From: Juergen Borleis
Date: Thu, 26 Mar 2015 09:48:04 +0100
Message-Id: <201503260948.04180.jbe@pengutronix.de>
Subject: [ptxdist] [PATCH v2] polkit: version bump 0.96 -> 0.104
To: ptxdist@pengutronix.de

Signed-off-by: Juergen Borleis

diff --git a/patches/polkit-0.96/0001-Bug-26982-pkexec-information-disclosu= re-vulnerabilit.patch b/patches/polkit-0.96/0001-Bug-26982-pkexec-informati= on-disclosure-vulnerabilit.patch deleted file mode 100644 index 3c8efb61bdbd..000000000000 --- a/patches/polkit-0.96/0001-Bug-26982-pkexec-information-disclosure-vuln= erabilit.patch +++ /dev/null
@@ -1,68 +0,0 @@ -From 14bdfd816512a82b1ad258fa143ae5faa945df8a Mon Sep 17 00:00:00 2001 -From: Dan Rosenberg -Date: Wed, 10 Mar 2010 12:46:19 -0500 -Subject: [PATCH 1/3] =3D?UTF-8?q?Bug=3D2026982=3D20=3DE2=3D80=3D93=3D20pke= xec=3D20information=3D20disclosure=3D20vulnerability?=3D -MIME-Version: 1.0 -Content-Type: text/plain; charset=3DUTF-8 -Content-Transfer-Encoding: 8bit - -pkexec is vulnerable to a minor information disclosure vulnerability -that allows an attacker to verify whether or not arbitrary files -exist, violating directory permissions. I reproduced the issue on my -Karmic installation as follows: - - $ mkdir secret - $ sudo chown root:root secret - $ sudo chmod 400 secret - $ sudo touch secret/hidden - $ pkexec /home/drosenbe/secret/hidden - (password prompt) - $ pkexec /home/drosenbe/secret/doesnotexist - Error getting information about /home/drosenbe/secret/doesnotexist: No su= ch - file or directory - -I've attached my patch for the issue. I replaced the stat() call -entirely with access() using F_OK, so rather than check that the -target exists, pkexec now checks if the user has permission to verify -the existence of the program. There might be another way of doing -this, such as chdir()'ing to the parent directory of the target and -calling lstat(), but this seemed like more code than necessary to -prevent such a minor problem. I see no reason to allow pkexec to -execute targets that are not accessible to the executing user because -of directory permissions. This is such a limited use case anyway that -this doesn't really affect functionality. 
- -http://bugs.freedesktop.org/show_bug.cgi?id=3D26982 - -Signed-off-by: David Zeuthen ---- - src/programs/pkexec.c | 5 ++--- - 1 files changed, 2 insertions(+), 3 deletions(-) - -diff --git a/src/programs/pkexec.c b/src/programs/pkexec.c -index 860e665..17c191e 100644 ---- a/src/programs/pkexec.c -+++ b/src/programs/pkexec.c -@@ -411,7 +411,6 @@ main (int argc, char *argv[]) - gchar *opt_user; - pid_t pid_of_caller; - uid_t uid_of_caller; -- struct stat statbuf; - = - ret =3D 127; - authority =3D NULL; -@@ -520,9 +519,9 @@ main (int argc, char *argv[]) - g_free (path); - argv[n] =3D path =3D s; - } -- if (stat (path, &statbuf) !=3D 0) -+ if (access (path, F_OK) !=3D 0) - { -- g_printerr ("Error getting information about %s: %s\n", path, g_str= error (errno)); -+ g_printerr ("Error accessing %s: %s\n", path, g_strerror (errno)); - goto out; - } - command_line =3D g_strjoinv (" ", argv + n); --- = -1.7.1 - diff --git a/patches/polkit-0.96/0002-Add-shadow-support.patch b/patches/po= lkit-0.96/0002-Add-shadow-support.patch deleted file mode 100644 index b9119e13fb0f..000000000000 --- a/patches/polkit-0.96/0002-Add-shadow-support.patch +++ /dev/null 
@@ -1,1083 +0,0 @@ -From a2edcef54d2ab1a92f729e34dfa0c183b2533c61 Mon Sep 17 00:00:00 2001 -From: Andrew Psaltis -Date: Mon, 28 Jun 2010 22:04:00 -0400 -Subject: [PATCH 2/3] Add shadow support - -Added support for the shadow authentication framework instead of PAM. -Enable it by passing --with-authfw=3Dshadow to configure. - -This is done by splitting the polkitagenthelper source into separate -parts, one that does auth with PAM, and another that does auth with -shadow, sharing functions where appropriate. - -Also, all PAM-dependendent code in all other files has been #ifdef'd. -The only affected file is src/programs/pkexec.c - -Signed-off-by: David Zeuthen ---- - src/polkitagent/Makefile.am | 9 +- - src/polkitagent/polkitagenthelper-pam.c | 264 ++++++++++++++++++++++ - src/polkitagent/polkitagenthelper-shadow.c | 198 ++++++++++++++++ - src/polkitagent/polkitagenthelper.c | 339 -----------------------= ----- - src/polkitagent/polkitagenthelperprivate.c | 106 +++++++++ - src/polkitagent/polkitagenthelperprivate.h | 45 ++++ - src/programs/pkexec.c | 8 + - 7 files changed, 629 insertions(+), 340 deletions(-) - create mode 100644 src/polkitagent/polkitagenthelper-pam.c - create mode 100644 src/polkitagent/polkitagenthelper-shadow.c - delete mode 100644 src/polkitagent/polkitagenthelper.c - create mode 100644 src/polkitagent/polkitagenthelperprivate.c - create mode 100644 src/polkitagent/polkitagenthelperprivate.h - -diff --git a/src/polkitagent/Makefile.am b/src/polkitagent/Makefile.am -index 3f38329..820be4d 100644 ---- a/src/polkitagent/Makefile.am -+++ b/src/polkitagent/Makefile.am -@@ -68,9 +68,16 @@ libpolkit_agent_1_la_LDFLAGS =3D -export-symbols-regex = '(^polkit_.*)' - libexec_PROGRAMS =3D polkit-agent-helper-1 - = - polkit_agent_helper_1_SOURCES =3D \ -- polkitagenthelper.c \ -+ polkitagenthelperprivate.c polkitagenthelperprivate.h \ - $(NULL) - = -+if POLKIT_AUTHFW_PAM -+polkit_agent_helper_1_SOURCES +=3D polkitagenthelper-pam.c -+endif -+if 
POLKIT_AUTHFW_SHADOW -+polkit_agent_helper_1_SOURCES +=3D polkitagenthelper-shadow.c -+endif -+ - polkit_agent_helper_1_CFLAGS =3D \ - -D_POLKIT_COMPILATION \ - $(GLIB_CFLAGS) \ -diff --git a/src/polkitagent/polkitagenthelper-pam.c b/src/polkitagent/pol= kitagenthelper-pam.c -new file mode 100644 -index 0000000..5e8b54c ---- /dev/null -+++ b/src/polkitagent/polkitagenthelper-pam.c -@@ -0,0 +1,264 @@ -+/* -+ * Copyright (C) 2008, 2010 Red Hat, Inc. -+ * -+ * This library is free software; you can redistribute it and/or -+ * modify it under the terms of the GNU Lesser General Public -+ * License as published by the Free Software Foundation; either -+ * version 2 of the License, or (at your option) any later version. -+ * -+ * This library is distributed in the hope that it will be useful, -+ * but WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+ * Lesser General Public License for more details. -+ * -+ * You should have received a copy of the GNU Lesser General -+ * Public License along with this library; if not, write to the -+ * Free Software Foundation, Inc., 59 Temple Place, Suite 330, -+ * Boston, MA 02111-1307, USA. 
-+ * -+ * Author: David Zeuthen -+ */ -+ -+#include "config.h" -+#include "polkitagenthelperprivate.h" -+ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+ -+#include -+ -+static int conversation_function (int n, const struct pam_message **msg, = struct pam_response **resp, void *data); -+ -+int -+main (int argc, char *argv[]) -+{ -+ int rc; -+ const char *user_to_auth; -+ const char *cookie; -+ struct pam_conv pam_conversation; -+ pam_handle_t *pam_h; -+ const void *authed_user; -+ -+ rc =3D 0; -+ pam_h =3D NULL; -+ -+ /* clear the entire environment to avoid attacks using with libraries h= onoring environment variables */ -+ if (_polkit_clearenv () !=3D 0) -+ goto error; -+ -+ /* set a minimal environment */ -+ setenv ("PATH", "/usr/sbin:/usr/bin:/sbin:/bin", 1); -+ -+ /* check that we are setuid root */ -+ if (geteuid () !=3D 0) -+ { -+ fprintf (stderr, "polkit-agent-helper-1: needs to be setuid root\n"= ); -+ goto error; -+ } -+ -+ openlog ("polkit-agent-helper-1", LOG_CONS | LOG_PID, LOG_AUTHPRIV); -+ -+ /* check for correct invocation */ -+ if (argc !=3D 3) -+ { -+ syslog (LOG_NOTICE, "inappropriate use of helper, wrong number of a= rguments [uid=3D%d]", getuid ()); -+ fprintf (stderr, "polkit-agent-helper-1: wrong number of arguments.= This incident has been logged.\n"); -+ goto error; -+ } -+ -+ user_to_auth =3D argv[1]; -+ cookie =3D argv[2]; -+ -+ if (getuid () !=3D 0) -+ { -+ /* check we're running with a non-tty stdin */ -+ if (isatty (STDIN_FILENO) !=3D 0) -+ { -+ syslog (LOG_NOTICE, "inappropriate use of helper, stdin is a tt= y [uid=3D%d]", getuid ()); -+ fprintf (stderr, "polkit-agent-helper-1: inappropriate use of h= elper, stdin is a tty. 
This incident has been logged.\n"); -+ goto error; -+ } -+ } -+ -+#ifdef PAH_DEBUG -+ fprintf (stderr, "polkit-agent-helper-1: user to auth is '%s'.\n", user= _to_auth); -+#endif /* PAH_DEBUG */ -+ -+ pam_conversation.conv =3D conversation_function; -+ pam_conversation.appdata_ptr =3D NULL; -+ -+ /* start the pam stack */ -+ rc =3D pam_start ("polkit-1", -+ user_to_auth, -+ &pam_conversation, -+ &pam_h); -+ if (rc !=3D PAM_SUCCESS) -+ { -+ fprintf (stderr, "polkit-agent-helper-1: pam_start failed: %s\n", p= am_strerror (pam_h, rc)); -+ goto error; -+ } -+ -+ /* set the requesting user */ -+ rc =3D pam_set_item (pam_h, PAM_RUSER, user_to_auth); -+ if (rc !=3D PAM_SUCCESS) -+ { -+ fprintf (stderr, "polkit-agent-helper-1: pam_set_item failed: %s\n"= , pam_strerror (pam_h, rc)); -+ goto error; -+ } -+ -+ /* is user really user? */ -+ rc =3D pam_authenticate (pam_h, 0); -+ if (rc !=3D PAM_SUCCESS) -+ { -+ fprintf (stderr, "polkit-agent-helper-1: pam_authenticated failed: = %s\n", pam_strerror (pam_h, rc)); -+ goto error; -+ } -+ -+ /* permitted access? */ -+ rc =3D pam_acct_mgmt (pam_h, 0); -+ if (rc !=3D PAM_SUCCESS) -+ { -+ fprintf (stderr, "polkit-agent-helper-1: pam_acct_mgmt failed: %s\n= ", pam_strerror (pam_h, rc)); -+ goto error; -+ } -+ -+ /* did we auth the right user? 
*/ -+ rc =3D pam_get_item (pam_h, PAM_USER, &authed_user); -+ if (rc !=3D PAM_SUCCESS) -+ { -+ fprintf (stderr, "polkit-agent-helper-1: pam_get_item failed: %s\n"= , pam_strerror (pam_h, rc)); -+ goto error; -+ } -+ -+ if (strcmp (authed_user, user_to_auth) !=3D 0) -+ { -+ fprintf (stderr, "polkit-agent-helper-1: Tried to auth user '%s' bu= t we got auth for user '%s' instead", -+ user_to_auth, (const char *) authed_user); -+ goto error; -+ } -+ -+#ifdef PAH_DEBUG -+ fprintf (stderr, "polkit-agent-helper-1: successfully authenticated use= r '%s'.\n", user_to_auth); -+#endif /* PAH_DEBUG */ -+ -+ pam_end (pam_h, rc); -+ pam_h =3D NULL; -+ -+#ifdef PAH_DEBUG -+ fprintf (stderr, "polkit-agent-helper-1: sending D-Bus message to Polic= yKit daemon\n"); -+#endif /* PAH_DEBUG */ -+ -+ /* now send a D-Bus message to the PolicyKit daemon that -+ * includes a) the cookie; and b) the user we authenticated -+ */ -+ if (!send_dbus_message (cookie, user_to_auth)) -+ { -+#ifdef PAH_DEBUG -+ fprintf (stderr, "polkit-agent-helper-1: error sending D-Bus messag= e to PolicyKit daemon\n"); -+#endif /* PAH_DEBUG */ -+ goto error; -+ } -+ -+#ifdef PAH_DEBUG -+ fprintf (stderr, "polkit-agent-helper-1: successfully sent D-Bus messag= e to PolicyKit daemon\n"); -+#endif /* PAH_DEBUG */ -+ -+ fprintf (stdout, "SUCCESS\n"); -+ flush_and_wait(); -+ return 0; -+ -+error: -+ if (pam_h !=3D NULL) -+ pam_end (pam_h, rc); -+ -+ fprintf (stdout, "FAILURE\n"); -+ flush_and_wait(); -+ return 1; -+} -+ -+static int -+conversation_function (int n, const struct pam_message **msg, struct pam_= response **resp, void *data) -+{ -+ struct pam_response *aresp; -+ char buf[PAM_MAX_RESP_SIZE]; -+ int i; -+ -+ data =3D data; -+ if (n <=3D 0 || n > PAM_MAX_NUM_MSG) -+ return PAM_CONV_ERR; -+ -+ if ((aresp =3D calloc(n, sizeof *aresp)) =3D=3D NULL) -+ return PAM_BUF_ERR; -+ -+ for (i =3D 0; i < n; ++i) -+ { -+ aresp[i].resp_retcode =3D 0; -+ aresp[i].resp =3D NULL; -+ switch (msg[i]->msg_style) -+ { -+ -+ case 
PAM_PROMPT_ECHO_OFF: -+ fprintf (stdout, "PAM_PROMPT_ECHO_OFF "); -+ goto conv1; -+ -+ case PAM_PROMPT_ECHO_ON: -+ fprintf (stdout, "PAM_PROMPT_ECHO_ON "); -+ conv1: -+ fputs (msg[i]->msg, stdout); -+ if (strlen (msg[i]->msg) > 0 && msg[i]->msg[strlen (msg[i]->msg= ) - 1] !=3D '\n') -+ fputc ('\n', stdout); -+ fflush (stdout); -+ -+ if (fgets (buf, sizeof buf, stdin) =3D=3D NULL) -+ goto error; -+ -+ if (strlen (buf) > 0 && -+ buf[strlen (buf) - 1] =3D=3D '\n') -+ buf[strlen (buf) - 1] =3D '\0'; -+ -+ aresp[i].resp =3D strdup (buf); -+ if (aresp[i].resp =3D=3D NULL) -+ goto error; -+ break; -+ -+ case PAM_ERROR_MSG: -+ fprintf (stdout, "PAM_ERROR_MSG "); -+ goto conv2; -+ -+ case PAM_TEXT_INFO: -+ fprintf (stdout, "PAM_TEXT_INFO "); -+ conv2: -+ fputs (msg[i]->msg, stdout); -+ if (strlen (msg[i]->msg) > 0 && -+ msg[i]->msg[strlen (msg[i]->msg) - 1] !=3D '\n') -+ fputc ('\n', stdout); -+ fflush (stdout); -+ break; -+ -+ default: -+ goto error; -+ } -+ } -+ -+ *resp =3D aresp; -+ return PAM_SUCCESS; -+ -+error: -+ -+ for (i =3D 0; i < n; ++i) -+ { -+ if (aresp[i].resp !=3D NULL) { -+ memset (aresp[i].resp, 0, strlen(aresp[i].resp)); -+ free (aresp[i].resp); -+ } -+ } -+ memset (aresp, 0, n * sizeof *aresp); -+ *resp =3D NULL; -+ return PAM_CONV_ERR; -+} -diff --git a/src/polkitagent/polkitagenthelper-shadow.c b/src/polkitagent/= polkitagenthelper-shadow.c -new file mode 100644 -index 0000000..a4f73ac ---- /dev/null -+++ b/src/polkitagent/polkitagenthelper-shadow.c -@@ -0,0 +1,198 @@ -+/* -+ * Copyright (C) 2008 Red Hat, Inc. -+ * Copyright (C) 2009-2010 Andrew Psaltis -+ * -+ * This library is free software; you can redistribute it and/or -+ * modify it under the terms of the GNU Lesser General Public -+ * License as published by the Free Software Foundation; either -+ * version 2 of the License, or (at your option) any later version. 
-+ * -+ * This library is distributed in the hope that it will be useful, -+ * but WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+ * Lesser General Public License for more details. -+ * -+ * You should have received a copy of the GNU Lesser General -+ * Public License along with this library; if not, write to the -+ * Free Software Foundation, Inc., 59 Temple Place, Suite 330, -+ * Boston, MA 02111-1307, USA. -+ * -+ * Authors: Andrew Psaltis , based on -+ * polkitagenthelper.c which was written by -+ * David Zeuthen -+ */ -+ -+#include "config.h" -+#include "polkitagenthelperprivate.h" -+ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+ -+#include -+ -+static gboolean shadow_authenticate (struct spwd *shadow); -+ -+int -+main (int argc, char *argv[]) -+{ -+ struct spwd *shadow; -+ const char *user_to_auth; -+ const char *cookie; -+ time_t now; -+ -+ /* clear the entire environment to avoid attacks with -+ libraries honoring environment variables */ -+ if (_polkit_clearenv () !=3D 0) -+ goto error; -+ -+ /* set a minimal environment */ -+ setenv ("PATH", "/usr/sbin:/usr/bin:/sbin:/bin", 1); -+ -+ /* check that we are setuid root */ -+ if (geteuid () !=3D 0) -+ { -+ fprintf (stderr, "polkit-agent-helper-1: needs to be setuid root\n"= ); -+ goto error; -+ } -+ -+ openlog ("polkit-agent-helper-1", LOG_CONS | LOG_PID, LOG_AUTHPRIV); -+ -+ /* check for correct invocation */ -+ if (argc !=3D 3) -+ { -+ syslog (LOG_NOTICE, "inappropriate use of helper, wrong number of a= rguments [uid=3D%d]", getuid ()); -+ fprintf (stderr, "polkit-agent-helper-1: wrong number of arguments.= This incident has been logged.\n"); -+ goto error; -+ } -+ -+ if (getuid () !=3D 0) -+ { -+ /* check we're running with a non-tty stdin */ -+ if (isatty (STDIN_FILENO) !=3D 0) -+ { -+ syslog (LOG_NOTICE, "inappropriate use of helper, stdin is a 
tty = [uid=3D%d]", getuid ()); -+ fprintf (stderr, "polkit-agent-helper-1: inappropriate use of hel= per, stdin is a tty. This incident has been logged.\n"); -+ goto error; -+ } -+ } -+ -+ user_to_auth =3D argv[1]; -+ cookie =3D argv[2]; -+ -+#ifdef PAH_DEBUG -+ fprintf (stderr, "polkit-agent-helper-1: user to auth is '%s'.\n", user= _to_auth); -+#endif /* PAH_DEBUG */ -+ -+ -+ /* Ask shadow about the user requesting authentication */ -+ shadow =3D getspnam (user_to_auth); -+ -+ if (shadow =3D=3D NULL) -+ { -+ syslog (LOG_NOTICE, "shadow file data information request for user = '%s' [uid=3D%d] failed", user_to_auth, getuid ()); -+ fprintf(stderr, "polkit-agent-helper-1: could not get shadow inform= ation for '%s'", user_to_auth); -+ goto error; -+ } -+ -+ /* Check the user's identity */ -+ if (shadow_authenticate (shadow) =3D=3D FALSE) -+ { -+ syslog (LOG_NOTICE, "authentication failure [uid=3D%d] trying to au= thenticate '%s'", getuid (), user_to_auth); -+ fprintf (stderr, "polkit-agent-helper-1: authentication failure. Th= is incident has been logged.\n"); -+ goto error; -+ } -+ -+ /* Check whether the user's password has expired */ -+ now =3D time (NULL); -+ if (shadow->sp_max >=3D 0 && (shadow->sp_lstchg + shadow->sp_max) * 60 = * 60 * 24 <=3D now) -+ { -+ syslog (LOG_NOTICE, "password expired for user '%s' [uid=3D%d] tryi= ng to authenticate", user_to_auth, getuid ()); -+ fprintf (stderr, "polkit-agent-helper-1: authorization failure. Thi= s incident has been logged.\n"); -+ goto error; -+ } -+ -+ /* Check whether the user's password has aged (and account expired along -+ * with it) -+ */ -+ if (shadow->sp_inact >=3D 0 && (shadow->sp_lstchg + shadow->sp_max + sh= adow->sp_inact) * 60 * 60 * 24 <=3D now) -+ { -+ syslog (LOG_NOTICE, "password aged for user '%s' [uid=3D%d] trying = to authenticate", user_to_auth, getuid ()); -+ fprintf (stderr, "polkit-agent-helper-1: authorization failure. 
Thi= s incident has been logged.\n"); -+ goto error; -+ } -+ -+ /* Check whether the user's account has expired */ -+ if (shadow->sp_expire >=3D 0 && shadow->sp_expire * 60 * 60 * 24 <=3D n= ow) -+ { -+ syslog (LOG_NOTICE, "account expired for user '%s' [uid=3D%d] tryin= g to authenticate", user_to_auth, getuid ()); -+ fprintf (stderr, "polkit-agent-helper-1: authorization failure. Thi= s incident has been logged.\n"); -+ goto error; -+ } -+ -+#ifdef PAH_DEBUG -+ fprintf (stderr, "polkit-agent-helper-1: sending D-Bus message to Polic= yKit daemon\n"); -+#endif /* PAH_DEBUG */ -+ -+ /* now send a D-Bus message to the PolicyKit daemon that -+ * includes a) the cookie; and b) the user we authenticated -+ */ -+ if (!send_dbus_message (cookie, user_to_auth)) -+ { -+#ifdef PAH_DEBUG -+ fprintf (stderr, "polkit-agent-helper-1: error sending D-Bus messag= e to PolicyKit daemon\n"); -+#endif /* PAH_DEBUG */ -+ goto error; -+ } -+ -+#ifdef PAH_DEBUG -+ fprintf (stderr, "polkit-agent-helper-1: successfully sent D-Bus messag= e to PolicyKit daemon\n"); -+#endif /* PAH_DEBUG */ -+ -+ fprintf (stdout, "SUCCESS\n"); -+ flush_and_wait (); -+ return 0; -+ -+error: -+ fprintf (stdout, "FAILURE\n"); -+ flush_and_wait (); -+ return 1; -+} -+ -+static gboolean -+shadow_authenticate (struct spwd *shadow) -+{ -+ char passwd[512], *crypt_pass; -+ -+ fprintf (stdout, "PAM_PROMPT_ECHO_OFF password:\n"); -+ fflush (stdout); -+ usleep (10 * 1000); /* since fflush(3) seems buggy */ -+ -+ if (fgets (passwd, sizeof (passwd), stdin) =3D=3D NULL) -+ goto error; -+ -+ if (strlen (passwd) > 0 && passwd[strlen (passwd) - 1] =3D=3D '\n') -+ passwd[strlen (passwd) - 1] =3D '\0'; -+ -+ /* Use the encrypted password as the salt, according to the crypt(3) ma= n page, -+ * it will perform whatever encryption method is specified in /etc/shad= ow -+ */ -+ crypt_pass =3D crypt (passwd, shadow->sp_pwdp); -+ -+ if (crypt_pass =3D=3D NULL) -+ goto error; -+ -+ if (strcmp (shadow->sp_pwdp, crypt (passwd, 
shadow->sp_pwdp)) !=3D 0) -+ goto error; -+ return 1; -+error: -+ return 0; -+} -diff --git a/src/polkitagent/polkitagenthelper.c b/src/polkitagent/polkita= genthelper.c -deleted file mode 100644 -index cca86db..0000000 ---- a/src/polkitagent/polkitagenthelper.c -+++ /dev/null -@@ -1,339 +0,0 @@ --/* -- * Copyright (C) 2008 Red Hat, Inc. -- * -- * This library is free software; you can redistribute it and/or -- * modify it under the terms of the GNU Lesser General Public -- * License as published by the Free Software Foundation; either -- * version 2 of the License, or (at your option) any later version. -- * -- * This library is distributed in the hope that it will be useful, -- * but WITHOUT ANY WARRANTY; without even the implied warranty of -- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -- * Lesser General Public License for more details. -- * -- * You should have received a copy of the GNU Lesser General -- * Public License along with this library; if not, write to the -- * Free Software Foundation, Inc., 59 Temple Place, Suite 330, -- * Boston, MA 02111-1307, USA. -- * -- * Author: David Zeuthen -- */ -- --#include "config.h" --#include --#include --#include --#include --#include --#include --#include --#include -- --#include -- --#ifdef HAVE_SOLARIS --# define LOG_AUTHPRIV (10<<3) --#endif -- --#ifndef HAVE_CLEARENV --extern char **environ; -- --static int --clearenv (void) --{ -- if (environ !=3D NULL) -- environ[0] =3D NULL; -- return 0; --} --#endif -- --/* Development aid: define PAH_DEBUG to get debugging output. Do _NOT_ -- * enable this in production builds; it may leak passwords and other -- * sensitive information. 
-- */ --#undef PAH_DEBUG --// #define PAH_DEBUG -- --static gboolean send_dbus_message (const char *cookie, const char *user); -- --static int conversation_function (int n, const struct pam_message **msg, = struct pam_response **resp, void *data); -- --int --main (int argc, char *argv[]) --{ -- int rc; -- const char *user_to_auth; -- const char *cookie; -- struct pam_conv pam_conversation; -- pam_handle_t *pam_h; -- const void *authed_user; -- -- rc =3D 0; -- pam_h =3D NULL; -- -- /* clear the entire environment to avoid attacks using with libraries h= onoring environment variables */ -- if (clearenv () !=3D 0) -- goto error; -- -- /* set a minimal environment */ -- setenv ("PATH", "/usr/sbin:/usr/bin:/sbin:/bin", 1); -- -- /* check that we are setuid root */ -- if (geteuid () !=3D 0) -- { -- fprintf (stderr, "polkit-agent-helper-1: needs to be setuid root\n"= ); -- goto error; -- } -- -- openlog ("polkit-agent-helper-1", LOG_CONS | LOG_PID, LOG_AUTHPRIV); -- -- /* check for correct invocation */ -- if (argc !=3D 3) -- { -- syslog (LOG_NOTICE, "inappropriate use of helper, wrong number of a= rguments [uid=3D%d]", getuid ()); -- fprintf (stderr, "polkit-agent-helper-1: wrong number of arguments.= This incident has been logged.\n"); -- goto error; -- } -- -- user_to_auth =3D argv[1]; -- cookie =3D argv[2]; -- -- if (getuid () !=3D 0) -- { -- /* check we're running with a non-tty stdin */ -- if (isatty (STDIN_FILENO) !=3D 0) -- { -- syslog (LOG_NOTICE, "inappropriate use of helper, stdin is a tt= y [uid=3D%d]", getuid ()); -- fprintf (stderr, "polkit-agent-helper-1: inappropriate use of h= elper, stdin is a tty. 
This incident has been logged.\n"); -- goto error; -- } -- } -- --#ifdef PAH_DEBUG -- fprintf (stderr, "polkit-agent-helper-1: user to auth is '%s'.\n", user= _to_auth); --#endif /* PAH_DEBUG */ -- -- pam_conversation.conv =3D conversation_function; -- pam_conversation.appdata_ptr =3D NULL; -- -- /* start the pam stack */ -- rc =3D pam_start ("polkit-1", -- user_to_auth, -- &pam_conversation, -- &pam_h); -- if (rc !=3D PAM_SUCCESS) -- { -- fprintf (stderr, "polkit-agent-helper-1: pam_start failed: %s\n", p= am_strerror (pam_h, rc)); -- goto error; -- } -- -- /* set the requesting user */ -- rc =3D pam_set_item (pam_h, PAM_RUSER, user_to_auth); -- if (rc !=3D PAM_SUCCESS) -- { -- fprintf (stderr, "polkit-agent-helper-1: pam_set_item failed: %s\n"= , pam_strerror (pam_h, rc)); -- goto error; -- } -- -- /* is user really user? */ -- rc =3D pam_authenticate (pam_h, 0); -- if (rc !=3D PAM_SUCCESS) -- { -- fprintf (stderr, "polkit-agent-helper-1: pam_authenticated failed: = %s\n", pam_strerror (pam_h, rc)); -- goto error; -- } -- -- /* permitted access? */ -- rc =3D pam_acct_mgmt (pam_h, 0); -- if (rc !=3D PAM_SUCCESS) -- { -- fprintf (stderr, "polkit-agent-helper-1: pam_acct_mgmt failed: %s\n= ", pam_strerror (pam_h, rc)); -- goto error; -- } -- -- /* did we auth the right user? 
*/ -- rc =3D pam_get_item (pam_h, PAM_USER, &authed_user); -- if (rc !=3D PAM_SUCCESS) -- { -- fprintf (stderr, "polkit-agent-helper-1: pam_get_item failed: %s\n"= , pam_strerror (pam_h, rc)); -- goto error; -- } -- -- if (strcmp (authed_user, user_to_auth) !=3D 0) -- { -- fprintf (stderr, "polkit-agent-helper-1: Tried to auth user '%s' bu= t we got auth for user '%s' instead", -- user_to_auth, (const char *) authed_user); -- goto error; -- } -- --#ifdef PAH_DEBUG -- fprintf (stderr, "polkit-agent-helper-1: successfully authenticated use= r '%s'.\n", user_to_auth); --#endif /* PAH_DEBUG */ -- -- pam_end (pam_h, rc); -- pam_h =3D NULL; -- --#ifdef PAH_DEBUG -- fprintf (stderr, "polkit-agent-helper-1: sending D-Bus message to Polic= yKit daemon\n"); --#endif /* PAH_DEBUG */ -- -- /* now send a D-Bus message to the PolicyKit daemon that -- * includes a) the cookie; and b) the user we authenticated -- */ -- if (!send_dbus_message (cookie, user_to_auth)) -- { --#ifdef PAH_DEBUG -- fprintf (stderr, "polkit-agent-helper-1: error sending D-Bus messag= e to PolicyKit daemon\n"); --#endif /* PAH_DEBUG */ -- goto error; -- } -- --#ifdef PAH_DEBUG -- fprintf (stderr, "polkit-agent-helper-1: successfully sent D-Bus messag= e to PolicyKit daemon\n"); --#endif /* PAH_DEBUG */ -- -- fprintf (stdout, "SUCCESS\n"); -- fflush (stdout); -- fflush (stderr); -- usleep (10 * 1000); /* since fflush(3) seems buggy */ -- return 0; -- --error: -- if (pam_h !=3D NULL) -- pam_end (pam_h, rc); -- -- fprintf (stdout, "FAILURE\n"); -- fflush (stdout); -- fflush (stderr); -- usleep (10 * 1000); /* since fflush(3) seems buggy */ -- return 1; --} -- --static int --conversation_function (int n, const struct pam_message **msg, struct pam_= response **resp, void *data) --{ -- struct pam_response *aresp; -- char buf[PAM_MAX_RESP_SIZE]; -- int i; -- -- data =3D data; -- if (n <=3D 0 || n > PAM_MAX_NUM_MSG) -- return PAM_CONV_ERR; -- -- if ((aresp =3D calloc(n, sizeof *aresp)) =3D=3D NULL) -- return 
PAM_BUF_ERR; -- -- for (i =3D 0; i < n; ++i) -- { -- aresp[i].resp_retcode =3D 0; -- aresp[i].resp =3D NULL; -- switch (msg[i]->msg_style) -- { -- -- case PAM_PROMPT_ECHO_OFF: -- fprintf (stdout, "PAM_PROMPT_ECHO_OFF "); -- goto conv1; -- -- case PAM_PROMPT_ECHO_ON: -- fprintf (stdout, "PAM_PROMPT_ECHO_ON "); -- conv1: -- fputs (msg[i]->msg, stdout); -- if (strlen (msg[i]->msg) > 0 && msg[i]->msg[strlen (msg[i]->msg= ) - 1] !=3D '\n') -- fputc ('\n', stdout); -- fflush (stdout); -- -- if (fgets (buf, sizeof buf, stdin) =3D=3D NULL) -- goto error; -- -- if (strlen (buf) > 0 && -- buf[strlen (buf) - 1] =3D=3D '\n') -- buf[strlen (buf) - 1] =3D '\0'; -- -- aresp[i].resp =3D strdup (buf); -- if (aresp[i].resp =3D=3D NULL) -- goto error; -- break; -- -- case PAM_ERROR_MSG: -- fprintf (stdout, "PAM_ERROR_MSG "); -- goto conv2; -- -- case PAM_TEXT_INFO: -- fprintf (stdout, "PAM_TEXT_INFO "); -- conv2: -- fputs (msg[i]->msg, stdout); -- if (strlen (msg[i]->msg) > 0 && -- msg[i]->msg[strlen (msg[i]->msg) - 1] !=3D '\n') -- fputc ('\n', stdout); -- fflush (stdout); -- break; -- -- default: -- goto error; -- } -- } -- -- *resp =3D aresp; -- return PAM_SUCCESS; -- --error: -- -- for (i =3D 0; i < n; ++i) -- { -- if (aresp[i].resp !=3D NULL) { -- memset (aresp[i].resp, 0, strlen(aresp[i].resp)); -- free (aresp[i].resp); -- } -- } -- memset (aresp, 0, n * sizeof *aresp); -- *resp =3D NULL; -- return PAM_CONV_ERR; --} -- --static gboolean --send_dbus_message (const char *cookie, const char *user) --{ -- PolkitAuthority *authority; -- PolkitIdentity *identity; -- GError *error; -- gboolean ret; -- -- ret =3D FALSE; -- -- error =3D NULL; -- -- g_type_init (); -- -- authority =3D polkit_authority_get (); -- -- identity =3D polkit_unix_user_new_for_name (user, &error); -- if (identity =3D=3D NULL) -- { -- g_printerr ("Error constructing identity: %s\n", error->message); -- g_error_free (error); -- goto out; -- } -- -- if (!polkit_authority_authentication_agent_response_sync 
(authority, -- cookie, -- identity, -- NULL, -- &error)) -- { -- g_printerr ("polkit-agent-helper-1: error response to PolicyKit dae= mon: %s\n", error->message); -- g_error_free (error); -- goto out; -- } -- -- ret =3D TRUE; -- -- out: -- -- if (identity !=3D NULL) -- g_object_unref (identity); -- -- if (authority !=3D NULL) -- g_object_unref (authority); -- -- return ret; --} -diff --git a/src/polkitagent/polkitagenthelperprivate.c b/src/polkitagent/= polkitagenthelperprivate.c -new file mode 100644 -index 0000000..be495e9 ---- /dev/null -+++ b/src/polkitagent/polkitagenthelperprivate.c -@@ -0,0 +1,106 @@ -+/* -+ * Copyright (C) 2009-2010 Red Hat, Inc. -+ * -+ * This library is free software; you can redistribute it and/or -+ * modify it under the terms of the GNU Lesser General Public -+ * License as published by the Free Software Foundation; either -+ * version 2 of the License, or (at your option) any later version. -+ * -+ * This library is distributed in the hope that it will be useful, -+ * but WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+ * Lesser General Public License for more details. -+ * -+ * You should have received a copy of the GNU Lesser General -+ * Public License along with this library; if not, write to the -+ * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, -+ * Boston, MA 02110-1301, USA. 
-+ * -+ * Authors: David Zeuthen , -+ * Andrew Psaltis -+ */ -+ -+#include "config.h" -+#include "polkitagenthelperprivate.h" -+#include -+#include -+#include -+ -+#ifndef HAVE_CLEARENV -+extern char **environ; -+ -+int -+_polkit_clearenv (void) -+{ -+ if (environ !=3D NULL) -+ environ[0] =3D NULL; -+ return 0; -+} -+#else -+int -+_polkit_clearenv (void) -+{ -+ return clearenv (); -+} -+#endif -+ -+ -+gboolean -+send_dbus_message (const char *cookie, const char *user) -+{ -+ PolkitAuthority *authority; -+ PolkitIdentity *identity; -+ GError *error; -+ gboolean ret; -+ -+ ret =3D FALSE; -+ -+ error =3D NULL; -+ -+ g_type_init (); -+ -+ authority =3D polkit_authority_get (); -+ -+ identity =3D polkit_unix_user_new_for_name (user, &error); -+ if (identity =3D=3D NULL) -+ { -+ g_printerr ("Error constructing identity: %s\n", error->message); -+ g_error_free (error); -+ goto out; -+ } -+ -+ if (!polkit_authority_authentication_agent_response_sync (authority, -+ cookie, -+ identity, -+ NULL, -+ &error)) -+ { -+ g_printerr ("polkit-agent-helper-1: error response to PolicyKit dae= mon: %s\n", error->message); -+ g_error_free (error); -+ goto out; -+ } -+ -+ ret =3D TRUE; -+ -+ out: -+ -+ if (identity !=3D NULL) -+ g_object_unref (identity); -+ -+ if (authority !=3D NULL) -+ g_object_unref (authority); -+ -+ return ret; -+} -+ -+/* fflush(3) stdin and stdout and wait a little bit. -+ * This replaces the three-line commands at the bottom of -+ * polkit-agent-helper-1's main() function. -+ */ -+void -+flush_and_wait () -+{ -+ fflush (stdout); -+ fflush (stderr); -+ usleep (10 * 1000); /* since fflush(3) seems buggy */ -+} -diff --git a/src/polkitagent/polkitagenthelperprivate.h b/src/polkitagent/= polkitagenthelperprivate.h -new file mode 100644 -index 0000000..7294d46 ---- /dev/null -+++ b/src/polkitagent/polkitagenthelperprivate.h -@@ -0,0 +1,45 @@ -+/* -+ * Copyright (C) 2009-2010 Red Hat, Inc. 
-+ * -+ * This library is free software; you can redistribute it and/or -+ * modify it under the terms of the GNU Lesser General Public -+ * License as published by the Free Software Foundation; either -+ * version 2 of the License, or (at your option) any later version. -+ * -+ * This library is distributed in the hope that it will be useful, -+ * but WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+ * Lesser General Public License for more details. -+ * -+ * You should have received a copy of the GNU Lesser General -+ * Public License along with this library; if not, write to the -+ * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, -+ * Boston, MA 02110-1301, USA. -+ * -+ * Authors: David Zeuthen , -+ * Andrew Psaltis -+ */ -+#ifndef __POLKIT_AGENT_HELPER_PRIVATE_H -+#define __POLKIT_AGENT_HELPER_PRIVATE_H -+ -+#define _GNU_SOURCE -+#include -+ -+/* Development aid: define PAH_DEBUG to get debugging output. Do _NOT_ -+ * enable this in production builds; it may leak passwords and other -+ * sensitive information. 
-+ */ -+#undef PAH_DEBUG -+// #define PAH_DEBUG -+ -+#ifdef HAVE_SOLARIS -+# define LOG_AUTHPRIV (10<<3) -+#endif -+ -+int _polkit_clearenv (void); -+ -+gboolean send_dbus_message (const char *cookie, const char *user); -+ -+void flush_and_wait (); -+ -+#endif /* __POLKIT_AGENT_HELPER_PRIVATE_H */ -diff --git a/src/programs/pkexec.c b/src/programs/pkexec.c -index 17c191e..b0193f4 100644 ---- a/src/programs/pkexec.c -+++ b/src/programs/pkexec.c -@@ -34,7 +34,11 @@ - #include - #include - #include -+ -+#ifdef POLKIT_AUTHFW_PAM - #include -+#endif /* POLKIT_AUTHFW_PAM */ -+ - #include - #include - = -@@ -115,6 +119,7 @@ log_message (gint level, - = - /* ----------------------------------------------------------------------= ------------------------------ */ - = -+#ifdef POLKIT_AUTHFW_PAM - static int - pam_conversation_function (int n, - const struct pam_message **msg, -@@ -167,6 +172,7 @@ out: - pam_end (pam_h, rc); - return ret; - } -+#endif /* POLKIT_AUTHFW_PAM */ - = - /* ----------------------------------------------------------------------= ------------------------------ */ - = -@@ -741,10 +747,12 @@ main (int argc, char *argv[]) - * TODO: The question here is whether we should clear the limits before= applying them? - * As evident above, neither su(1) (and, for that matter, nor sudo(8)) = does this. - */ -+#ifdef POLKIT_AUTHFW_PAM - if (!open_session (pw->pw_name)) - { - goto out; - } -+#endif /* POLKIT_AUTHFW_PAM */ - = - /* become the user */ - if (setgroups (0, NULL) !=3D 0) --- = -1.7.1 - diff --git a/patches/polkit-0.96/0003-Bug-29051-Configuration-reload-on-eve= ry-query.patch b/patches/polkit-0.96/0003-Bug-29051-Configuration-reload-on= -every-query.patch deleted file mode 100644 index d9cf8c23bfd6..000000000000 --- a/patches/polkit-0.96/0003-Bug-29051-Configuration-reload-on-every-quer= y.patch +++ /dev/null 
@@ -1,45 +0,0 @@ -From 779c0153fc0bd3c2e302dac1979d17638f054229 Mon Sep 17 00:00:00 2001 -From: =3D?UTF-8?q?Petr=3D20Mr=3DC3=3DA1zek?=3D -Date: Wed, 14 Jul 2010 02:59:12 +0200 -Subject: [PATCH 3/3] =3D?UTF-8?q?Bug=3D2029051=3D20=3DE2=3D80=3D93=3D20Con= figuration=3D20reload=3D20on=3D20every=3D20query?=3D -MIME-Version: 1.0 -Content-Type: text/plain; charset=3DUTF-8 -Content-Transfer-Encoding: 8bit - -Set has_data to true after the data is loaded to prevent excessive -reloading of config files. - -Signed-off-by: David Zeuthen ---- - src/polkitbackend/polkitbackendconfigsource.c | 1 + - .../polkitbackendlocalauthorizationstore.c | 2 ++ - 2 files changed, 3 insertions(+), 0 deletions(-) - -diff --git a/src/polkitbackend/polkitbackendconfigsource.c b/src/polkitbac= kend/polkitbackendconfigsource.c -index 224d0d0..465da96 100644 ---- a/src/polkitbackend/polkitbackendconfigsource.c -+++ b/src/polkitbackend/polkitbackendconfigsource.c -@@ -386,6 +386,7 @@ polkit_backend_config_source_ensure (PolkitBackendConf= igSource *source) - } - = - source->priv->key_files =3D g_list_reverse (source->priv->key_files); -+ source->priv->has_data =3D TRUE; - = - out: - g_list_foreach (files, (GFunc) g_object_unref, NULL); -diff --git a/src/polkitbackend/polkitbackendlocalauthorizationstore.c b/sr= c/polkitbackend/polkitbackendlocalauthorizationstore.c -index 5d5dc14..b959269 100644 ---- a/src/polkitbackend/polkitbackendlocalauthorizationstore.c -+++ b/src/polkitbackend/polkitbackendlocalauthorizationstore.c -@@ -641,6 +641,8 @@ polkit_backend_local_authorization_store_ensure (Polki= tBackendLocalAuthorization - g_free (filename); - } - = -+ store->priv->has_data =3D TRUE; -+ - out: - g_list_foreach (files, (GFunc) g_object_unref, NULL); - g_list_free (files); --- = -1.7.1 - diff --git a/patches/polkit-0.96/autogen.sh b/patches/polkit-0.96/autogen.sh deleted file mode 120000 index 9f8a4cb7ddcb..000000000000 --- a/patches/polkit-0.96/autogen.sh +++ /dev/null 
@@ -1 +0,0 @@ -../autogen.sh \ No newline at end of file diff --git a/patches/polkit-0.96/series b/patches/polkit-0.96/series deleted file mode 100644 index ee29cd64eb79..000000000000 --- a/patches/polkit-0.96/series +++ /dev/null @@ -1,3 +0,0 @@ -0001-Bug-26982-pkexec-information-disclosure-vulnerabilit.patch -0002-Add-shadow-support.patch -0003-Bug-29051-Configuration-reload-on-every-query.patch diff --git a/rules/polkit.in b/rules/polkit.in index d28de7c67e91..07c3744b6964 100644 --- a/rules/polkit.in +++ b/rules/polkit.in @@ -1,14 +1,27 @@ ## SECTION=3Dsystem_libraries = -config POLKIT +menuconfig POLKIT tristate - prompt "policykit-1" + prompt "policykit-1 " select LIBC_CRYPT select HOST_INTLTOOL select HOST_GTK_DOC + select EXPAT select GLIB select DBUS_GLIB select EGGDBUS + select SYSTEMD if POLKIT_SYSTEMD + select SYSTEMD_LOGIND if POLKIT_SYSTEMD help PolicyKit offers an infrastructure for security policies for dbus applications. + +if POLKIT + +config POLKIT_SYSTEMD + bool "systemd based session tracking" + default y if INITMETHOD_SYSTEMD + help + Use systemd for session tracking, else ConsoleKit is used + +endif diff --git a/rules/polkit.make b/rules/polkit.make index b702a1b50d90..376315f929f8 100644 --- a/rules/polkit.make +++ b/rules/polkit.make @@ -16,8 +16,8 @@ PACKAGES-$(PTXCONF_POLKIT) +=3D polkit # # Paths and names # -POLKIT_VERSION :=3D 0.96 -POLKIT_MD5 :=3D e0a06da501b04ed3bab986a9df5b5aa2 +POLKIT_VERSION :=3D 0.104 +POLKIT_MD5 :=3D e380b4c6fb1e7bccf854e92edc0a8ce1 POLKIT :=3D polkit-$(POLKIT_VERSION) POLKIT_SUFFIX :=3D tar.gz POLKIT_URL :=3D http://hal.freedesktop.org/releases/$(POLKIT).$(POLKIT_SUF= FIX) 
@@ -28,19 +28,19 @@ POLKIT_DIR :=3D $(BUILDDIR)/$(POLKIT) # Prepare # ------------------------------------------------------------------------= ---- = -# -# autoconf -# -POLKIT_AUTOCONF :=3D \ +POLKIT_CONF_TOOL :=3D autoconf +POLKIT_CONF_OPT :=3D \ $(CROSS_AUTOCONF_USR) \ - --enable-shared \ - --enable-static \ + $(GLOBAL_LARGE_FILE_OPTION) \ --disable-ansi \ --disable-verbose-mode \ --disable-man-pages \ --disable-gtk-doc \ - --disable-examples \ + --disable-gtk-doc-html \ + --$(call ptx/endis, PTXCONF_POLKIT_SYSTEMD)-systemd \ --disable-introspection \ + --disable-examples \ + --disable-nls \ --with-gnu-ld \ --with-authfw=3Dshadow \ --with-os-type=3Dptxdist @@ -65,6 +65,7 @@ $(STATEDIR)/polkit.targetinstall: /usr/share/dbus-1/system-services/org.freedesktop.PolicyKit1.service) = # config + @$(call install_copy, polkit, 0, 0, 700, /etc/polkit-1/localauthority) @$(call install_copy, polkit, 0, 0, 0644, -, \ /etc/polkit-1/localauthority.conf.d/50-localauthority.conf) @$(call install_copy, polkit, 0, 0, 0644, -, \ @@ -79,8 +80,6 @@ $(STATEDIR)/polkit.targetinstall: = @$(call install_copy, polkit, 0, 0, 0644, -, \ /usr/lib/polkit-1/extensions/libnullbackend.so) - @$(call install_copy, polkit, 0, 0, 0644, -, \ - /usr/lib/polkit-1/extensions/libpkexec-action-lookup.so) = # binaries @$(call install_copy, polkit, 0, 0, 0755, -, /usr/bin/pkaction) @@ -93,6 +92,9 @@ $(STATEDIR)/polkit.targetinstall: @$(call install_copy, polkit, 0, 0, 4755, -, \ /usr/libexec/polkit-agent-helper-1) = +# run-time + @$(call install_copy, polkit, 0, 0, 700, /var/lib/polkit-1) + @$(call install_finish, polkit) = @$(call touch) -- = Pengutronix e.K. =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 = =A0| Juergen Borleis =A0 =A0 =A0 =A0 =A0 =A0 | Industrial Linux Solutions =A0 =A0 =A0| http://www.pengutroni= x.de/ | -- = ptxdist mailing list ptxdist@pengutronix.de
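Review bot: The patches/polkit-0.96/series hunk drops all three 0.96 patches (0001 pkexec information disclosure, 0002 Add-shadow-support, 0003 configuration reload on every query), but the commit message carries only a Signed-off-by and does not say that 0.104 already contains these changes. The configure options still pass `--with-authfw=shadow`, which on 0.96 depended on 0002-Add-shadow-support.patch, so please add a line to the commit message confirming that each dropped patch is upstream in 0.104.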
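Review bot: In the rules/polkit.in hunk, the help text for POLKIT_SYSTEMD says ConsoleKit is used when the option is off, but the hunk adds `select` lines only for the systemd case (`select SYSTEMD if POLKIT_SYSTEMD`, `select SYSTEMD_LOGIND if POLKIT_SYSTEMD`) and nothing for ConsoleKit. If ConsoleKit is required at run time with POLKIT_SYSTEMD disabled, state that in the help text or select the corresponding package, so a non-systemd configuration does not end up without session tracking unnoticed.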
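Review bot: In the rules/polkit.make version hunk, POLKIT_MD5 is updated but POLKIT_URL remains a plain `http://` location, so the MD5 sum is the only integrity check on the 0.104 tarball. This package installs a setuid binary (polkit-agent-helper-1 at mode 4755), so the commit message should say how the new checksum was obtained, for instance whether it was compared against a value published by upstream.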
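Review bot: In the rules/polkit.make targetinstall hunks, the two new install_copy lines for /etc/polkit-1/localauthority and /var/lib/polkit-1 give the mode as `700`, while every other install_copy call in the same rule uses a four-digit mode (`0644`, `0755`, `4755`). Write `0700` in both places so the permission on these root-only directories reads unambiguously and matches the surrounding lines.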