Commit 8f7727e1 authored by David Zeuthen's avatar David Zeuthen

Port lockdown from pklalockdown(1) to D-Bus methods

Also rename the action from org.freedesktop.policykit.localauthority.lockdown
to org.freedesktop.policykit.lockdown since any authority implementation
can now implement this.

This changes only ABI/API used by e.g. polkit-gnome. This is fine
since we're not at 1.0 yet.
parent 00c00948
......@@ -59,8 +59,8 @@
</defaults>
</action>
<action id="org.freedesktop.policykit.localauthority.lockdown">
<_description>Configure lockdown on the Local Authority</_description>
<action id="org.freedesktop.policykit.lockdown">
<_description>Configure lock down for an action</_description>
<_message>Authentication is required to configure lock down policy</_message>
<defaults>
<allow_any>no</allow_any>
......
......@@ -10,7 +10,6 @@ man_MANS = \
pkexec.1 \
pkcheck.1 \
pkaction.1 \
pklalockdown.1 \
$(NULL)
%.8 %.1 : %.xml
......@@ -25,7 +24,6 @@ EXTRA_DIST = \
pkexec.xml \
pkcheck.xml \
pkaction.xml \
pklalockdown.xml \
$(NULL)
clean-local:
......
<?xml version="1.0"?>
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
"http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd" [
<!ENTITY version SYSTEM "../version.xml">
]>
<refentry id="pklalockdown.1" xmlns:xi="http://www.w3.org/2003/XInclude">
<refentryinfo>
<title>pklalockdown</title>
<date>May 2009</date>
<productname>polkit</productname>
</refentryinfo>
<refmeta>
<refentrytitle>pklalockdown</refentrytitle>
<manvolnum>1</manvolnum>
<refmiscinfo class="version"></refmiscinfo>
</refmeta>
<refnamediv>
<refname>pklalockdown</refname>
<refpurpose>Configure lockdown for the Local Authority</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>pklalockdown</command>
<arg><option>--version</option></arg>
<arg><option>--help</option></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>pklalockdown</command>
<arg choice="plain">
<option>--lockdown</option>
<replaceable>action</replaceable>
</arg>
</cmdsynopsis>
<cmdsynopsis>
<command>pklalockdown</command>
<arg choice="plain">
<option>--remove-lockdown</option>
<replaceable>action</replaceable>
</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1 id="pklalockdown-description">
<title>DESCRIPTION</title>
<para>
<command>pklalockdown</command> is used to configure lockdown
for the Local Authority.
</para>
<para>
The effect of locking down an action is that administrator
authentication is always needed in order for subjects to acquire
the authorization for the action in question (and the subject
has to be in an active session on a local console). The obtained
authorization is temporary and as such typically expires five
minutes after being obtained.
</para>
<para>
To lock down <replaceable>action</replaceable> use the <option>--lockdown</option> option.
To remove a lockdown for <replaceable>action</replaceable> use the <option>--remove-lockdown</option> option.
</para>
</refsect1>
<refsect1 id="pklalockdown-required-auhtz">
<title>REQUIRED AUTHORIZATIONS</title>
<para>
The <emphasis>org.freedesktop.policykit.localauthority.lockdown</emphasis>
authorization is needed to add or remove lockdown. By default,
this authorization requires administrator authentication and
cannot be retained.
</para>
</refsect1>
<refsect1 id="pklalockdown-impl-details">
<title>IMPLEMENTATION DETAILS</title>
<para>
Lockdown is implemented through <filename>.pkla</filename>
files. Locked down actions supersede other most other Local
Authority configuration as the <filename>.pkla</filename> files
are placed
in <filename>/var/lib/polkit-1/localauthority90-mandatory.d</filename>.
<para>
</para>
Programs checking authorizations can check whether an action is
locked down via by checking
the <emphasis>polkit.localauthority.lockdown</emphasis> key/value pair in
the details of the authorization response.
</para>
</refsect1>
<refsect1 id="pklalockdown-return-values">
<title>RETURN VALUE</title>
<para>
On success <command>pklalockdown</command> returns 0. Otherwise a
non-zero value is returned and a diagnostic message is printed
on standard error.
</para>
</refsect1>
<refsect1 id="pklalockdown-author"><title>AUTHOR</title>
<para>
Written by David Zeuthen <email>davidz@redhat.com</email> with
a lot of help from many others.
</para>
</refsect1>
<refsect1 id="pklalockdown-bugs">
<title>BUGS</title>
<para>
Please send bug reports to either the distribution or the
polkit-devel mailing list,
see the link <ulink url="http://lists.freedesktop.org/mailman/listinfo/polkit-devel"/>
on how to subscribe.
</para>
</refsect1>
<refsect1 id="pklalockdown-see-also">
<title>SEE ALSO</title>
<para>
<citerefentry>
<refentrytitle>polkit</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>pkcheck</refentrytitle><manvolnum>1</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>pklocalauthority</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>
</para>
</refsect1>
</refentry>
......@@ -74,7 +74,7 @@ polkit_authorization_result_get_is_authorized
polkit_authorization_result_get_is_challenge
polkit_authorization_result_get_retains_authorization
polkit_authorization_result_get_temporary_authorization_id
polkit_authorization_result_get_local_authority_lock_down
polkit_authorization_result_get_locked_down
polkit_authorization_result_get_details
<SUBSECTION Standard>
PolkitAuthorizationResultClass
......
......@@ -1312,7 +1312,7 @@ polkit_authority_revoke_temporary_authorizations (PolkitAuthority *authority
* @res: A #GAsyncResult obtained from the callback.
* @error: Return location for error or %NULL.
*
* Finished revoking temporary authorizations.
* Finishes revoking temporary authorizations.
*
* Returns: %TRUE if all the temporary authorizations was revoked, %FALSE if error is set.
**/
......@@ -1431,7 +1431,7 @@ polkit_authority_revoke_temporary_authorization_by_id (PolkitAuthority *auth
* @res: A #GAsyncResult obtained from the callback.
* @error: Return location for error or %NULL.
*
* Finished revoking a temporary authorization by id.
* Finishes revoking a temporary authorization by id.
*
* Returns: %TRUE if the temporary authorization was revoked, %FALSE if error is set.
**/
......@@ -1550,7 +1550,7 @@ polkit_authority_add_lockdown_for_action (PolkitAuthority *authority,
* @res: A #GAsyncResult obtained from the callback.
* @error: Return location for error or %NULL.
*
* Finished locking down an action.
* Finishes locking down an action.
*
* Returns: %TRUE if the action was locked down, %FALSE if error is set.
**/
......
......@@ -278,25 +278,26 @@ polkit_authorization_result_get_temporary_authorization_id (PolkitAuthorizationR
}
/**
* polkit_authorization_result_get_local_authority_lock_down:
* polkit_authorization_result_get_locked_down:
* @result: A #PolkitAuthorizationResult.
*
* Gets whether the action is locked down in the Local Authority via pklalockdown(1).
* Gets whether the action is locked down via
* e.g. polkit_authority_add_lockdown_for_action().
*
* This method simply reads the value of the key/value pair in @details with the
* key <literal>polkit.localauthority.lockdown</literal>.
* key <literal>polkit.lockdown</literal>.
*
* Returns: %TRUE if the authorization is or will be temporary.
* Returns: %TRUE if the action for the authorization is locked down.
*/
gboolean
polkit_authorization_result_get_local_authority_lock_down (PolkitAuthorizationResult *result)
polkit_authorization_result_get_locked_down (PolkitAuthorizationResult *result)
{
gboolean ret;
PolkitDetails *details;
ret = FALSE;
details = polkit_authorization_result_get_details (result);
if (details != NULL && polkit_details_lookup (details, "polkit.localauthority.lockdown") != NULL)
if (details != NULL && polkit_details_lookup (details, "polkit.lockdown") != NULL)
ret = TRUE;
return ret;
......
......@@ -52,7 +52,7 @@ gboolean polkit_authorization_result_get_is_authorized (P
gboolean polkit_authorization_result_get_is_challenge (PolkitAuthorizationResult *result);
gboolean polkit_authorization_result_get_retains_authorization (PolkitAuthorizationResult *result);
const gchar *polkit_authorization_result_get_temporary_authorization_id (PolkitAuthorizationResult *result);
gboolean polkit_authorization_result_get_local_authority_lock_down (PolkitAuthorizationResult *result);
gboolean polkit_authorization_result_get_locked_down (PolkitAuthorizationResult *result);
/* ---------------------------------------------------------------------------------------------------- */
......
......@@ -481,6 +481,15 @@ polkit_backend_interactive_authority_check_authorization (PolkitBackendAuthority
user_data,
polkit_backend_interactive_authority_check_authorization);
/* handle being called from ourselves */
if (caller == NULL)
{
EggDBusConnection *system_bus;
system_bus = egg_dbus_connection_get_for_bus (EGG_DBUS_BUS_TYPE_SYSTEM);
caller = polkit_system_bus_name_new (egg_dbus_connection_get_unique_name (system_bus));
g_object_unref (system_bus);
}
caller_str = polkit_subject_to_string (caller);
subject_str = polkit_subject_to_string (subject);
......
......@@ -17,7 +17,7 @@ INCLUDES = \
# ----------------------------------------------------------------------------------------------------
bin_PROGRAMS = pkexec pkcheck pkaction pklalockdown
bin_PROGRAMS = pkexec pkcheck pkaction
# ----------------------------------------------------------------------------------------------------
......@@ -82,19 +82,6 @@ pkaction_LDADD = \
# ----------------------------------------------------------------------------------------------------
pklalockdown_SOURCES = pklalockdown.c
pklalockdown_CFLAGS = \
$(GLIB_CFLAGS) \
$(NULL)
pklalockdown_LDADD = \
$(GLIB_LIBS) \
$(top_builddir)/src/polkit/libpolkit-gobject-1.la \
$(NULL)
# ----------------------------------------------------------------------------------------------------
clean-local :
rm -f *~
......
/*
* Copyright (C) 2008 Red Hat, Inc.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General
* Public License along with this library; if not, write to the
* Free Software Foundation, Inc., 59 Temple Place, Suite 330,
* Boston, MA 02111-1307, USA.
*
* Author: David Zeuthen <davidz@redhat.com>
*/
#ifdef HAVE_CONFIG_H
# include "config.h"
#endif
#include <string.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>
#include <fcntl.h>
#include <grp.h>
#include <pwd.h>
#include <errno.h>
#include <glib/gstdio.h>
#include <polkit/polkit.h>
static gchar *get_lockdown_filename (const gchar *action_id);
static gboolean lockdown_exists (const gchar *action_id);
static void
usage (int argc, char *argv[])
{
GError *error;
error = NULL;
if (!g_spawn_command_line_sync ("man pklalockdown",
NULL,
NULL,
NULL,
&error))
{
g_printerr ("Cannot show manual page: %s\n", error->message);
g_error_free (error);
}
}
int
main (int argc, char *argv[])
{
guint n;
guint ret;
gboolean opt_show_help;
gboolean opt_show_version;
gchar *opt_lockdown;
gchar *opt_remove_lockdown;
ret = 1;
opt_show_help = FALSE;
opt_show_version = FALSE;
opt_lockdown = NULL;
opt_remove_lockdown = NULL;
/* if we are not yet uid 0, make us uid 0 through pkexec */
if (getuid () != 0)
{
gchar **exec_argv;
exec_argv = g_new0 (gchar *, argc + 2);
exec_argv[0] = PACKAGE_BIN_DIR "/pkexec";
memcpy (exec_argv + 1, argv, argc * sizeof (gchar *));
if (execv (PACKAGE_BIN_DIR "/pkexec", exec_argv) != 0)
{
g_printerr ("Error executing " PACKAGE_BIN_DIR "/pkexec: %s\n", g_strerror (errno));
goto out;
}
g_assert_not_reached ();
}
/* We are now uid 0 (by default, the user had to authenticate to get
* here) - be careful to check all incoming args
*/
for (n = 1; n < (guint) argc; n++)
{
if (strcmp (argv[n], "--help") == 0)
{
opt_show_help = TRUE;
}
else if (strcmp (argv[n], "--version") == 0)
{
opt_show_version = TRUE;
}
else if (strcmp (argv[n], "--lockdown") == 0 || strcmp (argv[n], "-l") == 0)
{
n++;
if (n >= (guint) argc)
{
usage (argc, argv);
goto out;
}
opt_lockdown = g_strdup (argv[n]);
}
else if (strcmp (argv[n], "--remove-lockdown") == 0 || strcmp (argv[n], "-r") == 0)
{
n++;
if (n >= (guint) argc)
{
usage (argc, argv);
goto out;
}
opt_remove_lockdown = g_strdup (argv[n]);
}
else
{
break;
}
}
if (opt_show_help)
{
usage (argc, argv);
ret = 0;
goto out;
}
else if (opt_show_version)
{
g_print ("pkexec version %s\n", PACKAGE_VERSION);
ret = 0;
goto out;
}
else if (opt_lockdown != NULL)
{
gchar *filename;
gchar *contents;
GError *error;
if (lockdown_exists (opt_lockdown))
{
g_printerr ("Error: action %s is already locked down\n", opt_lockdown);
goto out;
}
filename = get_lockdown_filename (opt_lockdown);
contents = g_strdup_printf ("# Added by pklalockdown(1)\n"
"#\n"
"[Lockdown]\n"
"Identity=unix-user:*\n"
"Action=%s\n"
"ResultAny=no\n"
"ResultInactive=no\n"
"ResultActive=auth_admin_keep\n"
"ReturnValue=polkit.localauthority.lockdown=1",
opt_lockdown);
error = NULL;
if (!g_file_set_contents (filename,
contents,
-1,
&error))
{
g_printerr ("Error: Cannot write to file %s: %s\n", filename, error->message);
g_error_free (error);
g_free (filename);
g_free (contents);
goto out;
}
g_free (filename);
g_free (contents);
ret = 0;
goto out;
}
else if (opt_remove_lockdown != NULL)
{
gchar *filename;
if (!lockdown_exists (opt_remove_lockdown))
{
g_printerr ("Error: action %s is not locked down\n", opt_remove_lockdown);
goto out;
}
filename = get_lockdown_filename (opt_remove_lockdown);
if (g_unlink (filename) != 0)
{
g_printerr ("Error: Cannot unlink file %s: %s\n", filename, g_strerror (errno));
g_free (filename);
goto out;
}
g_free (filename);
ret = 0;
goto out;
}
usage (argc, argv);
out:
g_free (opt_lockdown);
g_free (opt_remove_lockdown);
return ret;
}
static gchar *
get_lockdown_filename (const gchar *action_id)
{
return g_strdup_printf (PACKAGE_LOCALSTATE_DIR
"/lib/polkit-1/localauthority/90-mandatory.d/"
"org.freedesktop.policykit.localauthority.lockdown.action-%s.pkla",
action_id);
}
static gboolean
lockdown_exists (const gchar *action_id)
{
gchar *filename;
gboolean ret;
ret = FALSE;
filename = get_lockdown_filename (action_id);
if (g_file_test (filename, G_FILE_TEST_IS_REGULAR | G_FILE_TEST_EXISTS))
ret = TRUE;
g_free (filename);
return ret;
}
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment