GitLab

The local authority was removed in 0f830c76 (May 2012) as it was deemed
unnecessary as the jsbackend could perform any functionality that was
previously done using the localbackend.

However, for security reasons Debian and Ubuntu did not determine the JS
backend safe enough to ship by default, and thus have remained on polkit
version 105 ever since (though collecting cherry-picked patches from the
following releases).

By re-instating the local authority both Debian and Ubuntu are able to
update to track the latest version of polkit. The JS backend remains by
default and the local backend is only compiled and used if configured
with --disable-javascript.

While supporting two backends does come at an increased cost in this
case it seems reasonable low as the code in this change required almost
no modification to re-introduce.

ci: Add a CI and run tests

See merge request !46

Just compiles and installs polkit

Restoring terminal setting erases unread input

See merge request !40

Freeing uninitialized memory

See merge request !44

jsauthority: Fix two minor memory leaks

See merge request !42

Merge branch 'libreajans/polkit-patch-1'

See merge request !41

Update Swedish translation

See merge request !39

pkttyagent: process stopped by SIGTTOU if run in background job

See merge request polkit/polkit!34

Update Danish translation (da.po)

See merge request polkit/polkit!23

Release 0.116 release notes

See merge request polkit/polkit!32

README update reflecting transition to Gitlab

See merge request !31

Js encode string to utf8

See merge request polkit/polkit!29

When strings handled by the jsbackendauthority contain non-ASCII, the
code will fail.  For example, on a system having a user with a
non-ASCII name, the following message will appear when a USB stick is
plugged in.

mar 04 21:47:31 mimmi polkitd[17163]: Error evaluating authorization rules

The user will not be allowed to do the mount.

The problem is that strings were variously encoded back to C strings
with JS_EncodeString and JS_EncodeStringToUTF8.  According to the
documentation
(https://developer.mozilla.org/en-US/docs/Mozilla/Projects/SpiderMonkey/JSAPI_reference/JS_EncodeString#Description)
the former will simply drop the high byte from each character.  If
that happens to a username, it will no longer be found as a valid user
name on the system.  Explicitly encoding to UTF-8 will at least work
in UTF-8 locales, which is the increasingly dominant encoding.

Code polish and removal of unused var reported by lint

See merge request polkit/polkit!27

pkttyagent: PolkitAgentTextListener leaves echo tty disabled if SIGINT/SIGTERM

See merge request !24

If no password is typed into terminal during authentication raised by PolkitAgentTextListener, pkttyagent sends kill (it receives from systemctl/hostnamectl e.g.) without chance to restore echoing back on. This cannot be done in on_request() since it's run in a thread without guarantee the signal is distributed there.

Port JavaScript authority to mozjs-60

See merge request !4

API changes in mozjs that need to be reflected in the JS authority:

 - the JS::CompileOptions constructor and the JS::CompartmentOptions
   do not allow setting a JS version any more

 - do not use NULL comparisons for C++ objects

 - the resize() method for a vector has a return value that needs
   to be handled

 - JSClassOps has different fields

This is the new ESR version of the Mozilla JS engine, superceding
mozjs-52.

Allow uid of -1 for a PolkitUnixProcess

See merge request polkit/polkit!17

Commit 2cb40c4d changed PolkitUnixUser, PolkitUnixGroup, and
PolkitUnixProcess to allow negative values for their uid/gid properties,
since these are values above INT_MAX which wrap around but are still
valid, with the exception of -1 which is not valid. However,
PolkitUnixProcess allows a uid of -1 to be passed to
polkit_unix_process_new_for_owner() which means polkit is expected to
figure out the uid on its own (this happens in the _constructed
function). So this commit removes the check in
polkit_unix_process_set_property() so that new_for_owner() can be used
as documented without producing a critical error message.

This does not affect the protection against CVE-2018-19788 which is
based on creating a user with a UID up to but not including 4294967295
(-1).

backend: Compare PolkitUnixProcess uids for temporary authorizations

Closes #75

See merge request !19

It turns out that the combination of `(pid, start time)` is not
enough to be unique.  For temporary authorizations, we can avoid
separate users racing on pid reuse by simply comparing the uid.

https://bugs.chromium.org/p/project-zero/issues/detail?id=1692

And the above original email report is included in full in a new comment.
Reported-by: Jann Horn <jannh@google.com>

Closes: polkit/polkit#75

High uid fixup
CVE-2018-19788

Closes #74

See merge request polkit/polkit!14

(uid_t) -1 is still used as placeholder to mean "unset". This is OK, since
there should be no users with such number, see
https://systemd.io/UIDS-GIDS#special-linux-uids.

(uid_t) -1 is used as the default value in class initialization.

When a user or group above INT32_MAX is created, the numeric uid or
gid wraps around to negative when the value is assigned to gint, and
polkit gets confused. Let's accept such gids, except for -1.

A nicer fix would be to change the underlying type to e.g. uint32 to
not have negative values. But this cannot be done without breaking the
API, so likely new functions will have to be added (a
polkit_unix_user_new variant that takes a unsigned, and the same for
_group_new, _set_uid, _get_uid, _set_gid, _get_gid, etc.). This will
require a bigger patch.

Fixes polkit/polkit#74.

configure.ac: fix detection of systemd with cgroups v2

See merge request polkit/polkit!13

sys/fs/cgroup/systemd/ does not exist on modern systems.

polkitbackend: Fix some minor typos in an internal comment

See merge request polkit/polkit!12