platform/upstream/polkit.git
17 years agoavoid including regex.h from a public header file
David Zeuthen [Sun, 21 Oct 2007 03:53:16 +0000 (23:53 -0400)]
avoid including regex.h from a public header file

17 years agoadd C++ include guards and a new method to get pfe's by annotation
David Zeuthen [Sun, 21 Oct 2007 01:42:43 +0000 (21:42 -0400)]
add C++ include guards and a new method to get pfe's by annotation

17 years agoadd support to PolKitTracker for also asking on pid
David Zeuthen [Thu, 18 Oct 2007 17:44:16 +0000 (13:44 -0400)]
add support to PolKitTracker for also asking on pid

17 years agopost-release version bump
David Zeuthen [Sat, 13 Oct 2007 00:53:19 +0000 (20:53 -0400)]
post-release version bump

Better late than never!

17 years agoadd id's so the generated HTML has stable and predictable file names
David Zeuthen [Sat, 13 Oct 2007 00:50:57 +0000 (20:50 -0400)]
add id's so the generated HTML has stable and predictable file names

17 years agoadd the convenience class PolKitTracker
David Zeuthen [Sat, 13 Oct 2007 00:38:13 +0000 (20:38 -0400)]
add the convenience class PolKitTracker

This class allows a mechanism to greatly reduce the syscall and IPC
overhead when checking whether a caller on the system bus message is
allowed to do a specific action. In a nutshell, this class caches
PolKitCaller objects and a) updates them when ConsoleKit emits
ActivityChanged signals; and b) evicts such objects from the cache
when the caller drops off the bus.

There's also an example, in examples/tracker-example/ that shows how
to use this. This example is referenced in the API docs too.

17 years agoupdate NEWS POLICY_KIT_0_6
David Zeuthen [Thu, 11 Oct 2007 21:50:30 +0000 (17:50 -0400)]
update NEWS

17 years agomake polkit-list-actions print information about <allow_any>
David Zeuthen [Thu, 27 Sep 2007 17:46:29 +0000 (13:46 -0400)]
make polkit-list-actions print information about <allow_any>

17 years agodon't fail on unknown XML tags, just skip them
David Zeuthen [Thu, 27 Sep 2007 17:36:11 +0000 (13:36 -0400)]
don't fail on unknown XML tags, just skip them

This change will futureproof libpolkit for extensions; e.g. if there's
an OS upgrade where

 a) the PolicyKit package is upgraded to a version where support for a
    new tag <allow_foo> is added; and

 b) another package, using PolicyKit, is upgraded dropping a .policy
    file using the new <allow_foo> tag; then

existing running processes using libpolkit will not fail. They will,
however, not honor the new tags until the daemon process itself is
restarted using e.g. condrestart.

We also log to the system logger whenever we encouter unknown tags.

17 years agoimplement <allow_any> to specify default answer for any user
David Zeuthen [Thu, 27 Sep 2007 16:08:19 +0000 (12:08 -0400)]
implement <allow_any> to specify default answer for any user

This is useful in instances where the OS vendor wants to allow any
user, even remote users logging in via ssh etc., but recognize that
some sites may want to lock this down to a limited set of users.

Suggested by Daniel P. Berrange <berrange@redhat.com>:

<danpb>  my specific use case is that in libvirt we don't mind any user
         querying for VM status info by default
<danpb>  but some admins may wish to lock that ability down
<danpb>  so only designated users can query VM status
<davidz> right
<davidz> it makes sense
<davidz> without having giving it too much thought; adding another stanza to
         the .policy file might make sense
<davidz> <allow_non_session>yes</allow_non_session>
<davidz> danpb: would that work?
<danpb>  yeah, that'd do the trick
<davidz> cool
<davidz> I'll add it then

17 years agoadd TODO item detailing how to handle upgrades
David Zeuthen [Wed, 26 Sep 2007 19:49:31 +0000 (15:49 -0400)]
add TODO item detailing how to handle upgrades

17 years agoadd specifics for the Pardus distro
David Zeuthen [Tue, 25 Sep 2007 20:38:32 +0000 (16:38 -0400)]
add specifics for the Pardus distro

Patch from S.Çağlar Onur <caglar@pardus.org.tr>. Thanks.

17 years agouse chgrp instead of chown with group only
Doug Goldstein [Fri, 7 Sep 2007 03:53:53 +0000 (23:53 -0400)]
use chgrp instead of chown with group only

Change to use chgrp instead of chown when only changing a group

17 years agoinstall hook for setuid/setgid
Doug Goldstein [Thu, 6 Sep 2007 20:14:24 +0000 (16:14 -0400)]
install hook for setuid/setgid

Current installation uses a local rule which isn't guarenteed to be run
after the automake'd rule, as such it will not always setuid/setgid properly.
This patch switches that to a hook which is guarenteed to run afterwards.

17 years agogentoo OS type support
Doug Goldstein [Thu, 6 Sep 2007 16:07:20 +0000 (12:07 -0400)]
gentoo OS type support

Adds Gentoo as a valid OS type

17 years agopost-release version bump
David Zeuthen [Fri, 31 Aug 2007 19:59:59 +0000 (15:59 -0400)]
post-release version bump

17 years agoupdate NEWS file POLICY_KIT_0_5
David Zeuthen [Fri, 31 Aug 2007 19:56:07 +0000 (15:56 -0400)]
update NEWS file

17 years agobump so name
David Zeuthen [Fri, 31 Aug 2007 19:48:52 +0000 (15:48 -0400)]
bump so name

17 years agofix 'make distcheck' by avoiding with man pages on distcheck
David Zeuthen [Fri, 31 Aug 2007 19:48:38 +0000 (15:48 -0400)]
fix 'make distcheck' by avoiding with man pages on distcheck

17 years agomake polkit-grant-helper-pam out of reach for normal users
David Zeuthen [Fri, 31 Aug 2007 17:51:10 +0000 (13:51 -0400)]
make polkit-grant-helper-pam out of reach for normal users

Adds a little bit of more security..

17 years agoadd an example of how define_admin_auth is used
David Zeuthen [Tue, 28 Aug 2007 17:33:18 +0000 (13:33 -0400)]
add an example of how define_admin_auth is used

Based on input from Ken VanDine

http://lists.freedesktop.org/archives/hal/2007-August/009402.html

17 years agominor doc changes
David Zeuthen [Mon, 27 Aug 2007 20:41:40 +0000 (16:41 -0400)]
minor doc changes

17 years agoalso forgot to add polkit-docs.xml
David Zeuthen [Mon, 27 Aug 2007 20:39:59 +0000 (16:39 -0400)]
also forgot to add polkit-docs.xml

17 years agoalso add another missing file
David Zeuthen [Mon, 27 Aug 2007 18:06:30 +0000 (14:06 -0400)]
also add another missing file

17 years agoforgot to add doc/version.xml.in
David Zeuthen [Mon, 27 Aug 2007 17:34:49 +0000 (13:34 -0400)]
forgot to add doc/version.xml.in

17 years agomake config file override grant database
David Zeuthen [Mon, 27 Aug 2007 15:27:39 +0000 (11:27 -0400)]
make config file override grant database

Even though a caller may have an entry in the grant database (and as
such will see POLKIT_RESULT_YES), change the behavior such that this
is no longer honored unless the config file specifies the result
POLKIT_RESULT_ONLY_VIA_[SELF|ADMIN]_AUTH_{,KEEP_SESSION|KEEP_ALWAYS}.

E.g. this allows the sysadmin to specify things like POLKIT_RESULT_NO
in the config file and that will now make existing grants
useless. This behavior is a lot more natural.

17 years agosome more doc fixes
David Zeuthen [Fri, 24 Aug 2007 22:44:14 +0000 (18:44 -0400)]
some more doc fixes

17 years agoupdate inline API docs
David Zeuthen [Fri, 24 Aug 2007 22:12:07 +0000 (18:12 -0400)]
update inline API docs

17 years agofix up manual pages for some trivial errors
David Zeuthen [Fri, 24 Aug 2007 21:25:58 +0000 (17:25 -0400)]
fix up manual pages for some trivial errors

17 years agorevert "fixed code documentation issues"
David Zeuthen [Fri, 24 Aug 2007 21:18:12 +0000 (17:18 -0400)]
revert "fixed code documentation issues"

This commit is wrong as the docs are not properly formatted with this
change. This reverts commit 0d69cdc59f51fda93c857171b69ac8f3fe46b745.

17 years agoclean up our documentation
David Zeuthen [Fri, 24 Aug 2007 21:15:26 +0000 (17:15 -0400)]
clean up our documentation

 - Put all three libraries in the same gtk-doc project
 - Include the spec in the gtk-doc project
 - Include the manual pages in the gtk-doc project

17 years agoconvert manual page sources to Docbook, add polkit-config-file-validate tool
David Zeuthen [Fri, 24 Aug 2007 19:31:35 +0000 (15:31 -0400)]
convert manual page sources to Docbook, add polkit-config-file-validate tool

Also drop the polkit-check-caller and polkit-check-session tools;
they're not really useful in their current incarnation.

17 years agodelay loading the configuration until it's needed
David Zeuthen [Fri, 24 Aug 2007 01:30:55 +0000 (21:30 -0400)]
delay loading the configuration until it's needed

This is especially good for saving CPU cycles as we may get a number
events from inotify and previously we kept reloading/parsing the
configuration file on every event.

17 years agoMerge branch 'master' of ssh://david@git.freedesktop.org/git/PolicyKit
David Zeuthen [Fri, 24 Aug 2007 01:08:01 +0000 (21:08 -0400)]
Merge branch 'master' of ssh://david@git.freedesktop.org/git/PolicyKit

17 years agogive a little love to polkit-list-actions(1) and polkit-grant(1)
David Zeuthen [Fri, 24 Aug 2007 01:07:46 +0000 (21:07 -0400)]
give a little love to polkit-list-actions(1) and polkit-grant(1)

In addition polkit-grant(1) gained a few new features

 --list          : for listing all grants
 --delete <user> : for deleting all grants given to an user

17 years agofixed compiler warning about uid_t handling
Danny Kukawka [Thu, 23 Aug 2007 12:23:02 +0000 (14:23 +0200)]
fixed compiler warning about uid_t handling

This fixes the same problem with uid_t as we had with HAL some time ago
on 64bit architectures in PolicyKit. This time I removed the useless check:

   uid == ((unsigned long) -1)

because this is always false on 64bit (comparison is always false due to
limited range of data type) and because the DBusError from the
dbus_bus_get_unix_user() call is set if the function returns DBUS_UID_UNSET
so we need only to check if the error is set.

17 years agofixed code documentation issues
Danny Kukawka [Thu, 23 Aug 2007 12:05:34 +0000 (14:05 +0200)]
fixed code documentation issues

Fixed code documentation issues:
 * s/<programlisting>/@code/
 * removed @void: from polkit_grant_new()

17 years agoadd support for annotations
David Zeuthen [Wed, 22 Aug 2007 22:32:50 +0000 (18:32 -0400)]
add support for annotations

17 years agowork when SELinux is disabled
Richard Hughes [Wed, 22 Aug 2007 19:36:15 +0000 (15:36 -0400)]
work when SELinux is disabled

I've compiled with selinux and have it turned off. The attached patch
stops the warnings for me.

Richard.

17 years agogracefully handle bad config/policy files, drop polkit-reload-config, syslog
David Zeuthen [Tue, 21 Aug 2007 03:01:19 +0000 (23:01 -0400)]
gracefully handle bad config/policy files, drop polkit-reload-config, syslog

 - don't abort/malfunction if the /etc/PolicyKit/PolicyKit.conf
   configuration file is malformed; simply just continue as normal
   but return 'no' to every question asked. Also use syslog(3) to
   report this to the system log

 - if a .policy file is malformed, simply skip it and still include
   other well-formed .policy files. Use syslog(3) to report if indeed
   a .policy file is malformed.

 - drop /var/lib/PolicyKit/reload and rely on inotify to detect changes to
   - /etc/PolicyKit/PolicyKit.conf
   - Policy files in /usr/share/PolicyKit/policy
   - privileges in /var/lib/PolicyKit and /var/run/PolicyKit

As a result, changes made to /etc/PolicyKit/PolicyKit.conf (typically
an admin edits this file) and .policy files (typically these can
change on package upgrades) in /usr/share/PolicyKit/policy are
instantly picked up.

17 years agoavoid the now defunct group concept in polkit-list-actions
David Zeuthen [Tue, 21 Aug 2007 01:48:21 +0000 (21:48 -0400)]
avoid the now defunct group concept in polkit-list-actions

17 years agominor doc cleanups
David Zeuthen [Tue, 21 Aug 2007 01:47:25 +0000 (21:47 -0400)]
minor doc cleanups

17 years agorip out group concept from .policy files and rename <policy> element to <action>
David Zeuthen [Tue, 21 Aug 2007 00:38:24 +0000 (20:38 -0400)]
rip out group concept from .policy files and rename <policy> element to <action>

17 years agomake libpolkit-grant less noisy
David Zeuthen [Mon, 20 Aug 2007 23:59:49 +0000 (19:59 -0400)]
make libpolkit-grant less noisy

17 years agomake polkit-grant(1) work with <define_admin_user /> feature
David Zeuthen [Mon, 20 Aug 2007 23:59:10 +0000 (19:59 -0400)]
make polkit-grant(1) work with <define_admin_user /> feature

17 years agohandle the case where we don't load descriptions
David Zeuthen [Mon, 20 Aug 2007 21:54:33 +0000 (17:54 -0400)]
handle the case where we don't load descriptions

17 years agoproperly support i18n'ed messages from .policy files
David Zeuthen [Mon, 20 Aug 2007 21:51:02 +0000 (17:51 -0400)]
properly support i18n'ed messages from .policy files

Ugh, I'm not sure if there's a smarter way of dealing with xml:lang
when using expat (google searches for this suggests no) but the way I
fixed this is surely a bitch.

17 years agoexport PolKitConfig and provide a <define_admin_auth/> config file directive
David Zeuthen [Mon, 13 Aug 2007 17:44:33 +0000 (13:44 -0400)]
export PolKitConfig and provide a <define_admin_auth/> config file directive

Also change the libpolkit-grant API a bit to work with these changes.

17 years agowhen granting privileges, touch the /var/lib/PolicyKit/reload file
David Zeuthen [Thu, 9 Aug 2007 20:39:16 +0000 (16:39 -0400)]
when granting privileges, touch the /var/lib/PolicyKit/reload file

This means that all libpolkit-using processes should recieve a
config_changed() callback whenever privileges are granted.

Remember to update your RPM spec files etc. such that group polkituser
(or equiv.) is permitted to write to the reload file.

17 years agomake the /var/lib/PolicyKit/reload writable for group polkituser
David Zeuthen [Thu, 9 Aug 2007 20:37:36 +0000 (16:37 -0400)]
make the /var/lib/PolicyKit/reload writable for group polkituser

17 years agouse correct type for conversation_done() function
David Zeuthen [Thu, 9 Aug 2007 16:37:55 +0000 (12:37 -0400)]
use correct type for conversation_done() function

fix proposed by Danny Kukawka <danny.kukawka@web.de>

17 years agopost-release version number bump
David Zeuthen [Tue, 31 Jul 2007 15:19:27 +0000 (11:19 -0400)]
post-release version number bump

17 years agoprovide a high-level interaction diagram of how this works
David Zeuthen [Mon, 30 Jul 2007 23:56:46 +0000 (19:56 -0400)]
provide a high-level interaction diagram of how this works

17 years agouse waitpid() to avoid Zombie processes
David Zeuthen [Mon, 30 Jul 2007 23:29:47 +0000 (19:29 -0400)]
use waitpid() to avoid Zombie processes

17 years agoput back isatty() checks when calling user is not uid 0
David Zeuthen [Mon, 30 Jul 2007 23:11:42 +0000 (19:11 -0400)]
put back isatty() checks when calling user is not uid 0

17 years agoremove the isatty() call so it's easier to audit the helper
David Zeuthen [Mon, 30 Jul 2007 23:08:58 +0000 (19:08 -0400)]
remove the isatty() call so it's easier to audit the helper

The isatty() check is just to catch users poking around; it provides little or no real security. With this change, you can do stuff like

$ /usr/libexec/polkit-grant-helper-pam
davidz
PAM_PROMPT_ECHO_OFF Password:
<enter real password here>
SUCCESS

$ /usr/libexec/polkit-grant-helper-pam
davidz
PAM_PROMPT_ECHO_OFF Password:
not_my_password
polkit-grant-helper-pam: pam_authenticated failed: Authentication failure
FAILURE

which is useful for auditing.

17 years agomove PAM stack usage to separate helper
David Zeuthen [Mon, 30 Jul 2007 22:54:36 +0000 (18:54 -0400)]
move PAM stack usage to separate helper

So it turns out that I hadn't been using shadow passwords on my other
development box (don't ask) and that's why auth as root worked fine
when just running as an unprivileged user. However, to auth as another
user (such as root), the process embedding pam needs to run as
root. Therefore, split out the actual authentication bits into a small
and easy to audit helper, polkit-grant-helper-pam.

The auth now goes like this:

 polkit-gnome <-links with-> libpolkit-grant
                                   ^
                                   |
                                spawns
                                   |
                                   V
                     /usr/libexec/polkit-grant-helper
                                   ^
                                   |
                                spawns
                                   |
                                   V
                   /usr/libexec/polkit-grant-helper-pam

where

 polkit-grant-helper
    is setgid polkit; it links with libdbus and libpolkit.

 polkit-grant-helper-pam
    is setuid root; it links only with libpam

17 years agoadded missing files to git repo
Danny Kukawka [Fri, 27 Jul 2007 10:12:35 +0000 (12:12 +0200)]
added missing files to git repo

Added missing files from PolicyKit 0.4 release package to the
git repo: data/PolicyKit.conf.in, data/config.dtd

17 years agoactually reload config and policy files when they change POLICY_KIT_0_4
David Zeuthen [Thu, 26 Jul 2007 02:00:56 +0000 (22:00 -0400)]
actually reload config and policy files when they change

17 years agoupdate NEWS
David Zeuthen [Thu, 26 Jul 2007 01:38:20 +0000 (21:38 -0400)]
update NEWS

17 years agofor PolKitContext, mention that a mechanism need to provide .policy files
David Zeuthen [Thu, 26 Jul 2007 00:37:43 +0000 (20:37 -0400)]
for PolKitContext, mention that a mechanism need to provide .policy files

17 years agofix up proper naming of some methods on the PolKitPolicyFileEntry class
David Zeuthen [Wed, 25 Jul 2007 22:02:54 +0000 (18:02 -0400)]
fix up proper naming of some methods on the PolKitPolicyFileEntry class

17 years agofix docs
David Zeuthen [Wed, 25 Jul 2007 22:02:10 +0000 (18:02 -0400)]
fix docs

17 years agorequire that policy files also provide a <message> element
David Zeuthen [Wed, 25 Jul 2007 21:47:45 +0000 (17:47 -0400)]
require that policy files also provide a <message> element

Declaring an action now requires two textual elements (that both are
subject to translation):

 description: This is intended to be used in policy editors, for
              example "Mount internal volumes".
 message:     This is to be used in auth dialogs, for example "System
              Policy prevents mounting this internal volume".

This is actually needed for security reasons. The idea is that the
desktop environment can provide infrastructure that Callers
(e.g. applications) can use to ask the user to authenticate to gain a
privilege. One such example is PolicyKit-gnome; it's a D-Bus session
based service that applications can use to ask the user to
auth.

Before this change the caller provided the markup, e.g. gnome-mount
would do

 action = "hal-storage-mount-fixed";
 markup = _("System policy prevents mounting internal drives");
 result = org.gnome.PolicyKit.ShowDialog (action, markup);

and the problem here is that any application in the session can spoof
the dialog by providing false information and getting to use to click
through on that.

With this change, where the org.gnome.PolicyKit auth service reads the
message from a system-controlled file, this can't happen. What the
user sees really reflects the action he's asking to consider allowing
to happen.

Especially with things like XACE (previously known as SEX) this is
important as we can make the process providing the D-Bus service
org.gnome.PolicyKit run in a dedicated security context, audit it to
make sure it's secure. Then have the window manager paint trust window
decorations or other things to make the user feel fuzzy, warm and
safe.

Btw, with this change the PolicyKit-gnome API will be simplified to

 action = "hal-storage-mount-fixed";
 result = org.gnome.PolicyKit.ShowDialog (action);

which is just about as simple as it can get.

Credit goes to Ryan Lortie <desrt@desrt.ca> for pointing this out
on #gnome-hackers earlier this morning.

17 years agofix typo
David Zeuthen [Wed, 25 Jul 2007 19:00:57 +0000 (15:00 -0400)]
fix typo

17 years agochange default username
David Zeuthen [Wed, 25 Jul 2007 18:11:36 +0000 (14:11 -0400)]
change default username

- change user from 'polkit' to 'polkituser'
- create directories in /var from polkit instead of polkit-grant

17 years agofix up some of the docs
David Zeuthen [Tue, 24 Jul 2007 21:42:08 +0000 (17:42 -0400)]
fix up some of the docs

17 years agoremove RESULT_NOT_AUTHORIZED_TO_KNOW and s/RESULT_UNKNOWN_ACTION/RESULT_UNKNOWN/
David Zeuthen [Tue, 24 Jul 2007 20:05:43 +0000 (16:05 -0400)]
remove RESULT_NOT_AUTHORIZED_TO_KNOW and s/RESULT_UNKNOWN_ACTION/RESULT_UNKNOWN/

17 years agoswitch from VIA_ROOT to VIA_ADMIN
David Zeuthen [Tue, 24 Jul 2007 19:41:58 +0000 (15:41 -0400)]
switch from VIA_ROOT to VIA_ADMIN

In the future PolicyKit will be able to be built such that VIA_ADMIN
either means 1) ask for root password; or 2) ask for a user in the
'wheel' group to authenticate. Right now it's only the former.

17 years agoupdate TODO
David Zeuthen [Tue, 24 Jul 2007 18:47:09 +0000 (14:47 -0400)]
update TODO

17 years agodocument the /etc/PolicyKit/PolicyKit.conf file with a manual page
David Zeuthen [Tue, 24 Jul 2007 17:29:33 +0000 (13:29 -0400)]
document the /etc/PolicyKit/PolicyKit.conf file with a manual page

Also add a man page for polkit-list-actions(1).

17 years agoadd support for an /etc/PolicyKit/PolicyKit.conf config file
David Zeuthen [Tue, 24 Jul 2007 02:22:38 +0000 (22:22 -0400)]
add support for an /etc/PolicyKit/PolicyKit.conf config file

With this, system administrators can override policy. Partial support,
more to come (including manual pages and documentation) later.

17 years agoget proper pid and SELinux context
David Zeuthen [Tue, 24 Jul 2007 02:21:24 +0000 (22:21 -0400)]
get proper pid and SELinux context

17 years agoreplace configuration reload mechanism
David Zeuthen [Thu, 12 Jul 2007 19:12:30 +0000 (15:12 -0400)]
replace configuration reload mechanism

Instead of asking the user of libpolkit to provide a huge file
monitoring abstraction we simply ask for a simple interface for
watching file descriptors and use inotify (on Linux) to watch a file,
/var/lib/PolicyKit/reload. We provide a new tool,
polkit-reload-config, that simply touches this file.

17 years agoremove the notion of modules
David Zeuthen [Thu, 12 Jul 2007 17:49:08 +0000 (13:49 -0400)]
remove the notion of modules

17 years agopost-release version bump
David Zeuthen [Wed, 20 Jun 2007 05:53:26 +0000 (01:53 -0400)]
post-release version bump

17 years agoupdate NEWS POLICY_KIT_0_3
David Zeuthen [Wed, 20 Jun 2007 05:31:38 +0000 (01:31 -0400)]
update NEWS

17 years agoadd some more TODO items
David Zeuthen [Wed, 20 Jun 2007 05:10:47 +0000 (01:10 -0400)]
add some more TODO items

17 years agoupdate HACKING and TODO
David Zeuthen [Wed, 20 Jun 2007 05:04:17 +0000 (01:04 -0400)]
update HACKING and TODO

17 years agoupdate TODO
David Zeuthen [Wed, 20 Jun 2007 05:01:30 +0000 (01:01 -0400)]
update TODO

17 years agoadd the spec
David Zeuthen [Wed, 20 Jun 2007 04:49:13 +0000 (00:49 -0400)]
add the spec

17 years agofix small typo so _keep_always granting works again
David Zeuthen [Wed, 20 Jun 2007 01:50:48 +0000 (21:50 -0400)]
fix small typo so _keep_always granting works again

17 years agomake .policy files live in /usr/share, not /etc
David Zeuthen [Wed, 20 Jun 2007 01:48:42 +0000 (21:48 -0400)]
make .policy files live in /usr/share, not /etc

17 years agobuild fixes
David Zeuthen [Wed, 20 Jun 2007 00:12:00 +0000 (20:12 -0400)]
build fixes

17 years agomove all grant writing/checking into a separate private library
David Zeuthen [Tue, 19 Jun 2007 23:59:54 +0000 (19:59 -0400)]
move all grant writing/checking into a separate private library

17 years agoremove the distinction for local vs. remote users
David Zeuthen [Tue, 19 Jun 2007 20:41:49 +0000 (16:41 -0400)]
remove the distinction for local vs. remote users

Again, we punt this to the applications/mechanisms - they know better.

17 years agorip out the notion of Resources
David Zeuthen [Tue, 19 Jun 2007 19:41:55 +0000 (15:41 -0400)]
rip out the notion of Resources

It makes things a _lot more_ complicated having to deal with resources
and there's a much nicer way to deal with it: Punt it to the apps:

It's much more natural for the application to have a notion about
about what resources are "trusted" (and e.g. requires lesser
privileges) and what resources aren't.

Consider dial-up networking; here the privileged application that
performs the dial-up operation consults a list (maintained by the
system administrator) of allowed numbers to dial. If the unprivileged
networking UI applet that requests a number to be dialed is on the
list it uses the PolicyKit action 'nm-dialup-trusted-location', if it
isn't then it uses the PolicyKit action 'nm-dialup-untrusted-location'.

17 years agoswitch to XML for policy definition files and introduce descriptions
David Zeuthen [Mon, 23 Apr 2007 01:13:17 +0000 (21:13 -0400)]
switch to XML for policy definition files and introduce descriptions

Descriptions will be subject to i18n/l10n efforts at some point.

Also add a new tool polkit-list-actions.

17 years agoalso remember to do s/libpolkit/polkit/ on the pkg-config files
David Zeuthen [Tue, 17 Apr 2007 06:13:02 +0000 (02:13 -0400)]
also remember to do s/libpolkit/polkit/ on the pkg-config files

17 years agorename libpolkit to polkit
David Zeuthen [Tue, 17 Apr 2007 05:41:09 +0000 (01:41 -0400)]
rename libpolkit to polkit

It's more consistent and, uhm, easier to type.

17 years agoadd some validation to public facing functions
David Zeuthen [Mon, 16 Apr 2007 03:37:29 +0000 (23:37 -0400)]
add some validation to public facing functions

17 years agoremove misguided action parameters
David Zeuthen [Sun, 15 Apr 2007 23:41:00 +0000 (19:41 -0400)]
remove misguided action parameters

This feature was introduced with

 commit 02a4c5101ca4751963f76a0e016d3308389dc2a5
 http://gitweb.freedesktop.org/?p=PolicyKit.git;a=commit;h=02a4c5101ca4751963f76a0e016d3308389dc2a5

It makes things a lot harder for privilege granting if a feature like
action parameters are present. Thinking about it, they're not really
necessary; the parameters should just be encoded in the resource name;
e.g. with the example given in the commit

> This is useful for letting mechanisms convey information which may be
> useful in making a decision whether an action is OK. For example,
> NetworkManager could use this to provide the phone-number parameter
> with a hypothetical "nm-dialup" action. Then a site or vendor can
> provide insert
>
>  mandatory polkit-run-program.so \
>     program="/usr/lib/check-dialup-number.sh" privilege="nm-dialup"
>
> into /etc/PolicyKit/PolicyKit.conf and have said program check
>
>  $POLKIT_ACTION_PARAM_PHONE_NUMBER
>
> in that program.

is broken; the right thing here is for a hypothetical NetworkManager
to pass the dial up connection details as the resource

 resource.type = "NetworkManager"
 resource.id = "/org/freedesktop/NM/DialUpConnection/number=555-HOT-CHICKS"

in a well-defined format etc. etc.

17 years agoadd the PAM configuration file
David Zeuthen [Sun, 15 Apr 2007 22:55:27 +0000 (18:55 -0400)]
add the PAM configuration file

17 years agoadd pkg-config files for the two new libraries
David Zeuthen [Sun, 15 Apr 2007 22:54:35 +0000 (18:54 -0400)]
add pkg-config files for the two new libraries

17 years agoadd the correct version files for docs
David Zeuthen [Sun, 15 Apr 2007 22:53:42 +0000 (18:53 -0400)]
add the correct version files for docs

17 years agoadd grant functionality + lots of other changes
David Zeuthen [Sun, 15 Apr 2007 22:51:19 +0000 (18:51 -0400)]
add grant functionality + lots of other changes

 - Split libpolkit into three libraries
   - libpolkit : to be used only by mechanisms and modules
   - libpolkit-dbus : utility library for libpolkit to get caller, session
                      etc. info from the bus and ConsoleKit
   - libpolkit-grant : client side library for obtaining privileges; uses
                       a setgid helper internally

 - grant functionality
   - a helper library, libpolkit-grant, to gain privileges
     - includes a setgid $POLKIT_GROUP helper to write granted privileges
   - a PK module, to read and interpret granted privileges
   - a cmdline app, polkit-grant, using said library

 - Other changes
   - so it turns out that sizeof(bool) != sizeof(gboolean), sizeof(dbus_bool_t)
     This blows so define our own polkit_bool_t type
   - add some validation routines

The grant functionality, especially the setgid helper needs thorough
security review before we can release it.

17 years agoremove all usage of glib from the header files
David Zeuthen [Mon, 9 Apr 2007 22:38:20 +0000 (18:38 -0400)]
remove all usage of glib from the header files

This paves the way for getting rid of a glib dependency; when and if
that happens is to be determined; right now it just doesn't make a lot
of sense to reimplement GKeyFile, GSList, GHashTable, g_spawn_sync and
other useful routines. But it might make sense if we want to get the
message bus daemon to link with libpolkit so you e.g. can say

 <policy polkit="acme-frobnicate">
   <allow send_interface="com.acme.Frobnicator"
 </policy>

to allow a caller on the system message bus to access that interface
if, and only if, he can do the "acme-frobnicate" action according to
PolicyKit.

17 years agoassociate parameters (key/value pairs) with the Action class
David Zeuthen [Mon, 9 Apr 2007 19:20:04 +0000 (15:20 -0400)]
associate parameters (key/value pairs) with the Action class

This is useful for letting mechanisms convey information which may be
useful in making a decision whether an action is OK. For example,
NetworkManager could use this to provide the phone-number parameter
with a hypothetical "nm-dialup" action. Then a site or vendor can
provide insert

 mandatory polkit-run-program.so program="/usr/lib/check-dialup-number.sh" privilege="nm-dialup"

into /etc/PolicyKit/PolicyKit.conf and have said program check

 $POLKIT_ACTION_PARAM_PHONE_NUMBER

in that program.

17 years agoremember to set session's ConsoleKit object path
David Zeuthen [Mon, 9 Apr 2007 19:16:10 +0000 (15:16 -0400)]
remember to set session's ConsoleKit object path

17 years agopolicy files now have the .policy extension, not .priv
David Zeuthen [Sun, 8 Apr 2007 23:38:02 +0000 (19:38 -0400)]
policy files now have the .policy extension, not .priv