  30 Jul, 2007 (5 commits)
    • use waitpid() to avoid Zombie processes · 1f90f7e1
      David Zeuthen authored
    • 6e2d74cb
    • remove the isatty() call so it's easier to audit the helper · 1ac3268b
      David Zeuthen authored
      The isatty() check is just to catch users poking around; it provides little or no real security. With this change, you can do stuff like
      
      $ /usr/libexec/polkit-grant-helper-pam
      davidz
      PAM_PROMPT_ECHO_OFF Password:
      <enter real password here>
      SUCCESS
      
      $ /usr/libexec/polkit-grant-helper-pam
      davidz
      PAM_PROMPT_ECHO_OFF Password:
      not_my_password
      polkit-grant-helper-pam: pam_authenticated failed: Authentication failure
      FAILURE
      
      which is useful for auditing.
    • move PAM stack usage to separate helper · 368397f9
      David Zeuthen authored
      So it turns out that I hadn't been using shadow passwords on my other
      development box (don't ask) and that's why auth as root worked fine
      when just running as an unprivileged user. However, to auth as another
      user (such as root), the process embedding pam needs to run as
      root. Therefore, split out the actual authentication bits into a small
      and easy to audit helper, polkit-grant-helper-pam.
      
      The auth now goes like this:
      
       polkit-gnome <-links with-> libpolkit-grant
                                         ^
                                         |
                                      spawns
                                         |
                                         V
                           /usr/libexec/polkit-grant-helper
                                         ^
                                         |
                                      spawns
                                         |
                                         V
                         /usr/libexec/polkit-grant-helper-pam
      
      where
      
       polkit-grant-helper
          is setgid polkit; it links with libdbus and libpolkit.
      
       polkit-grant-helper-pam
          is setuid root; it links only with libpam.
  25 Jul, 2007 (5 commits)
    • fix docs · bc1a540a
      David Zeuthen authored
    • require that policy files also provide a <message> element · e833c740
      David Zeuthen authored
      Declaring an action now requires two textual elements (both of which are
      subject to translation):
      
       description: This is intended to be used in policy editors, for
                    example "Mount internal volumes".
       message:     This is to be used in auth dialogs, for example "System
                    Policy prevents mounting this internal volume".
      
      This is actually needed for security reasons. The idea is that the
      desktop environment can provide infrastructure that Callers
      (e.g. applications) can use to ask the user to authenticate to gain a
      privilege. One such example is PolicyKit-gnome; it's a D-Bus session
      based service that applications can use to ask the user to
      auth.
      
      Before this change the caller provided the markup, e.g. gnome-mount
      would do
      
       action = "hal-storage-mount-fixed";
       markup = _("System policy prevents mounting internal drives");
       result = org.gnome.PolicyKit.ShowDialog (action, markup);
      
      and the problem here is that any application in the session can spoof
      the dialog by providing false information and getting the user to click
      through on that.
      
      With this change, where the org.gnome.PolicyKit auth service reads the
      message from a system-controlled file, this can't happen. What the
      user sees really reflects the action he's asking to consider allowing
      to happen.
      
      Especially with things like XACE (previously known as SEX) this is
      important as we can make the process providing the D-Bus service
      org.gnome.PolicyKit run in a dedicated security context, audit it to
      make sure it's secure. Then have the window manager paint trust window
      decorations or other things to make the user feel fuzzy, warm and
      safe.
      
      Btw, with this change the PolicyKit-gnome API will be simplified to
      
       action = "hal-storage-mount-fixed";
       result = org.gnome.PolicyKit.ShowDialog (action);
      
      which is just about as simple as it can get.
      
      Credit goes to Ryan Lortie <desrt@desrt.ca> for pointing this out
      on #gnome-hackers earlier this morning.
    • fix typo · 4a9a4e18
      David Zeuthen authored
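The spoofing problem and its fix, as an added illustration rather than PolicyKit's own code: the "before" API takes caller-supplied text, the "after" API takes only an action id and looks the message up in a policy file that also refuses actions lacking a <message>. The XML layout, the constructed policy text and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy text. The <action id>/<description>/<message> layout
# is an assumption modelled on the two elements the commit requires, not a copy
# of a real PolicyKit policy file.
GOOD_POLICY = """<policyconfig>
  <action id="hal-storage-mount-fixed">
    <description>Mount internal volumes</description>
    <message>System Policy prevents mounting this internal volume</message>
  </action>
</policyconfig>"""

# Same layout, but the action declares only a description (must be rejected).
BAD_POLICY = """<policyconfig>
  <action id="hal-storage-mount-fixed">
    <description>Mount internal volumes</description>
  </action>
</policyconfig>"""


class PolicyError(ValueError):
    """Raised when a policy file does not declare both required elements."""


def load_policy(xml_text):
    """Parse a policy file; every <action> must carry <description> and <message>."""
    actions = {}
    for node in ET.fromstring(xml_text).findall("action"):
        action_id = node.get("id")
        description = (node.findtext("description") or "").strip()
        message = (node.findtext("message") or "").strip()
        if not action_id or not description or not message:
            raise PolicyError("action %r needs both <description> and <message>" % action_id)
        actions[action_id] = {"description": description, "message": message}
    return actions


def show_dialog_before(action, markup):
    # Old API: the caller supplies the text, so any session app can show
    # misleading text for a real action id and get the user to click through.
    return "[%s] %s" % (action, markup)


def show_dialog_after(actions, action):
    # New API: the caller names only the action; the text shown comes from the
    # system-controlled policy file and is the same for every caller.
    if action not in actions:
        raise PolicyError("unknown action %r" % action)
    return "[%s] %s" % (action, actions[action]["message"])
```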
    • change default username · e54dc440
      David Zeuthen authored
      - change user from 'polkit' to 'polkituser'
      - create directories in /var from polkit instead of polkit-grant
  12 Jul, 2007 (2 commits)
    • replace configuration reload mechanism · b22ebaba
      David Zeuthen authored
      Instead of asking the user of libpolkit to provide a huge file
      monitoring abstraction we simply ask for a simple interface for
      watching file descriptors and use inotify (on Linux) to watch a file,
      /var/lib/PolicyKit/reload. We provide a new tool,
      polkit-reload-config, that simply touches this file.
    • remove the notion of modules · 608e8745
      David Zeuthen authored