Commit 2a356677 authored by David Zeuthen's avatar David Zeuthen

bump to version 0.90 and ensure we're parallel installable with 0.9

This is the first move towards 1.0; also

 - kill the config file
 - merge libpolkit and libpolkit-dbus

Now to write a system daemon that libpolkit will use for the
backend. Expect HEAD to be broken for a few weeks at least.

Also see http://ometer.com/parallel.html for what "parallel
installable" means. As a result, all the binaries, man pages, .policy
file dir and so forth have been renamed too. I expect the API to
change a bit. So some (not much though) porting to PolicyKit 1.0 will
be required by current users.
parent 2aa16b5e
## Process this file with automake to produce Makefile.in ## Process this file with automake to produce Makefile.in
SUBDIRS = data src polkitd doc tools policy po test SUBDIRS = data src doc tools policy po test
# Creating ChangeLog from git log (taken from cairo/Makefile.am): # Creating ChangeLog from git log (taken from cairo/Makefile.am):
ChangeLog: $(srcdir)/ChangeLog ChangeLog: $(srcdir)/ChangeLog
......
...@@ -12,15 +12,15 @@ documentation, mailing lists, etc. ...@@ -12,15 +12,15 @@ documentation, mailing lists, etc.
Rationale for permissions/modes for the default backend Rationale for permissions/modes for the default backend
------------------------------------------------------- -------------------------------------------------------
0770 root:polkituser /var/run/PolicyKit 0770 root:polkituser /var/run/polkit-1
0770 root:polkituser /var/lib/PolicyKit 0770 root:polkituser /var/lib/polkit-1
We store authorizations for each user here. Since we don't want users We store authorizations for each user here. Since we don't want users
to know what authorizations other users has, no one can read these to know what authorizations other users has, no one can read these
files. However, when checking authorizations we need to be able to files. However, when checking authorizations we need to be able to
read from here; we use this helper read from here; we use this helper
2755 root:polkituser /usr/libexec/polkit-read-auth-helper 2755 root:polkituser /usr/libexec/polkit-read-auth-helper-1
which can read from here since it's setgid 'polkituser'. This helper which can read from here since it's setgid 'polkituser'. This helper
will refuse to return authorizations for other users than the calling will refuse to return authorizations for other users than the calling
...@@ -29,16 +29,16 @@ user except if the calling user is authorized for org.fd.pk.read. ...@@ -29,16 +29,16 @@ user except if the calling user is authorized for org.fd.pk.read.
We also want to be able to grant authorizations through authentication. We also want to be able to grant authorizations through authentication.
That happens with this helper That happens with this helper
2755 root:polkituser /usr/libexec/polkit-grant-helper 2755 root:polkituser /usr/libexec/polkit-grant-helper-1
This program is setgid 'polkituser' so it can write files in This program is setgid 'polkituser' so it can write files in
/var/{run,lib}/PolicyKit. Note that these files are created with mode /var/{run,lib}/polkit-1. Note that these files are created with mode
464. 464.
To do the actual authentication check when granting authorizations To do the actual authentication check when granting authorizations
through authentication, polkit-grant-helper uses another helper through authentication, polkit-grant-helper-1 uses another helper
4754 root:polkituser /usr/libexec/polkit-grant-helper-pam 4754 root:polkituser /usr/libexec/polkit-grant-helper-pam-1
This one is setuid root because checking authentications might need This one is setuid root because checking authentications might need
require that (you may be checking the root password). The reason require that (you may be checking the root password). The reason
...@@ -48,33 +48,33 @@ can do this. Which polkit-grant-helper is. ...@@ -48,33 +48,33 @@ can do this. Which polkit-grant-helper is.
On to On to
2755 root:polkituser /libexec/polkit-revoke-helper 2755 root:polkituser /libexec/polkit-revoke-helper-1
This one is used to revoke authorizations. It will only allow uid 0 and This one is used to revoke authorizations. It will only allow uid 0 and
users with the org.fd.pk.revoke authorization to do so. It needs to be users with the org.fd.pk.revoke authorization to do so. It needs to be
setgid polkituser to be able to modify authorization files setgid polkituser to be able to modify authorization files
in /var/{run,lib}/PolicyKit. in /var/{run,lib}/polkit-1.
2755 root:polkituser /usr/libexec/polkit-explicit-grant-helper 2755 root:polkituser /usr/libexec/polkit-explicit-grant-helper-1
Same story as for polkit-revoke-helper only this grants authorizations. Same story as for polkit-revoke-helper only this grants authorizations.
Only allowed for uid 0 and users with the org.fd.pk.grant authorization. Only allowed for uid 0 and users with the org.fd.pk.grant authorization.
On to On to
0755 polkituser:root /var/lib/PolicyKit-public 0755 polkituser:root /var/lib/polkit-public-1
This is where we store modifications to the defaults. Anyone should be This is where we store modifications to the defaults. Anyone should be
able to read these files. They are created with mode 644. These files able to read these files. They are created with mode 644. These files
are written / modified by this helper are written / modified by this helper
4755 polkituser:root /usr/libexec/polkit-set-default-helper 4755 polkituser:root /usr/libexec/polkit-set-default-helper-1
which is setuid polkituser to be able to write/modify files. which is setuid polkituser to be able to write/modify files.
On to On to
4755 root:root /usr/libexec/polkit-resolve-exe-helper 4755 root:root /usr/libexec/polkit-resolve-exe-helper-1
This is used to find the executable name for a process. On Linux this is This is used to find the executable name for a process. On Linux this is
the /proc/<pid>/exe symlink and you can only do this for processes you the /proc/<pid>/exe symlink and you can only do this for processes you
...@@ -83,7 +83,7 @@ you but only if you have the org.fd.pk.read authorization. This is ...@@ -83,7 +83,7 @@ you but only if you have the org.fd.pk.read authorization. This is
important to let e.g. user 'haldaemon' check authorizations for a user important to let e.g. user 'haldaemon' check authorizations for a user
requesting service. requesting service.
0664 polkituser:polkituser /var/lib/misc/PolicyKit.reload 0664 polkituser:polkituser /var/lib/misc/polkit-1.reload
This file is used by libpolkit to detect when something has changed This file is used by libpolkit to detect when something has changed
(authorizations granted/revoked, defaults changed etc.). It is (authorizations granted/revoked, defaults changed etc.). It is
......
dnl Process this file with autoconf to produce a configure script. dnl Process this file with autoconf to produce a configure script.
AC_PREREQ(2.59c) AC_PREREQ(2.59c)
AC_INIT(PolicyKit, 0.9, http://lists.freedesktop.org/mailman/listinfo/polkit-devel) AC_INIT(PolicyKit, 0.90, http://lists.freedesktop.org/mailman/listinfo/polkit-devel)
AM_INIT_AUTOMAKE(PolicyKit, 0.9) AM_INIT_AUTOMAKE(PolicyKit, 0.90)
AM_CONFIG_HEADER(config.h) AM_CONFIG_HEADER(config.h)
AM_MAINTAINER_MODE AM_MAINTAINER_MODE
...@@ -10,7 +10,7 @@ AM_MAINTAINER_MODE ...@@ -10,7 +10,7 @@ AM_MAINTAINER_MODE
# #
# See http://sources.redhat.com/autobook/autobook/autobook_91.html#SEC91 for details # See http://sources.redhat.com/autobook/autobook/autobook_91.html#SEC91 for details
# #
LT_CURRENT=2 LT_CURRENT=1
LT_REVISION=0 LT_REVISION=0
LT_AGE=0 LT_AGE=0
AC_SUBST(LT_CURRENT) AC_SUBST(LT_CURRENT)
...@@ -560,16 +560,13 @@ AC_DEFINE_UNQUOTED([GETTEXT_PACKAGE],["$GETTEXT_PACKAGE"],[gettext domain]) ...@@ -560,16 +560,13 @@ AC_DEFINE_UNQUOTED([GETTEXT_PACKAGE],["$GETTEXT_PACKAGE"],[gettext domain])
AC_OUTPUT([ AC_OUTPUT([
Makefile Makefile
data/Makefile data/Makefile
data/polkit data/polkit-grant-1
data/polkit.pc data/polkit-1.pc
data/polkit-dbus.pc data/polkit-grant-1.pc
data/polkit-grant.pc
src/Makefile src/Makefile
src/kit/Makefile src/kit/Makefile
src/polkit/Makefile src/polkit/Makefile
src/polkit-dbus/Makefile
src/polkit-grant/Makefile src/polkit-grant/Makefile
polkitd/Makefile
tools/Makefile tools/Makefile
doc/Makefile doc/Makefile
doc/version.xml doc/version.xml
...@@ -641,36 +638,36 @@ if test "${POLKIT_AUTHDB}" = default ; then ...@@ -641,36 +638,36 @@ if test "${POLKIT_AUTHDB}" = default ; then
echo "NOTE: Remember to create user ${POLKIT_USER} and group ${POLKIT_GROUP}" echo "NOTE: Remember to create user ${POLKIT_USER} and group ${POLKIT_GROUP}"
echo " before 'make install'" echo " before 'make install'"
echo echo
echo "NOTE: The directories ${localstatedir}/run/PolicyKit and ${localstatedir}/lib/PolicyKit will be" echo "NOTE: The directories ${localstatedir}/run/polkit-1 and ${localstatedir}/lib/polkit-1 will be"
echo " owned by group ${POLKIT_GROUP} and will be mode 770." echo " owned by group ${POLKIT_GROUP} and will be mode 770."
echo echo
echo "NOTE: The directory ${localstatedir}/lib/PolicyKit-public will be" echo "NOTE: The directory ${localstatedir}/lib/polkit-public-1 will be"
echo " owned by user ${POLKIT_USER} and will be mode 755." echo " owned by user ${POLKIT_USER} and will be mode 755."
echo echo
echo "NOTE: The file ${localstatedir}/lib/misc/PolicyKit.reload will be" echo "NOTE: The file ${localstatedir}/lib/misc/polkit-1.reload will be"
echo " owned by user ${POLKIT_USER} and group ${POLKIT_GROUP} and will be mode 664." echo " owned by user ${POLKIT_USER} and group ${POLKIT_GROUP} and will be mode 664."
echo echo
echo "NOTE: ${libexecdir}/polkit-set-default-helper will be owned by" echo "NOTE: ${libexecdir}/polkit-set-default-helper-1 will be owned by"
echo " user ${POLKIT_USER} and installed with mode 4755 (setuid binary)." echo " user ${POLKIT_USER} and installed with mode 4755 (setuid binary)."
echo echo
echo "NOTE: ${libexecdir}/polkit-read-auth-helper will be owned by" echo "NOTE: ${libexecdir}/polkit-read-auth-helper-1 will be owned by"
echo " group ${POLKIT_GROUP} and installed with mode 2755 (setgid binary)." echo " group ${POLKIT_GROUP} and installed with mode 2755 (setgid binary)."
echo echo
echo "NOTE: ${libexecdir}/polkit-revoke-helper will be owned by" echo "NOTE: ${libexecdir}/polkit-revoke-helper-1 will be owned by"
echo " group '${POLKIT_GROUP} and installed with mode 2755 (setgid binary)." echo " group '${POLKIT_GROUP} and installed with mode 2755 (setgid binary)."
echo echo
echo "NOTE: ${libexecdir}/polkit-grant-helper will be owned by" echo "NOTE: ${libexecdir}/polkit-grant-helper-1 will be owned by"
echo " group ${POLKIT_GROUP} and installed with mode 2755 (setgid binary)." echo " group ${POLKIT_GROUP} and installed with mode 2755 (setgid binary)."
echo echo
echo "NOTE: ${libexecdir}/polkit-explicit-grant-helper will be owned by" echo "NOTE: ${libexecdir}/polkit-explicit-grant-helper-1 will be owned by"
echo " group ${POLKIT_GROUP} and installed with mode 2755 (setgid binary)." echo " group ${POLKIT_GROUP} and installed with mode 2755 (setgid binary)."
echo echo
echo "NOTE: ${libexecdir}/polkit-grant-helper-pam will be owned by group" echo "NOTE: ${libexecdir}/polkit-grant-helper-pam-1 will be owned by group"
echo " ${POLKIT_GROUP} and installed with mode 4754 (setuid root binary)." echo " ${POLKIT_GROUP} and installed with mode 4754 (setuid root binary)."
fi fi
echo echo
echo "NOTE: ${libexecdir}/polkit-resolve-exe-helper will be installed with" echo "NOTE: ${libexecdir}/polkit-resolve-exe-helper-1 will be installed with"
echo " mode 4755 (setuid root binary)." echo " mode 4755 (setuid root binary)."
echo echo
echo "NOTE: For packaging, remember to retain the modes and ownership." echo "NOTE: For packaging, remember to retain the modes and ownership."
......
...@@ -4,33 +4,18 @@ ...@@ -4,33 +4,18 @@
# #
if POLKIT_AUTHFW_PAM if POLKIT_AUTHFW_PAM
pamdir = $(sysconfdir)/pam.d pamdir = $(sysconfdir)/pam.d
pam_DATA = polkit pam_DATA = polkit-grant-1
endif endif
pkgconfigdir = $(libdir)/pkgconfig pkgconfigdir = $(libdir)/pkgconfig
pkgconfig_DATA = polkit.pc polkit-dbus.pc polkit-grant.pc pkgconfig_DATA = polkit-1.pc polkit-grant-1.pc
confdir = $(sysconfdir)/PolicyKit
conf_DATA = PolicyKit.conf
dtddir = $(datadir)/PolicyKit
dtd_DATA = config.dtd
dbusifdir = $(datadir)/dbus-1/interfaces dbusifdir = $(datadir)/dbus-1/interfaces
dbusif_DATA = org.freedesktop.PolicyKit.AuthenticationAgent.xml dbusif_DATA = org.freedesktop.PolicyKit.AuthenticationAgent1.xml
DISTCLEANFILES = polkit.pc polkit-dbus.pc polkit-grant.pc PolicyKit.conf DISTCLEANFILES = polkit-1.pc polkit-grant-1.pc
EXTRA_DIST = polkit.in polkit.pc.in polkit-dbus.pc.in polkit-grant.pc.in PolicyKit.conf.in config.dtd org.freedesktop.PolicyKit.AuthenticationAgent.xml EXTRA_DIST = polkit-grant-1.in polkit-1.pc.in polkit-grant-1.pc.in org.freedesktop.PolicyKit.AuthenticationAgent1.xml
clean-local : clean-local :
rm -f *~ rm -f *~
PolicyKit.conf: PolicyKit.conf.in Makefile
$(edit) $< >$@
edit = sed \
-e 's|@docdir[@]|$(docdir)|g' \
-e 's|@sbindir[@]|$(sbindir)|g' \
-e 's|@sysconfdir[@]|$(sysconfdir)|g' \
-e 's|@datadir[@]|$(datadir)|g'
<?xml version="1.0" encoding="UTF-8"?> <!-- -*- XML -*- -->
<!DOCTYPE pkconfig PUBLIC "-//freedesktop//DTD PolicyKit Configuration 1.0//EN"
"http://hal.freedesktop.org/releases/PolicyKit/1.0/config.dtd">
<!-- See the manual page PolicyKit.conf(5) for file format -->
<config version="0.1">
</config>
<!-- Document Type for PolicyKit configuration file -->
<!-- <config> is the top-level element of the config file. -->
<!ELEMENT config (match|return)* >
<!ATTLIST config
version (0.1) #REQUIRED
>
<!ELEMENT match (match|return)* >
<!ATTLIST match
action CDATA #IMPLIED
user CDATA #IMPLIED
>
<!ELEMENT return (#PCDATA) >
<!ATTLIST return
result (no|auth_root|auth_root_keep_session|auth_root_keep_always|auth_self|auth_self_keep_session|auth_self_keep_always|yes) #REQUIRED
>
...@@ -4,7 +4,7 @@ ...@@ -4,7 +4,7 @@
<!-- This file is provided by the PolicyKit project --> <!-- This file is provided by the PolicyKit project -->
<node> <node>
<interface name="org.freedesktop.PolicyKit.AuthenticationAgent"> <interface name="org.freedesktop.PolicyKit.AuthenticationAgent1">
<method name="ObtainAuthorization"> <method name="ObtainAuthorization">
<!-- IN: PolicyKit action identifier; see PolKitAction --> <!-- IN: PolicyKit action identifier; see PolKitAction -->
......
...@@ -2,10 +2,11 @@ prefix=@prefix@ ...@@ -2,10 +2,11 @@ prefix=@prefix@
exec_prefix=@exec_prefix@ exec_prefix=@exec_prefix@
libdir=@libdir@ libdir=@libdir@
includedir=@includedir@ includedir=@includedir@
policydir=@datarootdir@/PolicyKit/policy/ policydir=@datarootdir@/polkit-1/policy/
actiondir=@datarootdir@/polkit-1/policy/
Name: polkit Name: polkit
Description: library for querying system-wide policy Description: Authorization API
Version: @VERSION@ Version: @VERSION@
Libs: -L${libdir} -lpolkit Libs: -L${libdir} -lpolkit-1
Cflags: -I${includedir}/PolicyKit Cflags: -I${includedir}/polkit-1
prefix=@prefix@
exec_prefix=@exec_prefix@
libdir=@libdir@
includedir=@includedir@
Name: polkit-dbus
Description: helper library for obtaining seat, session and caller information via D-Bus and ConsoleKit
Version: @VERSION@
Requires: polkit dbus-1
Libs: -L${libdir} -lpolkit-dbus
Cflags: -I${includedir}/PolicyKit
...@@ -3,9 +3,9 @@ exec_prefix=@exec_prefix@ ...@@ -3,9 +3,9 @@ exec_prefix=@exec_prefix@
libdir=@libdir@ libdir=@libdir@
includedir=@includedir@ includedir=@includedir@
Name: polkit-grant Name: polkit-grant-1
Description: library for obtaining privileges via PolicyKit Description: Library for obtaining authorizations through authentication
Version: @VERSION@ Version: @VERSION@
Requires: glib-2.0 polkit Requires: polkit-1
Libs: -L${libdir} -lpolkit-grant Libs: -L${libdir} -lpolkit-grant-1
Cflags: -I${includedir}/PolicyKit Cflags: -I${includedir}/polkit-1
...@@ -7,7 +7,7 @@ NULL = ...@@ -7,7 +7,7 @@ NULL =
AUTOMAKE_OPTIONS = 1.7 AUTOMAKE_OPTIONS = 1.7
# The name of the module. # The name of the module.
DOC_MODULE=polkit DOC_MODULE=polkit-1
# The top-level SGML file. # The top-level SGML file.
DOC_MAIN_SGML_FILE=polkit-docs.xml DOC_MAIN_SGML_FILE=polkit-docs.xml
...@@ -51,17 +51,15 @@ MKDB_OPTIONS=--sgml-mode --output-format=xml ...@@ -51,17 +51,15 @@ MKDB_OPTIONS=--sgml-mode --output-format=xml
MKTMPL_OPTIONS= MKTMPL_OPTIONS=
# Non-autogenerated SGML files to be included in $(DOC_MAIN_SGML_FILE) # Non-autogenerated SGML files to be included in $(DOC_MAIN_SGML_FILE)
content_files = \ content_files = \
version.xml \ version.xml \
man/PolicyKit.xml \ man/PolicyKit.xml \
man/PolicyKit.conf.xml \ man/polkit-auth.xml \
man/polkit-auth.xml \ man/polkit-action.xml \
man/polkit-action.xml \ man/polkit-policy-file-validate.xml \
man/polkit-policy-file-validate.xml \ spec/polkit-spec-configuration.xml \
man/polkit-config-file-validate.xml \ spec/polkit-spec-introduction.xml \
spec/polkit-spec-configuration.xml \ spec/polkit-spec-model.xml \
spec/polkit-spec-introduction.xml \
spec/polkit-spec-model.xml \
$(NULL) $(NULL)
# Images to copy into HTML directory # Images to copy into HTML directory
......
if MAN_PAGES_ENABLED if MAN_PAGES_ENABLED
man_MANS = polkit-auth.1 \ man_MANS = polkit-auth-1.1 \
polkit-action.1 \ polkit-action-1.1 \
polkit-config-file-validate.1 \ polkit-policy-file-validate-1.1 \
polkit-policy-file-validate.1 \ PolicyKit-1.8
PolicyKit.conf.5 \
PolicyKit.8
%.1 %.5 %.8 : %.xml %-1.1 %-1.8 : %.xml
$(XSLTPROC) -nonet http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl $< $(XSLTPROC) -nonet http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl $<
endif # MAN_PAGES_ENABLED endif # MAN_PAGES_ENABLED
EXTRA_DIST= PolicyKit.conf.xml \ EXTRA_DIST= PolicyKit.xml \
PolicyKit.xml \ polkit-auth.xml \
polkit-config-file-validate.xml \ polkit-action.xml \
polkit-auth.xml \
polkit-action.xml \
polkit-policy-file-validate.xml polkit-policy-file-validate.xml
clean-local: clean-local:
......
<refentry id="PolicyKit.conf.5">
<refentryinfo>
<title>PolicyKit.conf</title>
<date>August 2007</date>
<productname>PolicyKit</productname>
</refentryinfo>
<refmeta>
<refentrytitle>PolicyKit.conf</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo class="version"></refmiscinfo>
</refmeta>
<refnamediv>
<refname>PolicyKit.conf</refname>
<refpurpose>PolicyKit configuration file</refpurpose>
</refnamediv>
<refsect1><title>DESCRIPTION</title>
<para>
The <filename>/etc/PolicyKit/PolicyKit.conf</filename>
configuration file provides a way for system administrators to
override policy for mechanisms that use the PolicyKit library to
determine whether a caller is allowed to use the mechanism.
</para>
<para>
Changes to this configuration file are immediately propagated to
running processes using the PolicyKit library. If the
configuration file is invalid, processes using this library will
log this fact to the system logger and the library will only
only return <emphasis>no</emphasis> as the answer to processes
using it.
</para>
<para>
The <citerefentry><refentrytitle>polkit-config-file-validate</refentrytitle><manvolnum>1</manvolnum></citerefentry>
tool can be used to verify that the configuration file is
valid.
</para>
</refsect1>
<refsect1>
<title>FILE FORMAT</title>
<para>
The configuration file is an XML document. It must have the
following doctype declaration:
</para>
<programlisting>
<![CDATA[
<!DOCTYPE pkconfig PUBLIC
"-//freedesktop//DTD PolicyKit Configuration 1.0//EN"
"http://hal.freedesktop.org/releases/PolicyKit/1.0/config.dtd">
]]>
</programlisting>
<para>
The following elements may be present in the configuration file:
</para>
<refsect2>
<title>config</title>
<para>
This is the root element. A single
attribute <emphasis>version</emphasis> must be present and
must be set to "0.1" at this point. There can only be one
<emphasis>config</emphasis> element in the configuration file.
</para>
</refsect2>
<refsect2>
<title>match</title>
<para>
This element is for matching information related to the
decision making process and includes values describing both
the caller and the action. This element can be embedded in
both <emphasis>config</emphasis> and
other <emphasis>match</emphasis> elements (hence allowing for
nested matching).
</para>
<para>
There can only be a single attribute in
each <emphasis>match</emphasis> element and POSIX Extended
Regular Expression syntax are supported in the value part. The
following attributes are supported:
</para>
<variablelist>
<varlistentry>
<term><emphasis>user</emphasis></term>
<listitem>
<para>
This matches on the users login name.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>action</emphasis></term>
<listitem>
<para>
For matching on the given action being queried for, for
example
<emphasis>action="org.foo.*"</emphasis> will match
on all actions whose action identifier begins with
the string "org.foo.".
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect2>
<refsect2>
<title>return</title>
<para>
This element is for used to specify what result the PolicyKit
library will return. It can only be embedded in
<emphasis>config</emphasis> and <emphasis>match</emphasis>
elements and can embed no elements
itself. The <emphasis>return</emphasis> element is
typically used deeply inside a number
of <emphasis>match</emphasis> elements. A single attribute,
<emphasis>result</emphasis> is supported and it can assume
the following values:
</para>
<variablelist>
<varlistentry>
<term><emphasis>no</emphasis></term>
<listitem>
<para>
Access denied.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>auth_self</emphasis></term>
<listitem>
<para>