| Commit message (Collapse) | Author | Age | Files | Lines |
| |
Reported by Peter Klotz <peter.klotz99@gmail.com>.
https://bugs.freedesktop.org/show_bug.cgi?id=103144
| |
https://bugs.freedesktop.org/show_bug.cgi?id=92566
| |
- Refer to PolkitAgentSession in general instead of to _response only
- Revert to the original description of authentication cancellation, the
agent really needs to return an error to the caller (in addition to dealing
with the session if any).
- Explicitly document the UID assumption; in the process fixing bug #69980.
- Keep documenting that we need a sufficiently privileged caller.
- Refer to the ...Response2 API in more places.
- Also update docbook documentation.
- Drop a paragraph suggesting non-PolkitAgentSession implementations are
expected and commonplace.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=90837
Reviewed-by: Colin Walters <walters@redhat.com>
| |
http://lists.freedesktop.org/archives/polkit-devel/2015-June/000425.html
The "cookie" value that Polkit hands out is global to all polkit
users. And when `AuthenticationAgentResponse` is invoked, we
previously only received the cookie and *target* identity, and
attempted to find an agent from that.
The problem is that the current cookie is just an integer
counter, and if it overflowed, it would be possible for
a successful authorization in one session to trigger a response
in another session.
The overflow and ability to guess the cookie were fixed by the
previous patch.
This patch is conceptually further hardening on top of that. Polkit
currently treats uids as equivalent from a security domain
perspective; there is no support for
SELinux/AppArmor/etc. differentiation.
We can retrieve the uid from `getuid()` in the setuid helper, which
allows us to ensure the uid invoking `AuthenticationAgentResponse2`
matches that of the agent.
Then the authority only looks at authentication sessions matching the
cookie that were created by a matching uid, thus removing the ability
for different uids to interfere with each other entirely.
Several fixes to this patch were contributed by:
Miloslav Trmač <mitr@redhat.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=90837
CVE: CVE-2015-4625
Reported-by: Tavis Ormandy <taviso@google.com>
Reviewed-by: Miloslav Trmač <mitr@redhat.com>
Signed-off-by: Colin Walters <walters@redhat.com>
| |
to silence
warning: 'INCLUDES' is the old name for 'AM_CPPFLAGS' (or '*_CPPFLAGS')
https://bugs.freedesktop.org/show_bug.cgi?id=80767
| |
I was looking at:
https://bugs.freedesktop.org/show_bug.cgi?id=85504
But polkit, particularly because of its use of recursive make, is a
good fit for git.mk.
| |
I use "pkexec bash" a lot, and it'd be nice to be able to just type
"pkexec" and have it do what I want. Like how "su" will run the shell
by default.
https://bugs.freedesktop.org/show_bug.cgi?id=74933
| |
The uid is a new addition; this allows callers such as libvirt to
close a race condition in reading the uid of the process talking to
them. They can read it via getsockopt(SO_PEERCRED) or equivalent,
rather than having pkcheck look at /proc later after the fact.
Programs which invoke pkcheck but need to know beforehand (i.e. at
compile time) whether or not it supports passing the uid can
use:
pkcheck_supports_uid=$($PKG_CONFIG --variable pkcheck_supports_uid polkit-gobject-1)
test x$pkcheck_supports_uid = xyes
| |
https://bugs.freedesktop.org/show_bug.cgi?id=64197
| |
Suggested by Colin Walters.
https://bugs.freedesktop.org/show_bug.cgi?id=57284
| |
From time to time, application developers just copy example
configuration without examining it in detail. Because polkit is
typically used to control access to system-level operations, the policy
(and therefore the examples) should limit access to system
administrators only.
| |
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=641527
| |
Fold PolkitImplicitAuthorization and PolkitCheckAuthorizationFlags
into the relevant classes in the section list; polkit-1-docs.xml is
already not including the enum documents.
https://bugs.freedesktop.org/show_bug.cgi?id=63573
| |
All of these are a part of public API with some external users. Do the
minimum to avoid a warning; ideally we should also add a
*_DISABLE_DEPRECATED macro etc.
https://bugs.freedesktop.org/show_bug.cgi?id=63573
| |
This seems a fairly obvious public counterpart of
polkit_action_description_get_annotation, and it is used in pkaction.c
in what is pretty much an example of public API use.
https://bugs.freedesktop.org/show_bug.cgi?id=63573
| |
- Mark private header files as private.
- Fix obvious typos in the section file.
https://bugs.freedesktop.org/show_bug.cgi?id=63573
| |
... which silences warnings about these classes missing from
polkit-1-sections.txt
https://bugs.freedesktop.org/show_bug.cgi?id=63573
| |
as described at the end of
https://live.gnome.org/GObjectIntrospection/Annotations. Fixes a huge
number of warnings.
https://bugs.freedesktop.org/show_bug.cgi?id=63573
| |
This snippet comes from gtk-doc 1.18 examples/Makefile.am; we might want
to update all of the file but that's not strictly necessary.
https://bugs.freedesktop.org/show_bug.cgi?id=63479
| |
gtk-doc.make is attempting to add --path automatically but there is a
bug in the script in gtk-doc 1.18
https://bugs.freedesktop.org/show_bug.cgi?id=63479
| |
Signed-off-by: David Zeuthen <zeuthen@gmail.com>
| |
Signed-off-by: David Zeuthen <zeuthen@gmail.com>
| |
This way an authorization rule can do this
return polkit.Result.YES;
which is slightly nicer than
return "yes";
https://bugs.freedesktop.org/show_bug.cgi?id=50983
Signed-off-by: David Zeuthen <zeuthen@gmail.com>
| |
Now that GDBusProxy does something reasonable for a masked systemd
service, see
https://bugzilla.gnome.org/show_bug.cgi?id=677718
construction of the PolkitAuthority object does not fail anymore. That
doesn't mean the authority is available, though, so mention that users
should check the result of the CheckAuthorization() call as well. Or
in the case of PolkitAuthority, that the error is not a POLKIT_ERROR.
This is actually a nice feature, it means that if you unmask
polkit.service then mechanisms using PolkitAuthority will start using
it without a restart.
Signed-off-by: David Zeuthen <zeuthen@gmail.com>
| |
Signed-off-by: David Zeuthen <zeuthen@gmail.com>
| |
Pointed out by Dan Williams <dcbw@redhat.com> on IRC.
Signed-off-by: David Zeuthen <zeuthen@gmail.com>
| |
... e.g. we reserve the right to switch out the JS engine.
Signed-off-by: David Zeuthen <zeuthen@gmail.com>
| |
Signed-off-by: David Zeuthen <zeuthen@gmail.com>
| |
Signed-off-by: David Zeuthen <zeuthen@gmail.com>
| |
Signed-off-by: David Zeuthen <zeuthen@gmail.com>
| |
Signed-off-by: David Zeuthen <davidz@redhat.com>
| |
There's really no reason to run all this code as uid 0.
Signed-off-by: David Zeuthen <davidz@redhat.com>
| |
Signed-off-by: David Zeuthen <davidz@redhat.com>
| |
Signed-off-by: David Zeuthen <davidz@redhat.com>
| |
This also removes the ability to change detail parameters which is
actually a good thing. If we later need a way to change the
authentication message, we can always add something like
polkit.addAuthenticationMessageRule() so the user can register a
function returning a string.
Signed-off-by: David Zeuthen <davidz@redhat.com>
| |
Signed-off-by: David Zeuthen <davidz@redhat.com>
| |
Signed-off-by: David Zeuthen <davidz@redhat.com>
| |
Any backend can now be implemented in JavaScript (if so desired) so we
don't need any of this any more.
Note that the libpolkitbackend library was never declared stable (the
preprocessor symbol POLKIT_BACKEND_I_KNOW_API_IS_SUBJECT_TO_CHANGE had
to be defined) so removing it is not an API/ABI break.
Signed-off-by: David Zeuthen <davidz@redhat.com>
| |
Signed-off-by: David Zeuthen <davidz@redhat.com>
| |
Signed-off-by: David Zeuthen <davidz@redhat.com>
| |
Signed-off-by: David Zeuthen <davidz@redhat.com>
| |
Signed-off-by: David Zeuthen <davidz@redhat.com>
| |
Signed-off-by: David Zeuthen <davidz@redhat.com>
| |
Signed-off-by: David Zeuthen <davidz@redhat.com>
| |
Signed-off-by: David Zeuthen <davidz@redhat.com>
| |
Signed-off-by: David Zeuthen <davidz@redhat.com>
| |
Signed-off-by: David Zeuthen <davidz@redhat.com>
| |
Signed-off-by: David Zeuthen <davidz@redhat.com>
| |
Signed-off-by: David Zeuthen <davidz@redhat.com>
| |
Nuke the has_prefix() helper, it's just confusing.
Signed-off-by: David Zeuthen <davidz@redhat.com>