author | Michael Olbrich <m.olbrich@pengutronix.de> | 2010-07-20 09:55:36 +0200 |
---|---|---|
committer | Michael Olbrich <m.olbrich@pengutronix.de> | 2010-07-20 09:55:36 +0200 |
commit | 4c8f5b703e1d7376e704e674f800d003a770bce4 (patch) | |
tree | cb6bd2841fb223fb68be91e2a93cf52ac982ee4b /patches | |
parent | d0cbad19bf770a5f448088b353de3a1babac8ca8 (diff) | |
[polkit] use patch from upstream git and add more bugfixes
Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
Diffstat (limited to 'patches')
-rw-r--r-- | patches/polkit-0.96/0001-Bug-26982-pkexec-information-disclosure-vulnerabilit.patch | 68 | ||||
-rw-r--r-- | patches/polkit-0.96/0002-Add-shadow-support.patch (renamed from patches/polkit-0.96/polkit-shadow.diff) | 282 | ||||
-rw-r--r-- | patches/polkit-0.96/0003-Bug-29051-Configuration-reload-on-every-query.patch | 45 | ||||
-rw-r--r-- | patches/polkit-0.96/series | 4 |
4 files changed, 259 insertions, 140 deletions
diff --git a/patches/polkit-0.96/0001-Bug-26982-pkexec-information-disclosure-vulnerabilit.patch b/patches/polkit-0.96/0001-Bug-26982-pkexec-information-disclosure-vulnerabilit.patch
new file mode 100644
index 000000000..3c8efb61b
--- /dev/null
+++ b/patches/polkit-0.96/0001-Bug-26982-pkexec-information-disclosure-vulnerabilit.patch
@@ -0,0 +1,68 @@
+From 14bdfd816512a82b1ad258fa143ae5faa945df8a Mon Sep 17 00:00:00 2001
+From: Dan Rosenberg <dan.j.rosenberg@gmail.com>
+Date: Wed, 10 Mar 2010 12:46:19 -0500
+Subject: [PATCH 1/3] =?UTF-8?q?Bug=2026982=20=E2=80=93=20pkexec=20information=20disclosure=20vulnerability?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+pkexec is vulnerable to a minor information disclosure vulnerability
+that allows an attacker to verify whether or not arbitrary files
+exist, violating directory permissions. I reproduced the issue on my
+Karmic installation as follows:
+
+ $ mkdir secret
+ $ sudo chown root:root secret
+ $ sudo chmod 400 secret
+ $ sudo touch secret/hidden
+ $ pkexec /home/drosenbe/secret/hidden
+ (password prompt)
+ $ pkexec /home/drosenbe/secret/doesnotexist
+ Error getting information about /home/drosenbe/secret/doesnotexist: No such
+ file or directory
+
+I've attached my patch for the issue. I replaced the stat() call
+entirely with access() using F_OK, so rather than check that the
+target exists, pkexec now checks if the user has permission to verify
+the existence of the program. There might be another way of doing
+this, such as chdir()'ing to the parent directory of the target and
+calling lstat(), but this seemed like more code than necessary to
+prevent such a minor problem. I see no reason to allow pkexec to
+execute targets that are not accessible to the executing user because
+of directory permissions. This is such a limited use case anyway that
+this doesn't really affect functionality.
+ +http://bugs.freedesktop.org/show_bug.cgi?id=26982 + +Signed-off-by: David Zeuthen <davidz@redhat.com> +--- + src/programs/pkexec.c | 5 ++--- + 1 files changed, 2 insertions(+), 3 deletions(-) + +diff --git a/src/programs/pkexec.c b/src/programs/pkexec.c +index 860e665..17c191e 100644 +--- a/src/programs/pkexec.c ++++ b/src/programs/pkexec.c +@@ -411,7 +411,6 @@ main (int argc, char *argv[]) + gchar *opt_user; + pid_t pid_of_caller; + uid_t uid_of_caller; +- struct stat statbuf; + + ret = 127; + authority = NULL; +@@ -520,9 +519,9 @@ main (int argc, char *argv[]) + g_free (path); + argv[n] = path = s; + } +- if (stat (path, &statbuf) != 0) ++ if (access (path, F_OK) != 0) + { +- g_printerr ("Error getting information about %s: %s\n", path, g_strerror (errno)); ++ g_printerr ("Error accessing %s: %s\n", path, g_strerror (errno)); + goto out; + } + command_line = g_strjoinv (" ", argv + n); +-- +1.7.1 + diff --git a/patches/polkit-0.96/polkit-shadow.diff b/patches/polkit-0.96/0002-Add-shadow-support.patch index 3938d1d61..b9119e13f 100644 --- a/patches/polkit-0.96/polkit-shadow.diff +++ b/patches/polkit-0.96/0002-Add-shadow-support.patch @@ -1,40 +1,62 @@ -Subject: /etc/shadow support +From a2edcef54d2ab1a92f729e34dfa0c183b2533c61 Mon Sep 17 00:00:00 2001 
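Review bot: The new `access (path, F_OK)` test in pkexec.c's main() has no comment saying why it must not be turned back into `stat()`: in a setuid program access() resolves the path with the caller's real uid, which is what closes the existence oracle described in the patch message. I would add above it `/* access(), not stat(): evaluated with the real uid, so callers cannot probe paths behind directories they cannot search */`. The test is still only a pre-flight check; the target is resolved again when it is executed later in main(), outside this hunk, so nothing should rely on it as an authorization decision. main() starts and ends outside the hunk.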
From: Andrew Psaltis <ampsaltis@gmail.com> +Date: Mon, 28 Jun 2010 22:04:00 -0400 +Subject: [PATCH 2/3] Add shadow support -This patch is taken from http://bugs.gentoo.org/291116 +Added support for the shadow authentication framework instead of PAM. +Enable it by passing --with-authfw=shadow to configure. -It makes it possible to compile polkit without PAM. +This is done by splitting the polkitagenthelper source into separate +parts, one that does auth with PAM, and another that does auth with +shadow, sharing functions where appropriate. -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> +Also, all PAM-dependendent code in all other files has been #ifdef'd. +The only affected file is src/programs/pkexec.c + +Signed-off-by: David Zeuthen <davidz@redhat.com> +--- + src/polkitagent/Makefile.am | 9 +- + src/polkitagent/polkitagenthelper-pam.c | 264 ++++++++++++++++++++++ + src/polkitagent/polkitagenthelper-shadow.c | 198 ++++++++++++++++ + src/polkitagent/polkitagenthelper.c | 339 ---------------------------- + src/polkitagent/polkitagenthelperprivate.c | 106 +++++++++ + src/polkitagent/polkitagenthelperprivate.h | 45 ++++ + src/programs/pkexec.c | 8 + + 7 files changed, 629 insertions(+), 340 deletions(-) + create mode 100644 src/polkitagent/polkitagenthelper-pam.c + create mode 100644 src/polkitagent/polkitagenthelper-shadow.c + delete mode 100644 src/polkitagent/polkitagenthelper.c + create mode 100644 src/polkitagent/polkitagenthelperprivate.c + create mode 100644 src/polkitagent/polkitagenthelperprivate.h diff --git a/src/polkitagent/Makefile.am b/src/polkitagent/Makefile.am -index 3f38329..e114d01 100644 +index 3f38329..820be4d 100644 --- a/src/polkitagent/Makefile.am 
+++ b/src/polkitagent/Makefile.am -@@ -68,8 +68,15 @@ libpolkit_agent_1_la_LDFLAGS = -export-symbols-regex '(^polkit_.*)' +@@ -68,9 +68,16 @@ libpolkit_agent_1_la_LDFLAGS = -export-symbols-regex '(^polkit_.*)' libexec_PROGRAMS = polkit-agent-helper-1 polkit_agent_helper_1_SOURCES = \ - polkitagenthelper.c \ -- $(NULL) -+ polkitagenthelperprivate.c polkitagenthelperprivate.h -+ ++ polkitagenthelperprivate.c polkitagenthelperprivate.h \ + $(NULL) + +if POLKIT_AUTHFW_PAM +polkit_agent_helper_1_SOURCES += polkitagenthelper-pam.c +endif +if POLKIT_AUTHFW_SHADOW +polkit_agent_helper_1_SOURCES += polkitagenthelper-shadow.c +endif -+polkit_agent_helper_1_SOURCES += $(NULL) - ++ polkit_agent_helper_1_CFLAGS = \ -D_POLKIT_COMPILATION \ + $(GLIB_CFLAGS) \ diff --git a/src/polkitagent/polkitagenthelper-pam.c b/src/polkitagent/polkitagenthelper-pam.c new file mode 100644 -index 0000000..3b649e9 +index 0000000..5e8b54c --- /dev/null +++ b/src/polkitagent/polkitagenthelper-pam.c -@@ -0,0 +1,288 @@ +@@ -0,0 +1,264 @@ +/* + * Copyright (C) 2008, 2010 Red Hat, Inc. + * @@ -57,6 +79,8 @@ index 0000000..3b649e9 + */ + +#include "config.h" ++#include "polkitagenthelperprivate.h" ++ +#include <stdio.h> +#include <stdlib.h> +#include <string.h> @@ -67,31 +91,6 @@ index 0000000..3b649e9 +#include <security/pam_appl.h> + +#include <polkit/polkit.h> -+#include "polkitagenthelperprivate.h" -+ -+#ifdef HAVE_SOLARIS -+# define LOG_AUTHPRIV (10<<3) -+#endif -+ -+#ifndef HAVE_CLEARENV -+extern char **environ; -+ -+static int -+clearenv (void) -+{ -+ if (environ != NULL) -+ environ[0] = NULL; -+ return 0; -+} -+#endif -+ -+/* Development aid: define PAH_DEBUG to get debugging output. Do _NOT_ -+ * enable this in production builds; it may leak passwords and other -+ * sensitive information. -+ */ -+#undef PAH_DEBUG -+// #define PAH_DEBUG -+ + +static int conversation_function (int n, const struct pam_message **msg, struct pam_response **resp, void *data); + 
@@ -109,7 +108,7 @@ index 0000000..3b649e9 + pam_h = NULL; + + /* clear the entire environment to avoid attacks using with libraries honoring environment variables */ -+ if (clearenv () != 0) ++ if (_polkit_clearenv () != 0) + goto error; + + /* set a minimal environment */ @@ -322,13 +321,12 @@ index 0000000..3b649e9 + *resp = NULL; + return PAM_CONV_ERR; +} -+ diff --git a/src/polkitagent/polkitagenthelper-shadow.c b/src/polkitagent/polkitagenthelper-shadow.c new file mode 100644 -index 0000000..1a48e04 +index 0000000..a4f73ac --- /dev/null +++ b/src/polkitagent/polkitagenthelper-shadow.c -@@ -0,0 +1,204 @@ +@@ -0,0 +1,198 @@ +/* + * Copyright (C) 2008 Red Hat, Inc. + * Copyright (C) 2009-2010 Andrew Psaltis <ampsaltis@gmail.com> @@ -354,6 +352,8 @@ index 0000000..1a48e04 + */ + +#include "config.h" ++#include "polkitagenthelperprivate.h" ++ +#include <stdio.h> +#include <stdlib.h> +#include <string.h> @@ -367,21 +367,8 @@ index 0000000..1a48e04 +#include <time.h> + +#include <polkit/polkit.h> -+#include "polkitagenthelperprivate.h" -+ -+#ifdef HAVE_SOLARIS -+# define LOG_AUTHPRIV (10<<3) -+#endif -+ -+/* Development aid: define PAH_DEBUG to get debugging output. Do _NOT_ -+ * enable this in production builds; it may leak passwords and other -+ * sensitive information. -+ */ -+#undef PAH_DEBUG -+//#define PAH_DEBUG + -+extern char *crypt (); -+static int shadow_authenticate(struct spwd *shadow); ++static gboolean shadow_authenticate (struct spwd *shadow); + +int +main (int argc, char *argv[]) @@ -389,11 +376,11 @@ index 0000000..1a48e04 + struct spwd *shadow; + const char *user_to_auth; + const char *cookie; -+ time_t tm; ++ time_t now; + + /* clear the entire environment to avoid attacks with + libraries honoring environment variables */ -+ if (clearenv () != 0) ++ if (_polkit_clearenv () != 0) + goto error; + + /* set a minimal environment */ 
@@ -402,8 +389,8 @@ index 0000000..1a48e04 + /* check that we are setuid root */ + if (geteuid () != 0) + { -+ fprintf (stderr, "polkit-agent-helper-1: needs to be setuid root\n"); -+ goto error; ++ fprintf (stderr, "polkit-agent-helper-1: needs to be setuid root\n"); ++ goto error; + } + + openlog ("polkit-agent-helper-1", LOG_CONS | LOG_PID, LOG_AUTHPRIV); @@ -421,9 +408,9 @@ index 0000000..1a48e04 + /* check we're running with a non-tty stdin */ + if (isatty (STDIN_FILENO) != 0) + { -+ syslog (LOG_NOTICE, "inappropriate use of helper, stdin is a tty [uid=%d]", getuid ()); -+ fprintf (stderr, "polkit-agent-helper-1: inappropriate use of helper, stdin is a tty. This incident has been logged.\n"); -+ goto error; ++ syslog (LOG_NOTICE, "inappropriate use of helper, stdin is a tty [uid=%d]", getuid ()); ++ fprintf (stderr, "polkit-agent-helper-1: inappropriate use of helper, stdin is a tty. This incident has been logged.\n"); ++ goto error; + } + } + 
@@ -434,45 +421,50 @@ index 0000000..1a48e04 + fprintf (stderr, "polkit-agent-helper-1: user to auth is '%s'.\n", user_to_auth); +#endif /* PAH_DEBUG */ + ++ + /* Ask shadow about the user requesting authentication */ -+ if ((shadow = getspnam (user_to_auth)) == NULL) ++ shadow = getspnam (user_to_auth); ++ ++ if (shadow == NULL) + { -+ syslog (LOG_NOTICE, "shadow file data information request for user %s [uid=%d] failed", user_to_auth, getuid()); -+ fprintf(stderr, "polkit-agent-helper-1: could not get shadow information for%.100s", user_to_auth); -+ goto error; ++ syslog (LOG_NOTICE, "shadow file data information request for user '%s' [uid=%d] failed", user_to_auth, getuid ()); ++ fprintf(stderr, "polkit-agent-helper-1: could not get shadow information for '%s'", user_to_auth); ++ goto error; + } -+ ++ + /* Check the user's identity */ -+ if(!shadow_authenticate (shadow)) ++ if (shadow_authenticate (shadow) == FALSE) + { -+ syslog (LOG_NOTICE, "authentication failure [uid=%d] trying to authenticate '%s'", getuid (), user_to_auth); -+ fprintf (stderr, "polkit-agent-helper-1: authentication failure. This incident has been logged.\n"); -+ goto error; ++ syslog (LOG_NOTICE, "authentication failure [uid=%d] trying to authenticate '%s'", getuid (), user_to_auth); ++ fprintf (stderr, "polkit-agent-helper-1: authentication failure. This incident has been logged.\n"); ++ goto error; + } + + /* Check whether the user's password has expired */ -+ time(&tm); -+ if( (shadow->sp_lstchg + shadow->sp_max) * 60 * 60 * 24 >= tm) ++ now = time (NULL); ++ if (shadow->sp_max >= 0 && (shadow->sp_lstchg + shadow->sp_max) * 60 * 60 * 24 <= now) + { -+ syslog (LOG_NOTICE, "password expired for user '%s' [uid=%d] trying to authenticate", user_to_auth, getuid () ); -+ fprintf (stderr, "polkit-agent-helper-1: authorization failure. 
This incident has been logged.\n"); ++ syslog (LOG_NOTICE, "password expired for user '%s' [uid=%d] trying to authenticate", user_to_auth, getuid ()); ++ fprintf (stderr, "polkit-agent-helper-1: authorization failure. This incident has been logged.\n"); ++ goto error; + } + + /* Check whether the user's password has aged (and account expired along + * with it) + */ -+ if( (shadow->sp_lstchg + shadow->sp_max + shadow->sp_inact) * 60 * 60 * 24 >= tm) ++ if (shadow->sp_inact >= 0 && (shadow->sp_lstchg + shadow->sp_max + shadow->sp_inact) * 60 * 60 * 24 <= now) + { -+ syslog (LOG_NOTICE, "password aged for user '%s' [uid=%d] trying to authenticate", user_to_auth, getuid () ); -+ fprintf (stderr, "polkit-agent-helper-1: authorization failure. This incident has been logged.\n"); ++ syslog (LOG_NOTICE, "password aged for user '%s' [uid=%d] trying to authenticate", user_to_auth, getuid ()); ++ fprintf (stderr, "polkit-agent-helper-1: authorization failure. This incident has been logged.\n"); ++ goto error; + } + + /* Check whether the user's account has expired */ -+ if(shadow->sp_expire * 60 * 60 * 24 >= tm) ++ if (shadow->sp_expire >= 0 && shadow->sp_expire * 60 * 60 * 24 <= now) + { -+ syslog (LOG_NOTICE, "account expired for user '%s' [uid=%d] trying to authenticate", user_to_auth, getuid () ); -+ fprintf (stderr, "polkit-agent-helper-1: authorization failure. This incident has been logged.\n"); -+ ++ syslog (LOG_NOTICE, "account expired for user '%s' [uid=%d] trying to authenticate", user_to_auth, getuid ()); ++ fprintf (stderr, "polkit-agent-helper-1: authorization failure. This incident has been logged.\n"); ++ goto error; + } + +#ifdef PAH_DEBUG 
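Review bot: The three expiry tests in the shadow helper's main() convert days to seconds with expressions such as `(shadow->sp_lstchg + shadow->sp_max) * 60 * 60 * 24`, which is evaluated in `long` and overflows on 32-bit targets for large values like the customary `sp_max` of 99999, leaving the outcome of the comparison undefined. Comparing in days avoids the multiplication: `long today = now / (60 * 60 * 24);` followed by `if (shadow->sp_max >= 0 && shadow->sp_lstchg >= 0 && shadow->sp_lstchg + shadow->sp_max <= today)`. The second test also adds `sp_max` without checking that it is non-negative, and none of the tests handles an unset `sp_lstchg` (-1). Separately, `user_to_auth` (presumably taken from the command line; its assignment is outside the hunk) is now written to syslog and stderr with an unbounded `%s` where the old code used `%.100s`, so a length cap would keep those log lines bounded.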
@@ -495,44 +487,44 @@ index 0000000..1a48e04 +#endif /* PAH_DEBUG */ + + fprintf (stdout, "SUCCESS\n"); -+ flush_and_wait(); ++ flush_and_wait (); + return 0; + +error: -+ sleep (2); /* Discourage brute force attackers */ + fprintf (stdout, "FAILURE\n"); -+ flush_and_wait(); ++ flush_and_wait (); + return 1; +} + -+static int -+shadow_authenticate(struct spwd *shadow) ++static gboolean ++shadow_authenticate (struct spwd *shadow) +{ -+ /* Speak PAM to the daemon, thanks to David Zeuthen for the idea. */ -+ char passwd[256]; -+ fprintf(stdout, "PAM_PROMPT_ECHO_OFF password:\n"); -+ //fprintf(stderr, "PAM_PROMPT_ECHO_OFF password:\n"); -+ fflush(stdout); ++ char passwd[512], *crypt_pass; ++ ++ fprintf (stdout, "PAM_PROMPT_ECHO_OFF password:\n"); ++ fflush (stdout); + usleep (10 * 1000); /* since fflush(3) seems buggy */ + -+ //fprintf(stderr, "Waiting for password...\n"); + if (fgets (passwd, sizeof (passwd), stdin) == NULL) + goto error; -+ //fprintf(stderr, "Got password\n"); + + if (strlen (passwd) > 0 && passwd[strlen (passwd) - 1] == '\n') + passwd[strlen (passwd) - 1] = '\0'; -+ //fprintf(stderr, "Checking password...\n"); ++ ++ /* Use the encrypted password as the salt, according to the crypt(3) man page, ++ * it will perform whatever encryption method is specified in /etc/shadow ++ */ ++ crypt_pass = crypt (passwd, shadow->sp_pwdp); ++ ++ if (crypt_pass == NULL) ++ goto error; ++ + if (strcmp (shadow->sp_pwdp, crypt (passwd, shadow->sp_pwdp)) != 0) + goto error; -+ //fprintf(stderr, "Correct.\n"); + return 1; +error: -+ //fprintf(stderr, "Something failed. :(\n"); + return 0; +} -+ -+//static int shadow_acct_mgmt(shadow diff --git a/src/polkitagent/polkitagenthelper.c b/src/polkitagent/polkitagenthelper.c deleted file mode 100644 index cca86db..0000000 @@ -880,10 +872,10 @@ index cca86db..0000000 -} 
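Review bot: shadow_authenticate() stores the first `crypt()` result in `crypt_pass` and NULL-checks it, but the comparison then calls `crypt()` a second time and hands that unchecked result to `strcmp()`; the compare should use the checked value, `if (strcmp (shadow->sp_pwdp, crypt_pass) != 0)`. The cleartext in `passwd[512]` is also left on the stack on both return paths; wiping it before returning, with a call the compiler cannot elide such as `explicit_bzero()` where available, limits its lifetime in a setuid-root process. The function is now declared `gboolean` but still returns `1`/`0`; `TRUE`/`FALSE` would match the `== FALSE` test in main(). The error path in main() also no longer has the `sleep (2)`, so failed attempts are not throttled by the helper itself, and it is worth confirming that the caller rate-limits them.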
diff --git a/src/polkitagent/polkitagenthelperprivate.c b/src/polkitagent/polkitagenthelperprivate.c new file mode 100644 -index 0000000..5fa4519 +index 0000000..be495e9 --- /dev/null +++ b/src/polkitagent/polkitagenthelperprivate.c -@@ -0,0 +1,83 @@ +@@ -0,0 +1,106 @@ +/* + * Copyright (C) 2009-2010 Red Hat, Inc. + * @@ -902,12 +894,34 @@ index 0000000..5fa4519 + * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, + * Boston, MA 02110-1301, USA. + * -+ * Authosr: David Zeuthen <davidz@redhat.com>, ++ * Authors: David Zeuthen <davidz@redhat.com>, + * Andrew Psaltis <ampsaltis@gmail.com> + */ + ++#include "config.h" +#include "polkitagenthelperprivate.h" +#include <stdio.h> ++#include <stdlib.h> ++#include <unistd.h> ++ ++#ifndef HAVE_CLEARENV ++extern char **environ; ++ ++int ++_polkit_clearenv (void) ++{ ++ if (environ != NULL) ++ environ[0] = NULL; ++ return 0; ++} ++#else ++int ++_polkit_clearenv (void) ++{ ++ return clearenv (); ++} ++#endif ++ + +gboolean +send_dbus_message (const char *cookie, const char *user) @@ -959,7 +973,8 @@ index 0000000..5fa4519 + +/* fflush(3) stdin and stdout and wait a little bit. + * This replaces the three-line commands at the bottom of -+ * polkit-agent-helper-1's main() function. */ ++ * polkit-agent-helper-1's main() function. ++ */ +void +flush_and_wait () +{ @@ -969,10 +984,10 @@ index 0000000..5fa4519 +} diff --git a/src/polkitagent/polkitagenthelperprivate.h b/src/polkitagent/polkitagenthelperprivate.h new file mode 100644 -index 0000000..7e51440 +index 0000000..7294d46 --- /dev/null +++ b/src/polkitagent/polkitagenthelperprivate.h -@@ -0,0 +1,38 @@ +@@ -0,0 +1,45 @@ +/* + * Copyright (C) 2009-2010 Red Hat, Inc. + * 
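Review bot: `_polkit_clearenv()` is the environment scrub for a setuid-root helper but carries no comment saying what each variant guarantees; the fallback only sets `environ[0] = NULL` and always returns 0, so callers cannot detect a failure there. I would document that above the `#ifndef HAVE_CLEARENV` block, e.g. `/* Empties the environment; the fallback truncates environ in place and cannot fail. */`. As style points, a file-scope name starting with an underscore is reserved to the implementation in C, and `flush_and_wait ()` would be better declared and defined as `flush_and_wait (void)`.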
@@ -997,57 +1012,44 @@ index 0000000..7e51440 +#ifndef __POLKIT_AGENT_HELPER_PRIVATE_H +#define __POLKIT_AGENT_HELPER_PRIVATE_H + ++#define _GNU_SOURCE +#include <polkit/polkit.h> -+ ++ +/* Development aid: define PAH_DEBUG to get debugging output. Do _NOT_ + * enable this in production builds; it may leak passwords and other + * sensitive information. + */ -+//#undef PAH_DEBUG ++#undef PAH_DEBUG +// #define PAH_DEBUG + ++#ifdef HAVE_SOLARIS ++# define LOG_AUTHPRIV (10<<3) ++#endif ++ ++int _polkit_clearenv (void); ++ +gboolean send_dbus_message (const char *cookie, const char *user); + +void flush_and_wait (); + +#endif /* __POLKIT_AGENT_HELPER_PRIVATE_H */ -diff --git a/src/polkitagent/polkitagentsession.c b/src/polkitagent/polkitagentsession.c -index b919e0a..6c5e3e8 100644 ---- a/src/polkitagent/polkitagentsession.c -+++ b/src/polkitagent/polkitagentsession.c -@@ -348,14 +348,16 @@ io_watch_have_data (GIOChannel *channel, - if (strlen (line) > 0 && line[strlen (line) - 1] == '\n') - line[strlen (line) - 1] = '\0'; - -- //g_debug ("Got '%s' from helper", line); -+ g_debug ("Got '%s' from helper", line); - - if (g_str_has_prefix (line, "PAM_PROMPT_ECHO_OFF ")) - { -+ //fprintf(stderr, "Got PAM_PROMPT_ECHO_OFF\n"); - g_signal_emit_by_name (session, "request", line + sizeof "PAM_PROMPT_ECHO_OFF " - 1, FALSE); - } - else if (g_str_has_prefix (line, "PAM_PROMPT_ECHO_ON ")) - { -+ //printf(stderr, "Got PAM_PROMPT_ECHO_ON\n"); - g_signal_emit_by_name (session, "request", line + sizeof "PAM_PROMPT_ECHO_ON " - 1, TRUE); - } - else if (g_str_has_prefix (line, "PAM_ERROR_MSG ")) diff --git a/src/programs/pkexec.c b/src/programs/pkexec.c -index 860e665..b08aa6e 100644 +index 17c191e..b0193f4 100644 --- a/src/programs/pkexec.c 
+++ b/src/programs/pkexec.c -@@ -34,7 +34,9 @@ +@@ -34,7 +34,11 @@ #include <grp.h> #include <pwd.h> #include <errno.h> ++ +#ifdef POLKIT_AUTHFW_PAM #include <security/pam_appl.h> +#endif /* POLKIT_AUTHFW_PAM */ ++ #include <syslog.h> #include <stdarg.h> -@@ -115,6 +117,7 @@ log_message (gint level, +@@ -115,6 +119,7 @@ log_message (gint level, /* ---------------------------------------------------------------------------------------------------- */ @@ -1055,25 +1057,27 @@ index 860e665..b08aa6e 100644 static int pam_conversation_function (int n, const struct pam_message **msg, -@@ -167,6 +170,7 @@ out: +@@ -167,6 +172,7 @@ out: pam_end (pam_h, rc); return ret; } -+#endif /*POLKIT_AUTHFW_PAM*/ ++#endif /* POLKIT_AUTHFW_PAM */ /* ---------------------------------------------------------------------------------------------------- */ -@@ -742,11 +746,12 @@ main (int argc, char *argv[]) +@@ -741,10 +747,12 @@ main (int argc, char *argv[]) * TODO: The question here is whether we should clear the limits before applying them? * As evident above, neither su(1) (and, for that matter, nor sudo(8)) does this. */ -+#ifdef POLKIT_AUTHW_PAM ++#ifdef POLKIT_AUTHFW_PAM if (!open_session (pw->pw_name)) { goto out; } -- +#endif /* POLKIT_AUTHFW_PAM */ + /* become the user */ if (setgroups (0, NULL) != 0) - { +-- +1.7.1 + diff --git a/patches/polkit-0.96/0003-Bug-29051-Configuration-reload-on-every-query.patch b/patches/polkit-0.96/0003-Bug-29051-Configuration-reload-on-every-query.patch new file mode 100644 index 000000000..d9cf8c23b --- /dev/null +++ b/patches/polkit-0.96/0003-Bug-29051-Configuration-reload-on-every-query.patch 
@@ -0,0 +1,45 @@
+From 779c0153fc0bd3c2e302dac1979d17638f054229 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Mr=C3=A1zek?= <peterix@gmail.com>
+Date: Wed, 14 Jul 2010 02:59:12 +0200
+Subject: [PATCH 3/3] =?UTF-8?q?Bug=2029051=20=E2=80=93=20Configuration=20reload=20on=20every=20query?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Set has_data to true after the data is loaded to prevent excessive
+reloading of config files.
+
+Signed-off-by: David Zeuthen <davidz@redhat.com>
+---
+ src/polkitbackend/polkitbackendconfigsource.c | 1 +
+ .../polkitbackendlocalauthorizationstore.c | 2 ++
+ 2 files changed, 3 insertions(+), 0 deletions(-)
+
+diff --git a/src/polkitbackend/polkitbackendconfigsource.c b/src/polkitbackend/polkitbackendconfigsource.c
+index 224d0d0..465da96 100644
+--- a/src/polkitbackend/polkitbackendconfigsource.c
++++ b/src/polkitbackend/polkitbackendconfigsource.c
+@@ -386,6 +386,7 @@ polkit_backend_config_source_ensure (PolkitBackendConfigSource *source)
+ }
+
+ source->priv->key_files = g_list_reverse (source->priv->key_files);
++ source->priv->has_data = TRUE;
+
+ out:
+ g_list_foreach (files, (GFunc) g_object_unref, NULL);
+diff --git a/src/polkitbackend/polkitbackendlocalauthorizationstore.c b/src/polkitbackend/polkitbackendlocalauthorizationstore.c
+index 5d5dc14..b959269 100644
+--- a/src/polkitbackend/polkitbackendlocalauthorizationstore.c
++++ b/src/polkitbackend/polkitbackendlocalauthorizationstore.c
+@@ -641,6 +641,8 @@ polkit_backend_local_authorization_store_ensure (PolkitBackendLocalAuthorization
+ g_free (filename);
+ }
+
++ store->priv->has_data = TRUE;
++
+ out:
+ g_list_foreach (files, (GFunc) g_object_unref, NULL);
+ g_list_free (files);
+--
+1.7.1
+
diff --git a/patches/polkit-0.96/series b/patches/polkit-0.96/series
index d72814876..ee29cd64e 100644
--- a/patches/polkit-0.96/series
+++ b/patches/polkit-0.96/series
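Review bot: Neither hunk shows where `has_data` is cleared again, and with this change the two ensure functions stop re-reading once it is TRUE; if the change-notification path does not reset the flag, edited or removed authorization files would keep being enforced from the stale in-memory copy. It is worth confirming that reset path and recording it in a one-line comment next to each assignment that names the function which clears the flag. In both functions the assignment sits just before `out:`, so a load that jumps to `out:` early appears to be retried on the next query, which looks intended. Both functions start and end outside their hunks.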
@@ -1 +1,3 @@
-polkit-shadow.diff
+0001-Bug-26982-pkexec-information-disclosure-vulnerabilit.patch
+0002-Add-shadow-support.patch
+0003-Bug-29051-Configuration-reload-on-every-query.patch |