Patch from Frederic Peters <fpeters@entrouvert.com>. jhbuild monitors files

author David Zeuthen <david@fubar.dk>

Tue, 6 Jun 2006 14:48:27 +0000 (14:48 +0000)

committer David Zeuthen <david@fubar.dk>

Tue, 6 Jun 2006 14:48:27 +0000 (14:48 +0000)
author David Zeuthen <david@fubar.dk>
Tue, 6 Jun 2006 14:48:27 +0000 (14:48 +0000)
committer David Zeuthen <david@fubar.dk>
Tue, 6 Jun 2006 14:48:27 +0000 (14:48 +0000)
diff --git a/ChangeLog b/ChangeLog

index 2928a6f..186b2b5 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,18 @@
  2006-06-06  David Zeuthen  <davidz@redhat.com>
  
+       Patch from Frederic Peters <fpeters@entrouvert.com>. jhbuild
+       monitors files being installed and prevents them from being
+       written out of its target directory.  This means HAL now prevents
+       jhautobuild[1] to complete since pam-polkit-console hardcodes
+       /lib/security. Attached is a patch with a configure
+       option (--with-pam-module-dir) so it is possible to set an other
+       directory. [1] http://jhbuild.bxlug.be
+
+       * pam-polkit-console/Makefile.am: 
+       * configure.in: 
+
+2006-06-06  David Zeuthen  <davidz@redhat.com>
+
         Patch from Frederic Peters <fpeters@entrouvert.com>.
         http://jhbuild.bxlug.be/builds/2006-06-06-0000/logs/PolicyKit/#build
         shows a error when building newest PolicyKit with Debian PAM
diff --git a/configure.in b/configure.in

index ff053c0..ff061fd 100644 (file)
--- a/configure.in
+++ b/configure.in
@@ -266,6 +266,17 @@ AC_CHECK_HEADER(security/pam_modutil.h, [AC_DEFINE(HAVE_PAM_MODUTIL_H, [], "Have
  AC_CHECK_HEADER(security/pam_ext.h, [AC_DEFINE(HAVE_PAM_EXT_H, [], "Have pam_ext.h")])
  AC_CHECK_LIB(pam, pam_vsyslog, [AC_DEFINE(HAVE_PAM_VSYSLOG, [], "Have pam_vsyslog")])
  
+
+AC_ARG_WITH(pam-module-dir, [  --with-pam-module-dir=[dirname]  directory to install PAM security module])
+if ! test -z "$with_pam_module_dir"; then
+    PAM_MODULE_DIR=$with_pam_module_dir
+else
+    PAM_MODULE_DIR="/lib/security"
+fi
+
+AC_SUBST(PAM_MODULE_DIR)
+
+
  AC_ARG_WITH(os-type,     [  --with-os-type=<os>        distribution or OS (redhat)])
  
  #### Check our operating system (distro-tweaks required)
@@ -378,6 +389,7 @@ echo "
          localstatedir:              ${LOCALSTATEDIR}
          docdir:                     ${DOCDIR}
          PAM prefix:                 ${PAM_PREFIX}
+       PAM module dir:             ${PAM_MODULE_DIR}
  
          compiler:                   ${CC}
          cflags:                     ${CFLAGS}
diff --git a/doc/spec/polkit-spec.html b/doc/spec/polkit-spec.html

index 3646f64..51f6195 100644 (file)
--- a/doc/spec/polkit-spec.html
+++ b/doc/spec/polkit-spec.html
@@ -1,10 +1,10 @@
  <html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>PolicyKit 0.2 Specification</title><meta name="generator" content="DocBook XSL Stylesheets V1.69.1"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="book" lang="en"><div class="titlepage"><div><div><h1 class="title"><a name="index"></a>PolicyKit 0.2 Specification</h1></div><div><div class="authorgroup"><div class="author"><h3 class="author"><span class="firstname">David</span> <span class="surname">Zeuthen</span></h3><div class="affiliation"><div class="address"><p><br>
             <code class="email">&lt;<a href="mailto:david@fubar.dk">david@fubar.dk</a>&gt;</code><br>
-         </p></div></div></div></div></div><div><p class="releaseinfo">Version 0.2</p></div></div><hr></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="chapter"><a href="#introduction">1. Introduction</a></span></dt><dd><dl><dt><span class="sect1"><a href="#id2484164">About</a></span></dt></dl></dd><dt><span class="chapter"><a href="#operation">2. Theory of operation</a></span></dt><dd><dl><dt><span class="sect1"><a href="#id2484188">Privileges</a></span></dt><dt><span class="sect1"><a href="#id2514878">Architecture</a></span></dt><dt><span class="sect1"><a href="#id2479395">Example</a></span></dt></dl></dd><dt><span class="chapter"><a href="#resources">3. Resources</a></span></dt><dd><dl><dt><span class="sect1"><a href="#id2479620">Resource Identifiers</a></span></dt></dl></dd><dt><span class="chapter"><a href="#privileges">4. Privileges</a></span></dt><dd><dl><dt><span class="sect1"><a href="#id2483424">Privilege Descriptors</a></span></dt><dt><span class="sect1"><a href="#id2483501">File Format</a></span></dt><dd><dl><dt><span class="sect2"><a href="#id2483526"><code class="literal">RequiredPrivileges</code>: Required Privileges</a></span></dt><dt><span class="sect2"><a href="#id2483555"><code class="literal">SufficientPrivileges</code>: Sufficient Privileges</a></span></dt><dt><span class="sect2"><a href="#id2483588"><code class="literal">Allow, Deny</code>: Criteria for Possesing a Privilege</a></span></dt><dt><span class="sect2"><a href="#can-obtain"><code class="literal">CanObtain</code>: Obtaining Privileges</a></span></dt><dt><span class="sect2"><a href="#id2479219"><code class="literal">CanGrant</code>: Granting Privileges</a></span></dt><dt><span class="sect2"><a href="#id2523872"><code class="literal">ObtainRequireRoot</code>: Authentication Requirements</a></span></dt></dl></dd><dt><span class="sect1"><a href="#privs-by-polkit">Privileges defined by PolicyKit</a></span></dt><dd><dl><dt><span class="sect2"><a href="#priv-desktop-console"><code class="literal">desktop-console</code> : Users at a local console</a></span></dt></dl></dd></dl></dd></dl></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="introduction"></a>Chapter 1. Introduction</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="#id2484164">About</a></span></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2484164"></a>About</h2></div></div></div><p>
+         </p></div></div></div></div></div><div><p class="releaseinfo">Version 0.2</p></div></div><hr></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="chapter"><a href="#introduction">1. Introduction</a></span></dt><dd><dl><dt><span class="sect1"><a href="#id2867132">About</a></span></dt></dl></dd><dt><span class="chapter"><a href="#operation">2. Theory of operation</a></span></dt><dd><dl><dt><span class="sect1"><a href="#id2867155">Privileges</a></span></dt><dt><span class="sect1"><a href="#id2897848">Architecture</a></span></dt><dt><span class="sect1"><a href="#id2862356">Example</a></span></dt></dl></dd><dt><span class="chapter"><a href="#resources">3. Resources</a></span></dt><dd><dl><dt><span class="sect1"><a href="#id2862581">Resource Identifiers</a></span></dt></dl></dd><dt><span class="chapter"><a href="#privileges">4. Privileges</a></span></dt><dd><dl><dt><span class="sect1"><a href="#id2866392">Privilege Descriptors</a></span></dt><dt><span class="sect1"><a href="#id2866469">File Format</a></span></dt><dd><dl><dt><span class="sect2"><a href="#id2866494"><code class="literal">RequiredPrivileges</code>: Required Privileges</a></span></dt><dt><span class="sect2"><a href="#id2866523"><code class="literal">SufficientPrivileges</code>: Sufficient Privileges</a></span></dt><dt><span class="sect2"><a href="#id2866556"><code class="literal">Allow, Deny</code>: Criteria for Possesing a Privilege</a></span></dt><dt><span class="sect2"><a href="#can-obtain"><code class="literal">CanObtain</code>: Obtaining Privileges</a></span></dt><dt><span class="sect2"><a href="#id2862178"><code class="literal">CanGrant</code>: Granting Privileges</a></span></dt><dt><span class="sect2"><a href="#id2906842"><code class="literal">ObtainRequireRoot</code>: Authentication Requirements</a></span></dt></dl></dd><dt><span class="sect1"><a href="#privs-by-polkit">Privileges defined by PolicyKit</a></span></dt><dd><dl><dt><span class="sect2"><a href="#priv-desktop-console"><code class="literal">desktop-console</code> : Users at a local console</a></span></dt></dl></dd></dl></dd></dl></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="introduction"></a>Chapter 1. Introduction</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="#id2867132">About</a></span></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2867132"></a>About</h2></div></div></div><p>
         PolicyKit is a system for enabling unprivileged desktop
         applications to invoke privileged methods on system-wide
         components in a controlled manner.
-      </p></div></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="operation"></a>Chapter 2. Theory of operation</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="#id2484188">Privileges</a></span></dt><dt><span class="sect1"><a href="#id2514878">Architecture</a></span></dt><dt><span class="sect1"><a href="#id2479395">Example</a></span></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2484188"></a>Privileges</h2></div></div></div><p>
+      </p></div></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="operation"></a>Chapter 2. Theory of operation</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="#id2867155">Privileges</a></span></dt><dt><span class="sect1"><a href="#id2897848">Architecture</a></span></dt><dt><span class="sect1"><a href="#id2862356">Example</a></span></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2867155"></a>Privileges</h2></div></div></div><p>
         One major concept of the PolicyKit system is the notion of
         privileges; a <span class="emphasis"><em>PolicyKit privilege</em></span>
         (referred to simply as
@@ -17,7 +17,7 @@
         allowed to invoke a method, the system level component defines
         a set of
         <span class="emphasis"><em>privileges</em></span>. 
-      </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2514878"></a>Architecture</h2></div></div></div><p>
+      </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2897848"></a>Architecture</h2></div></div></div><p>
         The PolicyKit system is basically client/server and is
         implemented as the
         system-wide <code class="literal">org.freedesktop.PolicyKit</code> D-BUS
@@ -34,7 +34,7 @@
         In addition, the PolicyKit system includes client side
         libraries and command-line utilities wrapping the D-BUS API of
         the <code class="literal">org.freedesktop.PolicyKit</code> service.
-      </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2479395"></a>Example</h2></div></div></div><p>
+      </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2862356"></a>Example</h2></div></div></div><p>
         As an example, HAL exports the method <code class="literal">Mount</code>
         on the
         <code class="literal">org.freedesktop.Hal.Device.Volume</code> interface
@@ -96,20 +96,20 @@
         <img src="polkit-arch.png">
        </p><p>
         The whole example is outlined in the diagram above.
-      </p></div></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="resources"></a>Chapter 3. Resources</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="#id2479620">Resource Identifiers</a></span></dt></dl></div><p>
+      </p></div></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="resources"></a>Chapter 3. Resources</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="#id2862581">Resource Identifiers</a></span></dt></dl></div><p>
        PolicyKit allows granting privileges only on
        certain <span class="emphasis"><em>resources</em></span>. For example, for HAL, it
        is possible to grant the
        privilege <span class="emphasis"><em>hal-storage-fixed-mount</em></span> to the
        user with uid 500 but only for the HAL device object
        representing e.g. the <code class="literal">/dev/hda3</code> partition.
-    </p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2479620"></a>Resource Identifiers</h2></div></div></div><p> Resource identifers are prefixed with a name identifying
+    </p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2862581"></a>Resource Identifiers</h2></div></div></div><p> Resource identifers are prefixed with a name identifying
         what service they belong to. The following resource
         identifiers are defined
        </p><div class="itemizedlist"><ul type="disc"><li><p>
             <code class="literal">hal://</code>
             HAL Unique Device Identifiers also known as HAL UID's. Example: <code class="literal">hal:///org/freedesktop/Hal/devices/volume_uuid_1a28b356_9955_44f9_b268_6ed6639978f5</code>
-          </p></li></ul></div></div></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="privileges"></a>Chapter 4. Privileges</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="#id2483424">Privilege Descriptors</a></span></dt><dt><span class="sect1"><a href="#id2483501">File Format</a></span></dt><dd><dl><dt><span class="sect2"><a href="#id2483526"><code class="literal">RequiredPrivileges</code>: Required Privileges</a></span></dt><dt><span class="sect2"><a href="#id2483555"><code class="literal">SufficientPrivileges</code>: Sufficient Privileges</a></span></dt><dt><span class="sect2"><a href="#id2483588"><code class="literal">Allow, Deny</code>: Criteria for Possesing a Privilege</a></span></dt><dt><span class="sect2"><a href="#can-obtain"><code class="literal">CanObtain</code>: Obtaining Privileges</a></span></dt><dt><span class="sect2"><a href="#id2479219"><code class="literal">CanGrant</code>: Granting Privileges</a></span></dt><dt><span class="sect2"><a href="#id2523872"><code class="literal">ObtainRequireRoot</code>: Authentication Requirements</a></span></dt></dl></dd><dt><span class="sect1"><a href="#privs-by-polkit">Privileges defined by PolicyKit</a></span></dt><dd><dl><dt><span class="sect2"><a href="#priv-desktop-console"><code class="literal">desktop-console</code> : Users at a local console</a></span></dt></dl></dd></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2483424"></a>Privilege Descriptors</h2></div></div></div><p> 
+          </p></li></ul></div></div></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="privileges"></a>Chapter 4. Privileges</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="#id2866392">Privilege Descriptors</a></span></dt><dt><span class="sect1"><a href="#id2866469">File Format</a></span></dt><dd><dl><dt><span class="sect2"><a href="#id2866494"><code class="literal">RequiredPrivileges</code>: Required Privileges</a></span></dt><dt><span class="sect2"><a href="#id2866523"><code class="literal">SufficientPrivileges</code>: Sufficient Privileges</a></span></dt><dt><span class="sect2"><a href="#id2866556"><code class="literal">Allow, Deny</code>: Criteria for Possesing a Privilege</a></span></dt><dt><span class="sect2"><a href="#can-obtain"><code class="literal">CanObtain</code>: Obtaining Privileges</a></span></dt><dt><span class="sect2"><a href="#id2862178"><code class="literal">CanGrant</code>: Granting Privileges</a></span></dt><dt><span class="sect2"><a href="#id2906842"><code class="literal">ObtainRequireRoot</code>: Authentication Requirements</a></span></dt></dl></dd><dt><span class="sect1"><a href="#privs-by-polkit">Privileges defined by PolicyKit</a></span></dt><dd><dl><dt><span class="sect2"><a href="#priv-desktop-console"><code class="literal">desktop-console</code> : Users at a local console</a></span></dt></dl></dd></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2866392"></a>Privilege Descriptors</h2></div></div></div><p> 
         Applications, such as HAL, installs <span class="emphasis"><em>privilege
         descriptors</em></span> into
         the <code class="literal">/etc/PolicyKit/privilege.d</code> directory
@@ -128,7 +128,7 @@
             Information on whether the user can obtain the privilege, and if he can, whether only temporarily or permanently.
            </p></li><li><p>
             Whether a user with the privilege may permanently grant it to other users.
-          </p></li></ul></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2483501"></a>File Format</h2></div></div></div><p>
+          </p></li></ul></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2866469"></a>File Format</h2></div></div></div><p>
         A developer of a system-wide application wanting to define a
         privilege must create a privilege descriptor. This is a a
         simple <code class="literal">.ini</code>-like config file. Here is what
@@ -142,7 +142,7 @@
         CanObtain=
         CanGrant=
         ObtainRequireRoot=
-      </pre><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2483526"></a><code class="literal">RequiredPrivileges</code>: Required Privileges</h3></div></div></div><p>
+      </pre><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2866494"></a><code class="literal">RequiredPrivileges</code>: Required Privileges</h3></div></div></div><p>
           This is a list of privileges the user must possess in order
           to possess the given privilege. If the user doesn't possess
           all of these privileges he is not considered to possess the
@@ -151,7 +151,7 @@
           for one or more resources. E.g., if <code class="literal">foo</code>
           is a required privilege then just having this privilege on
           one resource is sufficient.
-       </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2483555"></a><code class="literal">SufficientPrivileges</code>: Sufficient Privileges</h3></div></div></div><p>
+       </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2866523"></a><code class="literal">SufficientPrivileges</code>: Sufficient Privileges</h3></div></div></div><p>
           This is a list of privileges that, if a user possess any of
           these, he is consider to possess the given privilege. The
           list may be empty.  A privilege in this list is considered
@@ -159,7 +159,7 @@
           resources. As with <code class="literal">RequiredPrivileges</code>,
           if <code class="literal">foo</code> is a sufficient privilege then
           just having this privilege on one resource is sufficient.
-       </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2483588"></a><code class="literal">Allow, Deny</code>: Criteria for Possesing a Privilege</h3></div></div></div><p>
+       </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2866556"></a><code class="literal">Allow, Deny</code>: Criteria for Possesing a Privilege</h3></div></div></div><p>
           Both <code class="literal">Allow</code> and <code class="literal">Deny</code>
           contains lists describing what users are allowed
           respectively denied the privilege. The elements of in each
@@ -258,7 +258,7 @@
           has <code class="literal">CanObtain</code> set
           to <code class="literal">False</code>, the user will always have to
           authenticate as the super user.
-       </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2479219"></a><code class="literal">CanGrant</code>: Granting Privileges</h3></div></div></div><p>
+       </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2862178"></a><code class="literal">CanGrant</code>: Granting Privileges</h3></div></div></div><p>
           This property (it can assume the
           values <code class="literal">True</code> and <code class="literal">False</code>)
           describes whether an user with the given privilege can
@@ -289,7 +289,7 @@
           the value <code class="literal">True</code> if this property assumes
           the value <code class="literal">True</code>. Otherwise this property
           effectively assumes the value <code class="literal">False</code>.
-       </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2523872"></a><code class="literal">ObtainRequireRoot</code>: Authentication Requirements</h3></div></div></div><p>
+       </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2906842"></a><code class="literal">ObtainRequireRoot</code>: Authentication Requirements</h3></div></div></div><p>
           If the property <code class="literal">CanObtain</code> assumes the
           value <code class="literal">True</code>
           or <code class="literal">Temporary</code> it means the user can
diff --git a/pam-polkit-console/Makefile.am b/pam-polkit-console/Makefile.am

index c0592f9..c72ac29 100644 (file)
--- a/pam-polkit-console/Makefile.am
+++ b/pam-polkit-console/Makefile.am
@@ -2,7 +2,7 @@
  LOCKDIR     = $(localstatedir)/run/polkit-console
  LOCKDIRMODE = 0700
  
-securelibdir = /lib/security
+securelibdir = $(PAM_MODULE_DIR)
  securelib_LTLIBRARIES = pam_polkit_console.la
  
  pam_polkit_console_la_LDFLAGS = -no-undefined -avoid-version -module
author	David Zeuthen <david@fubar.dk>
	Tue, 6 Jun 2006 14:48:27 +0000 (14:48 +0000)
committer	David Zeuthen <david@fubar.dk>
	Tue, 6 Jun 2006 14:48:27 +0000 (14:48 +0000)
ChangeLog		patch \| blob \| history
configure.in		patch \| blob \| history
doc/spec/polkit-spec.html		patch \| blob \| history
pam-polkit-console/Makefile.am		patch \| blob \| history