Commit f2f2f6db authored by David Zeuthen

prepare for merge of rewritten PolicyKit

parent 20d7b8fe
aclocal.m4
autom4te.cache
compile
config.guess
config.h
config.h.in
config.log
config.status
config.sub
configure
depcomp
INSTALL
install-sh
intltool-extract
intltool-extract.in
intltool-merge
intltool-merge.in
intltool-update
intltool-update.in
libtool
ltmain.sh
Makefile
Makefile.in
missing
mkinstalldirs
policy-kit
polkit.pc
py-compile
stamp-h1
*.o
ChangeLog
*.tar.gz
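Review bot: the ignore list still names `polkit.pc` (and `policy-kit`), while the pkg-config files generated elsewhere in this commit are `polkit-1.pc` and `polkit-grant-1.pc` (see the DISTCLEANFILES entry in data/Makefile.am); replace `polkit.pc` with `polkit-1.pc` and `polkit-grant-1.pc` so the generated files do not show up as untracked after a build.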
David Zeuthen <davidz@redhat.com>
Copyright (C) 2007-2008 David Zeuthen <davidz@redhat.com>.
All Rights Reserved.
The PolicyKit source code is licensed under the MIT/X11 license. The
license is included below.
-- BEGIN MIT/X11 License ---
Permission is hereby granted, free of charge, to any person
obtaining a copy of this software and associated
documentation files (the "Software"), to deal in the
Software without restriction, including without limitation
the rights to use, copy, modify, merge, publish, distribute,
sublicense, and/or sell copies of the Software, and to
permit persons to whom the Software is furnished to do so,
subject to the following conditions:
The above copyright notice and this permission notice shall
be included in all copies or substantial portions of the
Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY
KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS
BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
OTHER DEALINGS IN THE SOFTWARE.
-- END MIT/X11 License ---
SCM
===
- anonymous checkouts
$ git clone git://git.freedesktop.org/git/PolicyKit.git
- checkouts if you got an ssh account on fd.o (username@ is optional)
$ git clone ssh://[username@]git.freedesktop.org/git/PolicyKit.git
- commit to local repository
$ git commit -a
- push local repository to master repository at fd.o (remember most patches
requires review at the mailing list)
$ git push
- pull changes from master repository at fd.o
$ git pull
- diff of working tree versus local repository
$ git diff
- diff of local repository vs. master repository at fd.o
synchronize with upstream repo:
$ git pull
(possibly merge changes)
generate the diff:
$ git diff origin HEAD
- influential environment variables (set these in e.g. .bash_profile)
export GIT_AUTHOR_NAME='Your Full Name'
export GIT_COMMITTER_NAME='Your Full Name'
export GIT_COMMITTER_EMAIL=youremail@domain.net
export GIT_AUTHOR_EMAIL=youremail@domain.net
- see also
http://www.kernel.org/pub/software/scm/git/docs/
Committing code
===
- Commit messages should be of the form (the five lines between the
lines starting with ===)
=== begin example commit ===
short explanation of the commit
Longer explanation explaining exactly what's changed, whether any
external or private interfaces changed, what bugs were fixed (with bug
tracker reference if applicable) and so forth. Be concise but not too brief.
=== end example commit ===
- Always add a brief description of the commit to the _first_ line of
the commit and terminate by two newlines (it will work without the
second newline, but that is not nice for the interfaces).
- First line (the brief description) must only be one sentence and
must not start with a capital letter. Don't use a trailing period
either.
- The main description (the body) is normal prose and should use normal
punctuation and capital letters where appropriate. Normally, for patches
sent to a mailing list it's copied from there.
- When committing code on behalf of others use the --author option, e.g.
git commit -a --author "Joe Coder <joe@coder.org>"
Coding Style
===
- Please follow the coding style already used - it's not a must, but it's
nice to have consistency.
- Write docs for all functions and structs and so on. We use gtkdoc format.
- All external interfaces (network protocols, file formats, etc.)
should have documented specifications sufficient to allow an
alternative implementation to be written. Our implementation should
be strict about specification compliance (should not for example
heuristically parse a file and accept not-well-formed
data). Avoiding heuristics is also important for security reasons;
if it looks funny, ignore it (or exit, or disconnect).
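Review bot: grammar nit in the push bullet, "most patches requires review" should read "most patches require review". The `git diff origin HEAD` step assumes the remote is called origin, which the clone commands above do produce, so it is fine as written. The last Coding Style bullet (be strict about specification compliance, never heuristically accept malformed input, and ignore or disconnect on anything odd) is the right default for a daemon that hands out authorizations; it would be worth repeating it in the documentation of the helpers that parse the authorization files, since those run setgid.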
## Process this file with automake to produce Makefile.in
SUBDIRS = data src polkit-backendd doc tools policy po test
# Creating ChangeLog from git log (taken from cairo/Makefile.am):
ChangeLog: $(srcdir)/ChangeLog
$(srcdir)/ChangeLog:
@if test -d "$(srcdir)/.git"; then \
(cd "$(srcdir)" && \
./missing --run git-log --stat) | fmt --split-only > $@.tmp \
&& mv -f $@.tmp $@ \
|| ($(RM) $@.tmp; \
echo Failed to generate ChangeLog, your ChangeLog may be outdated >&2; \
(test -f $@ || echo git-log is required to generate this file >> $@)); \
else \
test -f $@ || \
(echo A git checkout and git-log is required to generate ChangeLog >&2 && \
echo A git checkout and git-log is required to generate this file >> $@); \
fi
if POLKIT_GCOV_ENABLED
.PHONY: ChangeLog $(srcdir)/ChangeLog coverage-report.txt
coverage-report.txt :
make -C src/kit coverage-report.txt
make -C src/polkit coverage-report.txt
make -C src/polkit-dbus coverage-report.txt
make -C src/polkit-grant coverage-report.txt
$(top_srcdir)/test/create-coverage-report.sh "PolicyKit" `cat src/kit/covered-files.txt src/polkit/covered-files.txt src/polkit-dbus/covered-files.txt src/polkit-grant/covered-files.txt` > coverage-report.txt
check-coverage: coverage-report.txt
cat coverage-report.txt
else
.PHONY: ChangeLog $(srcdir)/ChangeLog
coverage-report.txt:
@echo "Need to reconfigure with --enable-gcov"
check-coverage:
@echo "Need to reconfigure with --enable-gcov"
endif
if POLKIT_BUILD_TESTS
install:
@echo "Cowardly refusing to install with --enable-tests."
@exit 1
endif
EXTRA_DIST = \
HACKING \
mkinstalldirs \
ChangeLog \
intltool-extract.in \
intltool-merge.in \
intltool-update.in
DISTCLEANFILES = \
intltool-extract \
intltool-merge \
intltool-update
# xsltproc barfs on 'make distcheck'; disable for now
DISTCHECK_CONFIGURE_FLAGS=--disable-man-pages --disable-gtk-doc
clean-local :
rm -f *~
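Review bot: the coverage-report.txt recipe calls `make -C src/kit coverage-report.txt` (and three more) literally rather than `$(MAKE) -C ...`; use `$(MAKE)` so the recursive invocations inherit the jobserver under -j and use the same make binary as the top-level build. Separately, the `install:` override under POLKIT_BUILD_TESTS is a sensible guard against installing a tests-enabled tree, but a user-defined `install` target makes automake emit an override warning; an `install-data-hook` that performs the same check and `exit 1` avoids that.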
PolicyKit is an authorization framework. It is typically used by
privileged user space daemons to control access.
See also the file HACKING for notes of interest to developers working
on PolicyKit.
See http://www.freedesktop.org/wiki/Software/PolicyKit for lots of
documentation, mailing lists, etc.
-------------------------------------------------------
Rationale for permissions/modes for the default backend
-------------------------------------------------------
0770 root:polkituser /var/run/polkit-1
0770 root:polkituser /var/lib/polkit-1
We store authorizations for each user here. Since we don't want users
to know what authorizations other users has, no one can read these
files. However, when checking authorizations we need to be able to
read from here; we use this helper
2755 root:polkituser /usr/libexec/polkit-read-auth-helper-1
which can read from here since it's setgid 'polkituser'. This helper
will refuse to return authorizations for other users than the calling
user except if the calling user is authorized for org.fd.pk.read.
We also want to be able to grant authorizations through authentication.
That happens with this helper
2755 root:polkituser /usr/libexec/polkit-grant-helper-1
This program is setgid 'polkituser' so it can write files in
/var/{run,lib}/polkit-1. Note that these files are created with mode
464.
To do the actual authentication check when granting authorizations
through authentication, polkit-grant-helper-1 uses another helper
4754 root:polkituser /usr/libexec/polkit-grant-helper-pam-1
This one is setuid root because checking authentications might need
require that (you may be checking the root password). The reason
polkit-grant-helper-pam is is owned by group 'polkituser' is to ensure
that random users can't execute it; only setgid 'polkituser' programs
can do this. Which polkit-grant-helper is.
On to
2755 root:polkituser /libexec/polkit-revoke-helper-1
This one is used to revoke authorizations. It will only allow uid 0 and
users with the org.fd.pk.revoke authorization to do so. It needs to be
setgid polkituser to be able to modify authorization files
in /var/{run,lib}/polkit-1.
2755 root:polkituser /usr/libexec/polkit-explicit-grant-helper-1
Same story as for polkit-revoke-helper only this grants authorizations.
Only allowed for uid 0 and users with the org.fd.pk.grant authorization.
On to
0755 polkituser:root /var/lib/polkit-public-1
This is where we store modifications to the defaults. Anyone should be
able to read these files. They are created with mode 644. These files
are written / modified by this helper
4755 polkituser:root /usr/libexec/polkit-set-default-helper-1
which is setuid polkituser to be able to write/modify files.
On to
4755 root:root /usr/libexec/polkit-resolve-exe-helper-1
This is used to find the executable name for a process. On Linux this is
the /proc/<pid>/exe symlink and you can only do this for processes you
own. This helper finds the executable name for processes not owned by
you but only if you have the org.fd.pk.read authorization. This is
important to let e.g. user 'haldaemon' check authorizations for a user
requesting service.
0664 polkituser:polkituser /var/lib/misc/polkit-1.reload
This file is used by libpolkit to detect when something has changed
(authorizations granted/revoked, defaults changed etc.). It is
writable by both user 'polkituser' and group 'polkituser' because we
have helpers running with both euid 'polkituser' and egid 'polkituser'
that wants to trigger a reload.
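Review bot: the path for polkit-revoke-helper-1 is given as /libexec/polkit-revoke-helper-1 while every other helper lives under /usr/libexec/; this looks like a missing /usr. Typo: "polkit-grant-helper-pam is is owned". On the modes: polkit-grant-helper-pam-1 is 4754 root:polkituser so that only setgid-polkituser programs can reach the setuid-root binary, which is the stated intent, whereas polkit-resolve-exe-helper-1 is 4755 root:root, i.e. setuid root and executable by every local user; the rationale should say why it must be reachable directly rather than only through a polkituser helper, and should state that the org.fd.pk.read check happens before any /proc/<pid>/exe lookup for a pid the caller does not own. Also, "mode 464" for the authorization files is presumably octal 0464 (owner read, group read-write, world read), which only stays private because /var/{run,lib}/polkit-1 are 0770; that dependency on the directory mode is worth spelling out.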
dnl GTK_DOC_CHECK borrowed from cairo, thanks!
dnl Usage:
dnl GTK_DOC_CHECK([minimum-gtk-doc-version])
AC_DEFUN([GTK_DOC_CHECK],
[
AC_BEFORE([AC_PROG_LIBTOOL],[$0])dnl setup libtool first
AC_BEFORE([AM_PROG_LIBTOOL],[$0])dnl setup libtool first
dnl for overriding the documentation installation directory
AC_ARG_WITH(html-dir,
AC_HELP_STRING([--with-html-dir=PATH], [path to installed docs]),,
[with_html_dir='${datadir}/gtk-doc/html'])
HTML_DIR="$with_html_dir"
AC_SUBST(HTML_DIR)
dnl enable/disable documentation building
AC_ARG_ENABLE(gtk-doc,
AC_HELP_STRING([--enable-gtk-doc],
[use gtk-doc to build documentation [default=yes]]),,
enable_gtk_doc=yes)
have_gtk_doc=no
if test x$enable_gtk_doc = xyes; then
if test -z "$PKG_CONFIG"; then
AC_PATH_PROG(PKG_CONFIG, pkg-config, no)
fi
if test "$PKG_CONFIG" != "no" && $PKG_CONFIG --exists gtk-doc; then
have_gtk_doc=yes
fi
dnl do we want to do a version check?
ifelse([$1],[],,
[gtk_doc_min_version=$1
if test "$have_gtk_doc" = yes; then
AC_MSG_CHECKING([gtk-doc version >= $gtk_doc_min_version])
if $PKG_CONFIG --atleast-version $gtk_doc_min_version gtk-doc; then
AC_MSG_RESULT(yes)
else
AC_MSG_RESULT(no)
have_gtk_doc=no
fi
fi
])
if test "$have_gtk_doc" != yes; then
enable_gtk_doc=no
fi
fi
AM_CONDITIONAL(ENABLE_GTK_DOC, test x$enable_gtk_doc = xyes)
AM_CONDITIONAL(GTK_DOC_USE_LIBTOOL, test -n "$LIBTOOL")
])
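Review bot: AC_HELP_STRING is obsolete; AS_HELP_STRING is the supported spelling in current autoconf and is a drop-in replacement for the two uses in this macro. With `enable_gtk_doc=yes` as the default, the macro silently flips enable_gtk_doc to no when gtk-doc is missing or too old; an AC_MSG_NOTICE at that point would make the behaviour visible in the configure output.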
#!/bin/sh
# Run this to generate all the initial makefiles, etc.
srcdir=`dirname $0`
test -z "$srcdir" && srcdir=.
DIE=0
(test -f $srcdir/configure.in) || {
echo -n "**Error**: Directory $srcdir does not look like the"
echo " top-level package directory"
exit 1
}
(autoconf --version) < /dev/null > /dev/null 2>&1 || {
echo
echo "**Error**: You must have autoconf installed."
echo "Download the appropriate package for your distribution,"
echo "or get the source tarball at ftp://ftp.gnu.org/pub/gnu/"
DIE=1
}
(grep "^AM_PROG_LIBTOOL" $srcdir/configure.in >/dev/null) && {
(libtool --version) < /dev/null > /dev/null 2>&1 || {
echo
echo "**Error**: You must have libtool installed."
echo "You can get it from: ftp://ftp.gnu.org/pub/gnu/"
DIE=1
}
}
(automake --version) < /dev/null > /dev/null 2>&1 || {
echo
echo "**Error**: You must have automake installed."
echo "You can get it from: ftp://ftp.gnu.org/pub/gnu/"
DIE=1
NO_AUTOMAKE=yes
}
# if no automake, don't bother testing for aclocal
test -n "$NO_AUTOMAKE" || (aclocal --version) < /dev/null > /dev/null 2>&1 || {
echo
echo "**Error**: Missing aclocal. The version of automake"
echo "installed doesn't appear recent enough."
echo "You can get automake from ftp://ftp.gnu.org/pub/gnu/"
DIE=1
}
if test "$DIE" -eq 1; then
exit 1
fi
if test -z "$*"; then
echo "**Warning**: I am going to run configure with no arguments."
echo "If you wish to pass any to it, please specify them on the"
echo $0 " command line."
echo
fi
case $CC in
xlc )
am_opt=--include-deps;;
esac
aclocalinclude="$ACLOCAL_FLAGS"
if grep "^AM_PROG_LIBTOOL" configure.in >/dev/null; then
if test -z "$NO_LIBTOOLIZE" ; then
echo "Running libtoolize..."
libtoolize --force --copy
fi
fi
echo "Running aclocal $aclocalinclude ..."
aclocal $aclocalinclude
if grep "^AM_CONFIG_HEADER" configure.in >/dev/null; then
echo "Running autoheader..."
autoheader
fi
echo "Running automake --gnu -Wno-portability $am_opt ..."
automake --add-missing --gnu -Wno-portability $am_opt
echo "Running autoconf ..."
autoconf
intltoolize --copy --force --automake || exit 1
conf_flags="--enable-maintainer-mode --enable-gtk-doc"
if test x$NOCONFIGURE = x; then
echo "Running $srcdir/configure $conf_flags $@ ..."
$srcdir/configure $conf_flags "$@" \
&& echo "Now type make to compile." || exit 1
else
echo "Skipping configure process."
fi
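Review bot: the libtoolize and autoheader checks grep `configure.in` in the current directory (`if grep "^AM_PROG_LIBTOOL" configure.in` and `if grep "^AM_CONFIG_HEADER" configure.in`), whereas the earlier sanity check uses `$srcdir/configure.in`; when autogen.sh is run from outside the source tree those greps fail and libtoolize and autoheader are skipped. Prefix both with `$srcdir/`. `echo -n` in the first error message is also not portable across /bin/sh implementations; `printf` is safer.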
## Process this file with automake to produce Makefile.in
# See polkit-grant/Makefile.am for discussion
#
if POLKIT_AUTHFW_PAM
pamdir = $(sysconfdir)/pam.d
pam_DATA = polkit-grant-1
endif
pkgconfigdir = $(libdir)/pkgconfig
pkgconfig_DATA = polkit-1.pc polkit-grant-1.pc
dbusifdir = $(datadir)/dbus-1/interfaces
dbusif_DATA = org.freedesktop.PolicyKit.AuthenticationAgent1.xml
DISTCLEANFILES = polkit-1.pc polkit-grant-1.pc
EXTRA_DIST = polkit-grant-1.in polkit-1.pc.in polkit-grant-1.pc.in org.freedesktop.PolicyKit.AuthenticationAgent1.xml
clean-local :
rm -f *~
<!DOCTYPE node PUBLIC "-//freedesktop//DTD D-BUS Object Introspection 1.0//EN"
"http://www.freedesktop.org/standards/dbus/1.0/introspect.dtd">
<!-- This file is provided by the PolicyKit project -->
<node>
<interface name="org.freedesktop.PolicyKit.AuthenticationAgent1">
<method name="ObtainAuthorization">
<!-- IN: PolicyKit action identifier; see PolKitAction -->
<arg name="action_id" direction="in" type="s"/>
<!-- IN: X11 window ID for the top-level X11 window the dialog will be transient for (pass zero if no window) -->
<arg name="xid" direction="in" type="u"/>
<!-- IN: Process ID to grant authorization to -->
<arg name="pid" direction="in" type="u"/>
<!-- OUT: whether the user gained the authorization -->
<arg name="gained_authorization" direction="out" type="b"/>
</method>
</interface>
</node>
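Review bot: ObtainAuthorization identifies the process to be authorized by a bare `pid` (type u). A pid is reused once the original process exits, so an agent that grants an authorization for a pid may end up granting it to a different process than the one that asked. The TODO in this commit already proposes keying the exe cache on (pid, pid_start_time); carrying the start time in this interface, or having the agent read it from /proc at the moment of the call and re-checking it when the grant is written, would close the same gap here. The interface comments should also say who is allowed to call this method and how the agent checks that the D-Bus caller corresponds to `pid`.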
prefix=@prefix@
exec_prefix=@exec_prefix@
libdir=@libdir@
includedir=@includedir@
policydir=@datarootdir@/polkit-1/policy/
actiondir=@datarootdir@/polkit-1/policy/
Name: polkit
Description: Authorization API
Version: @VERSION@
Libs: -L${libdir} -lpolkit-1
Cflags: -I${includedir}/polkit-1
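Review bot: `Name: polkit` does not match the file name polkit-1.pc or the library `-lpolkit-1`, and polkit-grant-1.pc below names itself polkit-grant-1 and declares `Requires: polkit-1`; suggest `Name: polkit-1` for consistency. `policydir` and `actiondir` both expand to @datarootdir@/polkit-1/policy/ with a trailing slash; if both variables are intended, drop the trailing slash to match the libdir/includedir style.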
#%PAM-1.0
auth include @PAM_FILE_INCLUDE_AUTH@
account include @PAM_FILE_INCLUDE_ACCOUNT@
password include @PAM_FILE_INCLUDE_PASSWORD@
session include @PAM_FILE_INCLUDE_SESSION@
prefix=@prefix@
exec_prefix=@exec_prefix@
libdir=@libdir@
includedir=@includedir@
Name: polkit-grant-1
Description: Library for obtaining authorizations through authentication
Version: @VERSION@
Requires: polkit-1
Libs: -L${libdir} -lpolkit-grant-1
Cflags: -I${includedir}/polkit-1
Makefile
Makefile.in
*.o
## Process this file with automake to create Makefile.in.
SUBDIRS = man
NULL =
AUTOMAKE_OPTIONS = 1.7
# The name of the module.
DOC_MODULE=polkit-1
# The top-level SGML file.
DOC_MAIN_SGML_FILE=polkit-docs.xml
# Extra options to supply to gtkdoc-scan
SCAN_OPTIONS=--ignore-headers=config.h
# The directory containing the source code. Relative to $(srcdir)
DOC_SOURCE_DIR=../src
# Used for dependencies
HFILE_GLOB=$(top_srcdir)/src/*/*.h
CFILE_GLOB=$(top_srcdir)/src/*/*.c
# Headers to ignore
IGNORE_HFILES= \
$(NULL)
# CFLAGS and LDFLAGS for compiling scan program. Only needed
# if $(DOC_MODULE).types is non-empty.
INCLUDES = \
$(DBUS_GLIB_CFLAGS) \
$(GLIB_CFLAGS) \
-I$(top_srcdir)/src \
-I$(top_builddir)/src \
$(NULL)
GTKDOC_LIBS = \
$(DBUS_GLIB_LIBS) \
$(GLIB_LIBS) \
$(top_builddir)/src/kit/libkit.la \
$(top_builddir)/src/polkit/libpolkit.la \
$(top_builddir)/src/polkit-dbus/libpolkit-dbus.la \
$(top_builddir)/src/polkit-grant/libpolkit-grant.la \
$(NULL)
# Extra options to supply to gtkdoc-mkdb
MKDB_OPTIONS=--sgml-mode --output-format=xml
# Extra options to supply to gtkdoc-mktmpl
MKTMPL_OPTIONS=
# Non-autogenerated SGML files to be included in $(DOC_MAIN_SGML_FILE)
content_files = \
version.xml \
man/PolicyKit.xml \
man/polkit-auth.xml \
man/polkit-action.xml \
man/polkit-policy-file-validate.xml \
spec/polkit-spec-configuration.xml \
spec/polkit-spec-introduction.xml \
spec/polkit-spec-model.xml \
$(NULL)
# Images to copy into HTML directory
HTML_IMAGES = \
diagram-bus-model.png \
diagram-interaction.png
# Extra options to supply to gtkdoc-fixref
FIXXREF_OPTIONS=
MAINTAINERCLEANFILES = \
*~ \
Makefile.in \
polkit.types \
polkit-*.txt \
$(NULL)
if ENABLE_GTK_DOC
include $(top_srcdir)/gtk-doc.make
else
EXTRA_DIST =
endif
# Version information for marking the documentation
EXTRA_DIST += version.xml.in
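Review bot: with `DOC_MODULE=polkit-1` the generated types file is polkit-1.types (the comment above INCLUDES refers to $(DOC_MODULE).types), so the `polkit.types` entry in MAINTAINERCLEANFILES looks stale; change it to `$(DOC_MODULE).types`. The `else` branch sets `EXTRA_DIST =` only so that the following `EXTRA_DIST += version.xml.in` is valid when gtk-doc.make is not included; a one-line comment saying so would save the next reader a puzzle.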
- On every polkit_context_is_[caller|session]_authorized we load
all .policy XML files. This is bad. Dave Jones will kill us.
We should
1. Suggest that a single .policy file only contains actions
with a given name space com.example.MyApp. We do this
by printing a big fat WARNING in polkit-policy-file-validate(1)
if it isn't the case.
2. We make the policy cache smart and look for the right .policy
file when called from the is_*_authorized path. If it aint there
or if it doesn't contain the given action we load all the
.policy XML files.
3. When we break ABI (for 1.0 or sooner) we turn the WARNING
from 1. into an ERROR and drop the "Load all XML files"
from the is_*_authorized path. Of course, other paths
(iterate over all declared actions; find action by
annotation) will still need to load the bulk of the files.
But normally only polkit-auth(1) and polkit-action(1)
and other management tools will ever do this.
- Increase test suite coverage
- Finish up documentation; in particular how results from
config files, defaults and authorizations play together
- Potentially drop the glib dependency from polkit-grant
- Kill the config file
- Add support for granting authorizations to a) UNIX Groups; and
b) SELinux security contexts
- Add API and support in polkit-auth/polkit-action for maintaining
a list of entities for whom implicit authorizations do not apply.
(Typical example is that in a desktop OS one wants a UNIX group
for "Restricted Users". Another example is a guest account.)
- Add API and support in polkit-auth/polkit-action to define what
administrator auth means.
- Add k/v dictionaries to Actions; e.g. the Mechanism for dial-up
networking can attach the key/value pair
"phone_number" -> "555-123-4567"
The is a bit like Objects mentioned in the spec (and what we used
to have as PolKitResource) but a bit more blurry. They need to be
typed too for presentation in the UI
- Go to 1.0 soon
- Include the patch from Piter PUNK to optionally avoid the PAM
dependency (manually checks against /etc/shadow instead)
- To avoid work we should maintain a cache in the get_exe_for_pid()
functions. The key into the cache should be (pid, pid_start_time)
and the values should be the exe-paths
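Review bot: on the item about optionally avoiding the PAM dependency by checking against /etc/shadow directly: that path needs a root-privileged helper to read the shadow file and skips the account, password and session stacks that the polkit-grant-1 PAM file in this commit includes, so it bypasses any lockout, expiry or password-policy modules an administrator has configured; if the patch is merged it should be a configure-time opt-in and documented as weaker than the PAM path. The (pid, pid_start_time) key proposed for the get_exe_for_pid() cache is the right shape; the same pair should be used wherever a pid is accepted from a caller, including the AuthenticationAgent1 interface in this commit.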
if MAN_PAGES_ENABLED