\n", user_to_auth);
> --#endif /* PAH_DEBUG */
> --
> -- pam_conversation.conv = conversation_function;
> -- pam_conversation.appdata_ptr = NULL;
> --
> -- /* start the pam stack */
> -- rc = pam_start ("polkit-1",
> -- user_to_auth,
> -- &pam_conversation,
> -- &pam_h);
> -- if (rc != PAM_SUCCESS)
> -- {
> -- fprintf (stderr, "polkit-agent-helper-1: pam_start failed: %s\n", pam_strerror (pam_h, rc));
> -- goto error;
> -- }
> --
> -- /* set the requesting user */
> -- rc = pam_set_item (pam_h, PAM_RUSER, user_to_auth);
> -- if (rc != PAM_SUCCESS)
> -- {
> -- fprintf (stderr, "polkit-agent-helper-1: pam_set_item failed: %s\n", pam_strerror (pam_h, rc));
> -- goto error;
> -- }
> --
> -- /* is user really user? */
> -- rc = pam_authenticate (pam_h, 0);
> -- if (rc != PAM_SUCCESS)
> -- {
> -- fprintf (stderr, "polkit-agent-helper-1: pam_authenticated failed: %s\n", pam_strerror (pam_h, rc));
> -- goto error;
> -- }
> --
> -- /* permitted access? */
> -- rc = pam_acct_mgmt (pam_h, 0);
> -- if (rc != PAM_SUCCESS)
> -- {
> -- fprintf (stderr, "polkit-agent-helper-1: pam_acct_mgmt failed: %s\n", pam_strerror (pam_h, rc));
> -- goto error;
> -- }
> --
> -- /* did we auth the right user? */
> -- rc = pam_get_item (pam_h, PAM_USER, &authed_user);
> -- if (rc != PAM_SUCCESS)
> -- {
> -- fprintf (stderr, "polkit-agent-helper-1: pam_get_item failed: %s\n", pam_strerror (pam_h, rc));
> -- goto error;
> -- }
> --
> -- if (strcmp (authed_user, user_to_auth) != 0)
> -- {
> -- fprintf (stderr, "polkit-agent-helper-1: Tried to auth user '%s' but we got auth for user '%s' instead",
> -- user_to_auth, (const char *) authed_user);
> -- goto error;
> -- }
> --
> --#ifdef PAH_DEBUG
> -- fprintf (stderr, "polkit-agent-helper-1: successfully authenticated user '%s'.\n", user_to_auth);
> --#endif /* PAH_DEBUG */
> --
> -- pam_end (pam_h, rc);
> -- pam_h = NULL;
> --
> --#ifdef PAH_DEBUG
> -- fprintf (stderr, "polkit-agent-helper-1: sending D-Bus message to PolicyKit daemon\n");
> --#endif /* PAH_DEBUG */
> --
> -- /* now send a D-Bus message to the PolicyKit daemon that
> -- * includes a) the cookie; and b) the user we authenticated
> -- */
> -- if (!send_dbus_message (cookie, user_to_auth))
> -- {
> --#ifdef PAH_DEBUG
> -- fprintf (stderr, "polkit-agent-helper-1: error sending D-Bus message to PolicyKit daemon\n");
> --#endif /* PAH_DEBUG */
> -- goto error;
> -- }
> --
> --#ifdef PAH_DEBUG
> -- fprintf (stderr, "polkit-agent-helper-1: successfully sent D-Bus message to PolicyKit daemon\n");
> --#endif /* PAH_DEBUG */
> --
> -- fprintf (stdout, "SUCCESS\n");
> -- fflush (stdout);
> -- fflush (stderr);
> -- usleep (10 * 1000); /* since fflush(3) seems buggy */
> -- return 0;
> --
> --error:
> -- if (pam_h != NULL)
> -- pam_end (pam_h, rc);
> --
> -- fprintf (stdout, "FAILURE\n");
> -- fflush (stdout);
> -- fflush (stderr);
> -- usleep (10 * 1000); /* since fflush(3) seems buggy */
> -- return 1;
> --}
> --
> --static int
> --conversation_function (int n, const struct pam_message **msg, struct pam_response **resp, void *data)
> --{
> -- struct pam_response *aresp;
> -- char buf[PAM_MAX_RESP_SIZE];
> -- int i;
> --
> -- data = data;
> -- if (n <= 0 || n > PAM_MAX_NUM_MSG)
> -- return PAM_CONV_ERR;
> --
> -- if ((aresp = calloc(n, sizeof *aresp)) == NULL)
> -- return PAM_BUF_ERR;
> --
> -- for (i = 0; i < n; ++i)
> -- {
> -- aresp[i].resp_retcode = 0;
> -- aresp[i].resp = NULL;
> -- switch (msg[i]->msg_style)
> -- {
> --
> -- case PAM_PROMPT_ECHO_OFF:
> -- fprintf (stdout, "PAM_PROMPT_ECHO_OFF ");
> -- goto conv1;
> --
> -- case PAM_PROMPT_ECHO_ON:
> -- fprintf (stdout, "PAM_PROMPT_ECHO_ON ");
> -- conv1:
> -- fputs (msg[i]->msg, stdout);
> -- if (strlen (msg[i]->msg) > 0 && msg[i]->msg[strlen (msg[i]->msg) - 1] != '\n')
> -- fputc ('\n', stdout);
> -- fflush (stdout);
> --
> -- if (fgets (buf, sizeof buf, stdin) == NULL)
> -- goto error;
> --
> -- if (strlen (buf) > 0 &&
> -- buf[strlen (buf) - 1] == '\n')
> -- buf[strlen (buf) - 1] = '\0';
> --
> -- aresp[i].resp = strdup (buf);
> -- if (aresp[i].resp == NULL)
> -- goto error;
> -- break;
> --
> -- case PAM_ERROR_MSG:
> -- fprintf (stdout, "PAM_ERROR_MSG ");
> -- goto conv2;
> --
> -- case PAM_TEXT_INFO:
> -- fprintf (stdout, "PAM_TEXT_INFO ");
> -- conv2:
> -- fputs (msg[i]->msg, stdout);
> -- if (strlen (msg[i]->msg) > 0 &&
> -- msg[i]->msg[strlen (msg[i]->msg) - 1] != '\n')
> -- fputc ('\n', stdout);
> -- fflush (stdout);
> -- break;
> --
> -- default:
> -- goto error;
> -- }
> -- }
> --
> -- *resp = aresp;
> -- return PAM_SUCCESS;
> --
> --error:
> --
> -- for (i = 0; i < n; ++i)
> -- {
> -- if (aresp[i].resp != NULL) {
> -- memset (aresp[i].resp, 0, strlen(aresp[i].resp));
> -- free (aresp[i].resp);
> -- }
> -- }
> -- memset (aresp, 0, n * sizeof *aresp);
> -- *resp = NULL;
> -- return PAM_CONV_ERR;
> --}
> --
> --static gboolean
> --send_dbus_message (const char *cookie, const char *user)
> --{
> -- PolkitAuthority *authority;
> -- PolkitIdentity *identity;
> -- GError *error;
> -- gboolean ret;
> --
> -- ret = FALSE;
> --
> -- error = NULL;
> --
> -- g_type_init ();
> --
> -- authority = polkit_authority_get ();
> --
> -- identity = polkit_unix_user_new_for_name (user, &error);
> -- if (identity == NULL)
> -- {
> -- g_printerr ("Error constructing identity: %s\n", error->message);
> -- g_error_free (error);
> -- goto out;
> -- }
> --
> -- if (!polkit_authority_authentication_agent_response_sync (authority,
> -- cookie,
> -- identity,
> -- NULL,
> -- &error))
> -- {
> -- g_printerr ("polkit-agent-helper-1: error response to PolicyKit daemon: %s\n", error->message);
> -- g_error_free (error);
> -- goto out;
> -- }
> --
> -- ret = TRUE;
> --
> -- out:
> --
> -- if (identity != NULL)
> -- g_object_unref (identity);
> --
> -- if (authority != NULL)
> -- g_object_unref (authority);
> --
> -- return ret;
> --}
> -diff --git a/src/polkitagent/polkitagenthelperprivate.c b/src/polkitagent/polkitagenthelperprivate.c
> -new file mode 100644
> -index 0000000..be495e9
> ---- /dev/null
> -+++ b/src/polkitagent/polkitagenthelperprivate.c
> -@@ -0,0 +1,106 @@
> -+/*
> -+ * Copyright (C) 2009-2010 Red Hat, Inc.
> -+ *
> -+ * This library is free software; you can redistribute it and/or
> -+ * modify it under the terms of the GNU Lesser General Public
> -+ * License as published by the Free Software Foundation; either
> -+ * version 2 of the License, or (at your option) any later version.
> -+ *
> -+ * This library is distributed in the hope that it will be useful,
> -+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
> -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
> -+ * Lesser General Public License for more details.
> -+ *
> -+ * You should have received a copy of the GNU Lesser General
> -+ * Public License along with this library; if not, write to the
> -+ * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
> -+ * Boston, MA 02110-1301, USA.
> -+ *
> -+ * Authors: David Zeuthen <davidz@redhat.com>,
> -+ * Andrew Psaltis <ampsaltis@gmail.com>
> -+ */
> -+
> -+#include "config.h"
> -+#include "polkitagenthelperprivate.h"
> -+#include <stdio.h>
> -+#include <stdlib.h>
> -+#include <unistd.h>
> -+
> -+#ifndef HAVE_CLEARENV
> -+extern char **environ;
> -+
> -+int
> -+_polkit_clearenv (void)
> -+{
> -+ if (environ != NULL)
> -+ environ[0] = NULL;
> -+ return 0;
> -+}
> -+#else
> -+int
> -+_polkit_clearenv (void)
> -+{
> -+ return clearenv ();
> -+}
> -+#endif
> -+
> -+
> -+gboolean
> -+send_dbus_message (const char *cookie, const char *user)
> -+{
> -+ PolkitAuthority *authority;
> -+ PolkitIdentity *identity;
> -+ GError *error;
> -+ gboolean ret;
> -+
> -+ ret = FALSE;
> -+
> -+ error = NULL;
> -+
> -+ g_type_init ();
> -+
> -+ authority = polkit_authority_get ();
> -+
> -+ identity = polkit_unix_user_new_for_name (user, &error);
> -+ if (identity == NULL)
> -+ {
> -+ g_printerr ("Error constructing identity: %s\n", error->message);
> -+ g_error_free (error);
> -+ goto out;
> -+ }
> -+
> -+ if (!polkit_authority_authentication_agent_response_sync (authority,
> -+ cookie,
> -+ identity,
> -+ NULL,
> -+ &error))
> -+ {
> -+ g_printerr ("polkit-agent-helper-1: error response to PolicyKit daemon: %s\n", error->message);
> -+ g_error_free (error);
> -+ goto out;
> -+ }
> -+
> -+ ret = TRUE;
> -+
> -+ out:
> -+
> -+ if (identity != NULL)
> -+ g_object_unref (identity);
> -+
> -+ if (authority != NULL)
> -+ g_object_unref (authority);
> -+
> -+ return ret;
> -+}
> -+
> -+/* fflush(3) stdin and stdout and wait a little bit.
> -+ * This replaces the three-line commands at the bottom of
> -+ * polkit-agent-helper-1's main() function.
> -+ */
> -+void
> -+flush_and_wait ()
> -+{
> -+ fflush (stdout);
> -+ fflush (stderr);
> -+ usleep (10 * 1000); /* since fflush(3) seems buggy */
> -+}
> -diff --git a/src/polkitagent/polkitagenthelperprivate.h b/src/polkitagent/polkitagenthelperprivate.h
> -new file mode 100644
> -index 0000000..7294d46
> ---- /dev/null
> -+++ b/src/polkitagent/polkitagenthelperprivate.h
> -@@ -0,0 +1,45 @@
> -+/*
> -+ * Copyright (C) 2009-2010 Red Hat, Inc.
> -+ *
> -+ * This library is free software; you can redistribute it and/or
> -+ * modify it under the terms of the GNU Lesser General Public
> -+ * License as published by the Free Software Foundation; either
> -+ * version 2 of the License, or (at your option) any later version.
> -+ *
> -+ * This library is distributed in the hope that it will be useful,
> -+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
> -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
> -+ * Lesser General Public License for more details.
> -+ *
> -+ * You should have received a copy of the GNU Lesser General
> -+ * Public License along with this library; if not, write to the
> -+ * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
> -+ * Boston, MA 02110-1301, USA.
> -+ *
> -+ * Authors: David Zeuthen <davidz@redhat.com>,
> -+ * Andrew Psaltis <ampsalits@gmail.com>
> -+ */
> -+#ifndef __POLKIT_AGENT_HELPER_PRIVATE_H
> -+#define __POLKIT_AGENT_HELPER_PRIVATE_H
> -+
> -+#define _GNU_SOURCE
> -+#include <polkit/polkit.h>
> -+
> -+/* Development aid: define PAH_DEBUG to get debugging output. Do _NOT_
> -+ * enable this in production builds; it may leak passwords and other
> -+ * sensitive information.
> -+ */
> -+#undef PAH_DEBUG
> -+// #define PAH_DEBUG
> -+
> -+#ifdef HAVE_SOLARIS
> -+# define LOG_AUTHPRIV (10<<3)
> -+#endif
> -+
> -+int _polkit_clearenv (void);
> -+
> -+gboolean send_dbus_message (const char *cookie, const char *user);
> -+
> -+void flush_and_wait ();
> -+
> -+#endif /* __POLKIT_AGENT_HELPER_PRIVATE_H */
> -diff --git a/src/programs/pkexec.c b/src/programs/pkexec.c
> -index 17c191e..b0193f4 100644
> ---- a/src/programs/pkexec.c
> -+++ b/src/programs/pkexec.c
> -@@ -34,7 +34,11 @@
> - #include <grp.h>
> - #include <pwd.h>
> - #include <errno.h>
> -+
> -+#ifdef POLKIT_AUTHFW_PAM
> - #include <security/pam_appl.h>
> -+#endif /* POLKIT_AUTHFW_PAM */
> -+
> - #include <syslog.h>
> - #include <stdarg.h>
> -
> -@@ -115,6 +119,7 @@ log_message (gint level,
> -
> - /* ---------------------------------------------------------------------------------------------------- */
> -
> -+#ifdef POLKIT_AUTHFW_PAM
> - static int
> - pam_conversation_function (int n,
> - const struct pam_message **msg,
> -@@ -167,6 +172,7 @@ out:
> - pam_end (pam_h, rc);
> - return ret;
> - }
> -+#endif /* POLKIT_AUTHFW_PAM */
> -
> - /* ---------------------------------------------------------------------------------------------------- */
> -
> -@@ -741,10 +747,12 @@ main (int argc, char *argv[])
> - * TODO: The question here is whether we should clear the limits before applying them?
> - * As evident above, neither su(1) (and, for that matter, nor sudo(8)) does this.
> - */
> -+#ifdef POLKIT_AUTHFW_PAM
> - if (!open_session (pw->pw_name))
> - {
> - goto out;
> - }
> -+#endif /* POLKIT_AUTHFW_PAM */
> -
> - /* become the user */
> - if (setgroups (0, NULL) != 0)
> ---
> -1.7.1
> -
> diff --git a/patches/polkit-0.96/0003-Bug-29051-Configuration-reload-on-every-query.patch b/patches/polkit-0.96/0003-Bug-29051-Configuration-reload-on-every-query.patch
> deleted file mode 100644
> index d9cf8c23bfd6..000000000000
> --- a/patches/polkit-0.96/0003-Bug-29051-Configuration-reload-on-every-query.patch
> +++ /dev/null
> @@ -1,45 +0,0 @@
> -From 779c0153fc0bd3c2e302dac1979d17638f054229 Mon Sep 17 00:00:00 2001
> -From: =?UTF-8?q?Petr=20Mr=C3=A1zek?= <peterix@gmail.com>
> -Date: Wed, 14 Jul 2010 02:59:12 +0200
> -Subject: [PATCH 3/3] =?UTF-8?q?Bug=2029051=20=E2=80=93=20Configuration=20reload=20on=20every=20query?=
> -MIME-Version: 1.0
> -Content-Type: text/plain; charset=UTF-8
> -Content-Transfer-Encoding: 8bit
> -
> -Set has_data to true after the data is loaded to prevent excessive
> -reloading of config files.
> -
> -Signed-off-by: David Zeuthen <davidz@redhat.com>
> ----
> - src/polkitbackend/polkitbackendconfigsource.c | 1 +
> - .../polkitbackendlocalauthorizationstore.c | 2 ++
> - 2 files changed, 3 insertions(+), 0 deletions(-)
> -
> -diff --git a/src/polkitbackend/polkitbackendconfigsource.c b/src/polkitbackend/polkitbackendconfigsource.c
> -index 224d0d0..465da96 100644
> ---- a/src/polkitbackend/polkitbackendconfigsource.c
> -+++ b/src/polkitbackend/polkitbackendconfigsource.c
> -@@ -386,6 +386,7 @@ polkit_backend_config_source_ensure (PolkitBackendConfigSource *source)
> - }
> -
> - source->priv->key_files = g_list_reverse (source->priv->key_files);
> -+ source->priv->has_data = TRUE;
> -
> - out:
> - g_list_foreach (files, (GFunc) g_object_unref, NULL);
> -diff --git a/src/polkitbackend/polkitbackendlocalauthorizationstore.c b/src/polkitbackend/polkitbackendlocalauthorizationstore.c
> -index 5d5dc14..b959269 100644
> ---- a/src/polkitbackend/polkitbackendlocalauthorizationstore.c
> -+++ b/src/polkitbackend/polkitbackendlocalauthorizationstore.c
> -@@ -641,6 +641,8 @@ polkit_backend_local_authorization_store_ensure (PolkitBackendLocalAuthorization
> - g_free (filename);
> - }
> -
> -+ store->priv->has_data = TRUE;
> -+
> - out:
> - g_list_foreach (files, (GFunc) g_object_unref, NULL);
> - g_list_free (files);
> ---
> -1.7.1
> -
> diff --git a/patches/polkit-0.96/autogen.sh b/patches/polkit-0.96/autogen.sh
> deleted file mode 120000
> index 9f8a4cb7ddcb..000000000000
> --- a/patches/polkit-0.96/autogen.sh
> +++ /dev/null
> @@ -1 +0,0 @@
> -../autogen.sh
> \ No newline at end of file
> diff --git a/patches/polkit-0.96/series b/patches/polkit-0.96/series
> deleted file mode 100644
> index ee29cd64eb79..000000000000
> --- a/patches/polkit-0.96/series
> +++ /dev/null
> @@ -1,3 +0,0 @@
> -0001-Bug-26982-pkexec-information-disclosure-vulnerabilit.patch
> -0002-Add-shadow-support.patch
> -0003-Bug-29051-Configuration-reload-on-every-query.patch
> diff --git a/rules/polkit.in b/rules/polkit.in
> index d28de7c67e91..4edfccd2194f 100644
> --- a/rules/polkit.in
> +++ b/rules/polkit.in
> @@ -1,14 +1,26 @@
> ## SECTION=system_libraries
>
> -config POLKIT
> +menuconfig POLKIT
> tristate
> - prompt "policykit-1"
> + prompt "policykit-1 "
> select LIBC_CRYPT
> select HOST_INTLTOOL
> select HOST_GTK_DOC
> + select EXPAT
> select GLIB
> select DBUS_GLIB
> select EGGDBUS
> + select SYSTEMD_LOGIND if POLKIT_SYSTEMD
This does not work. We need libsystemd-login and this does not generate the
necessary dependencies. Select 'SYSTEMD' here as well...
> help
> PolicyKit offers an infrastructure for security policies for
> dbus applications.
> +
> +if POLKIT
> +
> +config POLKIT_SYSTEMD
> + bool "systemd based session tracking"
> + default y if SYSTEMD
...and use 'default INITMETHOD_SYSTEMD' here. We do the same in dbus.
Michael
> + help
> + Use systemd for session tracking, else ConsoleKit is used
> +
> +endif
> diff --git a/rules/polkit.make b/rules/polkit.make
> index b702a1b50d90..376315f929f8 100644
> --- a/rules/polkit.make
> +++ b/rules/polkit.make
> @@ -16,8 +16,8 @@ PACKAGES-$(PTXCONF_POLKIT) += polkit
> #
> # Paths and names
> #
> -POLKIT_VERSION := 0.96
> -POLKIT_MD5 := e0a06da501b04ed3bab986a9df5b5aa2
> +POLKIT_VERSION := 0.104
> +POLKIT_MD5 := e380b4c6fb1e7bccf854e92edc0a8ce1
> POLKIT := polkit-$(POLKIT_VERSION)
> POLKIT_SUFFIX := tar.gz
> POLKIT_URL := http://hal.freedesktop.org/releases/$(POLKIT).$(POLKIT_SUFFIX)
> @@ -28,19 +28,19 @@ POLKIT_DIR := $(BUILDDIR)/$(POLKIT)
> # Prepare
> # ----------------------------------------------------------------------------
>
> -#
> -# autoconf
> -#
> -POLKIT_AUTOCONF := \
> +POLKIT_CONF_TOOL := autoconf
> +POLKIT_CONF_OPT := \
> $(CROSS_AUTOCONF_USR) \
> - --enable-shared \
> - --enable-static \
> + $(GLOBAL_LARGE_FILE_OPTION) \
> --disable-ansi \
> --disable-verbose-mode \
> --disable-man-pages \
> --disable-gtk-doc \
> - --disable-examples \
> + --disable-gtk-doc-html \
> + --$(call ptx/endis, PTXCONF_POLKIT_SYSTEMD)-systemd \
> --disable-introspection \
> + --disable-examples \
> + --disable-nls \
> --with-gnu-ld \
> --with-authfw=shadow \
> --with-os-type=ptxdist
> @@ -65,6 +65,7 @@ $(STATEDIR)/polkit.targetinstall:
> /usr/share/dbus-1/system-services/org.freedesktop.PolicyKit1.service)
>
> # config
> + @$(call install_copy, polkit, 0, 0, 700, /etc/polkit-1/localauthority)
> @$(call install_copy, polkit, 0, 0, 0644, -, \
> /etc/polkit-1/localauthority.conf.d/50-localauthority.conf)
> @$(call install_copy, polkit, 0, 0, 0644, -, \
> @@ -79,8 +80,6 @@ $(STATEDIR)/polkit.targetinstall:
>
> @$(call install_copy, polkit, 0, 0, 0644, -, \
> /usr/lib/polkit-1/extensions/libnullbackend.so)
> - @$(call install_copy, polkit, 0, 0, 0644, -, \
> - /usr/lib/polkit-1/extensions/libpkexec-action-lookup.so)
>
> # binaries
> @$(call install_copy, polkit, 0, 0, 0755, -, /usr/bin/pkaction)
> @@ -93,6 +92,9 @@ $(STATEDIR)/polkit.targetinstall:
> @$(call install_copy, polkit, 0, 0, 4755, -, \
> /usr/libexec/polkit-agent-helper-1)
>
> +# run-time
> + @$(call install_copy, polkit, 0, 0, 700, /var/lib/polkit-1)
> +
> @$(call install_finish, polkit)
>
> @$(call touch)
> --
> Pengutronix e.K. | Juergen Borleis |
> Industrial Linux Solutions | http://www.pengutronix.de/ |
>
> --
> ptxdist mailing list
> ptxdist@pengutronix.de
>
--
Pengutronix e.K. | |
Industrial Linux Solutions | http://www.pengutronix.de/ |
Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
--
ptxdist mailing list
ptxdist@pengutronix.de
prev parent reply other threads:[~2015-03-21 17:21 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-03-16 13:24 Juergen Borleis
2015-03-21 17:21 ` Michael Olbrich [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150321172113.GM20453@pengutronix.de \
--to=m.olbrich@pengutronix.de \
--cc=ptxdist@pengutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox