1. 18 Dec, 2007 1 commit
  2. 17 Dec, 2007 5 commits
    • 0d716714
    • add Shadow authentication framework · ba2003a9
      Carlos Corbacho authored
      Add Piter PUNK's polkit-grant-helper-shadow, and link against the
      appropriate libraries.
      
      For now, the Shadow framework must be explicitly called - in future,
      this could also be added as a fallback if PAM is not available.
    • make polkit-grant-helper-pam world readable · 59081d0a
      David Zeuthen authored
      This is to avoid breaking various backup and IDS software - proposed
      by Michael Biebl <mbiebl@gmail.com>.
    • split out authentication framework from authorisation database · b5e019d7
      Carlos Corbacho authored
      As per discussions with David Zeuthen, alter the build system so that we
      can have different authentication frameworks for the authorisation
      databases.
      
      For now, the dummy database will only accept 'none' for the authentication
      framework (this will be autoselected if not specified, and configure will
      throw an error if any framework other than 'none' is passed in).
      
      For the default database, the only available framework for now is 'pam'
      (as with 'none' and dummy, 'pam' will be autoselected if specified as the
      framework. If 'none' is passed as a framework, configure will reject this
      and fail).
      
      PAM specific code is now also marked with POLKIT_AUTHFW_PAM, so that it
      can be easily compiled out if other frameworks are added in future.
    • remove unnecessary PAM header inclusions · 28dc3169
      Carlos Corbacho authored
      Many files are needlessly including PAM headers, when the code in question
      has no PAM dependency - remove the PAM includes from these.
  3. 07 Dec, 2007 9 commits
    • cd836a75
    • fix typo in docs · 2c331fe6
      David Zeuthen authored
    • add additional checks when using strtoul · 46005c49
      David Zeuthen authored
      Pointed out by Martin Pitt <martin.pitt@ubuntu.com>.
    • 5f42b40d
    • add constraints for exe and SELinux context when granting an authorization · a8e46ceb
      David Zeuthen authored
      The way it works is that added constraints now look like this
      
      scope=always:action-id=org.pulseaudio.acquire-high-priority:when=1197004781:auth-as=0:constraint=local:constraint=active:constraint=exe%3A%2Fusr%2Fbin%2Fpulseaudio:constraint=selinux_context%3Asystem_u%3Asystem_r%3Aunconfined_t
      
      or if not using SELinux like this
      
      scope=always:action-id=org.freedesktop.hal.storage.mount-fixed:when=1197008218:auth-as=0:constraint=local:constraint=active:constraint=exe%3A%2Fusr%2Fbin%2Fgnome-mount
      
      This is a bit icky to implement for mechanisms, like HAL, running as
      an unprivileged user. The problem is that we can't resolve the symlink
      /proc/pid/exe. On the other hand, such mechanisms have the
      authorization org.freedesktop.policykit.read already. So use that.
      
      Note that this is what some people call snake-oil. The reason is in the
      docs for polkit_sysdeps_get_pid_for_exe(); copying it here so I can point
      people to this commit in the future:
      
        Get the name of the binary a given process was started from.
      
        Note that this is not necessarily reliable information and as such
        shouldn't be relied on 100% to make a security decision. In fact,
        this information is only trustworthy in situations where the given
        binary is securely locked down meaning that 1) it can't be
        ptrace(2)'d; 2) libc secure mode kicks in (e.g. LD_PRELOAD won't
        work); 3) there are no other attack vectors (e.g. GTK_MODULES, X11,
        CORBA, D-Bus) to patch running code into the process.
      
        In other words: the risk of relying on constraining an authorization
        to the output of this function is high. Suppose that the program
        /usr/bin/gullible obtains an authorization via authentication for
        the action org.example.foo. We add a constraint to say that the
        gained authorization only applies to processes for whom
        /proc/pid/exe points to /usr/bin/gullible. Now enter
        /usr/bin/evil. It knows that the program /usr/bin/gullible is not
        "securely locked down" (per the definition in the above
        paragraph). So /usr/bin/evil simply sets LD_PRELOAD and execs
        /usr/bin/gullible and it can now run code in a process where
        /proc/pid/exe points to /usr/bin/gullible. Thus, the recently gained
        authorization for org.example.foo applies. Also, /usr/bin/evil could
        use a host of other attack vectors to run its own code under the
        disguise of pretending to be /usr/bin/gullible.
      
        Specifically for interpreted languages like Python and Mono it is
        the case that /proc/pid/exe always points to /usr/bin/python
        resp. /usr/bin/mono. Thus, it's not very useful to rely on the
        result of this function if you want to constrain an authorization
        to e.g. /usr/bin/tomboy or /usr/bin/banshee.
      
      However, once we have a framework for running secure desktop apps this
      will start to make sense. Such a framework includes securing X (using
      e.g. XACE with SELinux) and making the UI toolkit secure as well. It's
      a lot of work.
      
      Until then these constraints at least make it harder for malicious
      apps to abuse PolicyKit authorizations gained by other users.
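Added worked example (not PolicyKit's own code, written for this page): a small C parser for the record format quoted in the a8e46ceb message above, the constraint check a mechanism would apply to it, and the checked strtoul() wrapper that the 46005c49 commit further up ("add additional checks when using strtoul") calls for. The record string is the SELinux one quoted in the commit message; struct caller, the function names and the fail-closed handling of unknown constraints are assumptions made here for illustration. The exe constraint is deliberately nothing more than a string compare on the resolved exe path, which is exactly why the caveat in the commit message applies: any code that gets itself run inside a process started from that binary satisfies it.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { MAX_CONSTRAINTS = 8, MAX_VALUE = 256 };

/* One stored authorization: key=value pairs joined by ':', values percent-encoded. */
struct auth_entry {
    char scope[MAX_VALUE], action_id[MAX_VALUE];
    unsigned long when, auth_as;
    char constraints[MAX_CONSTRAINTS][MAX_VALUE];
    int n_constraints;
};

/* Assumed view of the process using the authorization (a real mechanism would
 * fill it from the session database and readlink() on /proc/<pid>/exe). */
struct caller {
    int is_local, is_active;
    const char *exe;             /* resolved /proc/<pid>/exe, or NULL if unreadable */
    const char *selinux_context; /* NULL when SELinux is not in use */
};

/* The SELinux record quoted in the commit message above. */
static const char SAMPLE_SELINUX[] =
    "scope=always:action-id=org.pulseaudio.acquire-high-priority:when=1197004781"
    ":auth-as=0:constraint=local:constraint=active:constraint=exe%3A%2Fusr%2Fbin%2Fpulseaudio"
    ":constraint=selinux_context%3Asystem_u%3Asystem_r%3Aunconfined_t";

/* strtoul() plus the checks a bare call lacks: an empty string, leading
 * whitespace or '-', trailing garbage and an ERANGE overflow all fail. */
static int parse_ulong(const char *s, unsigned long *out)
{
    char *end;
    if (s == NULL || *s < '0' || *s > '9') return 0;
    errno = 0;
    unsigned long v = strtoul(s, &end, 10);
    if (errno == ERANGE || *end != '\0') return 0;
    *out = v;
    return 1;
}

static int hexval(int c)
{
    return (c >= '0' && c <= '9') ? c - '0' : (c >= 'a' && c <= 'f') ? c - 'a' + 10
         : (c >= 'A' && c <= 'F') ? c - 'A' + 10 : -1;
}

/* Decode %XX escapes in place; a truncated or non-hex escape fails. */
static int percent_decode(char *s)
{
    char *r = s, *w = s;
    int hi, lo;
    while (*r) {
        if (*r != '%') { *w++ = *r++; continue; }
        if ((hi = hexval(r[1])) < 0 || (lo = hexval(r[2])) < 0) return 0;
        *w++ = (char)(hi * 16 + lo); r += 3;
    }
    *w = '\0';
    return 1;
}

/* Parse one record; a bad key, number or escape rejects the whole record. */
static int parse_entry(const char *line, struct auth_entry *e)
{
    char buf[1024];
    int seen_when = 0, seen_auth_as = 0;
    if (snprintf(buf, sizeof buf, "%s", line) >= (int)sizeof buf) return 0;
    memset(e, 0, sizeof *e);
    for (char *p = buf; p != NULL && *p != '\0'; ) {
        char *next = strchr(p, ':');
        if (next) *next++ = '\0';
        char *val = strchr(p, '=');
        if (val == NULL) return 0; *val++ = '\0';
        if (!percent_decode(val) || strlen(val) >= MAX_VALUE) return 0;
        if (strcmp(p, "scope") == 0) strcpy(e->scope, val);
        else if (strcmp(p, "action-id") == 0) strcpy(e->action_id, val);
        else if (strcmp(p, "when") == 0) seen_when = parse_ulong(val, &e->when);
        else if (strcmp(p, "auth-as") == 0) seen_auth_as = parse_ulong(val, &e->auth_as);
        else if (strcmp(p, "constraint") == 0) {
            if (e->n_constraints == MAX_CONSTRAINTS) return 0;
            strcpy(e->constraints[e->n_constraints++], val);
        } else return 0;
        p = next;
    }
    return e->scope[0] && e->action_id[0] && seen_when && seen_auth_as;
}

/* 1 if every constraint holds for this caller; unknown kinds fail closed. */
static int constraints_satisfied(const struct auth_entry *e, const struct caller *c)
{
    for (int i = 0; i < e->n_constraints; i++) {
        const char *k = e->constraints[i];
        if (strcmp(k, "local") == 0) { if (!c->is_local) return 0; }
        else if (strcmp(k, "active") == 0) { if (!c->is_active) return 0; }
        else if (strncmp(k, "exe:", 4) == 0) {
            /* Only a string compare on the exe path; see the caveat above. */
            if (c->exe == NULL || strcmp(k + 4, c->exe) != 0) return 0;
        } else if (strncmp(k, "selinux_context:", 16) == 0) {
            if (c->selinux_context == NULL || strcmp(k + 16, c->selinux_context)) return 0;
        } else return 0;
    }
    return 1;
}
```

Two design points. A caller whose exe cannot be resolved (NULL, the unprivileged-mechanism case the commit message describes) fails the exe constraint here; the commit says the real code instead leans on the org.freedesktop.policykit.read authorization such mechanisms already hold. And parse_ulong() rejects a leading '-' and whitespace explicitly, because strtoul() silently accepts both and, on overflow, hands back ULONG_MAX with only errno to tell you.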
    • add bogus Returns: to make gtk-doc happy · 0bb7eeac
      David Zeuthen authored
    • use strlen to avoid writing garbage at the end of the test auth file · 5ea38976
      David Zeuthen authored
      While this seems like a grave bug, it is not. First, this only affects
      the test cases, and the file is guaranteed to be zero terminated before
      the garbage anyway.
    • post release version bump to 0.8 · c11ea1f0
      David Zeuthen authored
  4. 06 Dec, 2007 7 commits
  5. 05 Dec, 2007 1 commit
    • don't require .policy files for auth lookups · ea7da4ea
      David Zeuthen authored
      With this change, 'make check' now works even when PolicyKit isn't
      installed (as it should). Before this change it failed because the
      .policy files for org.freedesktop.policykit.read and .grant were not
      available.
  6. 01 Dec, 2007 5 commits
  7. 30 Nov, 2007 3 commits
  8. 29 Nov, 2007 6 commits
  9. 28 Nov, 2007 1 commit
  10. 25 Nov, 2007 2 commits