* [ptxdist] [PATCH] polkit: version bump 0.96 -> 0.104
@ 2015-03-16 13:24 Juergen Borleis
2015-03-21 17:21 ` Michael Olbrich
From: Juergen Borleis @ 2015-03-16 13:24 UTC
To: ptxdist
Signed-off-by: Juergen Borleis <jbe@pengutronix.de>
diff --git a/patches/polkit-0.96/0001-Bug-26982-pkexec-information-disclosure-vulnerabilit.patch b/patches/polkit-0.96/0001-Bug-26982-pkexec-information-disclosure-vulnerabilit.patch
deleted file mode 100644
index 3c8efb61bdbd..000000000000
--- a/patches/polkit-0.96/0001-Bug-26982-pkexec-information-disclosure-vulnerabilit.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-From 14bdfd816512a82b1ad258fa143ae5faa945df8a Mon Sep 17 00:00:00 2001
-From: Dan Rosenberg <dan.j.rosenberg@gmail.com>
-Date: Wed, 10 Mar 2010 12:46:19 -0500
-Subject: [PATCH 1/3] =?UTF-8?q?Bug=2026982=20=E2=80=93=20pkexec=20information=20disclosure=20vulnerability?=
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-pkexec is vulnerable to a minor information disclosure vulnerability
-that allows an attacker to verify whether or not arbitrary files
-exist, violating directory permissions. I reproduced the issue on my
-Karmic installation as follows:
-
- $ mkdir secret
- $ sudo chown root:root secret
- $ sudo chmod 400 secret
- $ sudo touch secret/hidden
- $ pkexec /home/drosenbe/secret/hidden
- (password prompt)
- $ pkexec /home/drosenbe/secret/doesnotexist
- Error getting information about /home/drosenbe/secret/doesnotexist: No such
- file or directory
-
-I've attached my patch for the issue. I replaced the stat() call
-entirely with access() using F_OK, so rather than check that the
-target exists, pkexec now checks if the user has permission to verify
-the existence of the program. There might be another way of doing
-this, such as chdir()'ing to the parent directory of the target and
-calling lstat(), but this seemed like more code than necessary to
-prevent such a minor problem. I see no reason to allow pkexec to
-execute targets that are not accessible to the executing user because
-of directory permissions. This is such a limited use case anyway that
-this doesn't really affect functionality.
-
-http://bugs.freedesktop.org/show_bug.cgi?id=26982
-
-Signed-off-by: David Zeuthen <davidz@redhat.com>
----
- src/programs/pkexec.c | 5 ++---
- 1 files changed, 2 insertions(+), 3 deletions(-)
-
-diff --git a/src/programs/pkexec.c b/src/programs/pkexec.c
-index 860e665..17c191e 100644
---- a/src/programs/pkexec.c
-+++ b/src/programs/pkexec.c
-@@ -411,7 +411,6 @@ main (int argc, char *argv[])
- gchar *opt_user;
- pid_t pid_of_caller;
- uid_t uid_of_caller;
-- struct stat statbuf;
-
- ret = 127;
- authority = NULL;
-@@ -520,9 +519,9 @@ main (int argc, char *argv[])
- g_free (path);
- argv[n] = path = s;
- }
-- if (stat (path, &statbuf) != 0)
-+ if (access (path, F_OK) != 0)
- {
-- g_printerr ("Error getting information about %s: %s\n", path, g_strerror (errno));
-+ g_printerr ("Error accessing %s: %s\n", path, g_strerror (errno));
- goto out;
- }
- command_line = g_strjoinv (" ", argv + n);
---
-1.7.1
-
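Review bot: the commit message consists only of a Signed-off-by line and gives no reason why 0001-Bug-26982-pkexec-information-disclosure-vulnerabilit.patch, a security fix, can be dropped by this hunk. Please confirm that polkit 0.104 already carries the change from stat (path, &statbuf) to access (path, F_OK) in src/programs/pkexec.c (the patch header names it as 14bdfd816512a82b1ad258fa143ae5faa945df8a), and say so in the commit message. Otherwise a later reader cannot tell whether the bump reintroduces the file-existence disclosure that the deleted patch describes.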
diff --git a/patches/polkit-0.96/0002-Add-shadow-support.patch b/patches/polkit-0.96/0002-Add-shadow-support.patch
deleted file mode 100644
index b9119e13fb0f..000000000000
--- a/patches/polkit-0.96/0002-Add-shadow-support.patch
+++ /dev/null
@@ -1,1083 +0,0 @@
-From a2edcef54d2ab1a92f729e34dfa0c183b2533c61 Mon Sep 17 00:00:00 2001
-From: Andrew Psaltis <ampsaltis@gmail.com>
-Date: Mon, 28 Jun 2010 22:04:00 -0400
-Subject: [PATCH 2/3] Add shadow support
-
-Added support for the shadow authentication framework instead of PAM.
-Enable it by passing --with-authfw=shadow to configure.
-
-This is done by splitting the polkitagenthelper source into separate
-parts, one that does auth with PAM, and another that does auth with
-shadow, sharing functions where appropriate.
-
-Also, all PAM-dependendent code in all other files has been #ifdef'd.
-The only affected file is src/programs/pkexec.c
-
-Signed-off-by: David Zeuthen <davidz@redhat.com>
----
- src/polkitagent/Makefile.am | 9 +-
- src/polkitagent/polkitagenthelper-pam.c | 264 ++++++++++++++++++++++
- src/polkitagent/polkitagenthelper-shadow.c | 198 ++++++++++++++++
- src/polkitagent/polkitagenthelper.c | 339 ----------------------------
- src/polkitagent/polkitagenthelperprivate.c | 106 +++++++++
- src/polkitagent/polkitagenthelperprivate.h | 45 ++++
- src/programs/pkexec.c | 8 +
- 7 files changed, 629 insertions(+), 340 deletions(-)
- create mode 100644 src/polkitagent/polkitagenthelper-pam.c
- create mode 100644 src/polkitagent/polkitagenthelper-shadow.c
- delete mode 100644 src/polkitagent/polkitagenthelper.c
- create mode 100644 src/polkitagent/polkitagenthelperprivate.c
- create mode 100644 src/polkitagent/polkitagenthelperprivate.h
-
-diff --git a/src/polkitagent/Makefile.am b/src/polkitagent/Makefile.am
-index 3f38329..820be4d 100644
---- a/src/polkitagent/Makefile.am
-+++ b/src/polkitagent/Makefile.am
-@@ -68,9 +68,16 @@ libpolkit_agent_1_la_LDFLAGS = -export-symbols-regex '(^polkit_.*)'
- libexec_PROGRAMS = polkit-agent-helper-1
-
- polkit_agent_helper_1_SOURCES = \
-- polkitagenthelper.c \
-+ polkitagenthelperprivate.c polkitagenthelperprivate.h \
- $(NULL)
-
-+if POLKIT_AUTHFW_PAM
-+polkit_agent_helper_1_SOURCES += polkitagenthelper-pam.c
-+endif
-+if POLKIT_AUTHFW_SHADOW
-+polkit_agent_helper_1_SOURCES += polkitagenthelper-shadow.c
-+endif
-+
- polkit_agent_helper_1_CFLAGS = \
- -D_POLKIT_COMPILATION \
- $(GLIB_CFLAGS) \
-diff --git a/src/polkitagent/polkitagenthelper-pam.c b/src/polkitagent/polkitagenthelper-pam.c
-new file mode 100644
-index 0000000..5e8b54c
---- /dev/null
-+++ b/src/polkitagent/polkitagenthelper-pam.c
-@@ -0,0 +1,264 @@
-+/*
-+ * Copyright (C) 2008, 2010 Red Hat, Inc.
-+ *
-+ * This library is free software; you can redistribute it and/or
-+ * modify it under the terms of the GNU Lesser General Public
-+ * License as published by the Free Software Foundation; either
-+ * version 2 of the License, or (at your option) any later version.
-+ *
-+ * This library is distributed in the hope that it will be useful,
-+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-+ * Lesser General Public License for more details.
-+ *
-+ * You should have received a copy of the GNU Lesser General
-+ * Public License along with this library; if not, write to the
-+ * Free Software Foundation, Inc., 59 Temple Place, Suite 330,
-+ * Boston, MA 02111-1307, USA.
-+ *
-+ * Author: David Zeuthen <davidz@redhat.com>
-+ */
-+
-+#include "config.h"
-+#include "polkitagenthelperprivate.h"
-+
-+#include <stdio.h>
-+#include <stdlib.h>
-+#include <string.h>
-+#include <unistd.h>
-+#include <sys/types.h>
-+#include <sys/stat.h>
-+#include <syslog.h>
-+#include <security/pam_appl.h>
-+
-+#include <polkit/polkit.h>
-+
-+static int conversation_function (int n, const struct pam_message **msg, struct pam_response **resp, void *data);
-+
-+int
-+main (int argc, char *argv[])
-+{
-+ int rc;
-+ const char *user_to_auth;
-+ const char *cookie;
-+ struct pam_conv pam_conversation;
-+ pam_handle_t *pam_h;
-+ const void *authed_user;
-+
-+ rc = 0;
-+ pam_h = NULL;
-+
-+ /* clear the entire environment to avoid attacks using with libraries honoring environment variables */
-+ if (_polkit_clearenv () != 0)
-+ goto error;
-+
-+ /* set a minimal environment */
-+ setenv ("PATH", "/usr/sbin:/usr/bin:/sbin:/bin", 1);
-+
-+ /* check that we are setuid root */
-+ if (geteuid () != 0)
-+ {
-+ fprintf (stderr, "polkit-agent-helper-1: needs to be setuid root\n");
-+ goto error;
-+ }
-+
-+ openlog ("polkit-agent-helper-1", LOG_CONS | LOG_PID, LOG_AUTHPRIV);
-+
-+ /* check for correct invocation */
-+ if (argc != 3)
-+ {
-+ syslog (LOG_NOTICE, "inappropriate use of helper, wrong number of arguments [uid=%d]", getuid ());
-+ fprintf (stderr, "polkit-agent-helper-1: wrong number of arguments. This incident has been logged.\n");
-+ goto error;
-+ }
-+
-+ user_to_auth = argv[1];
-+ cookie = argv[2];
-+
-+ if (getuid () != 0)
-+ {
-+ /* check we're running with a non-tty stdin */
-+ if (isatty (STDIN_FILENO) != 0)
-+ {
-+ syslog (LOG_NOTICE, "inappropriate use of helper, stdin is a tty [uid=%d]", getuid ());
-+ fprintf (stderr, "polkit-agent-helper-1: inappropriate use of helper, stdin is a tty. This incident has been logged.\n");
-+ goto error;
-+ }
-+ }
-+
-+#ifdef PAH_DEBUG
-+ fprintf (stderr, "polkit-agent-helper-1: user to auth is '%s'.\n", user_to_auth);
-+#endif /* PAH_DEBUG */
-+
-+ pam_conversation.conv = conversation_function;
-+ pam_conversation.appdata_ptr = NULL;
-+
-+ /* start the pam stack */
-+ rc = pam_start ("polkit-1",
-+ user_to_auth,
-+ &pam_conversation,
-+ &pam_h);
-+ if (rc != PAM_SUCCESS)
-+ {
-+ fprintf (stderr, "polkit-agent-helper-1: pam_start failed: %s\n", pam_strerror (pam_h, rc));
-+ goto error;
-+ }
-+
-+ /* set the requesting user */
-+ rc = pam_set_item (pam_h, PAM_RUSER, user_to_auth);
-+ if (rc != PAM_SUCCESS)
-+ {
-+ fprintf (stderr, "polkit-agent-helper-1: pam_set_item failed: %s\n", pam_strerror (pam_h, rc));
-+ goto error;
-+ }
-+
-+ /* is user really user? */
-+ rc = pam_authenticate (pam_h, 0);
-+ if (rc != PAM_SUCCESS)
-+ {
-+ fprintf (stderr, "polkit-agent-helper-1: pam_authenticated failed: %s\n", pam_strerror (pam_h, rc));
-+ goto error;
-+ }
-+
-+ /* permitted access? */
-+ rc = pam_acct_mgmt (pam_h, 0);
-+ if (rc != PAM_SUCCESS)
-+ {
-+ fprintf (stderr, "polkit-agent-helper-1: pam_acct_mgmt failed: %s\n", pam_strerror (pam_h, rc));
-+ goto error;
-+ }
-+
-+ /* did we auth the right user? */
-+ rc = pam_get_item (pam_h, PAM_USER, &authed_user);
-+ if (rc != PAM_SUCCESS)
-+ {
-+ fprintf (stderr, "polkit-agent-helper-1: pam_get_item failed: %s\n", pam_strerror (pam_h, rc));
-+ goto error;
-+ }
-+
-+ if (strcmp (authed_user, user_to_auth) != 0)
-+ {
-+ fprintf (stderr, "polkit-agent-helper-1: Tried to auth user '%s' but we got auth for user '%s' instead",
-+ user_to_auth, (const char *) authed_user);
-+ goto error;
-+ }
-+
-+#ifdef PAH_DEBUG
-+ fprintf (stderr, "polkit-agent-helper-1: successfully authenticated user '%s'.\n", user_to_auth);
-+#endif /* PAH_DEBUG */
-+
-+ pam_end (pam_h, rc);
-+ pam_h = NULL;
-+
-+#ifdef PAH_DEBUG
-+ fprintf (stderr, "polkit-agent-helper-1: sending D-Bus message to PolicyKit daemon\n");
-+#endif /* PAH_DEBUG */
-+
-+ /* now send a D-Bus message to the PolicyKit daemon that
-+ * includes a) the cookie; and b) the user we authenticated
-+ */
-+ if (!send_dbus_message (cookie, user_to_auth))
-+ {
-+#ifdef PAH_DEBUG
-+ fprintf (stderr, "polkit-agent-helper-1: error sending D-Bus message to PolicyKit daemon\n");
-+#endif /* PAH_DEBUG */
-+ goto error;
-+ }
-+
-+#ifdef PAH_DEBUG
-+ fprintf (stderr, "polkit-agent-helper-1: successfully sent D-Bus message to PolicyKit daemon\n");
-+#endif /* PAH_DEBUG */
-+
-+ fprintf (stdout, "SUCCESS\n");
-+ flush_and_wait();
-+ return 0;
-+
-+error:
-+ if (pam_h != NULL)
-+ pam_end (pam_h, rc);
-+
-+ fprintf (stdout, "FAILURE\n");
-+ flush_and_wait();
-+ return 1;
-+}
-+
-+static int
-+conversation_function (int n, const struct pam_message **msg, struct pam_response **resp, void *data)
-+{
-+ struct pam_response *aresp;
-+ char buf[PAM_MAX_RESP_SIZE];
-+ int i;
-+
-+ data = data;
-+ if (n <= 0 || n > PAM_MAX_NUM_MSG)
-+ return PAM_CONV_ERR;
-+
-+ if ((aresp = calloc(n, sizeof *aresp)) == NULL)
-+ return PAM_BUF_ERR;
-+
-+ for (i = 0; i < n; ++i)
-+ {
-+ aresp[i].resp_retcode = 0;
-+ aresp[i].resp = NULL;
-+ switch (msg[i]->msg_style)
-+ {
-+
-+ case PAM_PROMPT_ECHO_OFF:
-+ fprintf (stdout, "PAM_PROMPT_ECHO_OFF ");
-+ goto conv1;
-+
-+ case PAM_PROMPT_ECHO_ON:
-+ fprintf (stdout, "PAM_PROMPT_ECHO_ON ");
-+ conv1:
-+ fputs (msg[i]->msg, stdout);
-+ if (strlen (msg[i]->msg) > 0 && msg[i]->msg[strlen (msg[i]->msg) - 1] != '\n')
-+ fputc ('\n', stdout);
-+ fflush (stdout);
-+
-+ if (fgets (buf, sizeof buf, stdin) == NULL)
-+ goto error;
-+
-+ if (strlen (buf) > 0 &&
-+ buf[strlen (buf) - 1] == '\n')
-+ buf[strlen (buf) - 1] = '\0';
-+
-+ aresp[i].resp = strdup (buf);
-+ if (aresp[i].resp == NULL)
-+ goto error;
-+ break;
-+
-+ case PAM_ERROR_MSG:
-+ fprintf (stdout, "PAM_ERROR_MSG ");
-+ goto conv2;
-+
-+ case PAM_TEXT_INFO:
-+ fprintf (stdout, "PAM_TEXT_INFO ");
-+ conv2:
-+ fputs (msg[i]->msg, stdout);
-+ if (strlen (msg[i]->msg) > 0 &&
-+ msg[i]->msg[strlen (msg[i]->msg) - 1] != '\n')
-+ fputc ('\n', stdout);
-+ fflush (stdout);
-+ break;
-+
-+ default:
-+ goto error;
-+ }
-+ }
-+
-+ *resp = aresp;
-+ return PAM_SUCCESS;
-+
-+error:
-+
-+ for (i = 0; i < n; ++i)
-+ {
-+ if (aresp[i].resp != NULL) {
-+ memset (aresp[i].resp, 0, strlen(aresp[i].resp));
-+ free (aresp[i].resp);
-+ }
-+ }
-+ memset (aresp, 0, n * sizeof *aresp);
-+ *resp = NULL;
-+ return PAM_CONV_ERR;
-+}
-diff --git a/src/polkitagent/polkitagenthelper-shadow.c b/src/polkitagent/polkitagenthelper-shadow.c
-new file mode 100644
-index 0000000..a4f73ac
---- /dev/null
-+++ b/src/polkitagent/polkitagenthelper-shadow.c
-@@ -0,0 +1,198 @@
-+/*
-+ * Copyright (C) 2008 Red Hat, Inc.
-+ * Copyright (C) 2009-2010 Andrew Psaltis <ampsaltis@gmail.com>
-+ *
-+ * This library is free software; you can redistribute it and/or
-+ * modify it under the terms of the GNU Lesser General Public
-+ * License as published by the Free Software Foundation; either
-+ * version 2 of the License, or (at your option) any later version.
-+ *
-+ * This library is distributed in the hope that it will be useful,
-+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-+ * Lesser General Public License for more details.
-+ *
-+ * You should have received a copy of the GNU Lesser General
-+ * Public License along with this library; if not, write to the
-+ * Free Software Foundation, Inc., 59 Temple Place, Suite 330,
-+ * Boston, MA 02111-1307, USA.
-+ *
-+ * Authors: Andrew Psaltis <ampsaltis@gmail.com>, based on
-+ * polkitagenthelper.c which was written by
-+ * David Zeuthen <davidz@redhat.com>
-+ */
-+
-+#include "config.h"
-+#include "polkitagenthelperprivate.h"
-+
-+#include <stdio.h>
-+#include <stdlib.h>
-+#include <string.h>
-+#include <unistd.h>
-+#include <sys/types.h>
-+#include <sys/stat.h>
-+#include <syslog.h>
-+#include <shadow.h>
-+#include <grp.h>
-+#include <pwd.h>
-+#include <time.h>
-+
-+#include <polkit/polkit.h>
-+
-+static gboolean shadow_authenticate (struct spwd *shadow);
-+
-+int
-+main (int argc, char *argv[])
-+{
-+ struct spwd *shadow;
-+ const char *user_to_auth;
-+ const char *cookie;
-+ time_t now;
-+
-+ /* clear the entire environment to avoid attacks with
-+ libraries honoring environment variables */
-+ if (_polkit_clearenv () != 0)
-+ goto error;
-+
-+ /* set a minimal environment */
-+ setenv ("PATH", "/usr/sbin:/usr/bin:/sbin:/bin", 1);
-+
-+ /* check that we are setuid root */
-+ if (geteuid () != 0)
-+ {
-+ fprintf (stderr, "polkit-agent-helper-1: needs to be setuid root\n");
-+ goto error;
-+ }
-+
-+ openlog ("polkit-agent-helper-1", LOG_CONS | LOG_PID, LOG_AUTHPRIV);
-+
-+ /* check for correct invocation */
-+ if (argc != 3)
-+ {
-+ syslog (LOG_NOTICE, "inappropriate use of helper, wrong number of arguments [uid=%d]", getuid ());
-+ fprintf (stderr, "polkit-agent-helper-1: wrong number of arguments. This incident has been logged.\n");
-+ goto error;
-+ }
-+
-+ if (getuid () != 0)
-+ {
-+ /* check we're running with a non-tty stdin */
-+ if (isatty (STDIN_FILENO) != 0)
-+ {
-+ syslog (LOG_NOTICE, "inappropriate use of helper, stdin is a tty [uid=%d]", getuid ());
-+ fprintf (stderr, "polkit-agent-helper-1: inappropriate use of helper, stdin is a tty. This incident has been logged.\n");
-+ goto error;
-+ }
-+ }
-+
-+ user_to_auth = argv[1];
-+ cookie = argv[2];
-+
-+#ifdef PAH_DEBUG
-+ fprintf (stderr, "polkit-agent-helper-1: user to auth is '%s'.\n", user_to_auth);
-+#endif /* PAH_DEBUG */
-+
-+
-+ /* Ask shadow about the user requesting authentication */
-+ shadow = getspnam (user_to_auth);
-+
-+ if (shadow == NULL)
-+ {
-+ syslog (LOG_NOTICE, "shadow file data information request for user '%s' [uid=%d] failed", user_to_auth, getuid ());
-+ fprintf(stderr, "polkit-agent-helper-1: could not get shadow information for '%s'", user_to_auth);
-+ goto error;
-+ }
-+
-+ /* Check the user's identity */
-+ if (shadow_authenticate (shadow) == FALSE)
-+ {
-+ syslog (LOG_NOTICE, "authentication failure [uid=%d] trying to authenticate '%s'", getuid (), user_to_auth);
-+ fprintf (stderr, "polkit-agent-helper-1: authentication failure. This incident has been logged.\n");
-+ goto error;
-+ }
-+
-+ /* Check whether the user's password has expired */
-+ now = time (NULL);
-+ if (shadow->sp_max >= 0 && (shadow->sp_lstchg + shadow->sp_max) * 60 * 60 * 24 <= now)
-+ {
-+ syslog (LOG_NOTICE, "password expired for user '%s' [uid=%d] trying to authenticate", user_to_auth, getuid ());
-+ fprintf (stderr, "polkit-agent-helper-1: authorization failure. This incident has been logged.\n");
-+ goto error;
-+ }
-+
-+ /* Check whether the user's password has aged (and account expired along
-+ * with it)
-+ */
-+ if (shadow->sp_inact >= 0 && (shadow->sp_lstchg + shadow->sp_max + shadow->sp_inact) * 60 * 60 * 24 <= now)
-+ {
-+ syslog (LOG_NOTICE, "password aged for user '%s' [uid=%d] trying to authenticate", user_to_auth, getuid ());
-+ fprintf (stderr, "polkit-agent-helper-1: authorization failure. This incident has been logged.\n");
-+ goto error;
-+ }
-+
-+ /* Check whether the user's account has expired */
-+ if (shadow->sp_expire >= 0 && shadow->sp_expire * 60 * 60 * 24 <= now)
-+ {
-+ syslog (LOG_NOTICE, "account expired for user '%s' [uid=%d] trying to authenticate", user_to_auth, getuid ());
-+ fprintf (stderr, "polkit-agent-helper-1: authorization failure. This incident has been logged.\n");
-+ goto error;
-+ }
-+
-+#ifdef PAH_DEBUG
-+ fprintf (stderr, "polkit-agent-helper-1: sending D-Bus message to PolicyKit daemon\n");
-+#endif /* PAH_DEBUG */
-+
-+ /* now send a D-Bus message to the PolicyKit daemon that
-+ * includes a) the cookie; and b) the user we authenticated
-+ */
-+ if (!send_dbus_message (cookie, user_to_auth))
-+ {
-+#ifdef PAH_DEBUG
-+ fprintf (stderr, "polkit-agent-helper-1: error sending D-Bus message to PolicyKit daemon\n");
-+#endif /* PAH_DEBUG */
-+ goto error;
-+ }
-+
-+#ifdef PAH_DEBUG
-+ fprintf (stderr, "polkit-agent-helper-1: successfully sent D-Bus message to PolicyKit daemon\n");
-+#endif /* PAH_DEBUG */
-+
-+ fprintf (stdout, "SUCCESS\n");
-+ flush_and_wait ();
-+ return 0;
-+
-+error:
-+ fprintf (stdout, "FAILURE\n");
-+ flush_and_wait ();
-+ return 1;
-+}
-+
-+static gboolean
-+shadow_authenticate (struct spwd *shadow)
-+{
-+ char passwd[512], *crypt_pass;
-+
-+ fprintf (stdout, "PAM_PROMPT_ECHO_OFF password:\n");
-+ fflush (stdout);
-+ usleep (10 * 1000); /* since fflush(3) seems buggy */
-+
-+ if (fgets (passwd, sizeof (passwd), stdin) == NULL)
-+ goto error;
-+
-+ if (strlen (passwd) > 0 && passwd[strlen (passwd) - 1] == '\n')
-+ passwd[strlen (passwd) - 1] = '\0';
-+
-+ /* Use the encrypted password as the salt, according to the crypt(3) man page,
-+ * it will perform whatever encryption method is specified in /etc/shadow
-+ */
-+ crypt_pass = crypt (passwd, shadow->sp_pwdp);
-+
-+ if (crypt_pass == NULL)
-+ goto error;
-+
-+ if (strcmp (shadow->sp_pwdp, crypt (passwd, shadow->sp_pwdp)) != 0)
-+ goto error;
-+ return 1;
-+error:
-+ return 0;
-+}
-diff --git a/src/polkitagent/polkitagenthelper.c b/src/polkitagent/polkitagenthelper.c
-deleted file mode 100644
-index cca86db..0000000
---- a/src/polkitagent/polkitagenthelper.c
-+++ /dev/null
-@@ -1,339 +0,0 @@
--/*
-- * Copyright (C) 2008 Red Hat, Inc.
-- *
-- * This library is free software; you can redistribute it and/or
-- * modify it under the terms of the GNU Lesser General Public
-- * License as published by the Free Software Foundation; either
-- * version 2 of the License, or (at your option) any later version.
-- *
-- * This library is distributed in the hope that it will be useful,
-- * but WITHOUT ANY WARRANTY; without even the implied warranty of
-- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-- * Lesser General Public License for more details.
-- *
-- * You should have received a copy of the GNU Lesser General
-- * Public License along with this library; if not, write to the
-- * Free Software Foundation, Inc., 59 Temple Place, Suite 330,
-- * Boston, MA 02111-1307, USA.
-- *
-- * Author: David Zeuthen <davidz@redhat.com>
-- */
--
--#include "config.h"
--#include <stdio.h>
--#include <stdlib.h>
--#include <string.h>
--#include <unistd.h>
--#include <sys/types.h>
--#include <sys/stat.h>
--#include <syslog.h>
--#include <security/pam_appl.h>
--
--#include <polkit/polkit.h>
--
--#ifdef HAVE_SOLARIS
--# define LOG_AUTHPRIV (10<<3)
--#endif
--
--#ifndef HAVE_CLEARENV
--extern char **environ;
--
--static int
--clearenv (void)
--{
-- if (environ != NULL)
-- environ[0] = NULL;
-- return 0;
--}
--#endif
--
--/* Development aid: define PAH_DEBUG to get debugging output. Do _NOT_
-- * enable this in production builds; it may leak passwords and other
-- * sensitive information.
-- */
--#undef PAH_DEBUG
--// #define PAH_DEBUG
--
--static gboolean send_dbus_message (const char *cookie, const char *user);
--
--static int conversation_function (int n, const struct pam_message **msg, struct pam_response **resp, void *data);
--
--int
--main (int argc, char *argv[])
--{
-- int rc;
-- const char *user_to_auth;
-- const char *cookie;
-- struct pam_conv pam_conversation;
-- pam_handle_t *pam_h;
-- const void *authed_user;
--
-- rc = 0;
-- pam_h = NULL;
--
-- /* clear the entire environment to avoid attacks using with libraries honoring environment variables */
-- if (clearenv () != 0)
-- goto error;
--
-- /* set a minimal environment */
-- setenv ("PATH", "/usr/sbin:/usr/bin:/sbin:/bin", 1);
--
-- /* check that we are setuid root */
-- if (geteuid () != 0)
-- {
-- fprintf (stderr, "polkit-agent-helper-1: needs to be setuid root\n");
-- goto error;
-- }
--
-- openlog ("polkit-agent-helper-1", LOG_CONS | LOG_PID, LOG_AUTHPRIV);
--
-- /* check for correct invocation */
-- if (argc != 3)
-- {
-- syslog (LOG_NOTICE, "inappropriate use of helper, wrong number of arguments [uid=%d]", getuid ());
-- fprintf (stderr, "polkit-agent-helper-1: wrong number of arguments. This incident has been logged.\n");
-- goto error;
-- }
--
-- user_to_auth = argv[1];
-- cookie = argv[2];
--
-- if (getuid () != 0)
-- {
-- /* check we're running with a non-tty stdin */
-- if (isatty (STDIN_FILENO) != 0)
-- {
-- syslog (LOG_NOTICE, "inappropriate use of helper, stdin is a tty [uid=%d]", getuid ());
-- fprintf (stderr, "polkit-agent-helper-1: inappropriate use of helper, stdin is a tty. This incident has been logged.\n");
-- goto error;
-- }
-- }
--
--#ifdef PAH_DEBUG
-- fprintf (stderr, "polkit-agent-helper-1: user to auth is '%s'.\n", user_to_auth);
--#endif /* PAH_DEBUG */
--
-- pam_conversation.conv = conversation_function;
-- pam_conversation.appdata_ptr = NULL;
--
-- /* start the pam stack */
-- rc = pam_start ("polkit-1",
-- user_to_auth,
-- &pam_conversation,
-- &pam_h);
-- if (rc != PAM_SUCCESS)
-- {
-- fprintf (stderr, "polkit-agent-helper-1: pam_start failed: %s\n", pam_strerror (pam_h, rc));
-- goto error;
-- }
--
-- /* set the requesting user */
-- rc = pam_set_item (pam_h, PAM_RUSER, user_to_auth);
-- if (rc != PAM_SUCCESS)
-- {
-- fprintf (stderr, "polkit-agent-helper-1: pam_set_item failed: %s\n", pam_strerror (pam_h, rc));
-- goto error;
-- }
--
-- /* is user really user? */
-- rc = pam_authenticate (pam_h, 0);
-- if (rc != PAM_SUCCESS)
-- {
-- fprintf (stderr, "polkit-agent-helper-1: pam_authenticated failed: %s\n", pam_strerror (pam_h, rc));
-- goto error;
-- }
--
-- /* permitted access? */
-- rc = pam_acct_mgmt (pam_h, 0);
-- if (rc != PAM_SUCCESS)
-- {
-- fprintf (stderr, "polkit-agent-helper-1: pam_acct_mgmt failed: %s\n", pam_strerror (pam_h, rc));
-- goto error;
-- }
--
-- /* did we auth the right user? */
-- rc = pam_get_item (pam_h, PAM_USER, &authed_user);
-- if (rc != PAM_SUCCESS)
-- {
-- fprintf (stderr, "polkit-agent-helper-1: pam_get_item failed: %s\n", pam_strerror (pam_h, rc));
-- goto error;
-- }
--
-- if (strcmp (authed_user, user_to_auth) != 0)
-- {
-- fprintf (stderr, "polkit-agent-helper-1: Tried to auth user '%s' but we got auth for user '%s' instead",
-- user_to_auth, (const char *) authed_user);
-- goto error;
-- }
--
--#ifdef PAH_DEBUG
-- fprintf (stderr, "polkit-agent-helper-1: successfully authenticated user '%s'.\n", user_to_auth);
--#endif /* PAH_DEBUG */
--
-- pam_end (pam_h, rc);
-- pam_h = NULL;
--
--#ifdef PAH_DEBUG
-- fprintf (stderr, "polkit-agent-helper-1: sending D-Bus message to PolicyKit daemon\n");
--#endif /* PAH_DEBUG */
--
-- /* now send a D-Bus message to the PolicyKit daemon that
-- * includes a) the cookie; and b) the user we authenticated
-- */
-- if (!send_dbus_message (cookie, user_to_auth))
-- {
--#ifdef PAH_DEBUG
-- fprintf (stderr, "polkit-agent-helper-1: error sending D-Bus message to PolicyKit daemon\n");
--#endif /* PAH_DEBUG */
-- goto error;
-- }
--
--#ifdef PAH_DEBUG
-- fprintf (stderr, "polkit-agent-helper-1: successfully sent D-Bus message to PolicyKit daemon\n");
--#endif /* PAH_DEBUG */
--
-- fprintf (stdout, "SUCCESS\n");
-- fflush (stdout);
-- fflush (stderr);
-- usleep (10 * 1000); /* since fflush(3) seems buggy */
-- return 0;
--
--error:
-- if (pam_h != NULL)
-- pam_end (pam_h, rc);
--
-- fprintf (stdout, "FAILURE\n");
-- fflush (stdout);
-- fflush (stderr);
-- usleep (10 * 1000); /* since fflush(3) seems buggy */
-- return 1;
--}
--
--static int
--conversation_function (int n, const struct pam_message **msg, struct pam_response **resp, void *data)
--{
-- struct pam_response *aresp;
-- char buf[PAM_MAX_RESP_SIZE];
-- int i;
--
-- data = data;
-- if (n <= 0 || n > PAM_MAX_NUM_MSG)
-- return PAM_CONV_ERR;
--
-- if ((aresp = calloc(n, sizeof *aresp)) == NULL)
-- return PAM_BUF_ERR;
--
-- for (i = 0; i < n; ++i)
-- {
-- aresp[i].resp_retcode = 0;
-- aresp[i].resp = NULL;
-- switch (msg[i]->msg_style)
-- {
--
-- case PAM_PROMPT_ECHO_OFF:
-- fprintf (stdout, "PAM_PROMPT_ECHO_OFF ");
-- goto conv1;
--
-- case PAM_PROMPT_ECHO_ON:
-- fprintf (stdout, "PAM_PROMPT_ECHO_ON ");
-- conv1:
-- fputs (msg[i]->msg, stdout);
-- if (strlen (msg[i]->msg) > 0 && msg[i]->msg[strlen (msg[i]->msg) - 1] != '\n')
-- fputc ('\n', stdout);
-- fflush (stdout);
--
-- if (fgets (buf, sizeof buf, stdin) == NULL)
-- goto error;
--
-- if (strlen (buf) > 0 &&
-- buf[strlen (buf) - 1] == '\n')
-- buf[strlen (buf) - 1] = '\0';
--
-- aresp[i].resp = strdup (buf);
-- if (aresp[i].resp == NULL)
-- goto error;
-- break;
--
-- case PAM_ERROR_MSG:
-- fprintf (stdout, "PAM_ERROR_MSG ");
-- goto conv2;
--
-- case PAM_TEXT_INFO:
-- fprintf (stdout, "PAM_TEXT_INFO ");
-- conv2:
-- fputs (msg[i]->msg, stdout);
-- if (strlen (msg[i]->msg) > 0 &&
-- msg[i]->msg[strlen (msg[i]->msg) - 1] != '\n')
-- fputc ('\n', stdout);
-- fflush (stdout);
-- break;
--
-- default:
-- goto error;
-- }
-- }
--
-- *resp = aresp;
-- return PAM_SUCCESS;
--
--error:
--
-- for (i = 0; i < n; ++i)
-- {
-- if (aresp[i].resp != NULL) {
-- memset (aresp[i].resp, 0, strlen(aresp[i].resp));
-- free (aresp[i].resp);
-- }
-- }
-- memset (aresp, 0, n * sizeof *aresp);
-- *resp = NULL;
-- return PAM_CONV_ERR;
--}
--
--static gboolean
--send_dbus_message (const char *cookie, const char *user)
--{
-- PolkitAuthority *authority;
-- PolkitIdentity *identity;
-- GError *error;
-- gboolean ret;
--
-- ret = FALSE;
--
-- error = NULL;
--
-- g_type_init ();
--
-- authority = polkit_authority_get ();
--
-- identity = polkit_unix_user_new_for_name (user, &error);
-- if (identity == NULL)
-- {
-- g_printerr ("Error constructing identity: %s\n", error->message);
-- g_error_free (error);
-- goto out;
-- }
--
-- if (!polkit_authority_authentication_agent_response_sync (authority,
-- cookie,
-- identity,
-- NULL,
-- &error))
-- {
-- g_printerr ("polkit-agent-helper-1: error response to PolicyKit daemon: %s\n", error->message);
-- g_error_free (error);
-- goto out;
-- }
--
-- ret = TRUE;
--
-- out:
--
-- if (identity != NULL)
-- g_object_unref (identity);
--
-- if (authority != NULL)
-- g_object_unref (authority);
--
-- return ret;
--}
-diff --git a/src/polkitagent/polkitagenthelperprivate.c b/src/polkitagent/polkitagenthelperprivate.c
-new file mode 100644
-index 0000000..be495e9
---- /dev/null
-+++ b/src/polkitagent/polkitagenthelperprivate.c
-@@ -0,0 +1,106 @@
-+/*
-+ * Copyright (C) 2009-2010 Red Hat, Inc.
-+ *
-+ * This library is free software; you can redistribute it and/or
-+ * modify it under the terms of the GNU Lesser General Public
-+ * License as published by the Free Software Foundation; either
-+ * version 2 of the License, or (at your option) any later version.
-+ *
-+ * This library is distributed in the hope that it will be useful,
-+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-+ * Lesser General Public License for more details.
-+ *
-+ * You should have received a copy of the GNU Lesser General
-+ * Public License along with this library; if not, write to the
-+ * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
-+ * Boston, MA 02110-1301, USA.
-+ *
-+ * Authors: David Zeuthen <davidz@redhat.com>,
-+ * Andrew Psaltis <ampsaltis@gmail.com>
-+ */
-+
-+#include "config.h"
-+#include "polkitagenthelperprivate.h"
-+#include <stdio.h>
-+#include <stdlib.h>
-+#include <unistd.h>
-+
-+#ifndef HAVE_CLEARENV
-+extern char **environ;
-+
-+int
-+_polkit_clearenv (void)
-+{
-+ if (environ != NULL)
-+ environ[0] = NULL;
-+ return 0;
-+}
-+#else
-+int
-+_polkit_clearenv (void)
-+{
-+ return clearenv ();
-+}
-+#endif
-+
-+
-+gboolean
-+send_dbus_message (const char *cookie, const char *user)
-+{
-+ PolkitAuthority *authority;
-+ PolkitIdentity *identity;
-+ GError *error;
-+ gboolean ret;
-+
-+ ret = FALSE;
-+
-+ error = NULL;
-+
-+ g_type_init ();
-+
-+ authority = polkit_authority_get ();
-+
-+ identity = polkit_unix_user_new_for_name (user, &error);
-+ if (identity == NULL)
-+ {
-+ g_printerr ("Error constructing identity: %s\n", error->message);
-+ g_error_free (error);
-+ goto out;
-+ }
-+
-+ if (!polkit_authority_authentication_agent_response_sync (authority,
-+ cookie,
-+ identity,
-+ NULL,
-+ &error))
-+ {
-+ g_printerr ("polkit-agent-helper-1: error response to PolicyKit daemon: %s\n", error->message);
-+ g_error_free (error);
-+ goto out;
-+ }
-+
-+ ret = TRUE;
-+
-+ out:
-+
-+ if (identity != NULL)
-+ g_object_unref (identity);
-+
-+ if (authority != NULL)
-+ g_object_unref (authority);
-+
-+ return ret;
-+}
-+
-+/* fflush(3) stdin and stdout and wait a little bit.
-+ * This replaces the three-line commands at the bottom of
-+ * polkit-agent-helper-1's main() function.
-+ */
-+void
-+flush_and_wait ()
-+{
-+ fflush (stdout);
-+ fflush (stderr);
-+ usleep (10 * 1000); /* since fflush(3) seems buggy */
-+}
-diff --git a/src/polkitagent/polkitagenthelperprivate.h b/src/polkitagent/polkitagenthelperprivate.h
-new file mode 100644
-index 0000000..7294d46
---- /dev/null
-+++ b/src/polkitagent/polkitagenthelperprivate.h
-@@ -0,0 +1,45 @@
-+/*
-+ * Copyright (C) 2009-2010 Red Hat, Inc.
-+ *
-+ * This library is free software; you can redistribute it and/or
-+ * modify it under the terms of the GNU Lesser General Public
-+ * License as published by the Free Software Foundation; either
-+ * version 2 of the License, or (at your option) any later version.
-+ *
-+ * This library is distributed in the hope that it will be useful,
-+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-+ * Lesser General Public License for more details.
-+ *
-+ * You should have received a copy of the GNU Lesser General
-+ * Public License along with this library; if not, write to the
-+ * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
-+ * Boston, MA 02110-1301, USA.
-+ *
-+ * Authors: David Zeuthen <davidz@redhat.com>,
-+ * Andrew Psaltis <ampsalits@gmail.com>
-+ */
-+#ifndef __POLKIT_AGENT_HELPER_PRIVATE_H
-+#define __POLKIT_AGENT_HELPER_PRIVATE_H
-+
-+#define _GNU_SOURCE
-+#include <polkit/polkit.h>
-+
-+/* Development aid: define PAH_DEBUG to get debugging output. Do _NOT_
-+ * enable this in production builds; it may leak passwords and other
-+ * sensitive information.
-+ */
-+#undef PAH_DEBUG
-+// #define PAH_DEBUG
-+
-+#ifdef HAVE_SOLARIS
-+# define LOG_AUTHPRIV (10<<3)
-+#endif
-+
-+int _polkit_clearenv (void);
-+
-+gboolean send_dbus_message (const char *cookie, const char *user);
-+
-+void flush_and_wait ();
-+
-+#endif /* __POLKIT_AGENT_HELPER_PRIVATE_H */
-diff --git a/src/programs/pkexec.c b/src/programs/pkexec.c
-index 17c191e..b0193f4 100644
---- a/src/programs/pkexec.c
-+++ b/src/programs/pkexec.c
-@@ -34,7 +34,11 @@
- #include <grp.h>
- #include <pwd.h>
- #include <errno.h>
-+
-+#ifdef POLKIT_AUTHFW_PAM
- #include <security/pam_appl.h>
-+#endif /* POLKIT_AUTHFW_PAM */
-+
- #include <syslog.h>
- #include <stdarg.h>
-
-@@ -115,6 +119,7 @@ log_message (gint level,
-
- /* ---------------------------------------------------------------------------------------------------- */
-
-+#ifdef POLKIT_AUTHFW_PAM
- static int
- pam_conversation_function (int n,
- const struct pam_message **msg,
-@@ -167,6 +172,7 @@ out:
- pam_end (pam_h, rc);
- return ret;
- }
-+#endif /* POLKIT_AUTHFW_PAM */
-
- /* ---------------------------------------------------------------------------------------------------- */
-
-@@ -741,10 +747,12 @@ main (int argc, char *argv[])
- * TODO: The question here is whether we should clear the limits before applying them?
- * As evident above, neither su(1) (and, for that matter, nor sudo(8)) does this.
- */
-+#ifdef POLKIT_AUTHFW_PAM
- if (!open_session (pw->pw_name))
- {
- goto out;
- }
-+#endif /* POLKIT_AUTHFW_PAM */
-
- /* become the user */
- if (setgroups (0, NULL) != 0)
---
-1.7.1
-
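Review bot: rules/polkit.make still passes `--with-authfw=shadow`, so deleting this backport makes the build depend on 0.104 itself providing the shadow helper and the `POLKIT_AUTHFW_PAM` guards around `open_session()` in pkexec.c that this patch added. The commit message carries only a Signed-off-by; a line stating that the three dropped patches are part of 0.104 would document that.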
diff --git a/patches/polkit-0.96/0003-Bug-29051-Configuration-reload-on-every-query.patch b/patches/polkit-0.96/0003-Bug-29051-Configuration-reload-on-every-query.patch
deleted file mode 100644
index d9cf8c23bfd6..000000000000
--- a/patches/polkit-0.96/0003-Bug-29051-Configuration-reload-on-every-query.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From 779c0153fc0bd3c2e302dac1979d17638f054229 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Petr=20Mr=C3=A1zek?= <peterix@gmail.com>
-Date: Wed, 14 Jul 2010 02:59:12 +0200
-Subject: [PATCH 3/3] =?UTF-8?q?Bug=2029051=20=E2=80=93=20Configuration=20reload=20on=20every=20query?=
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Set has_data to true after the data is loaded to prevent excessive
-reloading of config files.
-
-Signed-off-by: David Zeuthen <davidz@redhat.com>
----
- src/polkitbackend/polkitbackendconfigsource.c | 1 +
- .../polkitbackendlocalauthorizationstore.c | 2 ++
- 2 files changed, 3 insertions(+), 0 deletions(-)
-
-diff --git a/src/polkitbackend/polkitbackendconfigsource.c b/src/polkitbackend/polkitbackendconfigsource.c
-index 224d0d0..465da96 100644
---- a/src/polkitbackend/polkitbackendconfigsource.c
-+++ b/src/polkitbackend/polkitbackendconfigsource.c
-@@ -386,6 +386,7 @@ polkit_backend_config_source_ensure (PolkitBackendConfigSource *source)
- }
-
- source->priv->key_files = g_list_reverse (source->priv->key_files);
-+ source->priv->has_data = TRUE;
-
- out:
- g_list_foreach (files, (GFunc) g_object_unref, NULL);
-diff --git a/src/polkitbackend/polkitbackendlocalauthorizationstore.c b/src/polkitbackend/polkitbackendlocalauthorizationstore.c
-index 5d5dc14..b959269 100644
---- a/src/polkitbackend/polkitbackendlocalauthorizationstore.c
-+++ b/src/polkitbackend/polkitbackendlocalauthorizationstore.c
-@@ -641,6 +641,8 @@ polkit_backend_local_authorization_store_ensure (PolkitBackendLocalAuthorization
- g_free (filename);
- }
-
-+ store->priv->has_data = TRUE;
-+
- out:
- g_list_foreach (files, (GFunc) g_object_unref, NULL);
- g_list_free (files);
---
-1.7.1
-
diff --git a/patches/polkit-0.96/autogen.sh b/patches/polkit-0.96/autogen.sh
deleted file mode 120000
index 9f8a4cb7ddcb..000000000000
--- a/patches/polkit-0.96/autogen.sh
+++ /dev/null
@@ -1 +0,0 @@
-../autogen.sh
\ No newline at end of file
diff --git a/patches/polkit-0.96/series b/patches/polkit-0.96/series
deleted file mode 100644
index ee29cd64eb79..000000000000
--- a/patches/polkit-0.96/series
+++ /dev/null
@@ -1,3 +0,0 @@
-0001-Bug-26982-pkexec-information-disclosure-vulnerabilit.patch
-0002-Add-shadow-support.patch
-0003-Bug-29051-Configuration-reload-on-every-query.patch
diff --git a/rules/polkit.in b/rules/polkit.in
index d28de7c67e91..4edfccd2194f 100644
--- a/rules/polkit.in
+++ b/rules/polkit.in
@@ -1,14 +1,26 @@
## SECTION=system_libraries
-config POLKIT
+menuconfig POLKIT
tristate
- prompt "policykit-1"
+ prompt "policykit-1 "
select LIBC_CRYPT
select HOST_INTLTOOL
select HOST_GTK_DOC
+ select EXPAT
select GLIB
select DBUS_GLIB
select EGGDBUS
+ select SYSTEMD_LOGIND if POLKIT_SYSTEMD
help
PolicyKit offers an infrastructure for security policies for
dbus applications.
+
+if POLKIT
+
+config POLKIT_SYSTEMD
+ bool "systemd based session tracking"
+ default y if SYSTEMD
+ help
+ Use systemd for session tracking, else ConsoleKit is used
+
+endif
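Review bot: `POLKIT_SYSTEMD` only has `default y if SYSTEMD`, so nothing in this hunk prevents enabling it in a configuration without systemd, where `select SYSTEMD_LOGIND` would then force logind on regardless. Consider `depends on SYSTEMD` on the new option. The help text also says ConsoleKit is used otherwise, but no ConsoleKit select is added for the `!POLKIT_SYSTEMD` case, so session tracking may be silently missing there.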
diff --git a/rules/polkit.make b/rules/polkit.make
index b702a1b50d90..376315f929f8 100644
--- a/rules/polkit.make
+++ b/rules/polkit.make
@@ -16,8 +16,8 @@ PACKAGES-$(PTXCONF_POLKIT) += polkit
#
# Paths and names
#
-POLKIT_VERSION := 0.96
-POLKIT_MD5 := e0a06da501b04ed3bab986a9df5b5aa2
+POLKIT_VERSION := 0.104
+POLKIT_MD5 := e380b4c6fb1e7bccf854e92edc0a8ce1
POLKIT := polkit-$(POLKIT_VERSION)
POLKIT_SUFFIX := tar.gz
POLKIT_URL := http://hal.freedesktop.org/releases/$(POLKIT).$(POLKIT_SUFFIX)
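Review bot: the new `POLKIT_MD5` is the only integrity check on a tarball that `POLKIT_URL` fetches over plain `http://`. Please state how the new hash was verified, ideally against a copy of the release obtained over a trusted channel, since polkit ships setuid-root binaries.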
@@ -28,19 +28,19 @@ POLKIT_DIR := $(BUILDDIR)/$(POLKIT)
# Prepare
# ----------------------------------------------------------------------------
-#
-# autoconf
-#
-POLKIT_AUTOCONF := \
+POLKIT_CONF_TOOL := autoconf
+POLKIT_CONF_OPT := \
$(CROSS_AUTOCONF_USR) \
- --enable-shared \
- --enable-static \
+ $(GLOBAL_LARGE_FILE_OPTION) \
--disable-ansi \
--disable-verbose-mode \
--disable-man-pages \
--disable-gtk-doc \
- --disable-examples \
+ --disable-gtk-doc-html \
+ --$(call ptx/endis, PTXCONF_POLKIT_SYSTEMD)-systemd \
--disable-introspection \
+ --disable-examples \
+ --disable-nls \
--with-gnu-ld \
--with-authfw=shadow \
--with-os-type=ptxdist
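Review bot: with `--disable-gtk-doc`, `--disable-gtk-doc-html` and `--disable-nls` passed here and the `autogen.sh` link removed, rules/polkit.in still keeps `select HOST_GTK_DOC` and `select HOST_INTLTOOL`. If configure no longer needs those host tools, drop the selects; if it does, a short comment saying why would help. The removal of `--enable-shared` and `--enable-static` is also unexplained.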
@@ -65,6 +65,7 @@ $(STATEDIR)/polkit.targetinstall:
/usr/share/dbus-1/system-services/org.freedesktop.PolicyKit1.service)
# config
+ @$(call install_copy, polkit, 0, 0, 700, /etc/polkit-1/localauthority)
@$(call install_copy, polkit, 0, 0, 0644, -, \
/etc/polkit-1/localauthority.conf.d/50-localauthority.conf)
@$(call install_copy, polkit, 0, 0, 0644, -, \
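Review bot: the new `/etc/polkit-1/localauthority` entry gives the mode as `700`, while every other `install_copy` call in this rule uses four digits (`0644`, `0755`, `4755`). Write it as `0700` for consistency and to make clear that no special bits are intended; the same applies to the `/var/lib/polkit-1` entry added in the last hunk.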
@@ -79,8 +80,6 @@ $(STATEDIR)/polkit.targetinstall:
@$(call install_copy, polkit, 0, 0, 0644, -, \
/usr/lib/polkit-1/extensions/libnullbackend.so)
- @$(call install_copy, polkit, 0, 0, 0644, -, \
- /usr/lib/polkit-1/extensions/libpkexec-action-lookup.so)
# binaries
@$(call install_copy, polkit, 0, 0, 0755, -, /usr/bin/pkaction)
@@ -93,6 +92,9 @@ $(STATEDIR)/polkit.targetinstall:
@$(call install_copy, polkit, 0, 0, 4755, -, \
/usr/libexec/polkit-agent-helper-1)
+# run-time
+ @$(call install_copy, polkit, 0, 0, 700, /var/lib/polkit-1)
+
@$(call install_finish, polkit)
@$(call touch)
--
Pengutronix e.K. | Juergen Borleis |
Industrial Linux Solutions | http://www.pengutronix.de/ |
* Re: [ptxdist] [APTCH] polkit: version bump 0.96 -> 0.104
2015-03-16 13:24 [ptxdist] [APTCH] polkit: version bump 0.96 -> 0.104 Juergen Borleis
@ 2015-03-21 17:21 ` Michael Olbrich
0 siblings, 0 replies; 2+ messages in thread
From: Michael Olbrich @ 2015-03-21 17:21 UTC (permalink / raw)
To: ptxdist
On Mon, Mar 16, 2015 at 02:24:05PM +0100, Juergen Borleis wrote:
> Signed-off-by: Juergen Borleis <jbe@pengutronix.de>
>
> diff --git a/patches/polkit-0.96/0001-Bug-26982-pkexec-information-disclosure-vulnerabilit.patch b/patches/polkit-0.96/0001-Bug-26982-pkexec-information-disclosure-vulnerabilit.patch
> deleted file mode 100644
> index 3c8efb61bdbd..000000000000
> --- a/patches/polkit-0.96/0001-Bug-26982-pkexec-information-disclosure-vulnerabilit.patch
> +++ /dev/null
> @@ -1,68 +0,0 @@
> -From 14bdfd816512a82b1ad258fa143ae5faa945df8a Mon Sep 17 00:00:00 2001
> -From: Dan Rosenberg <dan.j.rosenberg@gmail.com>
> -Date: Wed, 10 Mar 2010 12:46:19 -0500
> -Subject: [PATCH 1/3] =?UTF-8?q?Bug=2026982=20=E2=80=93=20pkexec=20information=20disclosure=20vulnerability?=
> -MIME-Version: 1.0
> -Content-Type: text/plain; charset=UTF-8
> -Content-Transfer-Encoding: 8bit
> -
> -pkexec is vulnerable to a minor information disclosure vulnerability
> -that allows an attacker to verify whether or not arbitrary files
> -exist, violating directory permissions. I reproduced the issue on my
> -Karmic installation as follows:
> -
> - $ mkdir secret
> - $ sudo chown root:root secret
> - $ sudo chmod 400 secret
> - $ sudo touch secret/hidden
> - $ pkexec /home/drosenbe/secret/hidden
> - (password prompt)
> - $ pkexec /home/drosenbe/secret/doesnotexist
> - Error getting information about /home/drosenbe/secret/doesnotexist: No such
> - file or directory
> -
> -I've attached my patch for the issue. I replaced the stat() call
> -entirely with access() using F_OK, so rather than check that the
> -target exists, pkexec now checks if the user has permission to verify
> -the existence of the program. There might be another way of doing
> -this, such as chdir()'ing to the parent directory of the target and
> -calling lstat(), but this seemed like more code than necessary to
> -prevent such a minor problem. I see no reason to allow pkexec to
> -execute targets that are not accessible to the executing user because
> -of directory permissions. This is such a limited use case anyway that
> -this doesn't really affect functionality.
> -
> -http://bugs.freedesktop.org/show_bug.cgi?id=26982
> -
> -Signed-off-by: David Zeuthen <davidz@redhat.com>
> ----
> - src/programs/pkexec.c | 5 ++---
> - 1 files changed, 2 insertions(+), 3 deletions(-)
> -
> -diff --git a/src/programs/pkexec.c b/src/programs/pkexec.c
> -index 860e665..17c191e 100644
> ---- a/src/programs/pkexec.c
> -+++ b/src/programs/pkexec.c
> -@@ -411,7 +411,6 @@ main (int argc, char *argv[])
> - gchar *opt_user;
> - pid_t pid_of_caller;
> - uid_t uid_of_caller;
> -- struct stat statbuf;
> -
> - ret = 127;
> - authority = NULL;
> -@@ -520,9 +519,9 @@ main (int argc, char *argv[])
> - g_free (path);
> - argv[n] = path = s;
> - }
> -- if (stat (path, &statbuf) != 0)
> -+ if (access (path, F_OK) != 0)
> - {
> -- g_printerr ("Error getting information about %s: %s\n", path, g_strerror (errno));
> -+ g_printerr ("Error accessing %s: %s\n", path, g_strerror (errno));
> - goto out;
> - }
> - command_line = g_strjoinv (" ", argv + n);
> ---
> -1.7.1
> -
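Review bot: this removes the backport that replaced `stat (path, &statbuf)` with `access (path, F_OK)` in pkexec's `main()` to close the file-existence disclosure described in the patch text. Please confirm that 0.104 contains this change before dropping it, so the bump does not reintroduce the behaviour the patch fixed.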
> diff --git a/patches/polkit-0.96/0002-Add-shadow-support.patch b/patches/polkit-0.96/0002-Add-shadow-support.patch
> deleted file mode 100644
> index b9119e13fb0f..000000000000
> --- a/patches/polkit-0.96/0002-Add-shadow-support.patch
> +++ /dev/null
> @@ -1,1083 +0,0 @@
> -From a2edcef54d2ab1a92f729e34dfa0c183b2533c61 Mon Sep 17 00:00:00 2001
> -From: Andrew Psaltis <ampsaltis@gmail.com>
> -Date: Mon, 28 Jun 2010 22:04:00 -0400
> -Subject: [PATCH 2/3] Add shadow support
> -
> -Added support for the shadow authentication framework instead of PAM.
> -Enable it by passing --with-authfw=shadow to configure.
> -
> -This is done by splitting the polkitagenthelper source into separate
> -parts, one that does auth with PAM, and another that does auth with
> -shadow, sharing functions where appropriate.
> -
> -Also, all PAM-dependendent code in all other files has been #ifdef'd.
> -The only affected file is src/programs/pkexec.c
> -
> -Signed-off-by: David Zeuthen <davidz@redhat.com>
> ----
> - src/polkitagent/Makefile.am | 9 +-
> - src/polkitagent/polkitagenthelper-pam.c | 264 ++++++++++++++++++++++
> - src/polkitagent/polkitagenthelper-shadow.c | 198 ++++++++++++++++
> - src/polkitagent/polkitagenthelper.c | 339 ----------------------------
> - src/polkitagent/polkitagenthelperprivate.c | 106 +++++++++
> - src/polkitagent/polkitagenthelperprivate.h | 45 ++++
> - src/programs/pkexec.c | 8 +
> - 7 files changed, 629 insertions(+), 340 deletions(-)
> - create mode 100644 src/polkitagent/polkitagenthelper-pam.c
> - create mode 100644 src/polkitagent/polkitagenthelper-shadow.c
> - delete mode 100644 src/polkitagent/polkitagenthelper.c
> - create mode 100644 src/polkitagent/polkitagenthelperprivate.c
> - create mode 100644 src/polkitagent/polkitagenthelperprivate.h
> -
> -diff --git a/src/polkitagent/Makefile.am b/src/polkitagent/Makefile.am
> -index 3f38329..820be4d 100644
> ---- a/src/polkitagent/Makefile.am
> -+++ b/src/polkitagent/Makefile.am
> -@@ -68,9 +68,16 @@ libpolkit_agent_1_la_LDFLAGS = -export-symbols-regex '(^polkit_.*)'
> - libexec_PROGRAMS = polkit-agent-helper-1
> -
> - polkit_agent_helper_1_SOURCES = \
> -- polkitagenthelper.c \
> -+ polkitagenthelperprivate.c polkitagenthelperprivate.h \
> - $(NULL)
> -
> -+if POLKIT_AUTHFW_PAM
> -+polkit_agent_helper_1_SOURCES += polkitagenthelper-pam.c
> -+endif
> -+if POLKIT_AUTHFW_SHADOW
> -+polkit_agent_helper_1_SOURCES += polkitagenthelper-shadow.c
> -+endif
> -+
> - polkit_agent_helper_1_CFLAGS = \
> - -D_POLKIT_COMPILATION \
> - $(GLIB_CFLAGS) \
> -diff --git a/src/polkitagent/polkitagenthelper-pam.c b/src/polkitagent/polkitagenthelper-pam.c
> -new file mode 100644
> -index 0000000..5e8b54c
> ---- /dev/null
> -+++ b/src/polkitagent/polkitagenthelper-pam.c
> -@@ -0,0 +1,264 @@
> -+/*
> -+ * Copyright (C) 2008, 2010 Red Hat, Inc.
> -+ *
> -+ * This library is free software; you can redistribute it and/or
> -+ * modify it under the terms of the GNU Lesser General Public
> -+ * License as published by the Free Software Foundation; either
> -+ * version 2 of the License, or (at your option) any later version.
> -+ *
> -+ * This library is distributed in the hope that it will be useful,
> -+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
> -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
> -+ * Lesser General Public License for more details.
> -+ *
> -+ * You should have received a copy of the GNU Lesser General
> -+ * Public License along with this library; if not, write to the
> -+ * Free Software Foundation, Inc., 59 Temple Place, Suite 330,
> -+ * Boston, MA 02111-1307, USA.
> -+ *
> -+ * Author: David Zeuthen <davidz@redhat.com>
> -+ */
> -+
> -+#include "config.h"
> -+#include "polkitagenthelperprivate.h"
> -+
> -+#include <stdio.h>
> -+#include <stdlib.h>
> -+#include <string.h>
> -+#include <unistd.h>
> -+#include <sys/types.h>
> -+#include <sys/stat.h>
> -+#include <syslog.h>
> -+#include <security/pam_appl.h>
> -+
> -+#include <polkit/polkit.h>
> -+
> -+static int conversation_function (int n, const struct pam_message **msg, struct pam_response **resp, void *data);
> -+
> -+int
> -+main (int argc, char *argv[])
> -+{
> -+ int rc;
> -+ const char *user_to_auth;
> -+ const char *cookie;
> -+ struct pam_conv pam_conversation;
> -+ pam_handle_t *pam_h;
> -+ const void *authed_user;
> -+
> -+ rc = 0;
> -+ pam_h = NULL;
> -+
> -+ /* clear the entire environment to avoid attacks using with libraries honoring environment variables */
> -+ if (_polkit_clearenv () != 0)
> -+ goto error;
> -+
> -+ /* set a minimal environment */
> -+ setenv ("PATH", "/usr/sbin:/usr/bin:/sbin:/bin", 1);
> -+
> -+ /* check that we are setuid root */
> -+ if (geteuid () != 0)
> -+ {
> -+ fprintf (stderr, "polkit-agent-helper-1: needs to be setuid root\n");
> -+ goto error;
> -+ }
> -+
> -+ openlog ("polkit-agent-helper-1", LOG_CONS | LOG_PID, LOG_AUTHPRIV);
> -+
> -+ /* check for correct invocation */
> -+ if (argc != 3)
> -+ {
> -+ syslog (LOG_NOTICE, "inappropriate use of helper, wrong number of arguments [uid=%d]", getuid ());
> -+ fprintf (stderr, "polkit-agent-helper-1: wrong number of arguments. This incident has been logged.\n");
> -+ goto error;
> -+ }
> -+
> -+ user_to_auth = argv[1];
> -+ cookie = argv[2];
> -+
> -+ if (getuid () != 0)
> -+ {
> -+ /* check we're running with a non-tty stdin */
> -+ if (isatty (STDIN_FILENO) != 0)
> -+ {
> -+ syslog (LOG_NOTICE, "inappropriate use of helper, stdin is a tty [uid=%d]", getuid ());
> -+ fprintf (stderr, "polkit-agent-helper-1: inappropriate use of helper, stdin is a tty. This incident has been logged.\n");
> -+ goto error;
> -+ }
> -+ }
> -+
> -+#ifdef PAH_DEBUG
> -+ fprintf (stderr, "polkit-agent-helper-1: user to auth is '%s'.\n", user_to_auth);
> -+#endif /* PAH_DEBUG */
> -+
> -+ pam_conversation.conv = conversation_function;
> -+ pam_conversation.appdata_ptr = NULL;
> -+
> -+ /* start the pam stack */
> -+ rc = pam_start ("polkit-1",
> -+ user_to_auth,
> -+ &pam_conversation,
> -+ &pam_h);
> -+ if (rc != PAM_SUCCESS)
> -+ {
> -+ fprintf (stderr, "polkit-agent-helper-1: pam_start failed: %s\n", pam_strerror (pam_h, rc));
> -+ goto error;
> -+ }
> -+
> -+ /* set the requesting user */
> -+ rc = pam_set_item (pam_h, PAM_RUSER, user_to_auth);
> -+ if (rc != PAM_SUCCESS)
> -+ {
> -+ fprintf (stderr, "polkit-agent-helper-1: pam_set_item failed: %s\n", pam_strerror (pam_h, rc));
> -+ goto error;
> -+ }
> -+
> -+ /* is user really user? */
> -+ rc = pam_authenticate (pam_h, 0);
> -+ if (rc != PAM_SUCCESS)
> -+ {
> -+ fprintf (stderr, "polkit-agent-helper-1: pam_authenticated failed: %s\n", pam_strerror (pam_h, rc));
> -+ goto error;
> -+ }
> -+
> -+ /* permitted access? */
> -+ rc = pam_acct_mgmt (pam_h, 0);
> -+ if (rc != PAM_SUCCESS)
> -+ {
> -+ fprintf (stderr, "polkit-agent-helper-1: pam_acct_mgmt failed: %s\n", pam_strerror (pam_h, rc));
> -+ goto error;
> -+ }
> -+
> -+ /* did we auth the right user? */
> -+ rc = pam_get_item (pam_h, PAM_USER, &authed_user);
> -+ if (rc != PAM_SUCCESS)
> -+ {
> -+ fprintf (stderr, "polkit-agent-helper-1: pam_get_item failed: %s\n", pam_strerror (pam_h, rc));
> -+ goto error;
> -+ }
> -+
> -+ if (strcmp (authed_user, user_to_auth) != 0)
> -+ {
> -+ fprintf (stderr, "polkit-agent-helper-1: Tried to auth user '%s' but we got auth for user '%s' instead",
> -+ user_to_auth, (const char *) authed_user);
> -+ goto error;
> -+ }
> -+
> -+#ifdef PAH_DEBUG
> -+ fprintf (stderr, "polkit-agent-helper-1: successfully authenticated user '%s'.\n", user_to_auth);
> -+#endif /* PAH_DEBUG */
> -+
> -+ pam_end (pam_h, rc);
> -+ pam_h = NULL;
> -+
> -+#ifdef PAH_DEBUG
> -+ fprintf (stderr, "polkit-agent-helper-1: sending D-Bus message to PolicyKit daemon\n");
> -+#endif /* PAH_DEBUG */
> -+
> -+ /* now send a D-Bus message to the PolicyKit daemon that
> -+ * includes a) the cookie; and b) the user we authenticated
> -+ */
> -+ if (!send_dbus_message (cookie, user_to_auth))
> -+ {
> -+#ifdef PAH_DEBUG
> -+ fprintf (stderr, "polkit-agent-helper-1: error sending D-Bus message to PolicyKit daemon\n");
> -+#endif /* PAH_DEBUG */
> -+ goto error;
> -+ }
> -+
> -+#ifdef PAH_DEBUG
> -+ fprintf (stderr, "polkit-agent-helper-1: successfully sent D-Bus message to PolicyKit daemon\n");
> -+#endif /* PAH_DEBUG */
> -+
> -+ fprintf (stdout, "SUCCESS\n");
> -+ flush_and_wait();
> -+ return 0;
> -+
> -+error:
> -+ if (pam_h != NULL)
> -+ pam_end (pam_h, rc);
> -+
> -+ fprintf (stdout, "FAILURE\n");
> -+ flush_and_wait();
> -+ return 1;
> -+}
> -+
> -+static int
> -+conversation_function (int n, const struct pam_message **msg, struct pam_response **resp, void *data)
> -+{
> -+ struct pam_response *aresp;
> -+ char buf[PAM_MAX_RESP_SIZE];
> -+ int i;
> -+
> -+ data = data;
> -+ if (n <= 0 || n > PAM_MAX_NUM_MSG)
> -+ return PAM_CONV_ERR;
> -+
> -+ if ((aresp = calloc(n, sizeof *aresp)) == NULL)
> -+ return PAM_BUF_ERR;
> -+
> -+ for (i = 0; i < n; ++i)
> -+ {
> -+ aresp[i].resp_retcode = 0;
> -+ aresp[i].resp = NULL;
> -+ switch (msg[i]->msg_style)
> -+ {
> -+
> -+ case PAM_PROMPT_ECHO_OFF:
> -+ fprintf (stdout, "PAM_PROMPT_ECHO_OFF ");
> -+ goto conv1;
> -+
> -+ case PAM_PROMPT_ECHO_ON:
> -+ fprintf (stdout, "PAM_PROMPT_ECHO_ON ");
> -+ conv1:
> -+ fputs (msg[i]->msg, stdout);
> -+ if (strlen (msg[i]->msg) > 0 && msg[i]->msg[strlen (msg[i]->msg) - 1] != '\n')
> -+ fputc ('\n', stdout);
> -+ fflush (stdout);
> -+
> -+ if (fgets (buf, sizeof buf, stdin) == NULL)
> -+ goto error;
> -+
> -+ if (strlen (buf) > 0 &&
> -+ buf[strlen (buf) - 1] == '\n')
> -+ buf[strlen (buf) - 1] = '\0';
> -+
> -+ aresp[i].resp = strdup (buf);
> -+ if (aresp[i].resp == NULL)
> -+ goto error;
> -+ break;
> -+
> -+ case PAM_ERROR_MSG:
> -+ fprintf (stdout, "PAM_ERROR_MSG ");
> -+ goto conv2;
> -+
> -+ case PAM_TEXT_INFO:
> -+ fprintf (stdout, "PAM_TEXT_INFO ");
> -+ conv2:
> -+ fputs (msg[i]->msg, stdout);
> -+ if (strlen (msg[i]->msg) > 0 &&
> -+ msg[i]->msg[strlen (msg[i]->msg) - 1] != '\n')
> -+ fputc ('\n', stdout);
> -+ fflush (stdout);
> -+ break;
> -+
> -+ default:
> -+ goto error;
> -+ }
> -+ }
> -+
> -+ *resp = aresp;
> -+ return PAM_SUCCESS;
> -+
> -+error:
> -+
> -+ for (i = 0; i < n; ++i)
> -+ {
> -+ if (aresp[i].resp != NULL) {
> -+ memset (aresp[i].resp, 0, strlen(aresp[i].resp));
> -+ free (aresp[i].resp);
> -+ }
> -+ }
> -+ memset (aresp, 0, n * sizeof *aresp);
> -+ *resp = NULL;
> -+ return PAM_CONV_ERR;
> -+}
> -diff --git a/src/polkitagent/polkitagenthelper-shadow.c b/src/polkitagent/polkitagenthelper-shadow.c
> -new file mode 100644
> -index 0000000..a4f73ac
> ---- /dev/null
> -+++ b/src/polkitagent/polkitagenthelper-shadow.c
> -@@ -0,0 +1,198 @@
> -+/*
> -+ * Copyright (C) 2008 Red Hat, Inc.
> -+ * Copyright (C) 2009-2010 Andrew Psaltis <ampsaltis@gmail.com>
> -+ *
> -+ * This library is free software; you can redistribute it and/or
> -+ * modify it under the terms of the GNU Lesser General Public
> -+ * License as published by the Free Software Foundation; either
> -+ * version 2 of the License, or (at your option) any later version.
> -+ *
> -+ * This library is distributed in the hope that it will be useful,
> -+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
> -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
> -+ * Lesser General Public License for more details.
> -+ *
> -+ * You should have received a copy of the GNU Lesser General
> -+ * Public License along with this library; if not, write to the
> -+ * Free Software Foundation, Inc., 59 Temple Place, Suite 330,
> -+ * Boston, MA 02111-1307, USA.
> -+ *
> -+ * Authors: Andrew Psaltis <ampsaltis@gmail.com>, based on
> -+ * polkitagenthelper.c which was written by
> -+ * David Zeuthen <davidz@redhat.com>
> -+ */
> -+
> -+#include "config.h"
> -+#include "polkitagenthelperprivate.h"
> -+
> -+#include <stdio.h>
> -+#include <stdlib.h>
> -+#include <string.h>
> -+#include <unistd.h>
> -+#include <sys/types.h>
> -+#include <sys/stat.h>
> -+#include <syslog.h>
> -+#include <shadow.h>
> -+#include <grp.h>
> -+#include <pwd.h>
> -+#include <time.h>
> -+
> -+#include <polkit/polkit.h>
> -+
> -+static gboolean shadow_authenticate (struct spwd *shadow);
> -+
> -+int
> -+main (int argc, char *argv[])
> -+{
> -+ struct spwd *shadow;
> -+ const char *user_to_auth;
> -+ const char *cookie;
> -+ time_t now;
> -+
> -+ /* clear the entire environment to avoid attacks with
> -+ libraries honoring environment variables */
> -+ if (_polkit_clearenv () != 0)
> -+ goto error;
> -+
> -+ /* set a minimal environment */
> -+ setenv ("PATH", "/usr/sbin:/usr/bin:/sbin:/bin", 1);
> -+
> -+ /* check that we are setuid root */
> -+ if (geteuid () != 0)
> -+ {
> -+ fprintf (stderr, "polkit-agent-helper-1: needs to be setuid root\n");
> -+ goto error;
> -+ }
> -+
> -+ openlog ("polkit-agent-helper-1", LOG_CONS | LOG_PID, LOG_AUTHPRIV);
> -+
> -+ /* check for correct invocation */
> -+ if (argc != 3)
> -+ {
> -+ syslog (LOG_NOTICE, "inappropriate use of helper, wrong number of arguments [uid=%d]", getuid ());
> -+ fprintf (stderr, "polkit-agent-helper-1: wrong number of arguments. This incident has been logged.\n");
> -+ goto error;
> -+ }
> -+
> -+ if (getuid () != 0)
> -+ {
> -+ /* check we're running with a non-tty stdin */
> -+ if (isatty (STDIN_FILENO) != 0)
> -+ {
> -+ syslog (LOG_NOTICE, "inappropriate use of helper, stdin is a tty [uid=%d]", getuid ());
> -+ fprintf (stderr, "polkit-agent-helper-1: inappropriate use of helper, stdin is a tty. This incident has been logged.\n");
> -+ goto error;
> -+ }
> -+ }
> -+
> -+ user_to_auth = argv[1];
> -+ cookie = argv[2];
> -+
> -+#ifdef PAH_DEBUG
> -+ fprintf (stderr, "polkit-agent-helper-1: user to auth is '%s'.\n", user_to_auth);
> -+#endif /* PAH_DEBUG */
> -+
> -+
> -+ /* Ask shadow about the user requesting authentication */
> -+ shadow = getspnam (user_to_auth);
> -+
> -+ if (shadow == NULL)
> -+ {
> -+ syslog (LOG_NOTICE, "shadow file data information request for user '%s' [uid=%d] failed", user_to_auth, getuid ());
> -+ fprintf(stderr, "polkit-agent-helper-1: could not get shadow information for '%s'", user_to_auth);
> -+ goto error;
> -+ }
> -+
> -+ /* Check the user's identity */
> -+ if (shadow_authenticate (shadow) == FALSE)
> -+ {
> -+ syslog (LOG_NOTICE, "authentication failure [uid=%d] trying to authenticate '%s'", getuid (), user_to_auth);
> -+ fprintf (stderr, "polkit-agent-helper-1: authentication failure. This incident has been logged.\n");
> -+ goto error;
> -+ }
> -+
> -+ /* Check whether the user's password has expired */
> -+ now = time (NULL);
> -+ if (shadow->sp_max >= 0 && (shadow->sp_lstchg + shadow->sp_max) * 60 * 60 * 24 <= now)
> -+ {
> -+ syslog (LOG_NOTICE, "password expired for user '%s' [uid=%d] trying to authenticate", user_to_auth, getuid ());
> -+ fprintf (stderr, "polkit-agent-helper-1: authorization failure. This incident has been logged.\n");
> -+ goto error;
> -+ }
> -+
> -+ /* Check whether the user's password has aged (and account expired along
> -+ * with it)
> -+ */
> -+ if (shadow->sp_inact >= 0 && (shadow->sp_lstchg + shadow->sp_max + shadow->sp_inact) * 60 * 60 * 24 <= now)
> -+ {
> -+ syslog (LOG_NOTICE, "password aged for user '%s' [uid=%d] trying to authenticate", user_to_auth, getuid ());
> -+ fprintf (stderr, "polkit-agent-helper-1: authorization failure. This incident has been logged.\n");
> -+ goto error;
> -+ }
> -+
> -+ /* Check whether the user's account has expired */
> -+ if (shadow->sp_expire >= 0 && shadow->sp_expire * 60 * 60 * 24 <= now)
> -+ {
> -+ syslog (LOG_NOTICE, "account expired for user '%s' [uid=%d] trying to authenticate", user_to_auth, getuid ());
> -+ fprintf (stderr, "polkit-agent-helper-1: authorization failure. This incident has been logged.\n");
> -+ goto error;
> -+ }
> -+
> -+#ifdef PAH_DEBUG
> -+ fprintf (stderr, "polkit-agent-helper-1: sending D-Bus message to PolicyKit daemon\n");
> -+#endif /* PAH_DEBUG */
> -+
> -+ /* now send a D-Bus message to the PolicyKit daemon that
> -+ * includes a) the cookie; and b) the user we authenticated
> -+ */
> -+ if (!send_dbus_message (cookie, user_to_auth))
> -+ {
> -+#ifdef PAH_DEBUG
> -+ fprintf (stderr, "polkit-agent-helper-1: error sending D-Bus message to PolicyKit daemon\n");
> -+#endif /* PAH_DEBUG */
> -+ goto error;
> -+ }
> -+
> -+#ifdef PAH_DEBUG
> -+ fprintf (stderr, "polkit-agent-helper-1: successfully sent D-Bus message to PolicyKit daemon\n");
> -+#endif /* PAH_DEBUG */
> -+
> -+ fprintf (stdout, "SUCCESS\n");
> -+ flush_and_wait ();
> -+ return 0;
> -+
> -+error:
> -+ fprintf (stdout, "FAILURE\n");
> -+ flush_and_wait ();
> -+ return 1;
> -+}
> -+
> -+static gboolean
> -+shadow_authenticate (struct spwd *shadow)
> -+{
> -+ char passwd[512], *crypt_pass;
> -+
> -+ fprintf (stdout, "PAM_PROMPT_ECHO_OFF password:\n");
> -+ fflush (stdout);
> -+ usleep (10 * 1000); /* since fflush(3) seems buggy */
> -+
> -+ if (fgets (passwd, sizeof (passwd), stdin) == NULL)
> -+ goto error;
> -+
> -+ if (strlen (passwd) > 0 && passwd[strlen (passwd) - 1] == '\n')
> -+ passwd[strlen (passwd) - 1] = '\0';
> -+
> -+ /* Use the encrypted password as the salt, according to the crypt(3) man page,
> -+ * it will perform whatever encryption method is specified in /etc/shadow
> -+ */
> -+ crypt_pass = crypt (passwd, shadow->sp_pwdp);
> -+
> -+ if (crypt_pass == NULL)
> -+ goto error;
> -+
> -+ if (strcmp (shadow->sp_pwdp, crypt (passwd, shadow->sp_pwdp)) != 0)
> -+ goto error;
> -+ return 1;
> -+error:
> -+ return 0;
> -+}
> -diff --git a/src/polkitagent/polkitagenthelper.c b/src/polkitagent/polkitagenthelper.c
> -deleted file mode 100644
> -index cca86db..0000000
> ---- a/src/polkitagent/polkitagenthelper.c
> -+++ /dev/null
> -@@ -1,339 +0,0 @@
> --/*
> -- * Copyright (C) 2008 Red Hat, Inc.
> -- *
> -- * This library is free software; you can redistribute it and/or
> -- * modify it under the terms of the GNU Lesser General Public
> -- * License as published by the Free Software Foundation; either
> -- * version 2 of the License, or (at your option) any later version.
> -- *
> -- * This library is distributed in the hope that it will be useful,
> -- * but WITHOUT ANY WARRANTY; without even the implied warranty of
> -- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
> -- * Lesser General Public License for more details.
> -- *
> -- * You should have received a copy of the GNU Lesser General
> -- * Public License along with this library; if not, write to the
> -- * Free Software Foundation, Inc., 59 Temple Place, Suite 330,
> -- * Boston, MA 02111-1307, USA.
> -- *
> -- * Author: David Zeuthen <davidz@redhat.com>
> -- */
> --
> --#include "config.h"
> --#include <stdio.h>
> --#include <stdlib.h>
> --#include <string.h>
> --#include <unistd.h>
> --#include <sys/types.h>
> --#include <sys/stat.h>
> --#include <syslog.h>
> --#include <security/pam_appl.h>
> --
> --#include <polkit/polkit.h>
> --
> --#ifdef HAVE_SOLARIS
> --# define LOG_AUTHPRIV (10<<3)
> --#endif
> --
> --#ifndef HAVE_CLEARENV
> --extern char **environ;
> --
> --static int
> --clearenv (void)
> --{
> -- if (environ != NULL)
> -- environ[0] = NULL;
> -- return 0;
> --}
> --#endif
> --
> --/* Development aid: define PAH_DEBUG to get debugging output. Do _NOT_
> -- * enable this in production builds; it may leak passwords and other
> -- * sensitive information.
> -- */
> --#undef PAH_DEBUG
> --// #define PAH_DEBUG
> --
> --static gboolean send_dbus_message (const char *cookie, const char *user);
> --
> --static int conversation_function (int n, const struct pam_message **msg, struct pam_response **resp, void *data);
> --
> --int
> --main (int argc, char *argv[])
> --{
> -- int rc;
> -- const char *user_to_auth;
> -- const char *cookie;
> -- struct pam_conv pam_conversation;
> -- pam_handle_t *pam_h;
> -- const void *authed_user;
> --
> -- rc = 0;
> -- pam_h = NULL;
> --
> -- /* clear the entire environment to avoid attacks using with libraries honoring environment variables */
> -- if (clearenv () != 0)
> -- goto error;
> --
> -- /* set a minimal environment */
> -- setenv ("PATH", "/usr/sbin:/usr/bin:/sbin:/bin", 1);
> --
> -- /* check that we are setuid root */
> -- if (geteuid () != 0)
> -- {
> -- fprintf (stderr, "polkit-agent-helper-1: needs to be setuid root\n");
> -- goto error;
> -- }
> --
> -- openlog ("polkit-agent-helper-1", LOG_CONS | LOG_PID, LOG_AUTHPRIV);
> --
> -- /* check for correct invocation */
> -- if (argc != 3)
> -- {
> -- syslog (LOG_NOTICE, "inappropriate use of helper, wrong number of arguments [uid=%d]", getuid ());
> -- fprintf (stderr, "polkit-agent-helper-1: wrong number of arguments. This incident has been logged.\n");
> -- goto error;
> -- }
> --
> -- user_to_auth = argv[1];
> -- cookie = argv[2];
> --
> -- if (getuid () != 0)
> -- {
> -- /* check we're running with a non-tty stdin */
> -- if (isatty (STDIN_FILENO) != 0)
> -- {
> -- syslog (LOG_NOTICE, "inappropriate use of helper, stdin is a tty [uid=%d]", getuid ());
> -- fprintf (stderr, "polkit-agent-helper-1: inappropriate use of helper, stdin is a tty. This incident has been logged.\n");
> -- goto error;
> -- }
> -- }
> --
> --#ifdef PAH_DEBUG
> -- fprintf (stderr, "polkit-agent-helper-1: user to auth is '%s'.\n", user_to_auth);
> --#endif /* PAH_DEBUG */
> --
> -- pam_conversation.conv = conversation_function;
> -- pam_conversation.appdata_ptr = NULL;
> --
> -- /* start the pam stack */
> -- rc = pam_start ("polkit-1",
> -- user_to_auth,
> -- &pam_conversation,
> -- &pam_h);
> -- if (rc != PAM_SUCCESS)
> -- {
> -- fprintf (stderr, "polkit-agent-helper-1: pam_start failed: %s\n", pam_strerror (pam_h, rc));
> -- goto error;
> -- }
> --
> -- /* set the requesting user */
> -- rc = pam_set_item (pam_h, PAM_RUSER, user_to_auth);
> -- if (rc != PAM_SUCCESS)
> -- {
> -- fprintf (stderr, "polkit-agent-helper-1: pam_set_item failed: %s\n", pam_strerror (pam_h, rc));
> -- goto error;
> -- }
> --
> -- /* is user really user? */
> -- rc = pam_authenticate (pam_h, 0);
> -- if (rc != PAM_SUCCESS)
> -- {
> -- fprintf (stderr, "polkit-agent-helper-1: pam_authenticated failed: %s\n", pam_strerror (pam_h, rc));
> -- goto error;
> -- }
> --
> -- /* permitted access? */
> -- rc = pam_acct_mgmt (pam_h, 0);
> -- if (rc != PAM_SUCCESS)
> -- {
> -- fprintf (stderr, "polkit-agent-helper-1: pam_acct_mgmt failed: %s\n", pam_strerror (pam_h, rc));
> -- goto error;
> -- }
> --
> -- /* did we auth the right user? */
> -- rc = pam_get_item (pam_h, PAM_USER, &authed_user);
> -- if (rc != PAM_SUCCESS)
> -- {
> -- fprintf (stderr, "polkit-agent-helper-1: pam_get_item failed: %s\n", pam_strerror (pam_h, rc));
> -- goto error;
> -- }
> --
> -- if (strcmp (authed_user, user_to_auth) != 0)
> -- {
> -- fprintf (stderr, "polkit-agent-helper-1: Tried to auth user '%s' but we got auth for user '%s' instead",
> -- user_to_auth, (const char *) authed_user);
> -- goto error;
> -- }
> --
> --#ifdef PAH_DEBUG
> -- fprintf (stderr, "polkit-agent-helper-1: successfully authenticated user '%s'.\n", user_to_auth);
> --#endif /* PAH_DEBUG */
> --
> -- pam_end (pam_h, rc);
> -- pam_h = NULL;
> --
> --#ifdef PAH_DEBUG
> -- fprintf (stderr, "polkit-agent-helper-1: sending D-Bus message to PolicyKit daemon\n");
> --#endif /* PAH_DEBUG */
> --
> -- /* now send a D-Bus message to the PolicyKit daemon that
> -- * includes a) the cookie; and b) the user we authenticated
> -- */
> -- if (!send_dbus_message (cookie, user_to_auth))
> -- {
> --#ifdef PAH_DEBUG
> -- fprintf (stderr, "polkit-agent-helper-1: error sending D-Bus message to PolicyKit daemon\n");
> --#endif /* PAH_DEBUG */
> -- goto error;
> -- }
> --
> --#ifdef PAH_DEBUG
> -- fprintf (stderr, "polkit-agent-helper-1: successfully sent D-Bus message to PolicyKit daemon\n");
> --#endif /* PAH_DEBUG */
> --
> -- fprintf (stdout, "SUCCESS\n");
> -- fflush (stdout);
> -- fflush (stderr);
> -- usleep (10 * 1000); /* since fflush(3) seems buggy */
> -- return 0;
> --
> --error:
> -- if (pam_h != NULL)
> -- pam_end (pam_h, rc);
> --
> -- fprintf (stdout, "FAILURE\n");
> -- fflush (stdout);
> -- fflush (stderr);
> -- usleep (10 * 1000); /* since fflush(3) seems buggy */
> -- return 1;
> --}
> --
> --static int
> --conversation_function (int n, const struct pam_message **msg, struct pam_response **resp, void *data)
> --{
> -- struct pam_response *aresp;
> -- char buf[PAM_MAX_RESP_SIZE];
> -- int i;
> --
> -- data = data;
> -- if (n <= 0 || n > PAM_MAX_NUM_MSG)
> -- return PAM_CONV_ERR;
> --
> -- if ((aresp = calloc(n, sizeof *aresp)) == NULL)
> -- return PAM_BUF_ERR;
> --
> -- for (i = 0; i < n; ++i)
> -- {
> -- aresp[i].resp_retcode = 0;
> -- aresp[i].resp = NULL;
> -- switch (msg[i]->msg_style)
> -- {
> --
> -- case PAM_PROMPT_ECHO_OFF:
> -- fprintf (stdout, "PAM_PROMPT_ECHO_OFF ");
> -- goto conv1;
> --
> -- case PAM_PROMPT_ECHO_ON:
> -- fprintf (stdout, "PAM_PROMPT_ECHO_ON ");
> -- conv1:
> -- fputs (msg[i]->msg, stdout);
> -- if (strlen (msg[i]->msg) > 0 && msg[i]->msg[strlen (msg[i]->msg) - 1] != '\n')
> -- fputc ('\n', stdout);
> -- fflush (stdout);
> --
> -- if (fgets (buf, sizeof buf, stdin) == NULL)
> -- goto error;
> --
> -- if (strlen (buf) > 0 &&
> -- buf[strlen (buf) - 1] == '\n')
> -- buf[strlen (buf) - 1] = '\0';
> --
> -- aresp[i].resp = strdup (buf);
> -- if (aresp[i].resp == NULL)
> -- goto error;
> -- break;
> --
> -- case PAM_ERROR_MSG:
> -- fprintf (stdout, "PAM_ERROR_MSG ");
> -- goto conv2;
> --
> -- case PAM_TEXT_INFO:
> -- fprintf (stdout, "PAM_TEXT_INFO ");
> -- conv2:
> -- fputs (msg[i]->msg, stdout);
> -- if (strlen (msg[i]->msg) > 0 &&
> -- msg[i]->msg[strlen (msg[i]->msg) - 1] != '\n')
> -- fputc ('\n', stdout);
> -- fflush (stdout);
> -- break;
> --
> -- default:
> -- goto error;
> -- }
> -- }
> --
> -- *resp = aresp;
> -- return PAM_SUCCESS;
> --
> --error:
> --
> -- for (i = 0; i < n; ++i)
> -- {
> -- if (aresp[i].resp != NULL) {
> -- memset (aresp[i].resp, 0, strlen(aresp[i].resp));
> -- free (aresp[i].resp);
> -- }
> -- }
> -- memset (aresp, 0, n * sizeof *aresp);
> -- *resp = NULL;
> -- return PAM_CONV_ERR;
> --}
> --
> --static gboolean
> --send_dbus_message (const char *cookie, const char *user)
> --{
> -- PolkitAuthority *authority;
> -- PolkitIdentity *identity;
> -- GError *error;
> -- gboolean ret;
> --
> -- ret = FALSE;
> --
> -- error = NULL;
> --
> -- g_type_init ();
> --
> -- authority = polkit_authority_get ();
> --
> -- identity = polkit_unix_user_new_for_name (user, &error);
> -- if (identity == NULL)
> -- {
> -- g_printerr ("Error constructing identity: %s\n", error->message);
> -- g_error_free (error);
> -- goto out;
> -- }
> --
> -- if (!polkit_authority_authentication_agent_response_sync (authority,
> -- cookie,
> -- identity,
> -- NULL,
> -- &error))
> -- {
> -- g_printerr ("polkit-agent-helper-1: error response to PolicyKit daemon: %s\n", error->message);
> -- g_error_free (error);
> -- goto out;
> -- }
> --
> -- ret = TRUE;
> --
> -- out:
> --
> -- if (identity != NULL)
> -- g_object_unref (identity);
> --
> -- if (authority != NULL)
> -- g_object_unref (authority);
> --
> -- return ret;
> --}
> -diff --git a/src/polkitagent/polkitagenthelperprivate.c b/src/polkitagent/polkitagenthelperprivate.c
> -new file mode 100644
> -index 0000000..be495e9
> ---- /dev/null
> -+++ b/src/polkitagent/polkitagenthelperprivate.c
> -@@ -0,0 +1,106 @@
> -+/*
> -+ * Copyright (C) 2009-2010 Red Hat, Inc.
> -+ *
> -+ * This library is free software; you can redistribute it and/or
> -+ * modify it under the terms of the GNU Lesser General Public
> -+ * License as published by the Free Software Foundation; either
> -+ * version 2 of the License, or (at your option) any later version.
> -+ *
> -+ * This library is distributed in the hope that it will be useful,
> -+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
> -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
> -+ * Lesser General Public License for more details.
> -+ *
> -+ * You should have received a copy of the GNU Lesser General
> -+ * Public License along with this library; if not, write to the
> -+ * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
> -+ * Boston, MA 02110-1301, USA.
> -+ *
> -+ * Authors: David Zeuthen <davidz@redhat.com>,
> -+ * Andrew Psaltis <ampsaltis@gmail.com>
> -+ */
> -+
> -+#include "config.h"
> -+#include "polkitagenthelperprivate.h"
> -+#include <stdio.h>
> -+#include <stdlib.h>
> -+#include <unistd.h>
> -+
> -+#ifndef HAVE_CLEARENV
> -+extern char **environ;
> -+
> -+int
> -+_polkit_clearenv (void)
> -+{
> -+ if (environ != NULL)
> -+ environ[0] = NULL;
> -+ return 0;
> -+}
> -+#else
> -+int
> -+_polkit_clearenv (void)
> -+{
> -+ return clearenv ();
> -+}
> -+#endif
> -+
> -+
> -+gboolean
> -+send_dbus_message (const char *cookie, const char *user)
> -+{
> -+ PolkitAuthority *authority;
> -+ PolkitIdentity *identity;
> -+ GError *error;
> -+ gboolean ret;
> -+
> -+ ret = FALSE;
> -+
> -+ error = NULL;
> -+
> -+ g_type_init ();
> -+
> -+ authority = polkit_authority_get ();
> -+
> -+ identity = polkit_unix_user_new_for_name (user, &error);
> -+ if (identity == NULL)
> -+ {
> -+ g_printerr ("Error constructing identity: %s\n", error->message);
> -+ g_error_free (error);
> -+ goto out;
> -+ }
> -+
> -+ if (!polkit_authority_authentication_agent_response_sync (authority,
> -+ cookie,
> -+ identity,
> -+ NULL,
> -+ &error))
> -+ {
> -+ g_printerr ("polkit-agent-helper-1: error response to PolicyKit daemon: %s\n", error->message);
> -+ g_error_free (error);
> -+ goto out;
> -+ }
> -+
> -+ ret = TRUE;
> -+
> -+ out:
> -+
> -+ if (identity != NULL)
> -+ g_object_unref (identity);
> -+
> -+ if (authority != NULL)
> -+ g_object_unref (authority);
> -+
> -+ return ret;
> -+}
> -+
> -+/* fflush(3) stdin and stdout and wait a little bit.
> -+ * This replaces the three-line commands at the bottom of
> -+ * polkit-agent-helper-1's main() function.
> -+ */
> -+void
> -+flush_and_wait ()
> -+{
> -+ fflush (stdout);
> -+ fflush (stderr);
> -+ usleep (10 * 1000); /* since fflush(3) seems buggy */
> -+}
> -diff --git a/src/polkitagent/polkitagenthelperprivate.h b/src/polkitagent/polkitagenthelperprivate.h
> -new file mode 100644
> -index 0000000..7294d46
> ---- /dev/null
> -+++ b/src/polkitagent/polkitagenthelperprivate.h
> -@@ -0,0 +1,45 @@
> -+/*
> -+ * Copyright (C) 2009-2010 Red Hat, Inc.
> -+ *
> -+ * This library is free software; you can redistribute it and/or
> -+ * modify it under the terms of the GNU Lesser General Public
> -+ * License as published by the Free Software Foundation; either
> -+ * version 2 of the License, or (at your option) any later version.
> -+ *
> -+ * This library is distributed in the hope that it will be useful,
> -+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
> -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
> -+ * Lesser General Public License for more details.
> -+ *
> -+ * You should have received a copy of the GNU Lesser General
> -+ * Public License along with this library; if not, write to the
> -+ * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
> -+ * Boston, MA 02110-1301, USA.
> -+ *
> -+ * Authors: David Zeuthen <davidz@redhat.com>,
> -+ * Andrew Psaltis <ampsalits@gmail.com>
> -+ */
> -+#ifndef __POLKIT_AGENT_HELPER_PRIVATE_H
> -+#define __POLKIT_AGENT_HELPER_PRIVATE_H
> -+
> -+#define _GNU_SOURCE
> -+#include <polkit/polkit.h>
> -+
> -+/* Development aid: define PAH_DEBUG to get debugging output. Do _NOT_
> -+ * enable this in production builds; it may leak passwords and other
> -+ * sensitive information.
> -+ */
> -+#undef PAH_DEBUG
> -+// #define PAH_DEBUG
> -+
> -+#ifdef HAVE_SOLARIS
> -+# define LOG_AUTHPRIV (10<<3)
> -+#endif
> -+
> -+int _polkit_clearenv (void);
> -+
> -+gboolean send_dbus_message (const char *cookie, const char *user);
> -+
> -+void flush_and_wait ();
> -+
> -+#endif /* __POLKIT_AGENT_HELPER_PRIVATE_H */
> -diff --git a/src/programs/pkexec.c b/src/programs/pkexec.c
> -index 17c191e..b0193f4 100644
> ---- a/src/programs/pkexec.c
> -+++ b/src/programs/pkexec.c
> -@@ -34,7 +34,11 @@
> - #include <grp.h>
> - #include <pwd.h>
> - #include <errno.h>
> -+
> -+#ifdef POLKIT_AUTHFW_PAM
> - #include <security/pam_appl.h>
> -+#endif /* POLKIT_AUTHFW_PAM */
> -+
> - #include <syslog.h>
> - #include <stdarg.h>
> -
> -@@ -115,6 +119,7 @@ log_message (gint level,
> -
> - /* ---------------------------------------------------------------------------------------------------- */
> -
> -+#ifdef POLKIT_AUTHFW_PAM
> - static int
> - pam_conversation_function (int n,
> - const struct pam_message **msg,
> -@@ -167,6 +172,7 @@ out:
> - pam_end (pam_h, rc);
> - return ret;
> - }
> -+#endif /* POLKIT_AUTHFW_PAM */
> -
> - /* ---------------------------------------------------------------------------------------------------- */
> -
> -@@ -741,10 +747,12 @@ main (int argc, char *argv[])
> - * TODO: The question here is whether we should clear the limits before applying them?
> - * As evident above, neither su(1) (and, for that matter, nor sudo(8)) does this.
> - */
> -+#ifdef POLKIT_AUTHFW_PAM
> - if (!open_session (pw->pw_name))
> - {
> - goto out;
> - }
> -+#endif /* POLKIT_AUTHFW_PAM */
> -
> - /* become the user */
> - if (setgroups (0, NULL) != 0)
> ---
> -1.7.1
> -
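Review bot: Deleting 0002-Add-shadow-support.patch needs a word in the commit message, because rules/polkit.make still configures with `--with-authfw=shadow`. Going by its name and the `POLKIT_AUTHFW_PAM` guards it adds to pkexec.c, the deleted patch is what provided that backend for 0.96. Please state that 0.104 carries shadow support itself, and confirm that polkit-agent-helper-1 still builds and authenticates without PAM on the target.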
> diff --git a/patches/polkit-0.96/0003-Bug-29051-Configuration-reload-on-every-query.patch b/patches/polkit-0.96/0003-Bug-29051-Configuration-reload-on-every-query.patch
> deleted file mode 100644
> index d9cf8c23bfd6..000000000000
> --- a/patches/polkit-0.96/0003-Bug-29051-Configuration-reload-on-every-query.patch
> +++ /dev/null
> @@ -1,45 +0,0 @@
> -From 779c0153fc0bd3c2e302dac1979d17638f054229 Mon Sep 17 00:00:00 2001
> -From: =?UTF-8?q?Petr=20Mr=C3=A1zek?= <peterix@gmail.com>
> -Date: Wed, 14 Jul 2010 02:59:12 +0200
> -Subject: [PATCH 3/3] =?UTF-8?q?Bug=2029051=20=E2=80=93=20Configuration=20reload=20on=20every=20query?=
> -MIME-Version: 1.0
> -Content-Type: text/plain; charset=UTF-8
> -Content-Transfer-Encoding: 8bit
> -
> -Set has_data to true after the data is loaded to prevent excessive
> -reloading of config files.
> -
> -Signed-off-by: David Zeuthen <davidz@redhat.com>
> ----
> - src/polkitbackend/polkitbackendconfigsource.c | 1 +
> - .../polkitbackendlocalauthorizationstore.c | 2 ++
> - 2 files changed, 3 insertions(+), 0 deletions(-)
> -
> -diff --git a/src/polkitbackend/polkitbackendconfigsource.c b/src/polkitbackend/polkitbackendconfigsource.c
> -index 224d0d0..465da96 100644
> ---- a/src/polkitbackend/polkitbackendconfigsource.c
> -+++ b/src/polkitbackend/polkitbackendconfigsource.c
> -@@ -386,6 +386,7 @@ polkit_backend_config_source_ensure (PolkitBackendConfigSource *source)
> - }
> -
> - source->priv->key_files = g_list_reverse (source->priv->key_files);
> -+ source->priv->has_data = TRUE;
> -
> - out:
> - g_list_foreach (files, (GFunc) g_object_unref, NULL);
> -diff --git a/src/polkitbackend/polkitbackendlocalauthorizationstore.c b/src/polkitbackend/polkitbackendlocalauthorizationstore.c
> -index 5d5dc14..b959269 100644
> ---- a/src/polkitbackend/polkitbackendlocalauthorizationstore.c
> -+++ b/src/polkitbackend/polkitbackendlocalauthorizationstore.c
> -@@ -641,6 +641,8 @@ polkit_backend_local_authorization_store_ensure (PolkitBackendLocalAuthorization
> - g_free (filename);
> - }
> -
> -+ store->priv->has_data = TRUE;
> -+
> - out:
> - g_list_foreach (files, (GFunc) g_object_unref, NULL);
> - g_list_free (files);
> ---
> -1.7.1
> -
> diff --git a/patches/polkit-0.96/autogen.sh b/patches/polkit-0.96/autogen.sh
> deleted file mode 120000
> index 9f8a4cb7ddcb..000000000000
> --- a/patches/polkit-0.96/autogen.sh
> +++ /dev/null
> @@ -1 +0,0 @@
> -../autogen.sh
> \ No newline at end of file
> diff --git a/patches/polkit-0.96/series b/patches/polkit-0.96/series
> deleted file mode 100644
> index ee29cd64eb79..000000000000
> --- a/patches/polkit-0.96/series
> +++ /dev/null
> @@ -1,3 +0,0 @@
> -0001-Bug-26982-pkexec-information-disclosure-vulnerabilit.patch
> -0002-Add-shadow-support.patch
> -0003-Bug-29051-Configuration-reload-on-every-query.patch
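Review bot: The series removal drops 0001-Bug-26982-pkexec-information-disclosure-vulnerabilit.patch, a security fix, together with 0003, while the commit message consists of the Signed-off-by line only. Add a sentence saying that the Bug 26982 and Bug 29051 fixes are part of 0.104, so that nobody has to diff the new tarball to confirm the pkexec fix was not lost in the bump.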
> diff --git a/rules/polkit.in b/rules/polkit.in
> index d28de7c67e91..4edfccd2194f 100644
> --- a/rules/polkit.in
> +++ b/rules/polkit.in
> @@ -1,14 +1,26 @@
> ## SECTION=system_libraries
>
> -config POLKIT
> +menuconfig POLKIT
> tristate
> - prompt "policykit-1"
> + prompt "policykit-1 "
> select LIBC_CRYPT
> select HOST_INTLTOOL
> select HOST_GTK_DOC
> + select EXPAT
> select GLIB
> select DBUS_GLIB
> select EGGDBUS
> + select SYSTEMD_LOGIND if POLKIT_SYSTEMD
This does not work. We need libsystemd-login and this does not generate the
necessary dependencies. Select 'SYSTEMD' here as well...
> help
> PolicyKit offers an infrastructure for security policies for
> dbus applications.
> +
> +if POLKIT
> +
> +config POLKIT_SYSTEMD
> + bool "systemd based session tracking"
> + default y if SYSTEMD
...and use 'default INITMETHOD_SYSTEMD' here. We do the same in dbus.
Michael
> + help
> + Use systemd for session tracking, else ConsoleKit is used
> +
> +endif
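Review bot: The help text of POLKIT_SYSTEMD says ConsoleKit is used when the option is off, but nothing in this hunk selects or otherwise requires a ConsoleKit package for that case, so a configuration without systemd can end up with no session tracking on the target. Either add the matching select for the `!POLKIT_SYSTEMD` case or say in the help text that ConsoleKit has to be enabled separately.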
> diff --git a/rules/polkit.make b/rules/polkit.make
> index b702a1b50d90..376315f929f8 100644
> --- a/rules/polkit.make
> +++ b/rules/polkit.make
> @@ -16,8 +16,8 @@ PACKAGES-$(PTXCONF_POLKIT) += polkit
> #
> # Paths and names
> #
> -POLKIT_VERSION := 0.96
> -POLKIT_MD5 := e0a06da501b04ed3bab986a9df5b5aa2
> +POLKIT_VERSION := 0.104
> +POLKIT_MD5 := e380b4c6fb1e7bccf854e92edc0a8ce1
> POLKIT := polkit-$(POLKIT_VERSION)
> POLKIT_SUFFIX := tar.gz
> POLKIT_URL := http://hal.freedesktop.org/releases/$(POLKIT).$(POLKIT_SUFFIX)
> @@ -28,19 +28,19 @@ POLKIT_DIR := $(BUILDDIR)/$(POLKIT)
> # Prepare
> # ----------------------------------------------------------------------------
>
> -#
> -# autoconf
> -#
> -POLKIT_AUTOCONF := \
> +POLKIT_CONF_TOOL := autoconf
> +POLKIT_CONF_OPT := \
> $(CROSS_AUTOCONF_USR) \
> - --enable-shared \
> - --enable-static \
> + $(GLOBAL_LARGE_FILE_OPTION) \
> --disable-ansi \
> --disable-verbose-mode \
> --disable-man-pages \
> --disable-gtk-doc \
> - --disable-examples \
> + --disable-gtk-doc-html \
> + --$(call ptx/endis, PTXCONF_POLKIT_SYSTEMD)-systemd \
> --disable-introspection \
> + --disable-examples \
> + --disable-nls \
> --with-gnu-ld \
> --with-authfw=shadow \
> --with-os-type=ptxdist
> @@ -65,6 +65,7 @@ $(STATEDIR)/polkit.targetinstall:
> /usr/share/dbus-1/system-services/org.freedesktop.PolicyKit1.service)
>
> # config
> + @$(call install_copy, polkit, 0, 0, 700, /etc/polkit-1/localauthority)
> @$(call install_copy, polkit, 0, 0, 0644, -, \
> /etc/polkit-1/localauthority.conf.d/50-localauthority.conf)
> @$(call install_copy, polkit, 0, 0, 0644, -, \
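Review bot: The mode on the new `/etc/polkit-1/localauthority` line is written `700`, while every other install_copy call in this file uses four digits (`0644`, `0755`, `4755`). Write `0700` here, and likewise on the `/var/lib/polkit-1` line added in the last hunk, so the root-only permissions on both directories are unambiguous when someone reads the rule file later.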
> @@ -79,8 +80,6 @@ $(STATEDIR)/polkit.targetinstall:
>
> @$(call install_copy, polkit, 0, 0, 0644, -, \
> /usr/lib/polkit-1/extensions/libnullbackend.so)
> - @$(call install_copy, polkit, 0, 0, 0644, -, \
> - /usr/lib/polkit-1/extensions/libpkexec-action-lookup.so)
>
> # binaries
> @$(call install_copy, polkit, 0, 0, 0755, -, /usr/bin/pkaction)
> @@ -93,6 +92,9 @@ $(STATEDIR)/polkit.targetinstall:
> @$(call install_copy, polkit, 0, 0, 4755, -, \
> /usr/libexec/polkit-agent-helper-1)
>
> +# run-time
> + @$(call install_copy, polkit, 0, 0, 700, /var/lib/polkit-1)
> +
> @$(call install_finish, polkit)
>
> @$(call touch)
> --
> Pengutronix e.K. | Juergen Borleis |
> Industrial Linux Solutions | http://www.pengutronix.de/ |
>
> --
> ptxdist mailing list
> ptxdist@pengutronix.de
>
--
Pengutronix e.K. | |
Industrial Linux Solutions | http://www.pengutronix.de/ |
Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
--
ptxdist mailing list
ptxdist@pengutronix.de