make polkit-grant-helper-pam out of reach for normal users

author David Zeuthen <davidz@redhat.com>

Fri, 31 Aug 2007 17:51:10 +0000 (13:51 -0400)

committer David Zeuthen <davidz@redhat.com>

Fri, 31 Aug 2007 17:51:10 +0000 (13:51 -0400)
author David Zeuthen <davidz@redhat.com>
Fri, 31 Aug 2007 17:51:10 +0000 (13:51 -0400)
committer David Zeuthen <davidz@redhat.com>
Fri, 31 Aug 2007 17:51:10 +0000 (13:51 -0400)
diff --git a/polkit-grant/Makefile.am b/polkit-grant/Makefile.am

index 8c876ef..d888624 100644 (file)
--- a/polkit-grant/Makefile.am
+++ b/polkit-grant/Makefile.am
@@ -42,9 +42,12 @@ clean-local :
  #
  # polkit-grant-helper-pam need to be setuid root because it's used to
  # authenticate not only the invoking user, but possibly also root
-# and/or other users.
+# and/or other users. As only polkit-grant-helper will invoke it
+# we make it owned by the polkitiuser group and non-readable / 
+# non-executable to the world
  #
  install-data-local:
         -chown :$(POLKIT_GROUP) $(DESTDIR)$(libexecdir)/polkit-grant-helper
         -chmod 2755 $(DESTDIR)$(libexecdir)/polkit-grant-helper
-       -chmod 4755 $(DESTDIR)$(libexecdir)/polkit-grant-helper-pam
+       -chown :$(POLKIT_GROUP) $(DESTDIR)$(libexecdir)/polkit-grant-helper-pam
+       -chmod 4750 $(DESTDIR)$(libexecdir)/polkit-grant-helper-pam
author	David Zeuthen <davidz@redhat.com>
	Fri, 31 Aug 2007 17:51:10 +0000 (13:51 -0400)
committer	David Zeuthen <davidz@redhat.com>
	Fri, 31 Aug 2007 17:51:10 +0000 (13:51 -0400)