1. 11 Jun, 2021 1 commit
    • build: Make the directory for helper executables consistent with Autotools · 599ed069
      Simon McVittie authored and Simon McVittie committed
      
      The Autotools build system has been using /usr/lib/polkit-1 for several
      releases, even on distributions where the library directory is /usr/lib64
      or /usr/lib/x86_64-linux-gnu, so it makes sense for Meson to do the same.
      This lets 32- and 64-bit polkit agents share a single helper executable.
      
      This might be superseded by polkit!63, which requests going back to using
      the libexecdir for these (like polkit 0.105 did), which would also make
      sense; but until that's decided, let's at least be consistent between
      our two build systems.
      
      Every time we change this, all programs that have already loaded
      libpolkit-agent into their address space need to be restarted, unless
      distributions provide compatibility symlinks.
      Signed-off-by: Simon McVittie <smcv@debian.org>
      599ed069
  2. 02 Jun, 2021 1 commit
  3. 13 Apr, 2021 1 commit
  4. 25 Feb, 2021 1 commit
  5. 03 Nov, 2020 1 commit
    • text listener: Add properties · bef8d737
      Matthias Clasen authored and Jan Rybar committed
      Add properties to turn off the use of color, to enable
      the use of the alternate screen buffer, and to add a delay
      before switching back from the alternate screen buffer.
      
      This makes the text listener usable in situations where
      just printing the text would disturb formatting on the
      screen.
      bef8d737
  6. 26 Oct, 2020 1 commit
    • build: Port to meson build system · 957a0151
      Jan Rybar authored
      meson is a build system focused on speed and ease of use, which
      helps speed up software development. This patch adds meson
      support along autotools.
      957a0151
  7. 25 Aug, 2020 1 commit
  8. 16 Jun, 2020 1 commit
  9. 21 Feb, 2020 1 commit
  10. 27 Jan, 2020 2 commits
  11. 08 Oct, 2019 1 commit
  12. 01 Aug, 2019 1 commit
  13. 02 Apr, 2019 1 commit
    • Use JS_EncodeStringToUTF8 consistently with JavaScript · 2bc4e656
      Jan Rybar authored
      When strings handled by the jsbackendauthority contain non-ASCII, the
      code will fail.  For example, on a system having a user with a
      non-ASCII name, the following message will appear when a USB stick is
      plugged in.
      
      mar 04 21:47:31 mimmi polkitd[17163]: Error evaluating authorization rules
      
      The user will not be allowed to do the mount.
      
      The problem is that strings were variously encoded back to C strings
      with JS_EncodeString and JS_EncodeStringToUTF8.  According to the
      documentation
      (https://developer.mozilla.org/en-US/docs/Mozilla/Projects/SpiderMonkey/JSAPI_reference/JS_EncodeString#Description)
      the former will simply drop the high byte from each character.  If
      that happens to a username, it will no longer be found as a valid user
      name on the system.  Explicitly encoding to UTF-8 will at least work
      in UTF-8 locales, which is the increasingly dominant encoding.
      2bc4e656
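
The mismatch described in commit 2bc4e656, as an added example that is not polkit or SpiderMonkey code: it simulates "drop the high byte" against UTF-8 encoding for one user name. The name, the buffers and all function names are constructed for illustration, and only BMP code units are handled.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: the name "zoë" as UTF-16 code units (the JS side)
 * and as the UTF-8 bytes an account database would hold in a UTF-8 locale. */
static const uint16_t JS_NAME[] = { 'z', 'o', 0x00EB };
static const char SYSTEM_NAME[] = "zo\xC3\xAB";

/* Lossy conversion: keep only the low byte of each UTF-16 code unit. */
static void encode_drop_high_byte(const uint16_t *s, size_t n, char *out) {
    for (size_t i = 0; i < n; i++)
        out[i] = (char)(s[i] & 0xFF);
    out[n] = '\0';
}

/* UTF-8 encoding of BMP code units (surrogate pairs are out of scope here). */
static void encode_utf8(const uint16_t *s, size_t n, char *out) {
    size_t o = 0;
    for (size_t i = 0; i < n; i++) {
        uint16_t c = s[i];
        if (c < 0x80) {
            out[o++] = (char)c;
        } else if (c < 0x800) {
            out[o++] = (char)(0xC0 | (c >> 6));
            out[o++] = (char)(0x80 | (c & 0x3F));
        } else {
            out[o++] = (char)(0xE0 | (c >> 12));
            out[o++] = (char)(0x80 | ((c >> 6) & 0x3F));
            out[o++] = (char)(0x80 | (c & 0x3F));
        }
    }
    out[o] = '\0';
}

/* Returns 1 if the encoded name still matches the system account name. */
static int user_found(int use_utf8) {
    char buf[16];
    if (use_utf8) encode_utf8(JS_NAME, 3, buf);
    else          encode_drop_high_byte(JS_NAME, 3, buf);
    return strcmp(buf, SYSTEM_NAME) == 0;
}

int main(void) {
    printf("low-byte encoding finds user: %d\n", user_found(0));
    printf("UTF-8 encoding finds user:    %d\n", user_found(1));
    return 0;
}
```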
  14. 26 Mar, 2019 1 commit
  15. 15 Mar, 2019 1 commit
    • pkttyagent: PolkitAgentTextListener leaves echo tty disabled if SIGINT/SIGTERM · bfb722bb
      Jan Rybar authored
      If no password is typed into terminal during authentication raised by PolkitAgentTextListener, pkttyagent sends kill (it receives from systemctl/hostnamectl e.g.) without chance to restore echoing back on. This cannot be done in on_request() since it's run in a thread without guarantee the signal is distributed there.
      bfb722bb
  16. 12 Mar, 2019 1 commit
    • Port the JS authority to mozjs-60 · dd00683e
      Emmanuele Bassi authored and Ray Strode committed
      API changes in mozjs that need to be reflected in the JS authority:
      
       - the JS::CompileOptions constructor and the JS::CompartmentOptions
         do not allow setting a JS version any more
      
       - do not use NULL comparisons for C++ objects
      
       - the resize() method for a vector has a return value that needs
         to be handled
      
       - JSClassOps has different fields
      dd00683e
  17. 05 Feb, 2019 1 commit
    • Allow uid of -1 for a PolkitUnixProcess · c05472b8
      Matthew Leeds authored and Jan Rybar committed
      Commit 2cb40c4d changed PolkitUnixUser, PolkitUnixGroup, and
      PolkitUnixProcess to allow negative values for their uid/gid properties,
      since these are values above INT_MAX which wrap around but are still
      valid, with the exception of -1 which is not valid. However,
      PolkitUnixProcess allows a uid of -1 to be passed to
      polkit_unix_process_new_for_owner() which means polkit is expected to
      figure out the uid on its own (this happens in the _constructed
      function). So this commit removes the check in
      polkit_unix_process_set_property() so that new_for_owner() can be used
      as documented without producing a critical error message.
      
      This does not affect the protection against CVE-2018-19788 which is
      based on creating a user with a UID up to but not including 4294967295
      (-1).
      c05472b8
  18. 08 Jan, 2019 1 commit
  19. 04 Dec, 2018 1 commit
    • Allow negative uids/gids in PolkitUnixUser and Group objects · 2cb40c4d
      Zbigniew Jędrzejewski-Szmek authored
      (uid_t) -1 is still used as placeholder to mean "unset". This is OK, since
      there should be no users with such number, see
      https://systemd.io/UIDS-GIDS#special-linux-uids.
      
      (uid_t) -1 is used as the default value in class initialization.
      
      When a user or group above INT32_MAX is created, the numeric uid or
      gid wraps around to negative when the value is assigned to gint, and
      polkit gets confused. Let's accept such gids, except for -1.
      
      A nicer fix would be to change the underlying type to e.g. uint32 to
      not have negative values. But this cannot be done without breaking the
      API, so likely new functions will have to be added (a
      polkit_unix_user_new variant that takes an unsigned, and the same for
      _group_new, _set_uid, _get_uid, _set_gid, _get_gid, etc.). This will
      require a bigger patch.
      
      Fixes #74.
      2cb40c4d
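
The signed-storage wrap-around behind commits 2cb40c4d and c05472b8, as an added example that is not polkit's own code: it stores 32-bit uids in a signed 32-bit property and compares a check that rejects every negative value with one that rejects only -1. The type `prop_t`, the function names and the sample uids are constructed for illustration, and the "before" check is an assumption about the earlier behaviour.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for a gint-typed uid property: gint is a C int. */
typedef int32_t prop_t;
#define UID_UNSET ((prop_t)-1) /* (uid_t) -1, the "unset" placeholder */

/* A 32-bit uid stored in a signed property: values above INT32_MAX become
 * negative (implementation-defined in C; GCC and Clang wrap modulo 2^32). */
static prop_t uid_to_prop(uint32_t uid) { return (prop_t)uid; }

/* Reading the property back as unsigned recovers the original uid. */
static uint32_t prop_to_uid(prop_t v) { return (uint32_t)v; }

/* Assumed "before" check: every negative value is treated as invalid. */
static int valid_nonnegative_only(prop_t v) { return v >= 0; }

/* Check described in 2cb40c4d: accept wrapped values, reject only -1. */
static int valid_except_unset(prop_t v) { return v != UID_UNSET; }

/* Process-owner case from c05472b8: -1 means "determine the uid yourself",
 * so it is resolved by a lookup instead of being rejected.
 * looked_up_uid is a constructed stand-in for that lookup's result. */
static uint32_t resolve_owner_uid(prop_t requested, uint32_t looked_up_uid) {
    return requested == UID_UNSET ? looked_up_uid : prop_to_uid(requested);
}

int main(void) {
    /* Constructed sample uids: ordinary, just above INT32_MAX, large, unset. */
    const uint32_t samples[] = { 1000u, 2147483648u, 4000000000u, 4294967295u };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        prop_t p = uid_to_prop(samples[i]);
        printf("uid=%u stored=%d nonneg_only=%d except_unset=%d\n",
               (unsigned)samples[i], (int)p,
               valid_nonnegative_only(p), valid_except_unset(p));
    }
    printf("owner(-1) resolves to %u\n",
           (unsigned)resolve_owner_uid(UID_UNSET, 1000u));
    return 0;
}
```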
  20. 29 Nov, 2018 1 commit
  21. 06 Nov, 2018 1 commit
  22. 23 Aug, 2018 2 commits
  23. 15 Aug, 2018 1 commit
    • Leaking zombie child processes · 8638ec5c
      Jan Rybar authored
      Resolves: bz#106021
      
      Subject: [PATCH] polkitd: fix zombie not reaped when js spawned process timed
       out
      
      The child watch source attached to thread context didn't work due
      to the release of its main loop and context outside. So we attach
      the source to the global default main context to make it work and
      avoid zombies.
      8638ec5c
  24. 09 Aug, 2018 1 commit
  25. 03 Jul, 2018 1 commit
    • Fix CVE-2018-1116: Trusting client-supplied UID · bc7ffad5
      Miloslav Trmač authored
      As part of CVE-2013-4288, the D-Bus clients were allowed (and
      encouraged) to submit the UID of the subject of authorization checks
      to avoid races against UID changes (notably using executables
      set-UID to root).
      
      However, that also allowed any client to submit an arbitrary UID, and
      that could be used to bypass "can only ask about / affect the same UID"
      checks in CheckAuthorization / RegisterAuthenticationAgent /
      UnregisterAuthenticationAgent.  This allowed an attacker:
      
      - With CheckAuthorization, to cause the registered authentication
        agent in victim's session to pop up a dialog, or to determine whether
        the victim currently has a temporary authorization to perform an
        operation.
      
        (In principle, the attacker can also determine whether JavaScript
        rules allow the victim process to perform an operation; however,
        usually rules base their decisions on information determined from
        the supplied UID, so the attacker usually won't learn anything new.)
      
      - Wi...
      bc7ffad5
  26. 03 Apr, 2018 13 commits