From b5e019d783af8651db8e962c47b39942677ca6fd Mon Sep 17 00:00:00 2001 From: Carlos Corbacho Date: Sun, 16 Dec 2007 21:21:16 -0500 Subject: [PATCH] split out authentication framework from authorisation database As per discussions with David Zeuthen, alter the build system so that we can have different authentication frameworks for the authorisation databases. For now, the dummy database will only accept 'none' for the authentication framework (this will be autoselected if not specified, and configure will throw an error if any other framework than 'none' is specified is passed in). For the default database, the only available framework for now is 'pam' (as with 'none' and dummy, 'pam' will be autoselected if specified as the framework. If 'none' is passed as a framework, configure will reject this and fail). PAM specific code is now also marked with POLKIT_AUTHFW_PAM, so that it can be easily compiled out if other frameworks are added in future. --- configure.in | 51 ++++++++++++++++++++++++++++++++-- data/Makefile.am | 2 +- src/polkit-grant/Makefile.am | 18 ++++++++++-- src/polkit-grant/polkit-grant-helper.c | 6 ++++ 4 files changed, 72 insertions(+), 5 deletions(-) diff --git a/configure.in b/configure.in index 5e1f8e1..e415c12 100644 --- a/configure.in +++ b/configure.in @@ -269,12 +269,10 @@ AC_DEFINE_UNQUOTED(POLKIT_AUTHDB,"$POLKIT_AUTHDB", [Authorization Database to us case $POLKIT_AUTHDB in dummy) - need_pam=no AC_DEFINE(POLKIT_AUTHDB_DUMMY, 1, [If using the dummy authorization database]) ;; default) - need_pam=yes AC_DEFINE(POLKIT_AUTHDB_DEFAULT, 1, [If using the default authorization database]) ;; 
@@ -286,6 +284,54 @@ esac AM_CONDITIONAL(POLKIT_AUTHDB_DUMMY, [test x$POLKIT_AUTHDB = xdummy], [Using dummy authdb]) AM_CONDITIONAL(POLKIT_AUTHDB_DEFAULT, [test x$POLKIT_AUTHDB = xdefault], [Using default authdb]) +dnl --------------------------------------------------------------------------- +dnl - Select which authentication framework to use +dnl --------------------------------------------------------------------------- + +AC_ARG_WITH([authfw], + AS_HELP_STRING([--with-authfw=], + [Authentication framework (none/pam)])) +if ! test -z "$with_authfw" ; then + if test x$with_authdb = xdummy ; then + if ! test x$with_authfw = xnone ; then + AC_MSG_ERROR([Only 'none' is a valid authentication framework for the dummy authorization database]) + fi + else + if test x$with_authfw = xnone ; then + AC_MSG_ERROR(['none' is only a valid authentication framework for the dummy authorization database]) + fi + fi + POLKIT_AUTHFW=$with_authfw +else + if test x$with_authdb = xdummy ; then + POLKIT_AUTHFW=none + else + POLKIT_AUTHFW=pam + fi +fi + +AC_SUBST(POLKIT_AUTHFW) +AC_DEFINE_UNQUOTED(POLKIT_AUTHFW,"$POLKIT_AUTHFW", [Authentication Framework to use]) + +case $POLKIT_AUTHFW in + none) + need_pam=no + AC_DEFINE(POLKIT_AUTHFW_NONE, 1, [If using no authentication framework]) + ;; + + pam) + need_pam=yes + AC_DEFINE(POLKIT_AUTHFW_PAM, 1, [If using the PAM authentication framework]) + ;; + + *) + AC_MSG_ERROR([Unknown Authentication Framework: $POLKIT_AUTHFW]) + ;; +esac + +AM_CONDITIONAL(POLKIT_AUTHFW_NONE, [test x$POLKIT_AUTHFW = xnone], [Using no authfw]) +AM_CONDITIONAL(POLKIT_AUTHFW_PAM, [test x$POLKIT_AUTHFW = xpam], [Using PAM authfw]) + dnl --------------------------------------------------------------------------- dnl - Check for PAM @@ -498,6 +544,7 @@ echo " group for PolicyKit: ${POLKIT_GROUP} authorization database: ${POLKIT_AUTHDB} + authentication framework: ${POLKIT_AUTHFW} Distribution/OS: ${with_os_type} SELinux support: ${have_selinux} 
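Review bot: The new authfw selection block in configure.in decides the allowed framework with `test x$with_authdb = xdummy`, the raw `--with-authdb` argument, while the conditionals around it use the resolved `$POLKIT_AUTHDB`. Where `POLKIT_AUTHDB` is assigned is outside this hunk, so this is hedged: if it is ever defaulted or normalised without `with_authdb` being set, the pairing check can disagree with the database that is actually built, for example by rejecting `none` for a dummy build or auto-selecting `pam` for it. Testing the resolved value in all three places, `if test "x$POLKIT_AUTHDB" = xdummy ; then`, ties the check to the real configuration. Quoting the operand in the framework tests as well, `test "x$with_authfw" = xnone`, lets a malformed value reach the intended `AC_MSG_ERROR` rather than a shell `test` syntax error.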
diff --git a/data/Makefile.am b/data/Makefile.am index 36bd7c0..8b91bc3 100644 --- a/data/Makefile.am +++ b/data/Makefile.am @@ -2,7 +2,7 @@ # See polkit-grant/Makefile.am for discussion # -if POLKIT_AUTHDB_DEFAULT +if POLKIT_AUTHFW_PAM pamdir = $(sysconfdir)/pam.d pam_DATA = polkit endif diff --git a/src/polkit-grant/Makefile.am b/src/polkit-grant/Makefile.am index 0ac986c..261f01f 100644 --- a/src/polkit-grant/Makefile.am +++ b/src/polkit-grant/Makefile.am @@ -41,13 +41,21 @@ libpolkit_grant_la_LDFLAGS = -version-info $(LT_CURRENT):$(LT_REVISION):$(LT_AGE # adjust the PAM stuff in data/Makefile.am # if POLKIT_AUTHDB_DEFAULT -libexec_PROGRAMS = polkit-grant-helper polkit-grant-helper-pam polkit-explicit-grant-helper polkit-revoke-helper +libexec_PROGRAMS = polkit-grant-helper + +if POLKIT_AUTHFW_PAM +libexec_PROGRAMS += polkit-grant-helper-pam +endif + +libexec_PROGRAMS += polkit-explicit-grant-helper polkit-revoke-helper polkit_grant_helper_SOURCES = polkit-grant-helper.c polkit_grant_helper_LDADD = @GLIB_LIBS@ @DBUS_LIBS@ $(top_builddir)/src/polkit/libpolkit.la $(top_builddir)/src/polkit-dbus/libpolkit-dbus.la libpolkit-grant.la +if POLKIT_AUTHFW_PAM polkit_grant_helper_pam_SOURCES = polkit-grant-helper-pam.c polkit_grant_helper_pam_LDADD = @AUTH_LIBS@ +endif polkit_explicit_grant_helper_SOURCES = polkit-explicit-grant-helper.c polkit_explicit_grant_helper_CFLAGS = @DBUS_CFLAGS@ @@ -60,7 +68,7 @@ polkit_revoke_helper_LDADD = $(top_builddir)/src/polkit/libpolkit.la $(top_build # polkit-grant-helper needs to be setgid polkituser to be able to # write cookies to /var/lib/PolicyKit and /var/run/PolicyKit # -# polkit-grant-helper-pam need to be setuid root because it's used to +# polkit-grant-helper-* need to be setuid root because it's used to # authenticate not only the invoking user, but possibly also root # and/or other users. As only polkit-grant-helper will invoke it # we make it owned by the polkitiuser group and non-readable / 
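Review bot: The reworded comment in the `@@ -60,7 +68,7 @@` hunk of src/polkit-grant/Makefile.am now says every `polkit-grant-helper-*` binary needs to be setuid root, but the install-exec-hook in the same file applies `chgrp $(POLKIT_GROUP)` and `chmod 4750` only to `polkit-grant-helper-pam`, and only under `POLKIT_AUTHFW_PAM`. A helper added for a future framework would not get the ownership and mode the comment describes unless its author also extends the hook. I would say so in the comment, e.g. `# Each polkit-grant-helper-<authfw> needs to be setuid root (add its chgrp/chmod 4750 to install-exec-hook) because it is used to`. The comment block continues past the end of the hunk.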
@@ -77,8 +85,10 @@ polkit_revoke_helper_LDADD = $(top_builddir)/src/polkit/libpolkit.la $(top_build install-exec-hook: -chgrp $(POLKIT_GROUP) $(DESTDIR)$(libexecdir)/polkit-grant-helper -chmod 2755 $(DESTDIR)$(libexecdir)/polkit-grant-helper +if POLKIT_AUTHFW_PAM -chgrp $(POLKIT_GROUP) $(DESTDIR)$(libexecdir)/polkit-grant-helper-pam -chmod 4750 $(DESTDIR)$(libexecdir)/polkit-grant-helper-pam +endif -chgrp $(POLKIT_GROUP) $(DESTDIR)$(libexecdir)/polkit-explicit-grant-helper -chmod 2755 $(DESTDIR)$(libexecdir)/polkit-explicit-grant-helper -chgrp $(POLKIT_GROUP) $(DESTDIR)$(libexecdir)/polkit-revoke-helper @@ -111,7 +121,9 @@ covered-files.txt : if POLKIT_AUTHDB_DEFAULT echo src/polkit-grant/polkit-explicit-grant-helper.c >> covered-files.txt echo src/polkit-grant/polkit-grant-helper.c >> covered-files.txt +if POLKIT_AUTHFW_PAM echo src/polkit-grant/polkit-grant-helper-pam.c >> covered-files.txt +endif echo src/polkit-grant/polkit-revoke-helper.c >> covered-files.txt endif @@ -120,7 +132,9 @@ coverage-report.txt : covered-files.txt clean-gcov all check if POLKIT_AUTHDB_DEFAULT gcov polkit-explicit-grant-helper.c -o .libs/ > /dev/null gcov polkit-grant-helper.c -o .libs/ > /dev/null +if POLKIT_AUTHFW_PAM gcov polkit-grant-helper-pam.c -o .libs/ > /dev/null +endif gcov polkit-revoke-helper.c -o .libs/ > /dev/null endif $(top_srcdir)/test/create-coverage-report.sh "module polkit-grant" `cat covered-files.txt` > coverage-report.txt diff --git a/src/polkit-grant/polkit-grant-helper.c b/src/polkit-grant/polkit-grant-helper.c index a3edefc..84462a9 100644 --- a/src/polkit-grant/polkit-grant-helper.c +++ b/src/polkit-grant/polkit-grant-helper.c @@ -39,7 +39,11 @@ #include #include #include + +#ifdef POLKIT_AUTHFW_PAM #include +#endif + #include #include #include 
@@ -163,7 +167,9 @@ do_auth (const char *user_to_auth, gboolean *empty_conversation)
 int helper_stdin;
 int helper_stdout;
 GError *g_error;
+#ifdef POLKIT_AUTHFW_PAM
 char *helper_argv[2] = {PACKAGE_LIBEXEC_DIR "/polkit-grant-helper-pam", NULL};
+#endif
 char buf[256];
 FILE *child_stdin;
 FILE *child_stdout;
-- 
2.7.4
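Review bot: With `helper_argv` declared only under `#ifdef POLKIT_AUTHFW_PAM`, do_auth has no helper to run in any other configuration, and nothing in the hunk says what should happen then. The rest of do_auth is outside this hunk, so I cannot see whether it still references `helper_argv`. If it does, a non-PAM build stops with an undeclared-identifier error; if the spawn is later guarded too, do_auth must report failure rather than fall through as authenticated. Adding `#else` and `#error "polkit-grant-helper: no authentication helper for the selected POLKIT_AUTHFW"` before the `#endif` makes the build fail closed with a clear message. The matching guard around the PAM header include in the `@@ -39,7 +39,11 @@` hunk looks fine as it stands.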