polkit merge requestshttps://gitlab.freedesktop.org/polkit/polkit/-/merge_requests2022-03-30T12:52:41Zhttps://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/112Add Dutch translation2022-03-30T12:52:41ZNathan FollensAdd Dutch translationFirst time creating a merge request, please let me know if I've made any mistakes.First time creating a merge request, please let me know if I've made any mistakes.https://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/71Added the ability to add user_of_subject to user_identities list2023-09-19T09:11:40ZIvan SavinAdded the ability to add user_of_subject to user_identities listAdded the ability to add user_of_subject to user_identities list
if user_of_subject is a member of the group with administrator
rights but it is not in /etc/groups.
(If a privileged group is assigned through the NSS.)
This need arises ...Added the ability to add user_of_subject to user_identities list
if user_of_subject is a member of the group with administrator
rights but it is not in /etc/groups.
(If a privileged group is assigned through the NSS.)
This need arises in the next project:
https://github.com/altlinux/libnss-rolehttps://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/36Add en_GB translation2020-01-29T14:08:36ZZander BrownAdd en_GB translationhttps://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/136Add missing send_destination to org.freedesktop.PolicyKit1.conf2022-10-25T00:52:46ZLuciano Santosluc14n0@opensuse.orgAdd missing send_destination to org.freedesktop.PolicyKit1.confI've been seeing this **RPM Lint** error for a while now:
```
polkit.x86_64: E: dbus-policy-allow-without-destination
<allow send_interface="org.freedesktop.PolicyKit1.AuthenticationAgent"/>
/usr/share/dbus-1/system.d/org.freedesktop.Po...I've been seeing this **RPM Lint** error for a while now:
```
polkit.x86_64: E: dbus-policy-allow-without-destination
<allow send_interface="org.freedesktop.PolicyKit1.AuthenticationAgent"/>
/usr/share/dbus-1/system.d/org.freedesktop.PolicyKit1.conf
'allow' directives must always specify a 'send_destination'.
```
The relevant piece in question:
``` xml
<policy user="@polkitd_user@">
<allow send_interface="org.freedesktop.PolicyKit1.AuthenticationAgent"/>
</policy>
```
We're allowing the use of an interface without specifying a connection, as far as I can tell.https://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/55Add Norwegian Nynorsk translation2020-06-17T16:41:11ZKarl Ove HufthammerAdd Norwegian Nynorsk translationhttps://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/78Add out param GI annotation to polkit_implicit_authorization_from_string2023-04-25T08:00:01ZVal Packettval@packett.coolAdd out param GI annotation to polkit_implicit_authorization_from_stringThis helps binding generators like the Rust gir crate recognize the out parameter and generate correct handling code.This helps binding generators like the Rust gir crate recognize the out parameter and generate correct handling code.https://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/200Add pidfd parameter to CheckAuthorization()2023-12-21T18:12:50ZLuca BoccassiAdd pidfd parameter to CheckAuthorization()Allows to verify arbitrary processes by PIDFD, like it is already allowed
for D-Bus clients.
Fixes polkit/polkit#206
```
root@localhost:~# systemd-run --unit good.service -p DynamicUser=yes sleep infinity
Running as unit: good.service;...Allows to verify arbitrary processes by PIDFD, like it is already allowed
for D-Bus clients.
Fixes polkit/polkit#206
```
root@localhost:~# systemd-run --unit good.service -p DynamicUser=yes sleep infinity
Running as unit: good.service; invocation ID: 21c19fb228a149e4ba0b8e5372181461
root@localhost:~# systemd-run --unit bad.service -p DynamicUser=yes sleep infinity
Running as unit: bad.service; invocation ID: 4af9bb51e19149028bb197e16c120baf
root@localhost:~# test `systemctl show -P MainPID bad`
pid 643: authorized: 0, challenge: 1
root@localhost:~# test `systemctl show -P MainPID good`
pid 641: authorized: 1, challenge: 0
```
test rules:
```
polkit.addRule(function(action, subject) {
if (action.id == "org.freedesktop.systemd1.reload-daemon" && subject.system_unit == "good.service") {
if (subject.session) {
polkit.log(subject.session);
}
if (subject.seat) {
polkit.log(subject.seat);
}
if (subject.system_unit) {
polkit.log(subject.system_unit);
} else {
polkit.log("no system_unit found");
}
if (subject.no_new_privileges) {
polkit.log("no_new_privileges set");
}
return polkit.Result.YES;
}
});
```
test program:
```
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>
#include <systemd/sd-bus.h>
#define _cleanup_(f) __attribute__((cleanup(f)))
#define DESTINATION "org.freedesktop.PolicyKit1"
#define PATH "/org/freedesktop/PolicyKit1/Authority"
#define INTERFACE "org.freedesktop.PolicyKit1.Authority"
#define MEMBER "CheckAuthorization"
static int log_error(int error, const char *message) {
errno = -error;
fprintf(stderr, "%s: %m\n", message);
return error;
}
int main (int argc, char **argv) {
_cleanup_(sd_bus_flush_close_unrefp) sd_bus *bus = NULL;
_cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
_cleanup_(sd_bus_message_unrefp) sd_bus_message *reply = NULL, *m = NULL;
int authorized = 0, challenge = 0, pid, r;
if (argc < 2)
return log_error(-EINVAL, "Usage: <prog> <pid>");
pid = atoi(argv[1]);
r = sd_bus_open_system(&bus);
if (r < 0)
return log_error(r, "Failed to acquire bus");
r = sd_bus_message_new_method_call(bus, &m, DESTINATION, PATH, INTERFACE, MEMBER);
if (r < 0)
return log_error(r, "Failed to create bus message");
r = sd_bus_message_append(m, "(sa{sv})s", "unix-process", 1, "pidfd", "h", pidfd_open(pid, 0), "org.freedesktop.systemd1.reload-daemon");
if (r < 0)
return r;
r = sd_bus_message_open_container(m, SD_BUS_TYPE_ARRAY, "{ss}");
if (r < 0)
return log_error(r, "Failed to append to bus message");
r = sd_bus_message_close_container(m);
if (r < 0)
return log_error(r, "Failed to append to bus message");
r = sd_bus_message_append(m, "us", 0, NULL);
if (r < 0)
return log_error(r, "Failed to append to bus message");
r = sd_bus_call(bus, m, -1, &error, &reply);
if (r < 0)
return log_error(r, MEMBER " call failed");
r = sd_bus_message_enter_container(reply, 'r', "bba{ss}");
if (r < 0)
return r;
r = sd_bus_message_read(reply, "bb", &authorized, &challenge);
if (r < 0)
return r;
printf("pid %d: authorized: %d, challenge: %d\n", pid, authorized, challenge);
return 0;
}
```Jan RybarJan Rybarhttps://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/62add polkitbackendjsauthoritytest-wrapper.py into release tarball2020-08-20T17:51:33ZXi Ruoyaoadd polkitbackendjsauthoritytest-wrapper.py into release tarballI got polkit-0.117 release tarball at https://www.freedesktop.org/software/polkit/releases/polkit-0.117.tar.gz. Unfortunately `make check` fails for it because a script `polkitbackendjsauthoritytest-wrapper.py` is missing.
Add it into ...I got polkit-0.117 release tarball at https://www.freedesktop.org/software/polkit/releases/polkit-0.117.tar.gz. Unfortunately `make check` fails for it because a script `polkitbackendjsauthoritytest-wrapper.py` is missing.
Add it into `polkitbackendjsauthoritytest_SOURCES` so that autotools will add it into the release tarball created with `make dist-gzip`.https://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/89Add Portuguese Translation2021-07-21T12:46:50ZHugo CarvalhoAdd Portuguese Translationhttps://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/87Add Romanian translation2021-07-21T12:53:17ZSergiu BivolAdd Romanian translationhttps://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/51Add Russian translation2020-11-03T13:24:05ZАртемий СудаковAdd Russian translation100% complete100% completehttps://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/66Add script to convert pkla files to JS-based rules config2023-05-15T12:53:20ZJan Luca NaumannAdd script to convert pkla files to JS-based rules configAt the moment at least Debian sticks to polkit version 0.105 since
they have concerns about the JS-based rules config and the migration
of old pkla configurations, compare [1].
To dispel the converns about automatic migration I develope...At the moment at least Debian sticks to polkit version 0.105 since
they have concerns about the JS-based rules config and the migration
of old pkla configurations, compare [1].
To dispel the converns about automatic migration I developed a little
helper to convert most kinds of pkla config files to JS. I know this
is mainly a Debian-specific problem but maybe upstream is interested
to provide the helper as well.
[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946231
Signed-off-by: Jan Luca Naumann <j.naumann@fu-berlin.de>Jan RybarJan Rybarhttps://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/146Add similar feature of Linux's prctl() for FreeBSD, using procctl(2)2024-01-19T12:32:51ZOlivier DuchateauAdd similar feature of Linux's prctl() for FreeBSD, using procctl(2)Add support of procctl(2) for FreeBSD. It is similar to Linux's prctl().Add support of procctl(2) for FreeBSD. It is similar to Linux's prctl().https://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/152Add SRPM build dependencies for Packit2023-01-04T14:15:16ZMatej FockoAdd SRPM build dependencies for PackitAdd dependencies to enable building SRPM in Copr.
Signed-off-by: Matej Focko <mfocko@redhat.com>Add dependencies to enable building SRPM in Copr.
Signed-off-by: Matej Focko <mfocko@redhat.com>https://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/201Add sysusers file2023-12-08T11:05:10ZZbigniew Jędrzejewski-SzmekAdd sysusers fileThis adds a sysusers file so that the polkitd user can be created automatically on systems with empty /etc. It also allows rpm to create the user.This adds a sysusers file so that the polkitd user can be created automatically on systems with empty /etc. It also allows rpm to create the user.https://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/17Allow uid of -1 for a PolkitUnixProcess2019-02-05T15:53:32ZPhaedrus LeedsAllow uid of -1 for a PolkitUnixProcessCommit 2cb40c4d5 changed PolkitUnixUser, PolkitUnixGroup, and
PolkitUnixProcess to allow negative values for their uid/gid properties,
since these are values above INT_MAX which wrap around but are still
valid, with the exception of -1 w...Commit 2cb40c4d5 changed PolkitUnixUser, PolkitUnixGroup, and
PolkitUnixProcess to allow negative values for their uid/gid properties,
since these are values above INT_MAX which wrap around but are still
valid, with the exception of -1 which is not valid. However,
PolkitUnixProcess allows a uid of -1 to be passed to
polkit_unix_process_new_for_owner() which means polkit is expected to
figure out the uid on its own (this happens in the _constructed
function). So this commit removes the check in
polkit_unix_process_set_property() so that new_for_owner() can be used
as documented without producing a critical error message.
This does not affect the protection against CVE-2018-19788 which is
based on creating a user with a UID up to but not including 4294967295
(-1).https://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/73Avoid calling external processes2021-04-22T14:03:20ZHendrik WernerAvoid calling external processesPython already offers functions for chowning and chmodding files in its
standard library. The os module is even already imported. This commit removes
external process calls in favor of using these built-in Python functions.Python already offers functions for chowning and chmodding files in its
standard library. The os module is even already imported. This commit removes
external process calls in favor of using these built-in Python functions.https://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/102backend: Check for subject's primary group when expanding admin group2022-06-01T15:30:17ZDan Nicholsonbackend: Check for subject's primary group when expanding admin groupThe group database entries as returned by `getgrgid` do not contain
users who are members of the group as their primary group. In order to
find all members of a group, the primary group of all users must be
checked.
Since it could be ex...The group database entries as returned by `getgrgid` do not contain
users who are members of the group as their primary group. In order to
find all members of a group, the primary group of all users must be
checked.
Since it could be expensive to read through all passwd entries on large
multiuser systems, a compromise is to just check if the group is the
subject user's primary group. This may not provide all possible
admin identities to the authentication agent, but it should ensure that
any user in an admin group can authenticate as themselves.
Fixes: #131https://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/19backend: Compare PolkitUnixProcess uids for temporary authorizations2019-01-11T13:58:34ZColin Waltersbackend: Compare PolkitUnixProcess uids for temporary authorizationsIt turns out that the combination of `(pid, start time)` is not
enough to be unique. For temporary authorizations, we can avoid
separate users racing on pid reuse by simply comparing the uid.
https://bugs.chromium.org/p/project-zero/is...It turns out that the combination of `(pid, start time)` is not
enough to be unique. For temporary authorizations, we can avoid
separate users racing on pid reuse by simply comparing the uid.
https://bugs.chromium.org/p/project-zero/issues/detail?id=1692
And the above original email report is included in full in a new comment.
Reported-by: Jann Horn <jannh@google.com>
Closes: https://gitlab.freedesktop.org/polkit/polkit/issues/75https://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/18backend: Dedup some code for temporary auth subjects2022-06-08T08:18:57ZColin Waltersbackend: Dedup some code for temporary auth subjectsSee https://bugs.freedesktop.org/show_bug.cgi?id=23867
which turned up from `git annotate` here.
This code was copied, and we may want to change it in the future.
Deduplicate it.See https://bugs.freedesktop.org/show_bug.cgi?id=23867
which turned up from `git annotate` here.
This code was copied, and we may want to change it in the future.
Deduplicate it.