diff options
author | David Zeuthen <david@fubar.dk> | 2006-06-06 11:55:50 +0000 |
---|---|---|
committer | David Zeuthen <david@fubar.dk> | 2006-06-06 11:55:50 +0000 |
commit | 8be672ff73c76f99b15f72cc9fb1b3eb4d1a778c (patch) | |
tree | 1dbb87f33035d439758796e5ed08bd4b39f37fff | |
parent | 1c3d5691ad444ae2849d079e3745d6b476614623 (diff) | |
download | polkit-8be672ff73c76f99b15f72cc9fb1b3eb4d1a778c.tar.gz |
Patch from Frederic Peters <fpeters@entrouvert.com>.
http://jhbuild.bxlug.be/builds/2006-06-06-0000/logs/PolicyKit/#build
shows a error when building newest PolicyKit with Debian PAM libraries.
Attached patch adds new configure checks; pam-polkit-console.c may need
alternate behaviour if pam_vsyslog is missing (using straight
vsyslog?).
configure.in,
-rw-r--r-- | ChangeLog | 15 | ||||
-rw-r--r-- | configure.in | 3 | ||||
-rw-r--r-- | doc/TODO | 3 | ||||
-rw-r--r-- | doc/spec/polkit-spec.html | 26 | ||||
-rw-r--r-- | pam-polkit-console/pam-polkit-console.c | 7 |
5 files changed, 41 insertions, 13 deletions
@@ -1,3 +1,18 @@ +2006-06-06 David Zeuthen <davidz@redhat.com> + + Patch from Frederic Peters <fpeters@entrouvert.com>. + http://jhbuild.bxlug.be/builds/2006-06-06-0000/logs/PolicyKit/#build + shows a error when building newest PolicyKit with Debian PAM + libraries. + + Attached patch adds new configure checks; pam-polkit-console.c may + need alternate behaviour if pam_vsyslog is missing (using straight + vsyslog?). + + * configure.in, + * pam-polkit-console/pam-polkit-console.c: (_pam_log): + * doc/TODO: + 2006-06-05 David Zeuthen <davidz@redhat.com> Lots of changes! Almost ready for 0.2 release. diff --git a/configure.in b/configure.in index 557aa59..ff053c0 100644 --- a/configure.in +++ b/configure.in @@ -262,6 +262,9 @@ AM_CONDITIONAL(HAVE_PAM, test x$have_pam = xyes) AC_SUBST(HAVE_PAM) AC_SUBST(AUTH_LIBS) +AC_CHECK_HEADER(security/pam_modutil.h, [AC_DEFINE(HAVE_PAM_MODUTIL_H, [], "Have pam_modutil.h")]) +AC_CHECK_HEADER(security/pam_ext.h, [AC_DEFINE(HAVE_PAM_EXT_H, [], "Have pam_ext.h")]) +AC_CHECK_LIB(pam, pam_vsyslog, [AC_DEFINE(HAVE_PAM_VSYSLOG, [], "Have pam_vsyslog")]) AC_ARG_WITH(os-type, [ --with-os-type=<os> distribution or OS (redhat)]) @@ -35,3 +35,6 @@ PENDING - implement D-BUS interfaces suitable for a GUI privilege editor - write more tests; audit code + + - Maybe use straight vsyslog from pam-polkit-console.c if pam_vsyslog + is missing (as recommened by Frederic Peters <fpeters@entrouvert.com>) diff --git a/doc/spec/polkit-spec.html b/doc/spec/polkit-spec.html index 71d0776..3646f64 100644 --- a/doc/spec/polkit-spec.html +++ b/doc/spec/polkit-spec.html @@ -1,10 +1,10 @@ <html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>PolicyKit 0.2 Specification</title><meta name="generator" content="DocBook XSL Stylesheets V1.69.1"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="book" lang="en"><div class="titlepage"><div><div><h1 class="title"><a name="index"></a>PolicyKit 0.2 Specification</h1></div><div><div class="authorgroup"><div class="author"><h3 class="author"><span class="firstname">David</span> <span class="surname">Zeuthen</span></h3><div class="affiliation"><div class="address"><p><br> <code class="email"><<a href="mailto:david@fubar.dk">david@fubar.dk</a>></code><br> - </p></div></div></div></div></div><div><p class="releaseinfo">Version 0.2</p></div></div><hr></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="chapter"><a href="#introduction">1. Introduction</a></span></dt><dd><dl><dt><span class="sect1"><a href="#id2789999">About</a></span></dt></dl></dd><dt><span class="chapter"><a href="#operation">2. Theory of operation</a></span></dt><dd><dl><dt><span class="sect1"><a href="#id2790022">Privileges</a></span></dt><dt><span class="sect1"><a href="#id2820713">Architecture</a></span></dt><dt><span class="sect1"><a href="#id2785230">Example</a></span></dt></dl></dd><dt><span class="chapter"><a href="#resources">3. Resources</a></span></dt><dd><dl><dt><span class="sect1"><a href="#id2785455">Resource Identifiers</a></span></dt></dl></dd><dt><span class="chapter"><a href="#privileges">4. Privileges</a></span></dt><dd><dl><dt><span class="sect1"><a href="#id2789259">Privilege Descriptors</a></span></dt><dt><span class="sect1"><a href="#id2789336">File Format</a></span></dt><dd><dl><dt><span class="sect2"><a href="#id2789361"><code class="literal">RequiredPrivileges</code>: Required Privileges</a></span></dt><dt><span class="sect2"><a href="#id2789390"><code class="literal">SufficientPrivileges</code>: Sufficient Privileges</a></span></dt><dt><span class="sect2"><a href="#id2789423"><code class="literal">Allow, Deny</code>: Criteria for Possesing a Privilege</a></span></dt><dt><span class="sect2"><a href="#can-obtain"><code class="literal">CanObtain</code>: Obtaining Privileges</a></span></dt><dt><span class="sect2"><a href="#id2785054"><code class="literal">CanGrant</code>: Granting Privileges</a></span></dt><dt><span class="sect2"><a href="#id2829707"><code class="literal">ObtainRequireRoot</code>: Authentication Requirements</a></span></dt></dl></dd><dt><span class="sect1"><a href="#privs-by-polkit">Privileges defined by PolicyKit</a></span></dt><dd><dl><dt><span class="sect2"><a href="#priv-desktop-console"><code class="literal">desktop-console</code> : Users at a local console</a></span></dt></dl></dd></dl></dd></dl></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="introduction"></a>Chapter 1. Introduction</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="#id2789999">About</a></span></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2789999"></a>About</h2></div></div></div><p> + </p></div></div></div></div></div><div><p class="releaseinfo">Version 0.2</p></div></div><hr></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="chapter"><a href="#introduction">1. Introduction</a></span></dt><dd><dl><dt><span class="sect1"><a href="#id2484164">About</a></span></dt></dl></dd><dt><span class="chapter"><a href="#operation">2. Theory of operation</a></span></dt><dd><dl><dt><span class="sect1"><a href="#id2484188">Privileges</a></span></dt><dt><span class="sect1"><a href="#id2514878">Architecture</a></span></dt><dt><span class="sect1"><a href="#id2479395">Example</a></span></dt></dl></dd><dt><span class="chapter"><a href="#resources">3. Resources</a></span></dt><dd><dl><dt><span class="sect1"><a href="#id2479620">Resource Identifiers</a></span></dt></dl></dd><dt><span class="chapter"><a href="#privileges">4. Privileges</a></span></dt><dd><dl><dt><span class="sect1"><a href="#id2483424">Privilege Descriptors</a></span></dt><dt><span class="sect1"><a href="#id2483501">File Format</a></span></dt><dd><dl><dt><span class="sect2"><a href="#id2483526"><code class="literal">RequiredPrivileges</code>: Required Privileges</a></span></dt><dt><span class="sect2"><a href="#id2483555"><code class="literal">SufficientPrivileges</code>: Sufficient Privileges</a></span></dt><dt><span class="sect2"><a href="#id2483588"><code class="literal">Allow, Deny</code>: Criteria for Possesing a Privilege</a></span></dt><dt><span class="sect2"><a href="#can-obtain"><code class="literal">CanObtain</code>: Obtaining Privileges</a></span></dt><dt><span class="sect2"><a href="#id2479219"><code class="literal">CanGrant</code>: Granting Privileges</a></span></dt><dt><span class="sect2"><a href="#id2523872"><code class="literal">ObtainRequireRoot</code>: Authentication Requirements</a></span></dt></dl></dd><dt><span class="sect1"><a href="#privs-by-polkit">Privileges defined by PolicyKit</a></span></dt><dd><dl><dt><span class="sect2"><a href="#priv-desktop-console"><code class="literal">desktop-console</code> : Users at a local console</a></span></dt></dl></dd></dl></dd></dl></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="introduction"></a>Chapter 1. Introduction</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="#id2484164">About</a></span></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2484164"></a>About</h2></div></div></div><p> PolicyKit is a system for enabling unprivileged desktop applications to invoke privileged methods on system-wide components in a controlled manner. - </p></div></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="operation"></a>Chapter 2. Theory of operation</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="#id2790022">Privileges</a></span></dt><dt><span class="sect1"><a href="#id2820713">Architecture</a></span></dt><dt><span class="sect1"><a href="#id2785230">Example</a></span></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2790022"></a>Privileges</h2></div></div></div><p> + </p></div></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="operation"></a>Chapter 2. Theory of operation</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="#id2484188">Privileges</a></span></dt><dt><span class="sect1"><a href="#id2514878">Architecture</a></span></dt><dt><span class="sect1"><a href="#id2479395">Example</a></span></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2484188"></a>Privileges</h2></div></div></div><p> One major concept of the PolicyKit system is the notion of privileges; a <span class="emphasis"><em>PolicyKit privilege</em></span> (referred to simply as @@ -17,7 +17,7 @@ allowed to invoke a method, the system level component defines a set of <span class="emphasis"><em>privileges</em></span>. - </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2820713"></a>Architecture</h2></div></div></div><p> + </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2514878"></a>Architecture</h2></div></div></div><p> The PolicyKit system is basically client/server and is implemented as the system-wide <code class="literal">org.freedesktop.PolicyKit</code> D-BUS @@ -34,7 +34,7 @@ In addition, the PolicyKit system includes client side libraries and command-line utilities wrapping the D-BUS API of the <code class="literal">org.freedesktop.PolicyKit</code> service. - </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2785230"></a>Example</h2></div></div></div><p> + </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2479395"></a>Example</h2></div></div></div><p> As an example, HAL exports the method <code class="literal">Mount</code> on the <code class="literal">org.freedesktop.Hal.Device.Volume</code> interface @@ -96,20 +96,20 @@ <img src="polkit-arch.png"> </p><p> The whole example is outlined in the diagram above. - </p></div></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="resources"></a>Chapter 3. Resources</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="#id2785455">Resource Identifiers</a></span></dt></dl></div><p> + </p></div></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="resources"></a>Chapter 3. Resources</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="#id2479620">Resource Identifiers</a></span></dt></dl></div><p> PolicyKit allows granting privileges only on certain <span class="emphasis"><em>resources</em></span>. For example, for HAL, it is possible to grant the privilege <span class="emphasis"><em>hal-storage-fixed-mount</em></span> to the user with uid 500 but only for the HAL device object representing e.g. the <code class="literal">/dev/hda3</code> partition. - </p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2785455"></a>Resource Identifiers</h2></div></div></div><p> Resource identifers are prefixed with a name identifying + </p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2479620"></a>Resource Identifiers</h2></div></div></div><p> Resource identifers are prefixed with a name identifying what service they belong to. The following resource identifiers are defined </p><div class="itemizedlist"><ul type="disc"><li><p> <code class="literal">hal://</code> HAL Unique Device Identifiers also known as HAL UID's. Example: <code class="literal">hal:///org/freedesktop/Hal/devices/volume_uuid_1a28b356_9955_44f9_b268_6ed6639978f5</code> - </p></li></ul></div></div></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="privileges"></a>Chapter 4. Privileges</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="#id2789259">Privilege Descriptors</a></span></dt><dt><span class="sect1"><a href="#id2789336">File Format</a></span></dt><dd><dl><dt><span class="sect2"><a href="#id2789361"><code class="literal">RequiredPrivileges</code>: Required Privileges</a></span></dt><dt><span class="sect2"><a href="#id2789390"><code class="literal">SufficientPrivileges</code>: Sufficient Privileges</a></span></dt><dt><span class="sect2"><a href="#id2789423"><code class="literal">Allow, Deny</code>: Criteria for Possesing a Privilege</a></span></dt><dt><span class="sect2"><a href="#can-obtain"><code class="literal">CanObtain</code>: Obtaining Privileges</a></span></dt><dt><span class="sect2"><a href="#id2785054"><code class="literal">CanGrant</code>: Granting Privileges</a></span></dt><dt><span class="sect2"><a href="#id2829707"><code class="literal">ObtainRequireRoot</code>: Authentication Requirements</a></span></dt></dl></dd><dt><span class="sect1"><a href="#privs-by-polkit">Privileges defined by PolicyKit</a></span></dt><dd><dl><dt><span class="sect2"><a href="#priv-desktop-console"><code class="literal">desktop-console</code> : Users at a local console</a></span></dt></dl></dd></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2789259"></a>Privilege Descriptors</h2></div></div></div><p> + </p></li></ul></div></div></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="privileges"></a>Chapter 4. Privileges</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="#id2483424">Privilege Descriptors</a></span></dt><dt><span class="sect1"><a href="#id2483501">File Format</a></span></dt><dd><dl><dt><span class="sect2"><a href="#id2483526"><code class="literal">RequiredPrivileges</code>: Required Privileges</a></span></dt><dt><span class="sect2"><a href="#id2483555"><code class="literal">SufficientPrivileges</code>: Sufficient Privileges</a></span></dt><dt><span class="sect2"><a href="#id2483588"><code class="literal">Allow, Deny</code>: Criteria for Possesing a Privilege</a></span></dt><dt><span class="sect2"><a href="#can-obtain"><code class="literal">CanObtain</code>: Obtaining Privileges</a></span></dt><dt><span class="sect2"><a href="#id2479219"><code class="literal">CanGrant</code>: Granting Privileges</a></span></dt><dt><span class="sect2"><a href="#id2523872"><code class="literal">ObtainRequireRoot</code>: Authentication Requirements</a></span></dt></dl></dd><dt><span class="sect1"><a href="#privs-by-polkit">Privileges defined by PolicyKit</a></span></dt><dd><dl><dt><span class="sect2"><a href="#priv-desktop-console"><code class="literal">desktop-console</code> : Users at a local console</a></span></dt></dl></dd></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2483424"></a>Privilege Descriptors</h2></div></div></div><p> Applications, such as HAL, installs <span class="emphasis"><em>privilege descriptors</em></span> into the <code class="literal">/etc/PolicyKit/privilege.d</code> directory @@ -128,7 +128,7 @@ Information on whether the user can obtain the privilege, and if he can, whether only temporarily or permanently. </p></li><li><p> Whether a user with the privilege may permanently grant it to other users. - </p></li></ul></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2789336"></a>File Format</h2></div></div></div><p> + </p></li></ul></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2483501"></a>File Format</h2></div></div></div><p> A developer of a system-wide application wanting to define a privilege must create a privilege descriptor. This is a a simple <code class="literal">.ini</code>-like config file. Here is what @@ -142,7 +142,7 @@ CanObtain= CanGrant= ObtainRequireRoot= - </pre><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2789361"></a><code class="literal">RequiredPrivileges</code>: Required Privileges</h3></div></div></div><p> + </pre><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2483526"></a><code class="literal">RequiredPrivileges</code>: Required Privileges</h3></div></div></div><p> This is a list of privileges the user must possess in order to possess the given privilege. If the user doesn't possess all of these privileges he is not considered to possess the @@ -151,7 +151,7 @@ for one or more resources. E.g., if <code class="literal">foo</code> is a required privilege then just having this privilege on one resource is sufficient. - </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2789390"></a><code class="literal">SufficientPrivileges</code>: Sufficient Privileges</h3></div></div></div><p> + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2483555"></a><code class="literal">SufficientPrivileges</code>: Sufficient Privileges</h3></div></div></div><p> This is a list of privileges that, if a user possess any of these, he is consider to possess the given privilege. The list may be empty. A privilege in this list is considered @@ -159,7 +159,7 @@ resources. As with <code class="literal">RequiredPrivileges</code>, if <code class="literal">foo</code> is a sufficient privilege then just having this privilege on one resource is sufficient. - </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2789423"></a><code class="literal">Allow, Deny</code>: Criteria for Possesing a Privilege</h3></div></div></div><p> + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2483588"></a><code class="literal">Allow, Deny</code>: Criteria for Possesing a Privilege</h3></div></div></div><p> Both <code class="literal">Allow</code> and <code class="literal">Deny</code> contains lists describing what users are allowed respectively denied the privilege. The elements of in each @@ -258,7 +258,7 @@ has <code class="literal">CanObtain</code> set to <code class="literal">False</code>, the user will always have to authenticate as the super user. - </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2785054"></a><code class="literal">CanGrant</code>: Granting Privileges</h3></div></div></div><p> + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2479219"></a><code class="literal">CanGrant</code>: Granting Privileges</h3></div></div></div><p> This property (it can assume the values <code class="literal">True</code> and <code class="literal">False</code>) describes whether an user with the given privilege can @@ -289,7 +289,7 @@ the value <code class="literal">True</code> if this property assumes the value <code class="literal">True</code>. Otherwise this property effectively assumes the value <code class="literal">False</code>. - </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2829707"></a><code class="literal">ObtainRequireRoot</code>: Authentication Requirements</h3></div></div></div><p> + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2523872"></a><code class="literal">ObtainRequireRoot</code>: Authentication Requirements</h3></div></div></div><p> If the property <code class="literal">CanObtain</code> assumes the value <code class="literal">True</code> or <code class="literal">Temporary</code> it means the user can diff --git a/pam-polkit-console/pam-polkit-console.c b/pam-polkit-console/pam-polkit-console.c index 353d596..9e8da11 100644 --- a/pam-polkit-console/pam-polkit-console.c +++ b/pam-polkit-console/pam-polkit-console.c @@ -37,11 +37,16 @@ #include <unistd.h> #include <stdio.h> #include <signal.h> +#include <stdarg.h> #include <security/pam_modules.h> #include <security/_pam_macros.h> +#ifdef HAVE_PAM_MODUTIL_H #include <security/pam_modutil.h> +#endif +#ifdef HAVE_PAM_EXT_H #include <security/pam_ext.h> +#endif #ifndef FALSE #define FALSE 0 @@ -64,7 +69,9 @@ _pam_log (pam_handle_t *pamh, return; va_start (args, format); +#ifdef HAVE_PAM_VSYSLOG pam_vsyslog (pamh, err, format, args); +#endif closelog (); } |