polkit merge requestshttps://gitlab.freedesktop.org/polkit/polkit/-/merge_requests2024-01-19T12:32:54Zhttps://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/122pkexec: Spawn the local agent2024-01-19T12:32:54ZMarkpkexec: Spawn the local agentSpawn a local agent instead of trying to become one.
Fixes https://gitlab.freedesktop.org/polkit/polkit/-/issues/17.Spawn a local agent instead of trying to become one.
Fixes https://gitlab.freedesktop.org/polkit/polkit/-/issues/17.https://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/157removed unused getter for directory property2024-01-19T12:32:54ZArvin Schnellremoved unused getter for directory propertySplit of parts of https://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/148.Split of parts of https://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/148.https://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/148read actions also from /etc/polkit-1/actions2024-01-19T12:32:53ZArvin Schnellread actions also from /etc/polkit-1/actionsThe MR resolves https://gitlab.freedesktop.org/polkit/polkit/-/issues/179.
Now actions are also loaded from ```/etc/polkit-t/actions/```. It also fixes the lookup in ```parsed_files``` by using ```g_hash_table_lookup_extended()``` inste...The MR resolves https://gitlab.freedesktop.org/polkit/polkit/-/issues/179.
Now actions are also loaded from ```/etc/polkit-t/actions/```. It also fixes the lookup in ```parsed_files``` by using ```g_hash_table_lookup_extended()``` instead of ```g_hash_table_lookup()```. I had the liberty to remove ```polkit_backend_action_pool_get_property()``` since it looked unused to me (so I could also not test it).https://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/184Draft: polkitd: add logging for successfully loaded rules2024-01-19T12:32:52ZJan RybarDraft: polkitd: add logging for successfully loaded rulesLog each successful load operation of a rule file including the name
of the loaded file. Getting the list of active rule files from the
logs is an important information in a support case and should not need
additional tracing/debugging. ...Log each successful load operation of a rule file including the name
of the loaded file. Getting the list of active rule files from the
logs is an important information in a support case and should not need
additional tracing/debugging.
---
Built and tested on top of 4b7a5c3. The info is logged during polkitd
startup and with changes of rule files, also in case '--no-debug' is set.
It might be a good idea to add a log_level to the argument list of
polkit_backend_authority_log() but this would affect >60 callers and is
out of scope of this patch.https://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/146Add similar feature of Linux's prctl() for FreeBSD, using procctl(2)2024-01-19T12:32:51ZOlivier DuchateauAdd similar feature of Linux's prctl() for FreeBSD, using procctl(2)Add support of procctl(2) for FreeBSD. It is similar to Linux's prctl().Add support of procctl(2) for FreeBSD. It is similar to Linux's prctl().https://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/133Fix create identity error with pure digital account2024-01-19T12:32:51Zssk-whFix create identity error with pure digital accountIf it is a pure digital account, for example, unix-user: 1234567, the username after unix-user: will be parsed as uid, but in fact this is just the username
------
Can you tell me if this modification is correct? I don't know much about ...If it is a pure digital account, for example, unix-user: 1234567, the username after unix-user: will be parsed as uid, but in fact this is just the username
------
Can you tell me if this modification is correct? I don't know much about the polkit project,thanks!https://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/203meson.build: define systemd_dep in broader context2024-01-19T12:32:50ZSergei Trofimovichmeson.build: define systemd_dep in broader contextWithout the change configure fails when `-Dsystemdsystemunitdir=` is
passed explicitly as:
$ meson .. ... -Dsystemdsystemunitdir=/lib/systemd/system ...
...
meson.build:222:37: ERROR: Unknown variable "systemd_dep".Without the change configure fails when `-Dsystemdsystemunitdir=` is
passed explicitly as:
$ meson .. ... -Dsystemdsystemunitdir=/lib/systemd/system ...
...
meson.build:222:37: ERROR: Unknown variable "systemd_dep".https://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/28Bind use of cookies to specific PolkitUnixSessions2024-01-19T12:32:49ZAndrea AzzaroneBind use of cookies to specific PolkitUnixSessionsSince 493aa5dc1d278ab9097110c1262f5229bbaf1766 we are binding cookies to
specific UIDs as a form of hardening. Uid binding is too strong and causes
troubles with pkexec:
- pkexec is started, with ruid=$non-zero euid=0
- pkexec registers ...Since 493aa5dc1d278ab9097110c1262f5229bbaf1766 we are binding cookies to
specific UIDs as a form of hardening. Uid binding is too strong and causes
troubles with pkexec:
- pkexec is started, with ruid=$non-zero euid=0
- pkexec registers a local authentication agent.
- polkitd looks up the agent's uid through polkit_system_bus_name_new
(g_dbus_method_invocation_get_sender (invocation)) etc., ultimately calling
DBus' GetConnectionUnixUser. This value is the EUID (0), necessarily, because
AF_UNIX sockets only provide the EUID.
- pkexec calls CheckAuthorization, which results in a callback to its agent.
- The agent runs polkit-agent-helper-1, getting euid=0 and inheriting
ruid=$non-zero
- The agent calls AuthenticationAgentResponse2 with uid=$ruid=$non-zero
- polkitd finds the cookie, but the response's uid=$non-zero doesn't match the
agent's recorded uid=0.
This commit replaces UID binding with PolkitUnixSessions binding: the
PolkitUnixSession of the agent helper should match the PolkitUnixSessions of the
subject being authorized. Skip the check if the subject being authorized does
not have a PolkitUnixSessions.
Closes: https://gitlab.freedesktop.org/polkit/polkit/issues/17https://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/204test/mocklibc: fix build against2024-01-19T12:32:48ZSergei Trofimovichtest/mocklibc: fix build against polkit> ../subprojects/mocklibc-1.0/src/netgroup-debug.c: In function 'netgroup_debug_print_entry':
polkit> ../subprojects/mocklibc-1.0/src/netgroup-debug.c:25:3: error: implicit declaration of function 'print_indent' [-Wimplicit... polkit> ../subprojects/mocklibc-1.0/src/netgroup-debug.c: In function 'netgroup_debug_print_entry':
polkit> ../subprojects/mocklibc-1.0/src/netgroup-debug.c:25:3: error: implicit declaration of function 'print_indent' [-Wimplicit-function-declaration]
polkit> 25 | print_indent(stream, indent);
polkit> | ^~~~~~~~~~~~https://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/59fix: pkexec fails with "GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: ...2024-01-19T12:32:47Zhuxiaodongfix: pkexec fails with "GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: No session for cookie"bug:https://gitlab.freedesktop.org/polkit/polkit/-/issues/17bug:https://gitlab.freedesktop.org/polkit/polkit/-/issues/17https://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/209meson_post_install.py: Avoid failure with -Dlibs-only=true2024-01-17T19:56:24ZJan Alexander Steffensmeson_post_install.py: Avoid failure with -Dlibs-only=trueWhen we are building only libs these do not get installed.When we are building only libs these do not get installed.https://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/164Draft: packit: enable Packit's Testing Farm2024-01-17T12:35:13ZVincent MihalkovicDraft: packit: enable Packit's Testing Farmdocs: https://packit.dev/docs/testing-farm/, https://tmt.readthedocs.io/en/latest/guide.htmldocs: https://packit.dev/docs/testing-farm/, https://tmt.readthedocs.io/en/latest/guide.htmlhttps://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/194data: Fix policydir variable2023-09-30T03:36:31ZRay Strodedata: Fix policydir variableThe polkit-gobject-1.pc file has apparently had a wrong policydir
definition since it was first added.
It erroneously reused the actiondir as the policydir.
This commit fixes that.The polkit-gobject-1.pc file has apparently had a wrong policydir
definition since it was first added.
It erroneously reused the actiondir as the policydir.
This commit fixes that.https://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/71Added the ability to add user_of_subject to user_identities list2023-09-19T09:11:40ZIvan SavinAdded the ability to add user_of_subject to user_identities listAdded the ability to add user_of_subject to user_identities list
if user_of_subject is a member of the group with administrator
rights but it is not in /etc/groups.
(If a privileged group is assigned through the NSS.)
This need arises ...Added the ability to add user_of_subject to user_identities list
if user_of_subject is a member of the group with administrator
rights but it is not in /etc/groups.
(If a privileged group is assigned through the NSS.)
This need arises in the next project:
https://github.com/altlinux/libnss-rolehttps://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/30Harden systemd service2023-08-31T10:43:36ZTopi MiettinenHarden systemd serviceSigned-off-by: Topi Miettinen <toiwoton@gmail.com>Signed-off-by: Topi Miettinen <toiwoton@gmail.com>https://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/179Enhance polkit hardening options - Krish2023-08-15T15:02:41ZKrish Jainkjain7@u.rochester.eduEnhance polkit hardening options - Krish## Summary
I was hoping to propose some additional hardening options and have them upstreamed to polkit. This would help reduce exposure, as indicated by the security analysis performed by systemd-analyze. I would greatly appreciate any...## Summary
I was hoping to propose some additional hardening options and have them upstreamed to polkit. This would help reduce exposure, as indicated by the security analysis performed by systemd-analyze. I would greatly appreciate any feedback on the following options and the possibility of getting them incorporated into the upstream repository. Thank you!https://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/178Proposal for Further Hardening Polkit's Systemd Service2023-07-18T14:34:13ZJan RybarProposal for Further Hardening Polkit's Systemd Service## Summary
[short description of the problem and the change]: #
(jrybar) On behalf of Krish Jain:
"This would help reduce exposure, as indicated by the security analysis performed by s ystemd-analyze. I have reorganized the options...## Summary
[short description of the problem and the change]: #
(jrybar) On behalf of Krish Jain:
"This would help reduce exposure, as indicated by the security analysis performed by s ystemd-analyze. I have reorganized the options while ensuring that every option from the original list is still included. My intention was to improve the structure of the options and enhance readability by adding comments."https://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/45polkitbackend: Re-instate the local authority2023-05-15T20:01:35ZRobert Ancellpolkitbackend: Re-instate the local authorityThe local authority was removed in 0f830c76 (May 2012) as it was deemed
unnecessary as the jsbackend could perform any functionality that was
previously done using the localbackend.
However, for security reasons Debian and Ubuntu did no...The local authority was removed in 0f830c76 (May 2012) as it was deemed
unnecessary as the jsbackend could perform any functionality that was
previously done using the localbackend.
However, for security reasons Debian and Ubuntu did not determine the JS
backend safe enough to ship by default, and thus have remained on polkit
version 105 ever since (though collecting cherry-picked patches from the
following releases).
By re-instating the local authority both Debian and Ubuntu are able to
update to track the latest version of polkit. The JS backend remains by
default and the local backend is only compiled and used if configured
with --disable-javascript.
While supporting two backends does come at an increased cost in this
case it seems reasonable low as the code in this change required almost
no modification to re-introduce.https://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/66Add script to convert pkla files to JS-based rules config2023-05-15T12:53:20ZJan Luca NaumannAdd script to convert pkla files to JS-based rules configAt the moment at least Debian sticks to polkit version 0.105 since
they have concerns about the JS-based rules config and the migration
of old pkla configurations, compare [1].
To dispel the converns about automatic migration I develope...At the moment at least Debian sticks to polkit version 0.105 since
they have concerns about the JS-based rules config and the migration
of old pkla configurations, compare [1].
To dispel the converns about automatic migration I developed a little
helper to convert most kinds of pkla config files to JS. I know this
is mainly a Debian-specific problem but maybe upstream is interested
to provide the helper as well.
[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946231
Signed-off-by: Jan Luca Naumann <j.naumann@fu-berlin.de>Jan RybarJan Rybarhttps://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/60Move polkitd and polkit-agent-helper-1 to $(libexecdir)/polkit-12023-04-25T08:10:46ZLaurent BigonvilleMove polkitd and polkit-agent-helper-1 to $(libexecdir)/polkit-1Fixes: #125Fixes: #125