Date: Sat, 21 Mar 2015 18:21:13 +0100 From: Michael Olbrich Message-ID: <20150321172113.GM20453@pengutronix.de> In-Reply-To: <201503161424.05539.jbe@pengutronix.de> Subject: Re: [ptxdist] [APTCH] polkit: version bump 0.96 -> 0.104 To: ptxdist@pengutronix.de On Mon, Mar 16, 2015 at 02:24:05PM +0100, Juergen Borleis wrote: > Signed-off-by: Juergen Borleis > = > diff --git a/patches/polkit-0.96/0001-Bug-26982-pkexec-information-disclo= sure-vulnerabilit.patch b/patches/polkit-0.96/0001-Bug-26982-pkexec-informa= tion-disclosure-vulnerabilit.patch > deleted file mode 100644 > index 3c8efb61bdbd..000000000000 > --- a/patches/polkit-0.96/0001-Bug-26982-pkexec-information-disclosure-vu= lnerabilit.patch > +++ /dev/null 
> @@ -1,68 +0,0 @@ > -From 14bdfd816512a82b1ad258fa143ae5faa945df8a Mon Sep 17 00:00:00 2001 > -From: Dan Rosenberg > -Date: Wed, 10 Mar 2010 12:46:19 -0500 > -Subject: [PATCH 1/3] =3D?UTF-8?q?Bug=3D2026982=3D20=3DE2=3D80=3D93=3D20p= kexec=3D20information=3D20disclosure=3D20vulnerability?=3D > -MIME-Version: 1.0 > -Content-Type: text/plain; charset=3DUTF-8 > -Content-Transfer-Encoding: 8bit > - > -pkexec is vulnerable to a minor information disclosure vulnerability > -that allows an attacker to verify whether or not arbitrary files > -exist, violating directory permissions. I reproduced the issue on my > -Karmic installation as follows: > - > - $ mkdir secret > - $ sudo chown root:root secret > - $ sudo chmod 400 secret > - $ sudo touch secret/hidden > - $ pkexec /home/drosenbe/secret/hidden > - (password prompt) > - $ pkexec /home/drosenbe/secret/doesnotexist > - Error getting information about /home/drosenbe/secret/doesnotexist: No = such > - file or directory > - > -I've attached my patch for the issue. I replaced the stat() call > -entirely with access() using F_OK, so rather than check that the > -target exists, pkexec now checks if the user has permission to verify > -the existence of the program. There might be another way of doing > -this, such as chdir()'ing to the parent directory of the target and > -calling lstat(), but this seemed like more code than necessary to > -prevent such a minor problem. I see no reason to allow pkexec to > -execute targets that are not accessible to the executing user because > -of directory permissions. This is such a limited use case anyway that > -this doesn't really affect functionality. 
> - > -http://bugs.freedesktop.org/show_bug.cgi?id=3D26982 > - > -Signed-off-by: David Zeuthen > ---- > - src/programs/pkexec.c | 5 ++--- > - 1 files changed, 2 insertions(+), 3 deletions(-) > - > -diff --git a/src/programs/pkexec.c b/src/programs/pkexec.c > -index 860e665..17c191e 100644 > ---- a/src/programs/pkexec.c > -+++ b/src/programs/pkexec.c > -@@ -411,7 +411,6 @@ main (int argc, char *argv[]) > - gchar *opt_user; > - pid_t pid_of_caller; > - uid_t uid_of_caller; > -- struct stat statbuf; > - = > - ret =3D 127; > - authority =3D NULL; > -@@ -520,9 +519,9 @@ main (int argc, char *argv[]) > - g_free (path); > - argv[n] =3D path =3D s; > - } > -- if (stat (path, &statbuf) !=3D 0) > -+ if (access (path, F_OK) !=3D 0) > - { > -- g_printerr ("Error getting information about %s: %s\n", path, g_s= trerror (errno)); > -+ g_printerr ("Error accessing %s: %s\n", path, g_strerror (errno)); > - goto out; > - } > - command_line =3D g_strjoinv (" ", argv + n); > --- = > -1.7.1 > - > diff --git a/patches/polkit-0.96/0002-Add-shadow-support.patch b/patches/= polkit-0.96/0002-Add-shadow-support.patch > deleted file mode 100644 > index b9119e13fb0f..000000000000 > --- a/patches/polkit-0.96/0002-Add-shadow-support.patch > +++ /dev/null 
> @@ -1,1083 +0,0 @@ > -From a2edcef54d2ab1a92f729e34dfa0c183b2533c61 Mon Sep 17 00:00:00 2001 > -From: Andrew Psaltis > -Date: Mon, 28 Jun 2010 22:04:00 -0400 > -Subject: [PATCH 2/3] Add shadow support > - > -Added support for the shadow authentication framework instead of PAM. > -Enable it by passing --with-authfw=3Dshadow to configure. > - > -This is done by splitting the polkitagenthelper source into separate > -parts, one that does auth with PAM, and another that does auth with > -shadow, sharing functions where appropriate. > - > -Also, all PAM-dependendent code in all other files has been #ifdef'd. > -The only affected file is src/programs/pkexec.c > - > -Signed-off-by: David Zeuthen > ---- > - src/polkitagent/Makefile.am | 9 +- > - src/polkitagent/polkitagenthelper-pam.c | 264 ++++++++++++++++++++++ > - src/polkitagent/polkitagenthelper-shadow.c | 198 ++++++++++++++++ > - src/polkitagent/polkitagenthelper.c | 339 ---------------------= ------- > - src/polkitagent/polkitagenthelperprivate.c | 106 +++++++++ > - src/polkitagent/polkitagenthelperprivate.h | 45 ++++ > - src/programs/pkexec.c | 8 + > - 7 files changed, 629 insertions(+), 340 deletions(-) > - create mode 100644 src/polkitagent/polkitagenthelper-pam.c > - create mode 100644 src/polkitagent/polkitagenthelper-shadow.c > - delete mode 100644 src/polkitagent/polkitagenthelper.c > - create mode 100644 src/polkitagent/polkitagenthelperprivate.c > - create mode 100644 src/polkitagent/polkitagenthelperprivate.h > - > -diff --git a/src/polkitagent/Makefile.am b/src/polkitagent/Makefile.am > -index 3f38329..820be4d 100644 > ---- a/src/polkitagent/Makefile.am > -+++ b/src/polkitagent/Makefile.am > -@@ -68,9 +68,16 @@ libpolkit_agent_1_la_LDFLAGS =3D -export-symbols-rege= x '(^polkit_.*)' > - libexec_PROGRAMS =3D polkit-agent-helper-1 > - = > - polkit_agent_helper_1_SOURCES =3D \ > -- polkitagenthelper.c \ > -+ polkitagenthelperprivate.c polkitagenthelperprivate.h \ > - $(NULL) > - = > -+if POLKIT_AUTHFW_PAM > 
-+polkit_agent_helper_1_SOURCES +=3D polkitagenthelper-pam.c > -+endif > -+if POLKIT_AUTHFW_SHADOW > -+polkit_agent_helper_1_SOURCES +=3D polkitagenthelper-shadow.c > -+endif > -+ > - polkit_agent_helper_1_CFLAGS =3D \ > - -D_POLKIT_COMPILATION \ > - $(GLIB_CFLAGS) \ > -diff --git a/src/polkitagent/polkitagenthelper-pam.c b/src/polkitagent/p= olkitagenthelper-pam.c > -new file mode 100644 > -index 0000000..5e8b54c > ---- /dev/null > -+++ b/src/polkitagent/polkitagenthelper-pam.c > -@@ -0,0 +1,264 @@ > -+/* > -+ * Copyright (C) 2008, 2010 Red Hat, Inc. > -+ * > -+ * This library is free software; you can redistribute it and/or > -+ * modify it under the terms of the GNU Lesser General Public > -+ * License as published by the Free Software Foundation; either > -+ * version 2 of the License, or (at your option) any later version. > -+ * > -+ * This library is distributed in the hope that it will be useful, > -+ * but WITHOUT ANY WARRANTY; without even the implied warranty of > -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU > -+ * Lesser General Public License for more details. > -+ * > -+ * You should have received a copy of the GNU Lesser General > -+ * Public License along with this library; if not, write to the > -+ * Free Software Foundation, Inc., 59 Temple Place, Suite 330, > -+ * Boston, MA 02111-1307, USA. 
> -+ * > -+ * Author: David Zeuthen > -+ */ > -+ > -+#include "config.h" > -+#include "polkitagenthelperprivate.h" > -+ > -+#include > -+#include > -+#include > -+#include > -+#include > -+#include > -+#include > -+#include > -+ > -+#include > -+ > -+static int conversation_function (int n, const struct pam_message **msg= , struct pam_response **resp, void *data); > -+ > -+int > -+main (int argc, char *argv[]) > -+{ > -+ int rc; > -+ const char *user_to_auth; > -+ const char *cookie; > -+ struct pam_conv pam_conversation; > -+ pam_handle_t *pam_h; > -+ const void *authed_user; > -+ > -+ rc =3D 0; > -+ pam_h =3D NULL; > -+ > -+ /* clear the entire environment to avoid attacks using with libraries= honoring environment variables */ > -+ if (_polkit_clearenv () !=3D 0) > -+ goto error; > -+ > -+ /* set a minimal environment */ > -+ setenv ("PATH", "/usr/sbin:/usr/bin:/sbin:/bin", 1); > -+ > -+ /* check that we are setuid root */ > -+ if (geteuid () !=3D 0) > -+ { > -+ fprintf (stderr, "polkit-agent-helper-1: needs to be setuid root\= n"); > -+ goto error; > -+ } > -+ > -+ openlog ("polkit-agent-helper-1", LOG_CONS | LOG_PID, LOG_AUTHPRIV); > -+ > -+ /* check for correct invocation */ > -+ if (argc !=3D 3) > -+ { > -+ syslog (LOG_NOTICE, "inappropriate use of helper, wrong number of= arguments [uid=3D%d]", getuid ()); > -+ fprintf (stderr, "polkit-agent-helper-1: wrong number of argument= s. This incident has been logged.\n"); > -+ goto error; > -+ } > -+ > -+ user_to_auth =3D argv[1]; > -+ cookie =3D argv[2]; > -+ > -+ if (getuid () !=3D 0) > -+ { > -+ /* check we're running with a non-tty stdin */ > -+ if (isatty (STDIN_FILENO) !=3D 0) > -+ { > -+ syslog (LOG_NOTICE, "inappropriate use of helper, stdin is a = tty [uid=3D%d]", getuid ()); > -+ fprintf (stderr, "polkit-agent-helper-1: inappropriate use of= helper, stdin is a tty. 
This incident has been logged.\n"); > -+ goto error; > -+ } > -+ } > -+ > -+#ifdef PAH_DEBUG > -+ fprintf (stderr, "polkit-agent-helper-1: user to auth is '%s'.\n", us= er_to_auth); > -+#endif /* PAH_DEBUG */ > -+ > -+ pam_conversation.conv =3D conversation_function; > -+ pam_conversation.appdata_ptr =3D NULL; > -+ > -+ /* start the pam stack */ > -+ rc =3D pam_start ("polkit-1", > -+ user_to_auth, > -+ &pam_conversation, > -+ &pam_h); > -+ if (rc !=3D PAM_SUCCESS) > -+ { > -+ fprintf (stderr, "polkit-agent-helper-1: pam_start failed: %s\n",= pam_strerror (pam_h, rc)); > -+ goto error; > -+ } > -+ > -+ /* set the requesting user */ > -+ rc =3D pam_set_item (pam_h, PAM_RUSER, user_to_auth); > -+ if (rc !=3D PAM_SUCCESS) > -+ { > -+ fprintf (stderr, "polkit-agent-helper-1: pam_set_item failed: %s\= n", pam_strerror (pam_h, rc)); > -+ goto error; > -+ } > -+ > -+ /* is user really user? */ > -+ rc =3D pam_authenticate (pam_h, 0); > -+ if (rc !=3D PAM_SUCCESS) > -+ { > -+ fprintf (stderr, "polkit-agent-helper-1: pam_authenticated failed= : %s\n", pam_strerror (pam_h, rc)); > -+ goto error; > -+ } > -+ > -+ /* permitted access? */ > -+ rc =3D pam_acct_mgmt (pam_h, 0); > -+ if (rc !=3D PAM_SUCCESS) > -+ { > -+ fprintf (stderr, "polkit-agent-helper-1: pam_acct_mgmt failed: %s= \n", pam_strerror (pam_h, rc)); > -+ goto error; > -+ } > -+ > -+ /* did we auth the right user? 
*/ > -+ rc =3D pam_get_item (pam_h, PAM_USER, &authed_user); > -+ if (rc !=3D PAM_SUCCESS) > -+ { > -+ fprintf (stderr, "polkit-agent-helper-1: pam_get_item failed: %s\= n", pam_strerror (pam_h, rc)); > -+ goto error; > -+ } > -+ > -+ if (strcmp (authed_user, user_to_auth) !=3D 0) > -+ { > -+ fprintf (stderr, "polkit-agent-helper-1: Tried to auth user '%s' = but we got auth for user '%s' instead", > -+ user_to_auth, (const char *) authed_user); > -+ goto error; > -+ } > -+ > -+#ifdef PAH_DEBUG > -+ fprintf (stderr, "polkit-agent-helper-1: successfully authenticated u= ser '%s'.\n", user_to_auth); > -+#endif /* PAH_DEBUG */ > -+ > -+ pam_end (pam_h, rc); > -+ pam_h =3D NULL; > -+ > -+#ifdef PAH_DEBUG > -+ fprintf (stderr, "polkit-agent-helper-1: sending D-Bus message to Pol= icyKit daemon\n"); > -+#endif /* PAH_DEBUG */ > -+ > -+ /* now send a D-Bus message to the PolicyKit daemon that > -+ * includes a) the cookie; and b) the user we authenticated > -+ */ > -+ if (!send_dbus_message (cookie, user_to_auth)) > -+ { > -+#ifdef PAH_DEBUG > -+ fprintf (stderr, "polkit-agent-helper-1: error sending D-Bus mess= age to PolicyKit daemon\n"); > -+#endif /* PAH_DEBUG */ > -+ goto error; > -+ } > -+ > -+#ifdef PAH_DEBUG > -+ fprintf (stderr, "polkit-agent-helper-1: successfully sent D-Bus mess= age to PolicyKit daemon\n"); > -+#endif /* PAH_DEBUG */ > -+ > -+ fprintf (stdout, "SUCCESS\n"); > -+ flush_and_wait(); > -+ return 0; > -+ > -+error: > -+ if (pam_h !=3D NULL) > -+ pam_end (pam_h, rc); > -+ > -+ fprintf (stdout, "FAILURE\n"); > -+ flush_and_wait(); > -+ return 1; > -+} > -+ > -+static int > -+conversation_function (int n, const struct pam_message **msg, struct pa= m_response **resp, void *data) > -+{ > -+ struct pam_response *aresp; > -+ char buf[PAM_MAX_RESP_SIZE]; > -+ int i; > -+ > -+ data =3D data; > -+ if (n <=3D 0 || n > PAM_MAX_NUM_MSG) > -+ return PAM_CONV_ERR; > -+ > -+ if ((aresp =3D calloc(n, sizeof *aresp)) =3D=3D NULL) > -+ return PAM_BUF_ERR; > -+ > -+ 
for (i =3D 0; i < n; ++i) > -+ { > -+ aresp[i].resp_retcode =3D 0; > -+ aresp[i].resp =3D NULL; > -+ switch (msg[i]->msg_style) > -+ { > -+ > -+ case PAM_PROMPT_ECHO_OFF: > -+ fprintf (stdout, "PAM_PROMPT_ECHO_OFF "); > -+ goto conv1; > -+ > -+ case PAM_PROMPT_ECHO_ON: > -+ fprintf (stdout, "PAM_PROMPT_ECHO_ON "); > -+ conv1: > -+ fputs (msg[i]->msg, stdout); > -+ if (strlen (msg[i]->msg) > 0 && msg[i]->msg[strlen (msg[i]->m= sg) - 1] !=3D '\n') > -+ fputc ('\n', stdout); > -+ fflush (stdout); > -+ > -+ if (fgets (buf, sizeof buf, stdin) =3D=3D NULL) > -+ goto error; > -+ > -+ if (strlen (buf) > 0 && > -+ buf[strlen (buf) - 1] =3D=3D '\n') > -+ buf[strlen (buf) - 1] =3D '\0'; > -+ > -+ aresp[i].resp =3D strdup (buf); > -+ if (aresp[i].resp =3D=3D NULL) > -+ goto error; > -+ break; > -+ > -+ case PAM_ERROR_MSG: > -+ fprintf (stdout, "PAM_ERROR_MSG "); > -+ goto conv2; > -+ > -+ case PAM_TEXT_INFO: > -+ fprintf (stdout, "PAM_TEXT_INFO "); > -+ conv2: > -+ fputs (msg[i]->msg, stdout); > -+ if (strlen (msg[i]->msg) > 0 && > -+ msg[i]->msg[strlen (msg[i]->msg) - 1] !=3D '\n') > -+ fputc ('\n', stdout); > -+ fflush (stdout); > -+ break; > -+ > -+ default: > -+ goto error; > -+ } > -+ } > -+ > -+ *resp =3D aresp; > -+ return PAM_SUCCESS; > -+ > -+error: > -+ > -+ for (i =3D 0; i < n; ++i) > -+ { > -+ if (aresp[i].resp !=3D NULL) { > -+ memset (aresp[i].resp, 0, strlen(aresp[i].resp)); > -+ free (aresp[i].resp); > -+ } > -+ } > -+ memset (aresp, 0, n * sizeof *aresp); > -+ *resp =3D NULL; > -+ return PAM_CONV_ERR; > -+} > -diff --git a/src/polkitagent/polkitagenthelper-shadow.c b/src/polkitagen= t/polkitagenthelper-shadow.c > -new file mode 100644 > -index 0000000..a4f73ac > ---- /dev/null > -+++ b/src/polkitagent/polkitagenthelper-shadow.c > -@@ -0,0 +1,198 @@ > -+/* > -+ * Copyright (C) 2008 Red Hat, Inc. 
> -+ * Copyright (C) 2009-2010 Andrew Psaltis > -+ * > -+ * This library is free software; you can redistribute it and/or > -+ * modify it under the terms of the GNU Lesser General Public > -+ * License as published by the Free Software Foundation; either > -+ * version 2 of the License, or (at your option) any later version. > -+ * > -+ * This library is distributed in the hope that it will be useful, > -+ * but WITHOUT ANY WARRANTY; without even the implied warranty of > -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU > -+ * Lesser General Public License for more details. > -+ * > -+ * You should have received a copy of the GNU Lesser General > -+ * Public License along with this library; if not, write to the > -+ * Free Software Foundation, Inc., 59 Temple Place, Suite 330, > -+ * Boston, MA 02111-1307, USA. > -+ * > -+ * Authors: Andrew Psaltis , based on > -+ * polkitagenthelper.c which was written by > -+ * David Zeuthen > -+ */ > -+ > -+#include "config.h" > -+#include "polkitagenthelperprivate.h" > -+ > -+#include > -+#include > -+#include > -+#include > -+#include > -+#include > -+#include > -+#include > -+#include > -+#include > -+#include > -+ > -+#include > -+ > -+static gboolean shadow_authenticate (struct spwd *shadow); > -+ > -+int > -+main (int argc, char *argv[]) > -+{ > -+ struct spwd *shadow; > -+ const char *user_to_auth; > -+ const char *cookie; > -+ time_t now; > -+ > -+ /* clear the entire environment to avoid attacks with > -+ libraries honoring environment variables */ > -+ if (_polkit_clearenv () !=3D 0) > -+ goto error; > -+ > -+ /* set a minimal environment */ > -+ setenv ("PATH", "/usr/sbin:/usr/bin:/sbin:/bin", 1); > -+ > -+ /* check that we are setuid root */ > -+ if (geteuid () !=3D 0) > -+ { > -+ fprintf (stderr, "polkit-agent-helper-1: needs to be setuid root\= n"); > -+ goto error; > -+ } > -+ > -+ openlog ("polkit-agent-helper-1", LOG_CONS | LOG_PID, LOG_AUTHPRIV); > -+ > -+ /* check for correct invocation 
*/ > -+ if (argc !=3D 3) > -+ { > -+ syslog (LOG_NOTICE, "inappropriate use of helper, wrong number of= arguments [uid=3D%d]", getuid ()); > -+ fprintf (stderr, "polkit-agent-helper-1: wrong number of argument= s. This incident has been logged.\n"); > -+ goto error; > -+ } > -+ > -+ if (getuid () !=3D 0) > -+ { > -+ /* check we're running with a non-tty stdin */ > -+ if (isatty (STDIN_FILENO) !=3D 0) > -+ { > -+ syslog (LOG_NOTICE, "inappropriate use of helper, stdin is a tt= y [uid=3D%d]", getuid ()); > -+ fprintf (stderr, "polkit-agent-helper-1: inappropriate use of h= elper, stdin is a tty. This incident has been logged.\n"); > -+ goto error; > -+ } > -+ } > -+ > -+ user_to_auth =3D argv[1]; > -+ cookie =3D argv[2]; > -+ > -+#ifdef PAH_DEBUG > -+ fprintf (stderr, "polkit-agent-helper-1: user to auth is '%s'.\n", us= er_to_auth); > -+#endif /* PAH_DEBUG */ > -+ > -+ > -+ /* Ask shadow about the user requesting authentication */ > -+ shadow =3D getspnam (user_to_auth); > -+ > -+ if (shadow =3D=3D NULL) > -+ { > -+ syslog (LOG_NOTICE, "shadow file data information request for use= r '%s' [uid=3D%d] failed", user_to_auth, getuid ()); > -+ fprintf(stderr, "polkit-agent-helper-1: could not get shadow info= rmation for '%s'", user_to_auth); > -+ goto error; > -+ } > -+ > -+ /* Check the user's identity */ > -+ if (shadow_authenticate (shadow) =3D=3D FALSE) > -+ { > -+ syslog (LOG_NOTICE, "authentication failure [uid=3D%d] trying to = authenticate '%s'", getuid (), user_to_auth); > -+ fprintf (stderr, "polkit-agent-helper-1: authentication failure. 
= This incident has been logged.\n"); > -+ goto error; > -+ } > -+ > -+ /* Check whether the user's password has expired */ > -+ now =3D time (NULL); > -+ if (shadow->sp_max >=3D 0 && (shadow->sp_lstchg + shadow->sp_max) * 6= 0 * 60 * 24 <=3D now) > -+ { > -+ syslog (LOG_NOTICE, "password expired for user '%s' [uid=3D%d] tr= ying to authenticate", user_to_auth, getuid ()); > -+ fprintf (stderr, "polkit-agent-helper-1: authorization failure. T= his incident has been logged.\n"); > -+ goto error; > -+ } > -+ > -+ /* Check whether the user's password has aged (and account expired al= ong > -+ * with it) > -+ */ > -+ if (shadow->sp_inact >=3D 0 && (shadow->sp_lstchg + shadow->sp_max + = shadow->sp_inact) * 60 * 60 * 24 <=3D now) > -+ { > -+ syslog (LOG_NOTICE, "password aged for user '%s' [uid=3D%d] tryin= g to authenticate", user_to_auth, getuid ()); > -+ fprintf (stderr, "polkit-agent-helper-1: authorization failure. T= his incident has been logged.\n"); > -+ goto error; > -+ } > -+ > -+ /* Check whether the user's account has expired */ > -+ if (shadow->sp_expire >=3D 0 && shadow->sp_expire * 60 * 60 * 24 <=3D= now) > -+ { > -+ syslog (LOG_NOTICE, "account expired for user '%s' [uid=3D%d] try= ing to authenticate", user_to_auth, getuid ()); > -+ fprintf (stderr, "polkit-agent-helper-1: authorization failure. 
T= his incident has been logged.\n"); > -+ goto error; > -+ } > -+ > -+#ifdef PAH_DEBUG > -+ fprintf (stderr, "polkit-agent-helper-1: sending D-Bus message to Pol= icyKit daemon\n"); > -+#endif /* PAH_DEBUG */ > -+ > -+ /* now send a D-Bus message to the PolicyKit daemon that > -+ * includes a) the cookie; and b) the user we authenticated > -+ */ > -+ if (!send_dbus_message (cookie, user_to_auth)) > -+ { > -+#ifdef PAH_DEBUG > -+ fprintf (stderr, "polkit-agent-helper-1: error sending D-Bus mess= age to PolicyKit daemon\n"); > -+#endif /* PAH_DEBUG */ > -+ goto error; > -+ } > -+ > -+#ifdef PAH_DEBUG > -+ fprintf (stderr, "polkit-agent-helper-1: successfully sent D-Bus mess= age to PolicyKit daemon\n"); > -+#endif /* PAH_DEBUG */ > -+ > -+ fprintf (stdout, "SUCCESS\n"); > -+ flush_and_wait (); > -+ return 0; > -+ > -+error: > -+ fprintf (stdout, "FAILURE\n"); > -+ flush_and_wait (); > -+ return 1; > -+} > -+ > -+static gboolean > -+shadow_authenticate (struct spwd *shadow) > -+{ > -+ char passwd[512], *crypt_pass; > -+ > -+ fprintf (stdout, "PAM_PROMPT_ECHO_OFF password:\n"); > -+ fflush (stdout); > -+ usleep (10 * 1000); /* since fflush(3) seems buggy */ > -+ > -+ if (fgets (passwd, sizeof (passwd), stdin) =3D=3D NULL) > -+ goto error; > -+ > -+ if (strlen (passwd) > 0 && passwd[strlen (passwd) - 1] =3D=3D '\n') > -+ passwd[strlen (passwd) - 1] =3D '\0'; > -+ > -+ /* Use the encrypted password as the salt, according to the crypt(3) = man page, > -+ * it will perform whatever encryption method is specified in /etc/sh= adow > -+ */ > -+ crypt_pass =3D crypt (passwd, shadow->sp_pwdp); > -+ > -+ if (crypt_pass =3D=3D NULL) > -+ goto error; > -+ > -+ if (strcmp (shadow->sp_pwdp, crypt (passwd, shadow->sp_pwdp)) !=3D 0) > -+ goto error; > -+ return 1; > -+error: > -+ return 0; > -+} > -diff --git a/src/polkitagent/polkitagenthelper.c b/src/polkitagent/polki= tagenthelper.c > -deleted file mode 100644 > -index cca86db..0000000 > ---- a/src/polkitagent/polkitagenthelper.c 
> -+++ /dev/null > -@@ -1,339 +0,0 @@ > --/* > -- * Copyright (C) 2008 Red Hat, Inc. > -- * > -- * This library is free software; you can redistribute it and/or > -- * modify it under the terms of the GNU Lesser General Public > -- * License as published by the Free Software Foundation; either > -- * version 2 of the License, or (at your option) any later version. > -- * > -- * This library is distributed in the hope that it will be useful, > -- * but WITHOUT ANY WARRANTY; without even the implied warranty of > -- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU > -- * Lesser General Public License for more details. > -- * > -- * You should have received a copy of the GNU Lesser General > -- * Public License along with this library; if not, write to the > -- * Free Software Foundation, Inc., 59 Temple Place, Suite 330, > -- * Boston, MA 02111-1307, USA. > -- * > -- * Author: David Zeuthen > -- */ > -- > --#include "config.h" > --#include > --#include > --#include > --#include > --#include > --#include > --#include > --#include > -- > --#include > -- > --#ifdef HAVE_SOLARIS > --# define LOG_AUTHPRIV (10<<3) > --#endif > -- > --#ifndef HAVE_CLEARENV > --extern char **environ; > -- > --static int > --clearenv (void) > --{ > -- if (environ !=3D NULL) > -- environ[0] =3D NULL; > -- return 0; > --} > --#endif > -- > --/* Development aid: define PAH_DEBUG to get debugging output. Do _NOT_ > -- * enable this in production builds; it may leak passwords and other > -- * sensitive information. 
> -- */ > --#undef PAH_DEBUG > --// #define PAH_DEBUG > -- > --static gboolean send_dbus_message (const char *cookie, const char *user= ); > -- > --static int conversation_function (int n, const struct pam_message **msg= , struct pam_response **resp, void *data); > -- > --int > --main (int argc, char *argv[]) > --{ > -- int rc; > -- const char *user_to_auth; > -- const char *cookie; > -- struct pam_conv pam_conversation; > -- pam_handle_t *pam_h; > -- const void *authed_user; > -- > -- rc =3D 0; > -- pam_h =3D NULL; > -- > -- /* clear the entire environment to avoid attacks using with libraries= honoring environment variables */ > -- if (clearenv () !=3D 0) > -- goto error; > -- > -- /* set a minimal environment */ > -- setenv ("PATH", "/usr/sbin:/usr/bin:/sbin:/bin", 1); > -- > -- /* check that we are setuid root */ > -- if (geteuid () !=3D 0) > -- { > -- fprintf (stderr, "polkit-agent-helper-1: needs to be setuid root\= n"); > -- goto error; > -- } > -- > -- openlog ("polkit-agent-helper-1", LOG_CONS | LOG_PID, LOG_AUTHPRIV); > -- > -- /* check for correct invocation */ > -- if (argc !=3D 3) > -- { > -- syslog (LOG_NOTICE, "inappropriate use of helper, wrong number of= arguments [uid=3D%d]", getuid ()); > -- fprintf (stderr, "polkit-agent-helper-1: wrong number of argument= s. This incident has been logged.\n"); > -- goto error; > -- } > -- > -- user_to_auth =3D argv[1]; > -- cookie =3D argv[2]; > -- > -- if (getuid () !=3D 0) > -- { > -- /* check we're running with a non-tty stdin */ > -- if (isatty (STDIN_FILENO) !=3D 0) > -- { > -- syslog (LOG_NOTICE, "inappropriate use of helper, stdin is a = tty [uid=3D%d]", getuid ()); > -- fprintf (stderr, "polkit-agent-helper-1: inappropriate use of= helper, stdin is a tty. 
This incident has been logged.\n"); > -- goto error; > -- } > -- } > -- > --#ifdef PAH_DEBUG > -- fprintf (stderr, "polkit-agent-helper-1: user to auth is '%s'.\n", us= er_to_auth); > --#endif /* PAH_DEBUG */ > -- > -- pam_conversation.conv =3D conversation_function; > -- pam_conversation.appdata_ptr =3D NULL; > -- > -- /* start the pam stack */ > -- rc =3D pam_start ("polkit-1", > -- user_to_auth, > -- &pam_conversation, > -- &pam_h); > -- if (rc !=3D PAM_SUCCESS) > -- { > -- fprintf (stderr, "polkit-agent-helper-1: pam_start failed: %s\n",= pam_strerror (pam_h, rc)); > -- goto error; > -- } > -- > -- /* set the requesting user */ > -- rc =3D pam_set_item (pam_h, PAM_RUSER, user_to_auth); > -- if (rc !=3D PAM_SUCCESS) > -- { > -- fprintf (stderr, "polkit-agent-helper-1: pam_set_item failed: %s\= n", pam_strerror (pam_h, rc)); > -- goto error; > -- } > -- > -- /* is user really user? */ > -- rc =3D pam_authenticate (pam_h, 0); > -- if (rc !=3D PAM_SUCCESS) > -- { > -- fprintf (stderr, "polkit-agent-helper-1: pam_authenticated failed= : %s\n", pam_strerror (pam_h, rc)); > -- goto error; > -- } > -- > -- /* permitted access? */ > -- rc =3D pam_acct_mgmt (pam_h, 0); > -- if (rc !=3D PAM_SUCCESS) > -- { > -- fprintf (stderr, "polkit-agent-helper-1: pam_acct_mgmt failed: %s= \n", pam_strerror (pam_h, rc)); > -- goto error; > -- } > -- > -- /* did we auth the right user? 
*/ > -- rc =3D pam_get_item (pam_h, PAM_USER, &authed_user); > -- if (rc !=3D PAM_SUCCESS) > -- { > -- fprintf (stderr, "polkit-agent-helper-1: pam_get_item failed: %s\= n", pam_strerror (pam_h, rc)); > -- goto error; > -- } > -- > -- if (strcmp (authed_user, user_to_auth) !=3D 0) > -- { > -- fprintf (stderr, "polkit-agent-helper-1: Tried to auth user '%s' = but we got auth for user '%s' instead", > -- user_to_auth, (const char *) authed_user); > -- goto error; > -- } > -- > --#ifdef PAH_DEBUG > -- fprintf (stderr, "polkit-agent-helper-1: successfully authenticated u= ser '%s'.\n", user_to_auth); > --#endif /* PAH_DEBUG */ > -- > -- pam_end (pam_h, rc); > -- pam_h =3D NULL; > -- > --#ifdef PAH_DEBUG > -- fprintf (stderr, "polkit-agent-helper-1: sending D-Bus message to Pol= icyKit daemon\n"); > --#endif /* PAH_DEBUG */ > -- > -- /* now send a D-Bus message to the PolicyKit daemon that > -- * includes a) the cookie; and b) the user we authenticated > -- */ > -- if (!send_dbus_message (cookie, user_to_auth)) > -- { > --#ifdef PAH_DEBUG > -- fprintf (stderr, "polkit-agent-helper-1: error sending D-Bus mess= age to PolicyKit daemon\n"); > --#endif /* PAH_DEBUG */ > -- goto error; > -- } > -- > --#ifdef PAH_DEBUG > -- fprintf (stderr, "polkit-agent-helper-1: successfully sent D-Bus mess= age to PolicyKit daemon\n"); > --#endif /* PAH_DEBUG */ > -- > -- fprintf (stdout, "SUCCESS\n"); > -- fflush (stdout); > -- fflush (stderr); > -- usleep (10 * 1000); /* since fflush(3) seems buggy */ > -- return 0; > -- > --error: > -- if (pam_h !=3D NULL) > -- pam_end (pam_h, rc); > -- > -- fprintf (stdout, "FAILURE\n"); > -- fflush (stdout); > -- fflush (stderr); > -- usleep (10 * 1000); /* since fflush(3) seems buggy */ > -- return 1; > --} > -- > --static int > --conversation_function (int n, const struct pam_message **msg, struct pa= m_response **resp, void *data) > --{ > -- struct pam_response *aresp; > -- char buf[PAM_MAX_RESP_SIZE]; > -- int i; > -- > -- data =3D data; > -- if 
(n <=3D 0 || n > PAM_MAX_NUM_MSG) > -- return PAM_CONV_ERR; > -- > -- if ((aresp =3D calloc(n, sizeof *aresp)) =3D=3D NULL) > -- return PAM_BUF_ERR; > -- > -- for (i =3D 0; i < n; ++i) > -- { > -- aresp[i].resp_retcode =3D 0; > -- aresp[i].resp =3D NULL; > -- switch (msg[i]->msg_style) > -- { > -- > -- case PAM_PROMPT_ECHO_OFF: > -- fprintf (stdout, "PAM_PROMPT_ECHO_OFF "); > -- goto conv1; > -- > -- case PAM_PROMPT_ECHO_ON: > -- fprintf (stdout, "PAM_PROMPT_ECHO_ON "); > -- conv1: > -- fputs (msg[i]->msg, stdout); > -- if (strlen (msg[i]->msg) > 0 && msg[i]->msg[strlen (msg[i]->m= sg) - 1] !=3D '\n') > -- fputc ('\n', stdout); > -- fflush (stdout); > -- > -- if (fgets (buf, sizeof buf, stdin) =3D=3D NULL) > -- goto error; > -- > -- if (strlen (buf) > 0 && > -- buf[strlen (buf) - 1] =3D=3D '\n') > -- buf[strlen (buf) - 1] =3D '\0'; > -- > -- aresp[i].resp =3D strdup (buf); > -- if (aresp[i].resp =3D=3D NULL) > -- goto error; > -- break; > -- > -- case PAM_ERROR_MSG: > -- fprintf (stdout, "PAM_ERROR_MSG "); > -- goto conv2; > -- > -- case PAM_TEXT_INFO: > -- fprintf (stdout, "PAM_TEXT_INFO "); > -- conv2: > -- fputs (msg[i]->msg, stdout); > -- if (strlen (msg[i]->msg) > 0 && > -- msg[i]->msg[strlen (msg[i]->msg) - 1] !=3D '\n') > -- fputc ('\n', stdout); > -- fflush (stdout); > -- break; > -- > -- default: > -- goto error; > -- } > -- } > -- > -- *resp =3D aresp; > -- return PAM_SUCCESS; > -- > --error: > -- > -- for (i =3D 0; i < n; ++i) > -- { > -- if (aresp[i].resp !=3D NULL) { > -- memset (aresp[i].resp, 0, strlen(aresp[i].resp)); > -- free (aresp[i].resp); > -- } > -- } > -- memset (aresp, 0, n * sizeof *aresp); > -- *resp =3D NULL; > -- return PAM_CONV_ERR; > --} > -- > --static gboolean > --send_dbus_message (const char *cookie, const char *user) > --{ > -- PolkitAuthority *authority; > -- PolkitIdentity *identity; > -- GError *error; > -- gboolean ret; > -- > -- ret =3D FALSE; > -- > -- error =3D NULL; > -- > -- g_type_init (); > -- > -- authority =3D 
polkit_authority_get (); > -- > -- identity =3D polkit_unix_user_new_for_name (user, &error); > -- if (identity =3D=3D NULL) > -- { > -- g_printerr ("Error constructing identity: %s\n", error->message); > -- g_error_free (error); > -- goto out; > -- } > -- > -- if (!polkit_authority_authentication_agent_response_sync (authority, > -- cookie, > -- identity, > -- NULL, > -- &error)) > -- { > -- g_printerr ("polkit-agent-helper-1: error response to PolicyKit d= aemon: %s\n", error->message); > -- g_error_free (error); > -- goto out; > -- } > -- > -- ret =3D TRUE; > -- > -- out: > -- > -- if (identity !=3D NULL) > -- g_object_unref (identity); > -- > -- if (authority !=3D NULL) > -- g_object_unref (authority); > -- > -- return ret; > --} > -diff --git a/src/polkitagent/polkitagenthelperprivate.c b/src/polkitagen= t/polkitagenthelperprivate.c > -new file mode 100644 > -index 0000000..be495e9 > ---- /dev/null > -+++ b/src/polkitagent/polkitagenthelperprivate.c > -@@ -0,0 +1,106 @@ > -+/* > -+ * Copyright (C) 2009-2010 Red Hat, Inc. > -+ * > -+ * This library is free software; you can redistribute it and/or > -+ * modify it under the terms of the GNU Lesser General Public > -+ * License as published by the Free Software Foundation; either > -+ * version 2 of the License, or (at your option) any later version. > -+ * > -+ * This library is distributed in the hope that it will be useful, > -+ * but WITHOUT ANY WARRANTY; without even the implied warranty of > -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU > -+ * Lesser General Public License for more details. > -+ * > -+ * You should have received a copy of the GNU Lesser General > -+ * Public License along with this library; if not, write to the > -+ * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, > -+ * Boston, MA 02110-1301, USA. 
> -+ * > -+ * Authors: David Zeuthen , > -+ * Andrew Psaltis > -+ */ > -+ > -+#include "config.h" > -+#include "polkitagenthelperprivate.h" > -+#include > -+#include > -+#include > -+ > -+#ifndef HAVE_CLEARENV > -+extern char **environ; > -+ > -+int > -+_polkit_clearenv (void) > -+{ > -+ if (environ !=3D NULL) > -+ environ[0] =3D NULL; > -+ return 0; > -+} > -+#else > -+int > -+_polkit_clearenv (void) > -+{ > -+ return clearenv (); > -+} > -+#endif > -+ > -+ > -+gboolean > -+send_dbus_message (const char *cookie, const char *user) > -+{ > -+ PolkitAuthority *authority; > -+ PolkitIdentity *identity; > -+ GError *error; > -+ gboolean ret; > -+ > -+ ret =3D FALSE; > -+ > -+ error =3D NULL; > -+ > -+ g_type_init (); > -+ > -+ authority =3D polkit_authority_get (); > -+ > -+ identity =3D polkit_unix_user_new_for_name (user, &error); > -+ if (identity =3D=3D NULL) > -+ { > -+ g_printerr ("Error constructing identity: %s\n", error->message); > -+ g_error_free (error); > -+ goto out; > -+ } > -+ > -+ if (!polkit_authority_authentication_agent_response_sync (authority, > -+ cookie, > -+ identity, > -+ NULL, > -+ &error)) > -+ { > -+ g_printerr ("polkit-agent-helper-1: error response to PolicyKit d= aemon: %s\n", error->message); > -+ g_error_free (error); > -+ goto out; > -+ } > -+ > -+ ret =3D TRUE; > -+ > -+ out: > -+ > -+ if (identity !=3D NULL) > -+ g_object_unref (identity); > -+ > -+ if (authority !=3D NULL) > -+ g_object_unref (authority); > -+ > -+ return ret; > -+} > -+ > -+/* fflush(3) stdin and stdout and wait a little bit. > -+ * This replaces the three-line commands at the bottom of > -+ * polkit-agent-helper-1's main() function. 
> -+ */ > -+void > -+flush_and_wait () > -+{ > -+ fflush (stdout); > -+ fflush (stderr); > -+ usleep (10 * 1000); /* since fflush(3) seems buggy */ > -+} > -diff --git a/src/polkitagent/polkitagenthelperprivate.h b/src/polkitagen= t/polkitagenthelperprivate.h > -new file mode 100644 > -index 0000000..7294d46 > ---- /dev/null > -+++ b/src/polkitagent/polkitagenthelperprivate.h > -@@ -0,0 +1,45 @@ > -+/* > -+ * Copyright (C) 2009-2010 Red Hat, Inc. > -+ * > -+ * This library is free software; you can redistribute it and/or > -+ * modify it under the terms of the GNU Lesser General Public > -+ * License as published by the Free Software Foundation; either > -+ * version 2 of the License, or (at your option) any later version. > -+ * > -+ * This library is distributed in the hope that it will be useful, > -+ * but WITHOUT ANY WARRANTY; without even the implied warranty of > -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU > -+ * Lesser General Public License for more details. > -+ * > -+ * You should have received a copy of the GNU Lesser General > -+ * Public License along with this library; if not, write to the > -+ * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, > -+ * Boston, MA 02110-1301, USA. > -+ * > -+ * Authors: David Zeuthen , > -+ * Andrew Psaltis > -+ */ > -+#ifndef __POLKIT_AGENT_HELPER_PRIVATE_H > -+#define __POLKIT_AGENT_HELPER_PRIVATE_H > -+ > -+#define _GNU_SOURCE > -+#include > -+ > -+/* Development aid: define PAH_DEBUG to get debugging output. Do _NOT_ > -+ * enable this in production builds; it may leak passwords and other > -+ * sensitive information. 
> -+ */ > -+#undef PAH_DEBUG > -+// #define PAH_DEBUG > -+ > -+#ifdef HAVE_SOLARIS > -+# define LOG_AUTHPRIV (10<<3) > -+#endif > -+ > -+int _polkit_clearenv (void); > -+ > -+gboolean send_dbus_message (const char *cookie, const char *user); > -+ > -+void flush_and_wait (); > -+ > -+#endif /* __POLKIT_AGENT_HELPER_PRIVATE_H */ > -diff --git a/src/programs/pkexec.c b/src/programs/pkexec.c > -index 17c191e..b0193f4 100644 > ---- a/src/programs/pkexec.c > -+++ b/src/programs/pkexec.c > -@@ -34,7 +34,11 @@ > - #include > - #include > - #include > -+ > -+#ifdef POLKIT_AUTHFW_PAM > - #include > -+#endif /* POLKIT_AUTHFW_PAM */ > -+ > - #include > - #include > - = > -@@ -115,6 +119,7 @@ log_message (gint level, > - = > - /* --------------------------------------------------------------------= -------------------------------- */ > - = > -+#ifdef POLKIT_AUTHFW_PAM > - static int > - pam_conversation_function (int n, > - const struct pam_message **msg, > -@@ -167,6 +172,7 @@ out: > - pam_end (pam_h, rc); > - return ret; > - } > -+#endif /* POLKIT_AUTHFW_PAM */ > - = > - /* --------------------------------------------------------------------= -------------------------------- */ > - = > -@@ -741,10 +747,12 @@ main (int argc, char *argv[]) > - * TODO: The question here is whether we should clear the limits befo= re applying them? > - * As evident above, neither su(1) (and, for that matter, nor sudo(8)= ) does this. > - */ > -+#ifdef POLKIT_AUTHFW_PAM > - if (!open_session (pw->pw_name)) > - { > - goto out; > - } > -+#endif /* POLKIT_AUTHFW_PAM */ > - = > - /* become the user */ > - if (setgroups (0, NULL) !=3D 0) > --- = > -1.7.1 > - > diff --git a/patches/polkit-0.96/0003-Bug-29051-Configuration-reload-on-e= very-query.patch b/patches/polkit-0.96/0003-Bug-29051-Configuration-reload-= on-every-query.patch > deleted file mode 100644 > index d9cf8c23bfd6..000000000000 > --- a/patches/polkit-0.96/0003-Bug-29051-Configuration-reload-on-every-qu= ery.patch > +++ /dev/null 
> @@ -1,45 +0,0 @@ > -From 779c0153fc0bd3c2e302dac1979d17638f054229 Mon Sep 17 00:00:00 2001 > -From: =3D?UTF-8?q?Petr=3D20Mr=3DC3=3DA1zek?=3D > -Date: Wed, 14 Jul 2010 02:59:12 +0200 > -Subject: [PATCH 3/3] =3D?UTF-8?q?Bug=3D2029051=3D20=3DE2=3D80=3D93=3D20C= onfiguration=3D20reload=3D20on=3D20every=3D20query?=3D > -MIME-Version: 1.0 > -Content-Type: text/plain; charset=3DUTF-8 > -Content-Transfer-Encoding: 8bit > - > -Set has_data to true after the data is loaded to prevent excessive > -reloading of config files. > - > -Signed-off-by: David Zeuthen > ---- > - src/polkitbackend/polkitbackendconfigsource.c | 1 + > - .../polkitbackendlocalauthorizationstore.c | 2 ++ > - 2 files changed, 3 insertions(+), 0 deletions(-) > - > -diff --git a/src/polkitbackend/polkitbackendconfigsource.c b/src/polkitb= ackend/polkitbackendconfigsource.c > -index 224d0d0..465da96 100644 > ---- a/src/polkitbackend/polkitbackendconfigsource.c > -+++ b/src/polkitbackend/polkitbackendconfigsource.c > -@@ -386,6 +386,7 @@ polkit_backend_config_source_ensure (PolkitBackendCo= nfigSource *source) > - } > - = > - source->priv->key_files =3D g_list_reverse (source->priv->key_files); > -+ source->priv->has_data =3D TRUE; > - = > - out: > - g_list_foreach (files, (GFunc) g_object_unref, NULL); > -diff --git a/src/polkitbackend/polkitbackendlocalauthorizationstore.c b/= src/polkitbackend/polkitbackendlocalauthorizationstore.c > -index 5d5dc14..b959269 100644 > ---- a/src/polkitbackend/polkitbackendlocalauthorizationstore.c > -+++ b/src/polkitbackend/polkitbackendlocalauthorizationstore.c > -@@ -641,6 +641,8 @@ polkit_backend_local_authorization_store_ensure (Pol= kitBackendLocalAuthorization > - g_free (filename); > - } > - = > -+ store->priv->has_data =3D TRUE; > -+ > - out: > - g_list_foreach (files, (GFunc) g_object_unref, NULL); > - g_list_free (files); > --- = > -1.7.1 > - 
> diff --git a/patches/polkit-0.96/autogen.sh b/patches/polkit-0.96/autogen= .sh > deleted file mode 120000 > index 9f8a4cb7ddcb..000000000000 > --- a/patches/polkit-0.96/autogen.sh > +++ /dev/null > @@ -1 +0,0 @@ > -../autogen.sh > \ No newline at end of file > diff --git a/patches/polkit-0.96/series b/patches/polkit-0.96/series > deleted file mode 100644 > index ee29cd64eb79..000000000000 > --- a/patches/polkit-0.96/series > +++ /dev/null > @@ -1,3 +0,0 @@ > -0001-Bug-26982-pkexec-information-disclosure-vulnerabilit.patch > -0002-Add-shadow-support.patch > -0003-Bug-29051-Configuration-reload-on-every-query.patch > diff --git a/rules/polkit.in b/rules/polkit.in > index d28de7c67e91..4edfccd2194f 100644 > --- a/rules/polkit.in > +++ b/rules/polkit.in > @@ -1,14 +1,26 @@ > ## SECTION=3Dsystem_libraries > = > -config POLKIT > +menuconfig POLKIT > tristate > - prompt "policykit-1" > + prompt "policykit-1 " > select LIBC_CRYPT > select HOST_INTLTOOL > select HOST_GTK_DOC > + select EXPAT > select GLIB > select DBUS_GLIB > select EGGDBUS > + select SYSTEMD_LOGIND if POLKIT_SYSTEMD

This does not work. We need libsystemd-login and this does not generate the
necessary dependencies. Select 'SYSTEMD' here as well...

> help > PolicyKit offers an infrastructure for security policies for > dbus applications. > + > +if POLKIT > + > +config POLKIT_SYSTEMD > + bool "systemd based session tracking" > + default y if SYSTEMD

...and use 'default INITMETHOD_SYSTEMD' here. We do the same in dbus.

Michael

> + help > + Use systemd for session tracking, else ConsoleKit is used > + > +endif > diff --git a/rules/polkit.make b/rules/polkit.make > index b702a1b50d90..376315f929f8 100644 > --- a/rules/polkit.make > +++ b/rules/polkit.make
> @@ -16,8 +16,8 @@ PACKAGES-$(PTXCONF_POLKIT) +=3D polkit > # > # Paths and names > # > -POLKIT_VERSION :=3D 0.96 > -POLKIT_MD5 :=3D e0a06da501b04ed3bab986a9df5b5aa2 > +POLKIT_VERSION :=3D 0.104 > +POLKIT_MD5 :=3D e380b4c6fb1e7bccf854e92edc0a8ce1 > POLKIT :=3D polkit-$(POLKIT_VERSION) > POLKIT_SUFFIX :=3D tar.gz > POLKIT_URL :=3D http://hal.freedesktop.org/releases/$(POLKIT).$(POLKIT_S= UFFIX) > @@ -28,19 +28,19 @@ POLKIT_DIR :=3D $(BUILDDIR)/$(POLKIT) > # Prepare > # ----------------------------------------------------------------------= ------ > = > -# > -# autoconf > -# > -POLKIT_AUTOCONF :=3D \ > +POLKIT_CONF_TOOL :=3D autoconf > +POLKIT_CONF_OPT :=3D \ > $(CROSS_AUTOCONF_USR) \ > - --enable-shared \ > - --enable-static \ > + $(GLOBAL_LARGE_FILE_OPTION) \ > --disable-ansi \ > --disable-verbose-mode \ > --disable-man-pages \ > --disable-gtk-doc \ > - --disable-examples \ > + --disable-gtk-doc-html \ > + --$(call ptx/endis, PTXCONF_POLKIT_SYSTEMD)-systemd \ > --disable-introspection \ > + --disable-examples \ > + --disable-nls \ > --with-gnu-ld \ > --with-authfw=3Dshadow \ > --with-os-type=3Dptxdist > @@ -65,6 +65,7 @@ $(STATEDIR)/polkit.targetinstall: > /usr/share/dbus-1/system-services/org.freedesktop.PolicyKit1.service) > = > # config > + @$(call install_copy, polkit, 0, 0, 700, /etc/polkit-1/localauthority) > @$(call install_copy, polkit, 0, 0, 0644, -, \ > /etc/polkit-1/localauthority.conf.d/50-localauthority.conf) > @$(call install_copy, polkit, 0, 0, 0644, -, \ > @@ -79,8 +80,6 @@ $(STATEDIR)/polkit.targetinstall: > = > @$(call install_copy, polkit, 0, 0, 0644, -, \ > /usr/lib/polkit-1/extensions/libnullbackend.so) > - @$(call install_copy, polkit, 0, 0, 0644, -, \ > - /usr/lib/polkit-1/extensions/libpkexec-action-lookup.so) > = > # binaries > @$(call install_copy, polkit, 0, 0, 0755, -, /usr/bin/pkaction) 
> @@ -93,6 +92,9 @@ $(STATEDIR)/polkit.targetinstall: > @$(call install_copy, polkit, 0, 0, 4755, -, \ > /usr/libexec/polkit-agent-helper-1) > = > +# run-time > + @$(call install_copy, polkit, 0, 0, 700, /var/lib/polkit-1) > + > @$(call install_finish, polkit) > = > @$(call touch)
> --
> Pengutronix e.K.                | Juergen Borleis             |
> Industrial Linux Solutions      | http://www.pengutronix.de/  |
>
> --
> ptxdist mailing list
> ptxdist@pengutronix.de

--
Pengutronix e.K.                           |                             |
Industrial Linux Solutions                 | http://www.pengutronix.de/  |
Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |

--
ptxdist mailing list
ptxdist@pengutronix.de
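
Review bot: the commit message is only a Signed-off-by and gives no reason for dropping all three entries in the patches/polkit-0.96/series hunk (@@ -1,3 +0,0 @@) instead of porting them to 0.104. Two of them matter for the result: 0001 is the pkexec information-disclosure fix, and rules/polkit.make still passes --with-authfw=shadow, which only works if the content of 0002-Add-shadow-support.patch is part of the new tarball. Please state in the commit message that each of the three changes is included upstream in 0.104, so a later reader does not have to re-check the security fix by hand.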
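
Review bot: in the rules/polkit.in hunk (@@ -1,14 +1,26 @@) the help text of POLKIT_SYSTEMD says "else ConsoleKit is used", but nothing in the hunk selects or even names a ConsoleKit package for the case where the option is off. As written, disabling POLKIT_SYSTEMD leaves session tracking dependent on a service this rule does not provide. Either add the matching dependency for the !POLKIT_SYSTEMD case or extend the help text to say that ConsoleKit has to be supplied separately.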
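
Review bot: in the rules/polkit.make version hunk (@@ -16,8 +16,8 @@) the new POLKIT_MD5 value is the only integrity check on a tarball that the unchanged POLKIT_URL line fetches over plain http://. The transport gives no authenticity and MD5 is a deprecated hash, and this package installs a setuid-root helper (polkit-agent-helper-1, mode 4755, further down in the same file). Please confirm the digest against an independently obtained copy of polkit-0.104.tar.gz and note in the commit message how it was verified.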
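
Review bot: the directory mode in the targetinstall hunk (@@ -65,6 +65,7 @@) is written as 700 while the neighbouring install_copy lines use four-digit modes (0644, 0755), and the same applies to the /var/lib/polkit-1 line added in the @@ -93,6 +92,9 @@ hunk. Please write both as 0700 so the root-only permission on /etc/polkit-1/localauthority and /var/lib/polkit-1 is unambiguous and easy to grep for. A short comment that these two directories are intentionally not world-readable would also help whoever touches the rule next.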