summary |
shortlog | log |
commit |
commitdiff |
tree
first ⋅ prev ⋅ next
David Zeuthen [Wed, 25 Jul 2007 21:47:45 +0000 (17:47 -0400)]
require that policy files also provide a <message> element
Declaring an action now requires two textual elements (that both are
subject to translation):
description: This is intended to be used in policy editors, for
example "Mount internal volumes".
message: This is to be used in auth dialogs, for example "System
Policy prevents mounting this internal volume".
This is actually needed for security reasons. The idea is that the
desktop environment can provide infrastructure that Callers
(e.g. applications) can use to ask the user to authenticate to gain a
privilege. One such example is PolicyKit-gnome; it's a D-Bus session
based service that applications can use to ask the user to
auth.
Before this change the caller provided the markup, e.g. gnome-mount
would do
action = "hal-storage-mount-fixed";
markup = _("System policy prevents mounting internal drives");
result = org.gnome.PolicyKit.ShowDialog (action, markup);
and the problem here is that any application in the session can spoof
the dialog by providing false information and getting to use to click
through on that.
With this change, where the org.gnome.PolicyKit auth service reads the
message from a system-controlled file, this can't happen. What the
user sees really reflects the action he's asking to consider allowing
to happen.
Especially with things like XACE (previously known as SEX) this is
important as we can make the process providing the D-Bus service
org.gnome.PolicyKit run in a dedicated security context, audit it to
make sure it's secure. Then have the window manager paint trust window
decorations or other things to make the user feel fuzzy, warm and
safe.
Btw, with this change the PolicyKit-gnome API will be simplified to
action = "hal-storage-mount-fixed";
result = org.gnome.PolicyKit.ShowDialog (action);
which is just about as simple as it can get.
Credit goes to Ryan Lortie <desrt@desrt.ca> for pointing this out
on #gnome-hackers earlier this morning.
David Zeuthen [Wed, 25 Jul 2007 19:00:57 +0000 (15:00 -0400)]
fix typo
David Zeuthen [Wed, 25 Jul 2007 18:11:36 +0000 (14:11 -0400)]
change default username
- change user from 'polkit' to 'polkituser'
- create directories in /var from polkit instead of polkit-grant
David Zeuthen [Tue, 24 Jul 2007 21:42:08 +0000 (17:42 -0400)]
fix up some of the docs
David Zeuthen [Tue, 24 Jul 2007 20:05:43 +0000 (16:05 -0400)]
remove RESULT_NOT_AUTHORIZED_TO_KNOW and s/RESULT_UNKNOWN_ACTION/RESULT_UNKNOWN/
David Zeuthen [Tue, 24 Jul 2007 19:41:58 +0000 (15:41 -0400)]
switch from VIA_ROOT to VIA_ADMIN
In the future PolicyKit will be able to be built such that VIA_ADMIN
either means 1) ask for root password; or 2) ask for a user in the
'wheel' group to authenticate. Right now it's only the former.
David Zeuthen [Tue, 24 Jul 2007 18:47:09 +0000 (14:47 -0400)]
update TODO
David Zeuthen [Tue, 24 Jul 2007 17:29:33 +0000 (13:29 -0400)]
document the /etc/PolicyKit/PolicyKit.conf file with a manual page
Also add a man page for polkit-list-actions(1).
David Zeuthen [Tue, 24 Jul 2007 02:22:38 +0000 (22:22 -0400)]
add support for an /etc/PolicyKit/PolicyKit.conf config file
With this, system administrators can override policy. Partial support,
more to come (including manual pages and documentation) later.
David Zeuthen [Tue, 24 Jul 2007 02:21:24 +0000 (22:21 -0400)]
get proper pid and SELinux context
David Zeuthen [Thu, 12 Jul 2007 19:12:30 +0000 (15:12 -0400)]
replace configuration reload mechanism
Instead of asking the user of libpolkit to provide a huge file
monitoring abstraction we simply ask for a simple interface for
watching file descriptors and use inotify (on Linux) to watch a file,
/var/lib/PolicyKit/reload. We provide a new tool,
polkit-reload-config, that simply touches this file.
David Zeuthen [Thu, 12 Jul 2007 17:49:08 +0000 (13:49 -0400)]
remove the notion of modules
David Zeuthen [Wed, 20 Jun 2007 05:53:26 +0000 (01:53 -0400)]
post-release version bump
David Zeuthen [Wed, 20 Jun 2007 05:31:38 +0000 (01:31 -0400)]
update NEWS
David Zeuthen [Wed, 20 Jun 2007 05:10:47 +0000 (01:10 -0400)]
add some more TODO items
David Zeuthen [Wed, 20 Jun 2007 05:04:17 +0000 (01:04 -0400)]
update HACKING and TODO
David Zeuthen [Wed, 20 Jun 2007 05:01:30 +0000 (01:01 -0400)]
update TODO
David Zeuthen [Wed, 20 Jun 2007 04:49:13 +0000 (00:49 -0400)]
add the spec
David Zeuthen [Wed, 20 Jun 2007 01:50:48 +0000 (21:50 -0400)]
fix small typo so _keep_always granting works again
David Zeuthen [Wed, 20 Jun 2007 01:48:42 +0000 (21:48 -0400)]
make .policy files live in /usr/share, not /etc
David Zeuthen [Wed, 20 Jun 2007 00:12:00 +0000 (20:12 -0400)]
build fixes
David Zeuthen [Tue, 19 Jun 2007 23:59:54 +0000 (19:59 -0400)]
move all grant writing/checking into a separate private library
David Zeuthen [Tue, 19 Jun 2007 20:41:49 +0000 (16:41 -0400)]
remove the distinction for local vs. remote users
Again, we punt this to the applications/mechanisms - they know better.
David Zeuthen [Tue, 19 Jun 2007 19:41:55 +0000 (15:41 -0400)]
rip out the notion of Resources
It makes things a _lot more_ complicated having to deal with resources
and there's a much nicer way to deal with it: Punt it to the apps:
It's much more natural for the application to have a notion about
about what resources are "trusted" (and e.g. requires lesser
privileges) and what resources aren't.
Consider dial-up networking; here the privileged application that
performs the dial-up operation consults a list (maintained by the
system administrator) of allowed numbers to dial. If the unprivileged
networking UI applet that requests a number to be dialed is on the
list it uses the PolicyKit action 'nm-dialup-trusted-location', if it
isn't then it uses the PolicyKit action 'nm-dialup-untrusted-location'.
David Zeuthen [Mon, 23 Apr 2007 01:13:17 +0000 (21:13 -0400)]
switch to XML for policy definition files and introduce descriptions
Descriptions will be subject to i18n/l10n efforts at some point.
Also add a new tool polkit-list-actions.
David Zeuthen [Tue, 17 Apr 2007 06:13:02 +0000 (02:13 -0400)]
also remember to do s/libpolkit/polkit/ on the pkg-config files
David Zeuthen [Tue, 17 Apr 2007 05:41:09 +0000 (01:41 -0400)]
rename libpolkit to polkit
It's more consistent and, uhm, easier to type.
David Zeuthen [Mon, 16 Apr 2007 03:37:29 +0000 (23:37 -0400)]
add some validation to public facing functions
David Zeuthen [Sun, 15 Apr 2007 23:41:00 +0000 (19:41 -0400)]
remove misguided action parameters
This feature was introduced with
commit
02a4c5101ca4751963f76a0e016d3308389dc2a5
http://gitweb.freedesktop.org/?p=PolicyKit.git;a=commit;h=
02a4c5101ca4751963f76a0e016d3308389dc2a5
It makes things a lot harder for privilege granting if a feature like
action parameters are present. Thinking about it, they're not really
necessary; the parameters should just be encoded in the resource name;
e.g. with the example given in the commit
> This is useful for letting mechanisms convey information which may be
> useful in making a decision whether an action is OK. For example,
> NetworkManager could use this to provide the phone-number parameter
> with a hypothetical "nm-dialup" action. Then a site or vendor can
> provide insert
>
> mandatory polkit-run-program.so \
> program="/usr/lib/check-dialup-number.sh" privilege="nm-dialup"
>
> into /etc/PolicyKit/PolicyKit.conf and have said program check
>
> $POLKIT_ACTION_PARAM_PHONE_NUMBER
>
> in that program.
is broken; the right thing here is for a hypothetical NetworkManager
to pass the dial up connection details as the resource
resource.type = "NetworkManager"
resource.id = "/org/freedesktop/NM/DialUpConnection/number=555-HOT-CHICKS"
in a well-defined format etc. etc.
David Zeuthen [Sun, 15 Apr 2007 22:55:27 +0000 (18:55 -0400)]
add the PAM configuration file
David Zeuthen [Sun, 15 Apr 2007 22:54:35 +0000 (18:54 -0400)]
add pkg-config files for the two new libraries
David Zeuthen [Sun, 15 Apr 2007 22:53:42 +0000 (18:53 -0400)]
add the correct version files for docs
David Zeuthen [Sun, 15 Apr 2007 22:51:19 +0000 (18:51 -0400)]
add grant functionality + lots of other changes
- Split libpolkit into three libraries
- libpolkit : to be used only by mechanisms and modules
- libpolkit-dbus : utility library for libpolkit to get caller, session
etc. info from the bus and ConsoleKit
- libpolkit-grant : client side library for obtaining privileges; uses
a setgid helper internally
- grant functionality
- a helper library, libpolkit-grant, to gain privileges
- includes a setgid $POLKIT_GROUP helper to write granted privileges
- a PK module, to read and interpret granted privileges
- a cmdline app, polkit-grant, using said library
- Other changes
- so it turns out that sizeof(bool) != sizeof(gboolean), sizeof(dbus_bool_t)
This blows so define our own polkit_bool_t type
- add some validation routines
The grant functionality, especially the setgid helper needs thorough
security review before we can release it.
David Zeuthen [Mon, 9 Apr 2007 22:38:20 +0000 (18:38 -0400)]
remove all usage of glib from the header files
This paves the way for getting rid of a glib dependency; when and if
that happens is to be determined; right now it just doesn't make a lot
of sense to reimplement GKeyFile, GSList, GHashTable, g_spawn_sync and
other useful routines. But it might make sense if we want to get the
message bus daemon to link with libpolkit so you e.g. can say
<policy polkit="acme-frobnicate">
<allow send_interface="com.acme.Frobnicator"
</policy>
to allow a caller on the system message bus to access that interface
if, and only if, he can do the "acme-frobnicate" action according to
PolicyKit.
David Zeuthen [Mon, 9 Apr 2007 19:20:04 +0000 (15:20 -0400)]
associate parameters (key/value pairs) with the Action class
This is useful for letting mechanisms convey information which may be
useful in making a decision whether an action is OK. For example,
NetworkManager could use this to provide the phone-number parameter
with a hypothetical "nm-dialup" action. Then a site or vendor can
provide insert
mandatory polkit-run-program.so program="/usr/lib/check-dialup-number.sh" privilege="nm-dialup"
into /etc/PolicyKit/PolicyKit.conf and have said program check
$POLKIT_ACTION_PARAM_PHONE_NUMBER
in that program.
David Zeuthen [Mon, 9 Apr 2007 19:16:10 +0000 (15:16 -0400)]
remember to set session's ConsoleKit object path
David Zeuthen [Sun, 8 Apr 2007 23:38:02 +0000 (19:38 -0400)]
policy files now have the .policy extension, not .priv
David Zeuthen [Sun, 8 Apr 2007 23:18:23 +0000 (19:18 -0400)]
no need to reference polkit-module-default twice in a man page
David Zeuthen [Sun, 8 Apr 2007 23:12:31 +0000 (19:12 -0400)]
minor fixes to the PolicyKit manual page
David Zeuthen [Sun, 8 Apr 2007 23:06:59 +0000 (19:06 -0400)]
mass renaming of classes
Privilege -> Action
PrivilegeFile -> PolicyFile
PrivilegeFileEntry -> PolicyFileEntry
PrivilegeCache -> PolicyCache
Hopefully it makes a bit more sense now.
David Zeuthen [Sun, 8 Apr 2007 21:26:29 +0000 (17:26 -0400)]
fix up Makefile.am
David Zeuthen [Sun, 8 Apr 2007 21:25:31 +0000 (17:25 -0400)]
generate and dist ChangeLog
David Zeuthen [Sun, 8 Apr 2007 20:49:27 +0000 (16:49 -0400)]
add built-in options and a new module pam-polkit-run-program.so
David Zeuthen [Sun, 8 Apr 2007 06:13:34 +0000 (02:13 -0400)]
stop disting ChangeLog and start disting modules/PolicyKit.conf
Am happy to report that 'make distcheck' now works!
David Zeuthen [Sun, 8 Apr 2007 06:07:42 +0000 (02:07 -0400)]
add module loading to PolicyKit
This paves the way for writing
1. A module that tracks temporary (look in /var/run) and permanent (look
in /var/lib) privilege grants
2. A D-Bus service to authenticate a client to obtain to a privilege
grant and then writing the grant in temporary or permanent storage
Also, this feature lets people very easily lock down the system; just
edit /etc/PolicyKit/PolicyKit.conf; add pam-module-deny-all / -allow-all
stanzas with various privilege=<regexp> and user=<username> options.
David Zeuthen [Sat, 7 Apr 2007 02:09:00 +0000 (22:09 -0400)]
watch the correct directory
David Zeuthen [Sat, 7 Apr 2007 01:52:37 +0000 (21:52 -0400)]
really ignore privilege files starting with "." this time
Also avoid dumping all privilege file entries to debug whenever we
populate our privilege cache.
David Zeuthen [Sat, 7 Apr 2007 01:01:35 +0000 (21:01 -0400)]
refine file monitoring interface and implement policy reload
David Zeuthen [Sat, 7 Apr 2007 01:01:14 +0000 (21:01 -0400)]
make polkit-privilege-file-validate accept multiple files
David Zeuthen [Fri, 6 Apr 2007 20:23:47 +0000 (16:23 -0400)]
move to using _pk_debug and respect $POLKIT_DEBUG
David Zeuthen [Fri, 6 Apr 2007 18:09:02 +0000 (14:09 -0400)]
read privilege files and actually use the policy described in those
David Zeuthen [Wed, 4 Apr 2007 20:52:59 +0000 (16:52 -0400)]
provide an example privilege file
David Zeuthen [Wed, 4 Apr 2007 20:38:34 +0000 (16:38 -0400)]
include PolKitPrivilegeFile in API docs
David Zeuthen [Wed, 4 Apr 2007 20:26:20 +0000 (16:26 -0400)]
introduce a PolKitResult enumeration and make privilege files use that
David Zeuthen [Wed, 4 Apr 2007 07:08:09 +0000 (03:08 -0400)]
add support for privilege files and provide a validation tool
David Zeuthen [Wed, 4 Apr 2007 04:39:16 +0000 (00:39 -0400)]
get rid of AS_AC_EXPAND and use autoconf docdir
Inspired by recent patches to both HAL and ConsoleKit from Michael
Biebl <mbiebl@gmail.com>.
David Zeuthen [Thu, 29 Mar 2007 05:17:40 +0000 (01:17 -0400)]
no need to mention $(top_srcdir) twice
David Zeuthen [Thu, 29 Mar 2007 05:06:16 +0000 (01:06 -0400)]
build fix so 'make distcheck' works
David Zeuthen [Thu, 29 Mar 2007 04:46:42 +0000 (00:46 -0400)]
add two tools polkit-check-caller and polkit-check-session
David Zeuthen [Thu, 29 Mar 2007 00:10:52 +0000 (20:10 -0400)]
implement the classes carrying data
David Zeuthen [Wed, 28 Mar 2007 22:08:50 +0000 (18:08 -0400)]
document the API
Now I only need to implement it...
David Zeuthen [Wed, 28 Mar 2007 18:50:02 +0000 (14:50 -0400)]
split libpolkit into more source/header files
David Zeuthen [Wed, 28 Mar 2007 18:11:56 +0000 (14:11 -0400)]
proposed API
David Zeuthen [Wed, 28 Mar 2007 18:11:00 +0000 (14:11 -0400)]
update to the gtk-doc.make from the HAL project
David Zeuthen [Wed, 28 Mar 2007 17:01:37 +0000 (13:01 -0400)]
reset project and remove all existing code
Some of the code, e.g. the daemon, will be brought back in other forms.
Danny Kukawka [Mon, 21 Aug 2006 18:41:21 +0000 (20:41 +0200)]
fix make distcheck
A quick (and dirty) fix to get 'make distcheck' complete running and
to fix polkitd-test
Danny Kukawka [Mon, 21 Aug 2006 18:28:09 +0000 (20:28 +0200)]
stop configure if pam/pam-devel is missing
This little patch fixes configure to stop and print a error message if
pam/pam-devel is missing while run configure for PolicyKit
Danny Kukawka [Sat, 29 Jul 2006 14:42:14 +0000 (10:42 -0400)]
Patch from Danny Kukawka <danny.kukawka@web.de> with some cleanup.s
* pam-polkit-console/pam-polkit-console.c: (pam_sm_open_session),
(pam_sm_close_session): fixed usage of pam_get_item() to respect
strict-aliasing rules
* polkitd/polkit-manager.c: (polkit_manager_get_caller_info):
added ifdef around currently unused calling_selinux_context
* tools/polkit-grant-privilege.c: (grant_complete_cb): replaced
libpolkit_free_context() with correct libpolkit_grant_free_context()
David Zeuthen [Sat, 29 Jul 2006 14:39:05 +0000 (10:39 -0400)]
Add ChangeLog and *.tar.gz to .gitignore.
David Zeuthen [Fri, 28 Jul 2006 00:52:26 +0000 (20:52 -0400)]
Remove ChangeLog file and add rules to Makefile.am to generate one for
disted tarballs.
Kay Sievers [Thu, 27 Jul 2006 20:44:44 +0000 (22:44 +0200)]
.cvsignore -> .gitignore
David Zeuthen [Wed, 7 Jun 2006 00:26:55 +0000 (00:26 +0000)]
For now, comment out SELinux stuff as it breaks when SELinux is not
available.
David Zeuthen [Tue, 6 Jun 2006 14:48:27 +0000 (14:48 +0000)]
Patch from Frederic Peters <fpeters@entrouvert.com>. jhbuild monitors files
being installed and prevents them from being written out of its target
directory. This means HAL now prevents jhautobuild[1] to complete since
pam-polkit-console hardcodes /lib/security. Attached is a patch with a
configure option (--with-pam-module-dir) so it is possible to set an
other directory. [1] http://jhbuild.bxlug.be
David Zeuthen [Tue, 6 Jun 2006 11:55:50 +0000 (11:55 +0000)]
Patch from Frederic Peters <fpeters@entrouvert.com>.
http://jhbuild.bxlug.be/builds/2006-06-06-0000/logs/PolicyKit/#build
shows a error when building newest PolicyKit with Debian PAM libraries.
Attached patch adds new configure checks; pam-polkit-console.c may need
alternate behaviour if pam_vsyslog is missing (using straight
vsyslog?).
configure.in,
David Zeuthen [Mon, 5 Jun 2006 23:39:00 +0000 (23:39 +0000)]
Lots of changes! Almost ready for 0.2 release.
David Zeuthen [Sat, 22 Apr 2006 23:27:14 +0000 (23:27 +0000)]
Update to new D-BUS API; print " (temporary)" for privilege if appropriate.
Update to new D-BUS API
Update to new D-BUS API (main): --do--
New file
Add build rules for polkit-revoke-privilege
Fix up prototypes
Update to new D-BUS API
(polkit_manager_get_allowed_resources_for_privilege): --do--
(polkit_manager_revoke_temporary_privilege): New function
(polkit_manager_remove_temporary_privilege): Fix up resource handling
(polkit_manager_add_temporary_privilege): --do--
Update to new D-BUS API and export libpolkit_revoke_temporary_privilege()
Update to new D-BUS API
(libpolkit_get_allowed_resources_for_privilege_for_uid): --do--
(libpolkit_revoke_temporary_privilege): New function
Rename InitiatePrivilegeGrant() to InitiateTemporaryPrivilegeGrant(). Add
new function RevokeTemporaryPrivilege(). Make IsUserPrivileged() output
a boolean is_temporary. GetAllowedResourcesForPrivilege() now also
outputs an integer num_non_temp.
David Zeuthen [Sat, 22 Apr 2006 02:24:00 +0000 (02:24 +0000)]
Write some more stuff
Richard Hughes [Tue, 4 Apr 2006 19:04:20 +0000 (19:04 +0000)]
Add in the new spec directory so we add the folder to the tarball.
Fix this up in one place so it validates and so that make distcheck can run
again..
David Zeuthen [Wed, 29 Mar 2006 16:15:28 +0000 (16:15 +0000)]
Add docbook detection
New files
Free the questions to prevent memory leak
David Zeuthen [Wed, 29 Mar 2006 02:18:56 +0000 (02:18 +0000)]
initial commit
Richard Hughes [Mon, 27 Mar 2006 08:37:28 +0000 (08:37 +0000)]
Add these files.
David Zeuthen [Fri, 17 Mar 2006 00:23:00 +0000 (00:23 +0000)]
remove code that shouldn't be committed
David Zeuthen [Fri, 17 Mar 2006 00:21:31 +0000 (00:21 +0000)]
Remember to kill the child here
David Zeuthen [Thu, 16 Mar 2006 23:36:16 +0000 (23:36 +0000)]
forgot ChangeLog for polkitd/main.c
David Zeuthen [Thu, 16 Mar 2006 23:28:47 +0000 (23:28 +0000)]
Unref when the child dies (polkit_session_initiate_auth): Ref the object
after creating child (polkit_session_initiator_disconnected): Make sure
to nuke the kids
David Zeuthen [Wed, 15 Mar 2006 16:11:33 +0000 (16:11 +0000)]
Include sys/types.h; fixed fd.o bug #6280. Patch from Wouter Bolsterlee
<uws+freedesktop@xs4all.nl>.
David Zeuthen [Wed, 15 Mar 2006 00:33:35 +0000 (00:33 +0000)]
Change priorities from 90 10 to 98 02 to make this work
Remove user="@POLKIT_USER@" bits as I'm not sure we need a dedicated user
Cosmetic things
David Zeuthen [Wed, 15 Mar 2006 00:29:38 +0000 (00:29 +0000)]
remove Makefile.in; it's not needed
Kay Sievers [Wed, 15 Mar 2006 00:19:57 +0000 (00:19 +0000)]
Add SUSE distro bits.
David Zeuthen [Tue, 14 Mar 2006 06:20:47 +0000 (06:20 +0000)]
forgot two files
David Zeuthen [Tue, 14 Mar 2006 06:14:33 +0000 (06:14 +0000)]
Add a bunch of code; basically a full rewrite moving all queries to the
daemon.
David Zeuthen [Thu, 9 Mar 2006 17:14:48 +0000 (17:14 +0000)]
Use right Cflags
David Zeuthen [Wed, 8 Mar 2006 03:28:58 +0000 (03:28 +0000)]
s/hal-policy/polkit/
David Zeuthen [Wed, 8 Mar 2006 02:56:14 +0000 (02:56 +0000)]
Use simpler names: user, group and txtsrc :-/
David Zeuthen [Wed, 8 Mar 2006 02:53:45 +0000 (02:53 +0000)]
Add libpoluser, libpolgroup and libpoltxtsrc variables
David Zeuthen [Wed, 8 Mar 2006 02:45:24 +0000 (02:45 +0000)]
s/-llibpolkit/-lpolkit/
David Zeuthen [Wed, 8 Mar 2006 01:52:03 +0000 (01:52 +0000)]
Initial import
David Zeuthen [Wed, 8 Mar 2006 01:52:03 +0000 (01:52 +0000)]
Initial revision