Make netgroup support optional

On at least Linux/musl and Linux/uclibc, netgroup support is not
available.  PolKit fails to compile on these systems for that reason.

This change makes netgroup support conditional on the presence of the
setnetgrent(3) function which is required for the support to work.  If
that function is not available on the system, an error will be returned
to the administrator if unix-netgroup: is specified in configuration.

(sam: rebased for Meson and Duktape.)

Closes: https://gitlab.freedesktop.org/polkit/polkit/-/issues/14
Closes: https://gitlab.freedesktop.org/polkit/polkit/-/issues/163
Closes: https://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/52
Signed-off-by: A. Wilcox <AWilcox@Wilcox-Tech.com>

5 files changed, 32 insertions, 8 deletions

diff --git a/src/polkit/polkitidentity.c b/src/polkit/polkitidentity.c
index 3aa1f7f..793f17d 100644
--- a/src/polkit/polkitidentity.c
+++ b/src/polkit/polkitidentity.c
@@ -182,7 +182,15 @@ polkit_identity_from_string  (const gchar   *str,
     }
   else if (g_str_has_prefix (str, "unix-netgroup:"))
     {
+#ifndef HAVE_SETNETGRENT
+      g_set_error (error,
+                   POLKIT_ERROR,
+                   POLKIT_ERROR_FAILED,
+                   "Netgroups are not available on this machine ('%s')",
+                   str);
+#else
       identity = polkit_unix_netgroup_new (str + sizeof "unix-netgroup:" - 1);
+#endif
     }
 
   if (identity == NULL && (error != NULL && *error == NULL))
@@ -344,6 +352,14 @@ polkit_identity_new_for_gvariant (GVariant  *variant,
       GVariant *v;
       const char *name;
 
+#ifndef HAVE_SETNETGRENT
+      g_set_error (error,
+                   POLKIT_ERROR,
+                   POLKIT_ERROR_FAILED,
+                   "Netgroups are not available on this machine");
+      goto out;
+#else
+
       v = lookup_asv (details_gvariant, "name", G_VARIANT_TYPE_STRING, error);
       if (v == NULL)
         {
@@ -353,6 +369,7 @@ polkit_identity_new_for_gvariant (GVariant  *variant,
       name = g_variant_get_string (v, NULL);
       ret = polkit_unix_netgroup_new (name);
       g_variant_unref (v);
+#endif
     }
   else
     {
diff --git a/src/polkit/polkitunixnetgroup.c b/src/polkit/polkitunixnetgroup.c
index 8a2b369..83f8d4a 100644
--- a/src/polkit/polkitunixnetgroup.c
+++ b/src/polkit/polkitunixnetgroup.c
@@ -194,6 +194,9 @@ polkit_unix_netgroup_set_name (PolkitUnixNetgroup *group,
 PolkitIdentity *
 polkit_unix_netgroup_new (const gchar *name)
 {
+#ifndef HAVE_SETNETGRENT
+  g_assert_not_reached();
+#endif
   g_return_val_if_fail (name != NULL, NULL);
   return POLKIT_IDENTITY (g_object_new (POLKIT_TYPE_UNIX_NETGROUP,
                                        "name", name,
diff --git a/src/polkitbackend/polkitbackendduktapeauthority.c b/src/polkitbackend/polkitbackendduktapeauthority.c
index c89dbcf..f4b4304 100644
--- a/src/polkitbackend/polkitbackendduktapeauthority.c
+++ b/src/polkitbackend/polkitbackendduktapeauthority.c
@@ -1035,7 +1035,7 @@ js_polkit_user_is_in_netgroup (duk_context *cx)
 
   user = duk_require_string (cx, 0);
   netgroup = duk_require_string (cx, 1);
-
+#ifdef HAVE_SETNETGRENT
   if (innetgr (netgroup,
                NULL,  /* host */
                user,
@@ -1043,7 +1043,7 @@ js_polkit_user_is_in_netgroup (duk_context *cx)
     {
       is_in_netgroup = TRUE;
     }
-
+#endif
   duk_push_boolean (cx, is_in_netgroup);
   return 1;
 }
diff --git a/src/polkitbackend/polkitbackendinteractiveauthority.c b/src/polkitbackend/polkitbackendinteractiveauthority.c
index d935a7a..1cfc88e 100644
--- a/src/polkitbackend/polkitbackendinteractiveauthority.c
+++ b/src/polkitbackend/polkitbackendinteractiveauthority.c
@@ -2248,25 +2248,26 @@ get_users_in_net_group (PolkitIdentity                    *group,
   GList *ret;
 
   ret = NULL;
+#ifdef HAVE_SETNETGRENT
   name = polkit_unix_netgroup_get_name (POLKIT_UNIX_NETGROUP (group));
 
-#ifdef HAVE_SETNETGRENT_RETURN
+# ifdef HAVE_SETNETGRENT_RETURN
   if (setnetgrent (name) == 0)
     {
       g_warning ("Error looking up net group with name %s: %s", name, g_strerror (errno));
       goto out;
     }
-#else
+# else
   setnetgrent (name);
-#endif
+# endif /* HAVE_SETNETGRENT_RETURN */
 
   for (;;)
     {
-#if defined(HAVE_NETBSD) || defined(HAVE_OPENBSD)
+# if defined(HAVE_NETBSD) || defined(HAVE_OPENBSD)
       const char *hostname, *username, *domainname;
-#else
+# else
       char *hostname, *username, *domainname;
-#endif
+# endif /* defined(HAVE_NETBSD) || defined(HAVE_OPENBSD) */
       PolkitIdentity *user;
       GError *error = NULL;
 
@@ -2297,6 +2298,7 @@ get_users_in_net_group (PolkitIdentity                    *group,
 
  out:
   endnetgrent ();
+#endif /* HAVE_SETNETGRENT */
   return ret;
 }
 
diff --git a/src/polkitbackend/polkitbackendjsauthority.cpp b/src/polkitbackend/polkitbackendjsauthority.cpp
index 2568e8e..999269b 100644
--- a/src/polkitbackend/polkitbackendjsauthority.cpp
+++ b/src/polkitbackend/polkitbackendjsauthority.cpp
@@ -1271,6 +1271,7 @@ js_polkit_user_is_in_netgroup (JSContext  *cx,
 
   JS::CallArgs args = JS::CallArgsFromVp (argc, vp);
 
+#ifdef HAVE_SETNETGRENT
   JS::RootedString usrstr (authority->priv->cx);
   usrstr = args[0].toString();
   user = JS_EncodeStringToUTF8 (cx, usrstr);
@@ -1285,6 +1286,7 @@ js_polkit_user_is_in_netgroup (JSContext  *cx,
     {
       is_in_netgroup =  true;
     }
+#endif
 
   ret = true;