Commit e55cb236 authored by David Zeuthen's avatar David Zeuthen

make config file override grant database

Even though a caller may have an entry in the grant database (and as
such will see POLKIT_RESULT_YES), change the behavior such that this
is no longer honored unless the config file specifies the result
POLKIT_RESULT_ONLY_VIA_[SELF|ADMIN]_AUTH_{,KEEP_SESSION|KEEP_ALWAYS}.

E.g. this allows the sysadmin to specify things like POLKIT_RESULT_NO
in the config file and that will now make existing grants
useless. This behavior is a lot more natural.
parent 4f807a94
......@@ -538,6 +538,8 @@ polkit_context_can_caller_do_action (PolKitContext *pk_context,
PolKitPolicyCache *cache;
PolKitPolicyFileEntry *pfe;
PolKitResult result;
PolKitResult result_from_config;
PolKitResult result_from_grantdb;
PolKitPolicyDefault *policy_default;
PolKitConfig *config;
......@@ -580,17 +582,27 @@ polkit_context_can_caller_do_action (PolKitContext *pk_context,
polkit_policy_file_entry_debug (pfe);
/* first, check if the grant database specifies a result */
result = _polkit_grantdb_check_can_caller_do_action (pk_context, action, caller);
if (result != POLKIT_RESULT_UNKNOWN)
goto found;
/* second, check if the config file specifies a result */
result = polkit_config_can_caller_do_action (config, action, caller);
if (result != POLKIT_RESULT_UNKNOWN)
result_from_config = polkit_config_can_caller_do_action (config, action, caller);
result_from_grantdb = _polkit_grantdb_check_can_caller_do_action (pk_context, action, caller);
/* fist, check if the config file specifies a result */
if (result_from_config != POLKIT_RESULT_UNKNOWN) {
/* it does.. use it.. although try to use an existing grant if there is one */
if ((result_from_config == POLKIT_RESULT_ONLY_VIA_ADMIN_AUTH ||
result_from_config == POLKIT_RESULT_ONLY_VIA_ADMIN_AUTH_KEEP_SESSION ||
result_from_config == POLKIT_RESULT_ONLY_VIA_ADMIN_AUTH_KEEP_ALWAYS ||
result_from_config == POLKIT_RESULT_ONLY_VIA_SELF_AUTH ||
result_from_config == POLKIT_RESULT_ONLY_VIA_SELF_AUTH_KEEP_SESSION ||
result_from_config == POLKIT_RESULT_ONLY_VIA_SELF_AUTH_KEEP_ALWAYS) &&
result_from_grantdb == POLKIT_RESULT_YES) {
result = POLKIT_RESULT_YES;
} else {
result = result_from_config;
}
goto found;
}
/* if no, just use the defaults */
/* use defaults as specified in the .policy file */
policy_default = polkit_policy_file_entry_get_default (pfe);
if (policy_default == NULL) {
g_warning ("no default policy for action!");
......@@ -598,6 +610,17 @@ polkit_context_can_caller_do_action (PolKitContext *pk_context,
}
result = polkit_policy_default_can_caller_do_action (policy_default, action, caller);
/* use this result.. although try to use an existing grant if there is one */
if ((result == POLKIT_RESULT_ONLY_VIA_ADMIN_AUTH ||
result == POLKIT_RESULT_ONLY_VIA_ADMIN_AUTH_KEEP_SESSION ||
result == POLKIT_RESULT_ONLY_VIA_ADMIN_AUTH_KEEP_ALWAYS ||
result == POLKIT_RESULT_ONLY_VIA_SELF_AUTH ||
result == POLKIT_RESULT_ONLY_VIA_SELF_AUTH_KEEP_SESSION ||
result == POLKIT_RESULT_ONLY_VIA_SELF_AUTH_KEEP_ALWAYS) &&
result_from_grantdb == POLKIT_RESULT_YES) {
result = POLKIT_RESULT_YES;
}
found:
/* Never return UNKNOWN to user */
......
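Review bot: In the second hunk, a grant-database `POLKIT_RESULT_YES` is accepted for any of the six `ONLY_VIA_*` config results, so a grant that was presumably obtained through self authentication still satisfies a config entry that now requires `POLKIT_RESULT_ONLY_VIA_ADMIN_AUTH`, and a kept grant still satisfies a result without a `KEEP_` suffix. Whether `_polkit_grantdb_check_can_caller_do_action` can report how a grant was obtained is not visible here; if it can, compare that against `result_from_config` before setting `result = POLKIT_RESULT_YES`, and if it cannot, state the limitation above the check, e.g. `/* NOTE: an existing grant is honored regardless of the auth type it was obtained under */`. The same six-way comparison is repeated in the third hunk for the `.policy` defaults, so one static helper called from both sites would keep the two lists from drifting apart when a result value is added. The comment `/* fist, check if the config file specifies a result */` should also read `first`. The body of `polkit_context_can_caller_do_action` starts and ends outside the hunks shown.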