David Zeuthen [Tue, 8 Apr 2008 19:48:38 +0000 (15:48 -0400)]
fix build when tests are disabled
David Zeuthen [Tue, 8 Apr 2008 19:42:46 +0000 (15:42 -0400)]
don't leak the copied authorizations list on OOM
Now the test suite passes again.
David Zeuthen [Tue, 8 Apr 2008 19:41:54 +0000 (15:41 -0400)]
clear the right block when growing a string
David Zeuthen [Tue, 8 Apr 2008 19:41:11 +0000 (15:41 -0400)]
print stack traces for where leaks were allocated
Jim Li [Tue, 8 Apr 2008 16:27:37 +0000 (12:27 -0400)]
add support for Solaris platform
Add support for Solaris platform. The patch contains some implementations
of GNU library extension functions which aren't supported by Solaris,
for instance vasprintf(), strndup(), clearenv(), and clearenv(). It also
rewrites some code which the Sun compiler doesn't support, such as empty
union names.
Kees Cook [Fri, 4 Apr 2008 06:26:30 +0000 (02:26 -0400)]
fix for CVE-2008-1658: format string vulnerability in password input
http://bugs.freedesktop.org/show_bug.cgi?id=15295
David Zeuthen [Mon, 17 Mar 2008 06:27:00 +0000 (02:27 -0400)]
remove more debug spew
David Zeuthen [Mon, 17 Mar 2008 06:26:08 +0000 (02:26 -0400)]
remove debug spew
David Zeuthen [Mon, 17 Mar 2008 06:21:02 +0000 (02:21 -0400)]
invalidate memory cache after revoking one shot authorization
Jim Meyering [Tue, 4 Mar 2008 13:21:29 +0000 (14:21 +0100)]
handle kit_strdup failure.
* tools/polkit-policy-file-validate.c (validate_file):
Signed-off-by: Jim Meyering <meyering@redhat.com>
Signed-off-by: David Zeuthen <davidz@redhat.com>
Jim Meyering [Tue, 4 Mar 2008 13:19:45 +0000 (14:19 +0100)]
avoid unnecessary/leaky use of strdup.
* polkit-grant-helper.c (main): Move the declaration of "buf"
to the outer scope and use a pointer into it, instead.
Signed-off-by: Jim Meyering <meyering@redhat.com>
Signed-off-by: David Zeuthen <davidz@redhat.com>
Jim Meyering [Tue, 4 Mar 2008 13:09:52 +0000 (14:09 +0100)]
(do_auth): rename local: s/buf/password/
Signed-off-by: Jim Meyering <meyering@redhat.com>
Signed-off-by: David Zeuthen <davidz@redhat.com>
Jim Meyering [Tue, 4 Mar 2008 10:14:10 +0000 (11:14 +0100)]
remove unnecessary strdup.
* src/polkit-grant/polkit-grant-helper-shadow.c (do_auth):
Signed-off-by: Jim Meyering <meyering@redhat.com>
Signed-off-by: David Zeuthen <davidz@redhat.com>
Jim Meyering [Tue, 4 Mar 2008 10:12:48 +0000 (11:12 +0100)]
handle kit_strdup_printf failure.
* src/polkit-dbus/polkit-dbus.c (polkit_caller_new_from_pid):
Signed-off-by: Jim Meyering <meyering@redhat.com>
Signed-off-by: David Zeuthen <davidz@redhat.com>
David Zeuthen [Tue, 4 Mar 2008 21:12:43 +0000 (16:12 -0500)]
clarify docs for POLKIT_AUTHORIZATION_CONSTRAINT_TYPE_REQUIRE_EXE
David Zeuthen [Tue, 4 Mar 2008 20:10:24 +0000 (15:10 -0500)]
don't check key/values in KitHash; they are not necessarily pointers
David Zeuthen [Fri, 29 Feb 2008 18:56:24 +0000 (13:56 -0500)]
fix typo in docs for polkit_dbus_error_parse_from_strings()
David Zeuthen [Thu, 28 Feb 2008 17:28:39 +0000 (12:28 -0500)]
also add polkit_dbus_error_parse_from_strings() function
This is useful when using D-Bus bindings, such as dbus-glib, that
don't expose the DBusError object directly.
David Zeuthen [Thu, 28 Feb 2008 01:05:30 +0000 (20:05 -0500)]
add convenience API to consistently report authorization failures over D-Bus
David Zeuthen [Tue, 26 Feb 2008 22:19:31 +0000 (17:19 -0500)]
make polkit-policy-file-validate require that actions are properly packaged
Meaning this bit was added to the spec:
The name of the XML file is significant. Each XML file can only
declare actions from the namespace of its own name; for example
actions org.foobar.action-a, org.foobar.action-b and
org.foobar.action-c would all go into the file org.foobar.policy
while actions com.my-company.product-awesome.action-a,
com.mycompany.product-awesome.action-b would go into the file
com.mycompany.product-awesome.policy.
This is the output of the validator on a broken .policy file:
$ polkit-policy-file-validate /usr/share/PolicyKit/policy/gnome-clock-applet-mechanism.policy
WARNING: The action org.gnome.clockapplet.mechanism.configurehwclock does not
belong in a policy file named gnome-clock-applet-mechanism.policy.
A future version of PolicyKit will ignore this action.
WARNING: The action org.gnome.clockapplet.mechanism.settime does not
belong in a policy file named gnome-clock-applet-mechanism.policy.
A future version of PolicyKit will ignore this action.
WARNING: The action org.gnome.clockapplet.mechanism.settimezone does not
belong in a policy file named gnome-clock-applet-mechanism.policy.
A future version of PolicyKit will ignore this action.
ERROR: /usr/share/PolicyKit/policy/gnome-clock-applet-mechanism.policy did not validate
We currently don't enforce this but will in a future version. The
rationale is that we can avoid loading all .policy files at startup
which would be a performance win.
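The naming rule quoted above ("org.foobar.policy may only declare org.foobar.*") is simple enough to implement and test in a few lines. The following is an added example, not code from the PolicyKit validator: it derives the namespace from the file's basename, requires the action id to continue with a dot after that namespace (so org.foobar.policy does not own org.foobarbaz.x), and prints the same style of warning the commit shows. The function names are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Strip a leading directory and a trailing ".policy" from a path, giving
 * the namespace the file is allowed to declare actions for.  Returns 0 on
 * success, -1 if the name does not end in ".policy" or does not fit. */
int policy_file_namespace(const char *path, char *ns, size_t nslen)
{
    const char *base = strrchr(path, '/');
    base = base ? base + 1 : path;
    size_t blen = strlen(base);
    const char suffix[] = ".policy";
    size_t slen = sizeof(suffix) - 1;
    if (blen <= slen || strcmp(base + blen - slen, suffix) != 0)
        return -1;
    size_t n = blen - slen;
    if (n + 1 > nslen)
        return -1;
    memcpy(ns, base, n);
    ns[n] = '\0';
    return 0;
}

/* An action belongs in the file iff its id is "<namespace>.<something>":
 * the namespace must match exactly up to a dot, so org.foobar.policy does
 * not own org.foobarbaz.x, and the remainder must be non-empty. */
int action_belongs_to_file(const char *action_id, const char *path)
{
    char ns[256];
    if (policy_file_namespace(path, ns, sizeof ns) != 0)
        return 0;
    size_t n = strlen(ns);
    if (strncmp(action_id, ns, n) != 0)
        return 0;
    if (action_id[n] != '.')
        return 0;
    return action_id[n + 1] != '\0';
}

/* Emit the same style of warning as the validator output quoted above.
 * Returns 1 if the action validates, 0 otherwise. */
int validate_action(const char *action_id, const char *path)
{
    if (action_belongs_to_file(action_id, path))
        return 1;
    const char *base = strrchr(path, '/');
    fprintf(stderr,
            "WARNING: The action %s does not belong in a policy file named %s.\n",
            action_id, base ? base + 1 : path);
    return 0;
}

int main(void)
{
    int ok = 1;
    ok &= validate_action("org.gnome.clockapplet.mechanism.settime",
                          "/usr/share/PolicyKit/policy/gnome-clock-applet-mechanism.policy");
    ok &= validate_action("org.foobar.action-a", "org.foobar.policy");
    if (!ok)
        fprintf(stderr, "ERROR: policy file did not validate\n");
    return ok ? 0 : 1;
}
```

Note that the check is a pure prefix match on the id, so sub-namespaces (org.foobar.sub.action in org.foobar.policy) pass, which matches the rule as worded.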
David Zeuthen [Tue, 26 Feb 2008 21:45:49 +0000 (16:45 -0500)]
fix doc bugs for PolKitContextAddIOWatch
pointed out by Dan Winship.
Holger Macht [Tue, 26 Feb 2008 21:05:23 +0000 (16:05 -0500)]
avoid reliance on DT_REG so we work on reiserfs as well
(with minor fixes from davidz for avoiding memory leaks)
Recently I wondered why PolicyKit (especially polkit-auth) does not work
on my system. While debugging, I noticed that the corresponding code works
in my home directory, but not in the root filesystem.
readdir() and its d_type are the culprits. Quoting the readdir manpage:
[...]
Other than Linux, the d_type field is available mainly only on BSD
systems. This field makes it possible to avoid the expense of calling
stat() if further actions depend on the type of the file.
[...]
Filesystems may fill DT_UNKNOWN into this field, which reiserfs does, so
call stat instead, which always does the right thing.
Signed-off-by: Holger Macht <hmacht@suse.de>
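The portable way to use d_type is to treat it as a hint: trust DT_REG and the other concrete values, but fall back to stat() when the filesystem reports DT_UNKNOWN. The following is an added example written for this log, not the patch itself: it keeps stat() semantics (symlinks are followed, as the commit describes), exercises the DT_UNKNOWN path deliberately so the fallback is tested even on filesystems that do fill in d_type, and uses a constructed scratch directory under /tmp. Function names are this example's own.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Decide whether a directory entry names a regular file.  d_type is used
 * only when the filesystem actually filled it in; on DT_UNKNOWN (reiserfs,
 * some network and FUSE filesystems) we pay for an fstatat() instead of
 * silently skipping the entry.  Flags 0 = follow symlinks, like stat(). */
int entry_is_regular(int dirfd, const struct dirent *de)
{
    struct stat st;
#ifdef DT_UNKNOWN
    if (de->d_type == DT_REG)
        return 1;
    if (de->d_type != DT_UNKNOWN)
        return 0;                      /* DT_DIR, DT_LNK, ...: trust it */
#endif
    if (fstatat(dirfd, de->d_name, &st, 0) != 0)
        return 0;                      /* unreadable or dangling: skip */
    return S_ISREG(st.st_mode);
}

/* Count the regular files in a directory, the way an auth-db reader would
 * enumerate *.auths files.  Returns -1 if the directory cannot be opened. */
int count_regular_files(const char *path)
{
    DIR *d = opendir(path);
    if (d == NULL)
        return -1;
    int n = 0;
    struct dirent *de;
    while ((de = readdir(d)) != NULL) {
        if (strcmp(de->d_name, ".") == 0 || strcmp(de->d_name, "..") == 0)
            continue;
        if (entry_is_regular(dirfd(d), de))
            n++;
    }
    closedir(d);
    return n;
}

/* Force the DT_UNKNOWN path for one name, as a reiserfs-like filesystem
 * would present it.  Returns 1 for a regular file, 0 otherwise. */
int classify_as_unknown(const char *dir, const char *name)
{
    struct dirent de;
    memset(&de, 0, sizeof de);
#ifdef DT_UNKNOWN
    de.d_type = DT_UNKNOWN;
#endif
    snprintf(de.d_name, sizeof de.d_name, "%s", name);
    int fd = open(dir, O_RDONLY | O_DIRECTORY);
    if (fd < 0)
        return 0;
    int r = entry_is_regular(fd, &de);
    close(fd);
    return r;
}

/* Constructed scratch tree: two regular files, one subdirectory and a
 * symlink to it.  Whatever d_type the filesystem reports, the answer must
 * be 2.  Returns the count, -1 on setup failure, -2 if the forced
 * DT_UNKNOWN classification disagrees with the directory contents. */
int demo_count(void)
{
    char dir[] = "/tmp/polkit-dtype-XXXXXX";
    char p[1024];
    const char *files[] = { "a.auths", "b.auths" };
    if (mkdtemp(dir) == NULL)
        return -1;
    for (int i = 0; i < 2; i++) {
        snprintf(p, sizeof p, "%s/%s", dir, files[i]);
        FILE *f = fopen(p, "w");
        if (f == NULL)
            return -1;
        fputs("scope=always:action-id=org.example.foo\n", f);
        fclose(f);
    }
    snprintf(p, sizeof p, "%s/subdir", dir);
    if (mkdir(p, 0700) != 0)
        return -1;
    snprintf(p, sizeof p, "%s/link-to-subdir", dir);
    if (symlink("subdir", p) != 0)
        return -1;
    int n = count_regular_files(dir);
    if (classify_as_unknown(dir, "a.auths") != 1 || classify_as_unknown(dir, "subdir") != 0)
        n = -2;
    unlink(p);                                        /* tidy up */
    snprintf(p, sizeof p, "%s/subdir", dir);
    rmdir(p);
    for (int i = 0; i < 2; i++) {
        snprintf(p, sizeof p, "%s/%s", dir, files[i]);
        unlink(p);
    }
    rmdir(dir);
    return n;
}
```

Using fstatat() with the directory's fd rather than stat() on a concatenated path avoids re-walking the path for every entry and keeps the lookup relative to the directory that was actually opened.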
David Zeuthen [Tue, 26 Feb 2008 20:48:39 +0000 (15:48 -0500)]
avoid using the normal timeout when showing auth dialog; use INT_MAX instead
Reported by Dan P. Berrange.
David Zeuthen [Tue, 18 Dec 2007 18:50:38 +0000 (13:50 -0500)]
actually check for bash in polkit-bash-completion.sh
Some zsh users complained about this
https://bugzilla.redhat.com/show_bug.cgi?id=418471
Carlos Corbacho [Mon, 17 Dec 2007 17:14:04 +0000 (12:14 -0500)]
also add the new C file for the shadow helper
Carlos Corbacho [Mon, 17 Dec 2007 03:59:30 +0000 (22:59 -0500)]
add Shadow authentication framework
Add Piter PUNK's polkit-grant-helper-shadow, and link against the
appropriate libraries.
For now, the Shadow framework must be explicitly called - in future,
this could also be added as a fallback if PAM is not available.
David Zeuthen [Mon, 17 Dec 2007 03:40:10 +0000 (22:40 -0500)]
make polkit-grant-helper-pam world readable
This is to avoid breaking various backup and IDS software - proposed
by Michael Biebl <mbiebl@gmail.com>.
Carlos Corbacho [Mon, 17 Dec 2007 02:21:16 +0000 (21:21 -0500)]
split out authentication framework from authorisation database
As per discussions with David Zeuthen, alter the build system so that we
can have different authentication frameworks for the authorisation
databases.
For now, the dummy database will only accept 'none' for the authentication
framework (this will be autoselected if not specified, and configure will
throw an error if any framework other than 'none' is passed in).
For the default database, the only available framework for now is 'pam'
(as with 'none' and dummy, 'pam' will be autoselected if specified as the
framework. If 'none' is passed as a framework, configure will reject this
and fail).
PAM specific code is now also marked with POLKIT_AUTHFW_PAM, so that it
can be easily compiled out if other frameworks are added in future.
Carlos Corbacho [Mon, 17 Dec 2007 02:11:31 +0000 (21:11 -0500)]
remove unnecessary PAM header inclusions
Many files are needlessly including PAM headers, when the code in question
has no PAM dependency - remove the PAM includes from these.
David Zeuthen [Fri, 7 Dec 2007 18:37:19 +0000 (13:37 -0500)]
make the docs show an index of new symbols in 0.8
David Zeuthen [Fri, 7 Dec 2007 18:35:36 +0000 (13:35 -0500)]
fix typo in docs
David Zeuthen [Fri, 7 Dec 2007 18:25:17 +0000 (13:25 -0500)]
add docs and bash completion bits for new exe and selinux_context constraints
David Zeuthen [Fri, 7 Dec 2007 17:00:36 +0000 (12:00 -0500)]
add additional checks when using strtoul
Pointed out by Martin Pitt <martin.pitt@ubuntu.com>.
David Zeuthen [Fri, 7 Dec 2007 06:37:37 +0000 (01:37 -0500)]
add note about new polkit-resolve-exe-helper
David Zeuthen [Fri, 7 Dec 2007 06:35:30 +0000 (01:35 -0500)]
add constraints for exe and SELinux context when granting an authorization
The way it works is that added constraints now look like this
scope=always:action-id=org.pulseaudio.acquire-high-priority:when=
1197004781:auth-as=0:constraint=local:constraint=active:constraint=exe%3A%2Fusr%2Fbin%2Fpulseaudio:constraint=selinux_context%3Asystem_u%3Asystem_r%3Aunconfined_t
or if not using SELinux like this
scope=always:action-id=org.freedesktop.hal.storage.mount-fixed:when=
1197008218:auth-as=0:constraint=local:constraint=active:constraint=exe%3A%2Fusr%2Fbin%2Fgnome-mount
This is a bit icky to implement for mechanisms, like HAL, running as
an unprivileged user. The problem is that we can't resolve the symlink
/proc/pid/exe. On the other hand, such mechanisms have the
authorization org.freedesktop.policykit.read already. So use that.
Note that this is what some people call snake-oil. The reason is in the
docs for polkit_sysdeps_get_pid_for_exe(); copying it here so I can point
people to this commit in the future:
Get the name of the binary a given process was started from.
Note that this is not necessarily reliable information and as such
shouldn't be relied on 100% to make a security decision. In fact,
this information is only trustworthy in situations where the given
binary is securely locked down meaning that 1) it can't be
ptrace(2)'d; 2) libc secure mode kicks in (e.g LD_PRELOAD won't
work); 3) there are no other attack vectors (e.g. GTK_MODULES, X11,
CORBA, D-Bus) to patch running code into the process.
In other words: the risk of relying on constraining an authorization
to the output of this function is high. Suppose that the program
/usr/bin/gullible obtains an authorization via authentication for
the action org.example.foo. We add a constraint to say that the
gained authorization only applies to processes for whom
/proc/pid/exe points to /usr/bin/gullible. Now enter
/usr/bin/evil. It knows that the program /usr/bin/gullible is not
"securely locked down" (per the definition in the above
paragraph). So /usr/bin/evil simply sets LD_PRELOAD and execs
/usr/bin/gullible and it can now run code in a process where
/proc/pid/exe points to /usr/bin/gullible. Thus, the recently gained
authorization for org.example.foo applies. Also, /usr/bin/evil could
use a host of other attack vectors to run its own code under the
disguise of pretending to be /usr/bin/gullible.
Specifically for interpreted languages like Python and Mono it is
the case that /proc/pid/exe always points to /usr/bin/python
resp. /usr/bin/mono. Thus, it's not very useful to rely on the
result of this function if you want to constrain an authorization
to e.g. /usr/bin/tomboy or /usr/bin/banshee.
However. Once we have a framework for running secure desktop apps this
will start to make sense. Such a framework includes securing X (using
e.g. XACE with SELinux) and making the UI toolkit secure as well. It's
a lot of work.
Until then these constraints at least make it harder for malicious
apps to abuse PolicyKit authorizations gained by other users.
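The entries shown above (and the key/value, percent-encoded .auths format introduced in the "rework the .auths file format" and "add support for percent encoding/decoding and colon separated kv-lists" commits further down) are easy to get subtly wrong: the delimiters ':' and '=' and the escape character '%' must never appear raw in a value, and a decoder that passes malformed escapes through can let a crafted value split into extra pairs. The following is an added example and not the project's kit_string code. It assumes, from the samples above, that only [A-Za-z0-9._-] is written unescaped and everything else (including \n, \r and \t, which the log says are also encoded) becomes %XX; the sample line is the gnome-mount entry above, rejoined onto one line.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define KV_MAX 32
struct kv { char key[64]; char value[512]; };

/* Assumption: only [A-Za-z0-9._-] is written raw; everything else,
 * including ':' '=' '%' '\n' '\r' '\t', becomes %XX.  This reproduces
 * the samples above (exe%3A%2Fusr%2Fbin%2Fgnome-mount). */
static int is_unreserved(unsigned char c)
{
    return isalnum(c) || c == '-' || c == '_' || c == '.';
}

/* Returns the encoded length, or -1 if out cannot hold the result. */
int kv_percent_encode(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        if (is_unreserved(*p)) {
            if (o + 1 >= outlen) return -1;
            out[o++] = (char)*p;
        } else {
            if (o + 3 >= outlen) return -1;
            snprintf(out + o, 4, "%%%02X", *p);
            o += 3;
        }
    }
    out[o] = '\0';
    return (int)o;
}

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode inlen bytes of in.  A truncated or non-hex escape is rejected
 * (-1) instead of being passed through, so a malformed entry cannot
 * smuggle a literal ':' or '=' past the splitter. */
int kv_percent_decode(const char *in, size_t inlen, char *out, size_t outlen)
{
    size_t o = 0;
    for (size_t i = 0; i < inlen; i++) {
        unsigned char c = (unsigned char)in[i];
        if (c == '%') {
            if (i + 2 >= inlen) return -1;
            int hi = hexval(in[i + 1]), lo = hexval(in[i + 2]);
            if (hi < 0 || lo < 0) return -1;
            c = (unsigned char)(hi * 16 + lo);
            i += 2;
        }
        if (o + 1 >= outlen) return -1;
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return (int)o;
}

/* Split "k1=v1:k2=v2:..." into decoded pairs; a key may repeat (one
 * constraint= entry per constraint).  Returns the pair count or -1. */
int kv_parse(const char *line, struct kv *out, int max)
{
    int n = 0;
    const char *p = line;
    while (*p != '\0') {
        const char *end = strchr(p, ':');
        size_t plen = end ? (size_t)(end - p) : strlen(p);
        const char *eq = memchr(p, '=', plen);
        if (eq == NULL || n == max) return -1;
        size_t klen = (size_t)(eq - p);
        if (kv_percent_decode(p, klen, out[n].key, sizeof out[n].key) < 0) return -1;
        if (kv_percent_decode(eq + 1, plen - klen - 1, out[n].value, sizeof out[n].value) < 0) return -1;
        n++;
        if (end == NULL) break;
        p = end + 1;
    }
    return n;
}

/* The exe constraint decodes to "exe:/path"; return the path or NULL. */
const char *kv_find_exe_constraint(const struct kv *kvs, int n)
{
    for (int i = 0; i < n; i++)
        if (strcmp(kvs[i].key, "constraint") == 0 && strncmp(kvs[i].value, "exe:", 4) == 0)
            return kvs[i].value + 4;
    return NULL;
}
```

Because the constraint value is decoded before the "exe:" prefix is examined, a path containing ':' or '=' round-trips cleanly, and a line with a bare "%" at the end is rejected as a whole rather than yielding a partially decoded constraint.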
David Zeuthen [Fri, 7 Dec 2007 06:29:45 +0000 (01:29 -0500)]
add bogus Returns: to make gtk-doc happy
David Zeuthen [Fri, 7 Dec 2007 00:52:07 +0000 (19:52 -0500)]
use strlen to avoid writing garbage at the end of the test auth file
While this seems like a grave bug it is not. First, this only affects
the test cases and the file is guaranteed to be zero terminated before
the garbage anyway.
David Zeuthen [Fri, 7 Dec 2007 00:01:54 +0000 (19:01 -0500)]
post release version bump to 0.8
David Zeuthen [Thu, 6 Dec 2007 23:59:12 +0000 (18:59 -0500)]
be more precise about permissions in the blurb at the end of configure
Suggested by Michael Biebl <mbiebl@gmail.com>.
David Zeuthen [Thu, 6 Dec 2007 05:07:57 +0000 (00:07 -0500)]
update NEWS file
David Zeuthen [Thu, 6 Dec 2007 04:58:44 +0000 (23:58 -0500)]
update completion + man page since polkit-auth(1) takes >1 --constraint args
David Zeuthen [Thu, 6 Dec 2007 04:36:32 +0000 (23:36 -0500)]
update TODO to mention Piter PUNK's patch
David Zeuthen [Thu, 6 Dec 2007 04:34:55 +0000 (23:34 -0500)]
update TODO
David Zeuthen [Thu, 6 Dec 2007 04:33:24 +0000 (23:33 -0500)]
fix dummy backend so it builds
David Zeuthen [Thu, 6 Dec 2007 03:44:50 +0000 (22:44 -0500)]
refactor constraints API so there is one entry per constraint in the auth file
This makes things a lot more future proof and, perhaps, also easier to
understand.
David Zeuthen [Wed, 5 Dec 2007 00:39:40 +0000 (19:39 -0500)]
don't require .policy files for auth lookups
With this change, 'make check' now works even when PolicyKit isn't
installed (as it should). Before this change it failed because the
.policy files for org.freedesktop.policykit.read and .grant were not
available.
David Zeuthen [Sat, 1 Dec 2007 05:17:02 +0000 (00:17 -0500)]
downgrade to session scope when granting authorizations for blank passwords
See https://bugzilla.redhat.com/show_bug.cgi?id=401811 for details
David Zeuthen [Sat, 1 Dec 2007 05:03:32 +0000 (00:03 -0500)]
fix a bug where KitList elements were not properly freed
David Zeuthen [Sat, 1 Dec 2007 01:49:05 +0000 (20:49 -0500)]
remove glib dep from libpolkit-dbus
David Zeuthen [Sat, 1 Dec 2007 01:38:01 +0000 (20:38 -0500)]
implement kit_hash_foreach_remove()
David Zeuthen [Sat, 1 Dec 2007 00:24:38 +0000 (19:24 -0500)]
add a new KitString class
David Zeuthen [Fri, 30 Nov 2007 21:43:17 +0000 (16:43 -0500)]
add some more test cases for p-a-db.c
David Zeuthen [Fri, 30 Nov 2007 20:40:03 +0000 (15:40 -0500)]
fix OOM handling in p-a-db.c and only invalidate the cache when necessary
David Zeuthen [Fri, 30 Nov 2007 19:59:20 +0000 (14:59 -0500)]
add some more test env variables so we can bypass ConsoleKit in the tests
David Zeuthen [Thu, 29 Nov 2007 21:01:47 +0000 (16:01 -0500)]
update .gitignore files
David Zeuthen [Thu, 29 Nov 2007 20:59:59 +0000 (15:59 -0500)]
add .gitignore files to get test tree structure in the repo
David Zeuthen [Thu, 29 Nov 2007 20:47:15 +0000 (15:47 -0500)]
fix unit tests for polkit-authorization-db.c
David Zeuthen [Thu, 29 Nov 2007 05:07:40 +0000 (00:07 -0500)]
add test-friendly abstractions for getpwnam and getpwuid
David Zeuthen [Thu, 29 Nov 2007 05:06:54 +0000 (00:06 -0500)]
only fail the Nth alloc, not all allocs greater than N
David Zeuthen [Thu, 29 Nov 2007 03:32:52 +0000 (22:32 -0500)]
avoid logging to syslog even for invalid files
David Zeuthen [Wed, 28 Nov 2007 21:50:50 +0000 (16:50 -0500)]
relicense everything to the MIT/X11 license
David Zeuthen [Sun, 25 Nov 2007 21:06:42 +0000 (16:06 -0500)]
add (partial) test cases for polkit-authorization-db.c
David Zeuthen [Sun, 25 Nov 2007 21:06:12 +0000 (16:06 -0500)]
build with -rdynamic for maint mode and use this to print a stack trace
David Zeuthen [Sat, 24 Nov 2007 17:36:41 +0000 (12:36 -0500)]
fix a bug where the child's environment wasn't inherited
David Zeuthen [Sat, 24 Nov 2007 16:13:40 +0000 (11:13 -0500)]
add test harness for polkit-utils
David Zeuthen [Sat, 24 Nov 2007 16:08:51 +0000 (11:08 -0500)]
write newline since kit_string_entry_create doesn't do that any more
David Zeuthen [Fri, 23 Nov 2007 00:15:36 +0000 (19:15 -0500)]
avoid adding newline at the end of generated entry
David Zeuthen [Thu, 22 Nov 2007 04:23:09 +0000 (23:23 -0500)]
update TODO
David Zeuthen [Thu, 22 Nov 2007 02:38:08 +0000 (21:38 -0500)]
also encode \n\r\t characters
David Zeuthen [Thu, 22 Nov 2007 01:33:35 +0000 (20:33 -0500)]
rework the .auths file format to use key/value pairs and make it future-proof
David Zeuthen [Thu, 22 Nov 2007 01:11:04 +0000 (20:11 -0500)]
set errno to ENOMEM when forcibly failing an allocation
David Zeuthen [Wed, 21 Nov 2007 22:08:22 +0000 (17:08 -0500)]
add support for percent encoding/decoding and colon separated kv-lists
David Zeuthen [Wed, 21 Nov 2007 03:58:27 +0000 (22:58 -0500)]
make dummy backend work
David Zeuthen [Wed, 21 Nov 2007 03:46:50 +0000 (22:46 -0500)]
fix 'make check-coverage'
David Zeuthen [Wed, 21 Nov 2007 02:40:42 +0000 (21:40 -0500)]
remove Since gtk-doc tags from the internal libkit library
David Zeuthen [Tue, 20 Nov 2007 21:38:44 +0000 (16:38 -0500)]
define abstract Authentication Agent interface and make polkit-auth(1) use it
Also provide a convenience function to access it: polkit_auth_obtain().
David Zeuthen [Tue, 20 Nov 2007 06:00:33 +0000 (01:00 -0500)]
make PolKitAuthorization a bit more future proof by adding get_type()
David Zeuthen [Tue, 20 Nov 2007 05:25:34 +0000 (00:25 -0500)]
provide a way to force a reload of all caches etc.
David Zeuthen [Tue, 20 Nov 2007 04:25:30 +0000 (23:25 -0500)]
add support for negative authorizations
Negative authorizations are a way to block an entity; previously the
algorithm was something like (ignoring the config file for now):
Result is_authorized() {
    res = has_implicit_auth();
    if (res == YES) {
        return YES;
    } else if (has_explicit_auth()) {
        return YES;
    }
    return res;
}

Now it's

Result is_authorized() {
    res = has_implicit_auth();
    expl = has_explicit_auth();
    is_blocked = has_negative_explicit_auth();
    if (is_blocked)
        return NO;
    if (res == YES) {
        return YES;
    } else if (expl) {
        return YES;
    }
    return res;
}
E.g., just a single negative auth will force NO to be returned. I
really, really need to write into the spec how this works; my mental
L1 cache can't contain it anymore. Once it's formally defined we need
to craft a test suite to verify that the code works according to
spec...
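The decision rule above is small enough that the test suite the commit asks for can be written against a direct implementation. The following is an added example, not PolicyKit's authorization-db code: it evaluates the rule over a constructed list of explicit entries keyed by action id, with a three-valued result whose names (RESULT_NO, RESULT_AUTH_REQUIRED, RESULT_YES) are this example's own stand-ins for the Result type in the pseudocode. The checks show the property the commit states: a single negative entry forces NO even when the implicit default or an explicit grant would say YES.

```c
#include <string.h>

/* Three-valued result, modelled on the Result type in the pseudocode
 * above; the middle value stands in for "authentication required".
 * The names are this example's, not PolicyKit's. */
enum result { RESULT_NO = 0, RESULT_AUTH_REQUIRED = 1, RESULT_YES = 2 };

/* One explicit entry from the authorization database: an action id and
 * whether it is a grant or a negative (blocking) authorization. */
struct auth_entry { const char *action_id; int negative; };
struct authdb { const struct auth_entry *entries; int n; };

static int has_explicit(const struct authdb *db, const char *action, int negative)
{
    for (int i = 0; i < db->n; i++)
        if (db->entries[i].negative == negative &&
            strcmp(db->entries[i].action_id, action) == 0)
            return 1;
    return 0;
}

/* The algorithm from the commit message: a single negative entry wins
 * over both the implicit default and any explicit grant; otherwise an
 * explicit grant upgrades anything short of YES to YES. */
enum result is_authorized(const struct authdb *db, const char *action, enum result implicit)
{
    if (has_explicit(db, action, 1))
        return RESULT_NO;
    if (implicit == RESULT_YES)
        return RESULT_YES;
    if (has_explicit(db, action, 0))
        return RESULT_YES;
    return implicit;
}

/* Constructed sample database for the checks below. */
static const struct auth_entry sample_entries[] = {
    { "org.example.mount",  0 },   /* granted via authentication earlier */
    { "org.example.reboot", 0 },   /* granted ...                         */
    { "org.example.reboot", 1 },   /* ... and later blocked by the admin  */
};
const struct authdb sample_db = { sample_entries, 3 };
```

Keeping the block check first, before the implicit result is even consulted, is what makes the negative entry absolute; moving it after the implicit YES would let a permissive default silently override an administrator's block.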
David Zeuthen [Mon, 19 Nov 2007 17:47:18 +0000 (12:47 -0500)]
export the policydir in the .pc file
This is useful when building a project using polkit in a different
prefix. Lennart asked for it.
David Zeuthen [Mon, 19 Nov 2007 05:27:56 +0000 (00:27 -0500)]
require org.fd.pk.revoke to revoke auths for self if granted by someone else
David Zeuthen [Mon, 19 Nov 2007 00:16:23 +0000 (19:16 -0500)]
provide convenience functions for auth checking and port helpers to use them
Basically, checking auths with polkit is now a one-liner:

if (polkit_check_auth (getpid (), "com.acme.some-action", NULL) == 0) {
    fprintf (stderr, "Not authorized; go away\n");
    exit (1);
}
This can be used for making a lot of the legacy UNIX tools PolicyKit
aware. For example, vixie-cron could make crontab(1) (a setuid
program) check whether the calling user is authorized for the action
org.isc.vixie-cron.edit-own-crontab.
This is a nice way to provide least privilege and still put the system
administrator in control via polkit-auth(1), polkit-action(1) and the
GTK+ "Manage Authorizations" utility:
http://people.redhat.com/davidz/polkitg-auth-1.png
http://people.redhat.com/davidz/polkitg-auth-2.png
http://people.redhat.com/davidz/polkitg-auth-3.png
David Zeuthen [Sun, 18 Nov 2007 02:17:50 +0000 (21:17 -0500)]
add support for vendor, vendor_url and icon_name tags in .policy files
David Zeuthen [Sat, 17 Nov 2007 21:47:51 +0000 (16:47 -0500)]
restrict new API to the default backend only
David Zeuthen [Sat, 17 Nov 2007 21:43:25 +0000 (16:43 -0500)]
add API for overriding defaults and make polkit-action(1) use this API.
David Zeuthen [Sat, 17 Nov 2007 16:50:29 +0000 (11:50 -0500)]
fix a grave bug where the wrong authorizations were returned
We were modifying the 'uid' parameter in _authdb_get_auths_for_uid();
I bet that if we had unit tests this bug would have been caught
earlier...
David Zeuthen [Mon, 12 Nov 2007 18:43:10 +0000 (13:43 -0500)]
fix parallel build
https://bugs.freedesktop.org/show_bug.cgi?id=13082
David Zeuthen [Mon, 12 Nov 2007 18:14:22 +0000 (13:14 -0500)]
create /var/lib/misc on 'make install'
http://bugs.freedesktop.org/show_bug.cgi?id=13113
David Zeuthen [Mon, 12 Nov 2007 18:10:46 +0000 (13:10 -0500)]
build system fixes and refuse to install if built with --enable-tests
David Zeuthen [Mon, 12 Nov 2007 01:08:02 +0000 (20:08 -0500)]
add unit test framework to the rest of the library sources
David Zeuthen [Mon, 12 Nov 2007 00:03:46 +0000 (19:03 -0500)]
fix build for dummy backend
David Zeuthen [Sun, 11 Nov 2007 23:38:14 +0000 (18:38 -0500)]
also check for file descriptor leaks
David Zeuthen [Sun, 11 Nov 2007 22:58:00 +0000 (17:58 -0500)]
tweak how we do coverage reporting
David Zeuthen [Sun, 11 Nov 2007 22:09:26 +0000 (17:09 -0500)]
remove glib dependency from libpolkit.so
David Zeuthen [Sun, 11 Nov 2007 22:08:38 +0000 (17:08 -0500)]
don't overflow when splitting a string
David Zeuthen [Sun, 11 Nov 2007 21:32:22 +0000 (16:32 -0500)]
actually include the files with the spawn functions
David Zeuthen [Sun, 11 Nov 2007 21:31:55 +0000 (16:31 -0500)]
add spawn function to libkit
David Zeuthen [Sun, 11 Nov 2007 16:32:01 +0000 (11:32 -0500)]
add (empty, for now) tests for remaining files
David Zeuthen [Sun, 11 Nov 2007 05:05:41 +0000 (00:05 -0500)]
use kit_strsplit in polkit-sysdeps
David Zeuthen [Sun, 11 Nov 2007 05:02:41 +0000 (00:02 -0500)]
add strsplit function