Submitted By: Armin K. Date: 2015-06-25 Initial Package Version: 0.112 Upstream Status: Fixed Origin: Upstream Description: Various commits from the upstream repositories, including the fixes for memory leaks and multiple CVEs. --- a/actions/Makefile.in 2015-06-25 15:14:04.776558759 +0200 +++ b/actions/Makefile.in 2015-06-25 15:11:45.747664567 +0200 @@ -212,6 +212,8 @@ LIBJS_LIBS = @LIBJS_LIBS@ LIBOBJS = @LIBOBJS@ LIBS = @LIBS@ +LIBSYSTEMD_CFLAGS = @LIBSYSTEMD_CFLAGS@ +LIBSYSTEMD_LIBS = @LIBSYSTEMD_LIBS@ LIBSYSTEMD_LOGIN_CFLAGS = @LIBSYSTEMD_LOGIN_CFLAGS@ LIBSYSTEMD_LOGIN_LIBS = @LIBSYSTEMD_LOGIN_LIBS@ LIBTOOL = @LIBTOOL@ --- a/config.h.in 2015-06-25 15:14:04.777558780 +0200 +++ b/config.h.in 2015-06-25 15:11:45.747664567 +0200 @@ -27,6 +27,9 @@ /* Define to 1 if you have the header file. */ #undef HAVE_EXPAT_H +/* Define to 1 if you have the `fdatasync' function. */ +#undef HAVE_FDATASYNC + /* Is this a FreeBSD system? */ #undef HAVE_FREEBSD @@ -39,8 +42,8 @@ /* Define if your file defines LC_MESSAGES. */ #undef HAVE_LC_MESSAGES -/* Define to 1 if libsystemd-login is available */ -#undef HAVE_LIBSYSTEMD_LOGIN +/* Define to 1 if libsystemd is available */ +#undef HAVE_LIBSYSTEMD /* Define to 1 if you have the header file. */ #undef HAVE_LOCALE_H @@ -60,6 +63,12 @@ /* "Have pam_vsyslog" */ #undef HAVE_PAM_VSYSLOG +/* Define to 1 if you have the `sd_uid_get_display' function. */ +#undef HAVE_SD_UID_GET_DISPLAY + +/* Define to 1 if setnetgrent has return value */ +#undef HAVE_SETNETGRENT_RETURN + /* Is this a Solaris system? */ #undef HAVE_SOLARIS --- a/configure 2015-06-25 15:14:04.785558944 +0200 +++ b/configure 2015-06-25 15:11:45.750664630 +0200 @@ -734,10 +734,14 @@ HAVE_SYSTEMD_FALSE HAVE_SYSTEMD_TRUE systemdsystemunitdir -HAVE_LIBSYSTEMD_LOGIN_FALSE -HAVE_LIBSYSTEMD_LOGIN_TRUE +HAVE_LIBSYSTEMD_FALSE +HAVE_LIBSYSTEMD_TRUE LIBSYSTEMD_LOGIN_LIBS LIBSYSTEMD_LOGIN_CFLAGS +LIBSYSTEMD_LIBS +LIBSYSTEMD_CFLAGS +BUILD_TEST_FALSE +BUILD_TEST_TRUE EXPAT_LIBS LIBJS_LIBS LIBJS_CFLAGS @@ -906,6 +910,7 @@ enable_gtk_doc_pdf with_mozjs with_expat +enable_test enable_libsystemd_login with_systemdsystemunitdir with_polkitd_user @@ -936,6 +941,8 @@ GLIB_LIBS LIBJS_CFLAGS LIBJS_LIBS +LIBSYSTEMD_CFLAGS +LIBSYSTEMD_LIBS LIBSYSTEMD_LOGIN_CFLAGS LIBSYSTEMD_LOGIN_LIBS SUID_CFLAGS @@ -1578,8 +1585,9 @@ --enable-gtk-doc use gtk-doc to build documentation [[default=no]] --enable-gtk-doc-html build documentation in html format [[default=yes]] --enable-gtk-doc-pdf build documentation in pdf format [[default=no]] + --disable-test Do not build tests --enable-libsystemd-login=[auto/yes/no] - Use libsystemd-login (auto/yes/no) + Use libsystemd (auto/yes/no) --enable-introspection=[no/auto/yes] Enable introspection for this build --enable-examples Build the example programs @@ -1630,6 +1638,10 @@ LIBJS_CFLAGS C compiler flags for LIBJS, overriding pkg-config LIBJS_LIBS linker flags for LIBJS, overriding pkg-config + LIBSYSTEMD_CFLAGS + C compiler flags for LIBSYSTEMD, overriding pkg-config + LIBSYSTEMD_LIBS + linker flags for LIBSYSTEMD, overriding pkg-config LIBSYSTEMD_LOGIN_CFLAGS C compiler flags for LIBSYSTEMD_LOGIN, overriding pkg-config LIBSYSTEMD_LOGIN_LIBS @@ -13301,12 +13313,12 @@ pkg_cv_GLIB_CFLAGS="$GLIB_CFLAGS" elif test -n "$PKG_CONFIG"; then if test -n "$PKG_CONFIG" && \ - { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"gmodule-2.0 gio-2.0 >= 2.30.0\""; } >&5 - ($PKG_CONFIG --exists --print-errors "gmodule-2.0 gio-2.0 >= 2.30.0") 2>&5 + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"gmodule-2.0 gio-unix-2.0 >= 2.30.0\""; } >&5 + ($PKG_CONFIG --exists --print-errors "gmodule-2.0 gio-unix-2.0 >= 2.30.0") 2>&5 ac_status=$? $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; then - pkg_cv_GLIB_CFLAGS=`$PKG_CONFIG --cflags "gmodule-2.0 gio-2.0 >= 2.30.0" 2>/dev/null` + pkg_cv_GLIB_CFLAGS=`$PKG_CONFIG --cflags "gmodule-2.0 gio-unix-2.0 >= 2.30.0" 2>/dev/null` test "x$?" != "x0" && pkg_failed=yes else pkg_failed=yes @@ -13318,12 +13330,12 @@ pkg_cv_GLIB_LIBS="$GLIB_LIBS" elif test -n "$PKG_CONFIG"; then if test -n "$PKG_CONFIG" && \ - { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"gmodule-2.0 gio-2.0 >= 2.30.0\""; } >&5 - ($PKG_CONFIG --exists --print-errors "gmodule-2.0 gio-2.0 >= 2.30.0") 2>&5 + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"gmodule-2.0 gio-unix-2.0 >= 2.30.0\""; } >&5 + ($PKG_CONFIG --exists --print-errors "gmodule-2.0 gio-unix-2.0 >= 2.30.0") 2>&5 ac_status=$? $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; then - pkg_cv_GLIB_LIBS=`$PKG_CONFIG --libs "gmodule-2.0 gio-2.0 >= 2.30.0" 2>/dev/null` + pkg_cv_GLIB_LIBS=`$PKG_CONFIG --libs "gmodule-2.0 gio-unix-2.0 >= 2.30.0" 2>/dev/null` test "x$?" != "x0" && pkg_failed=yes else pkg_failed=yes @@ -13344,14 +13356,14 @@ _pkg_short_errors_supported=no fi if test $_pkg_short_errors_supported = yes; then - GLIB_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "gmodule-2.0 gio-2.0 >= 2.30.0" 2>&1` + GLIB_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "gmodule-2.0 gio-unix-2.0 >= 2.30.0" 2>&1` else - GLIB_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "gmodule-2.0 gio-2.0 >= 2.30.0" 2>&1` + GLIB_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "gmodule-2.0 gio-unix-2.0 >= 2.30.0" 2>&1` fi # Put the nasty error message in config.log where it belongs echo "$GLIB_PKG_ERRORS" >&5 - as_fn_error $? "Package requirements (gmodule-2.0 gio-2.0 >= 2.30.0) were not met: + as_fn_error $? "Package requirements (gmodule-2.0 gio-unix-2.0 >= 2.30.0) were not met: $GLIB_PKG_ERRORS @@ -13718,12 +13730,13 @@ -for ac_func in clearenv +for ac_func in clearenv fdatasync do : - ac_fn_c_check_func "$LINENO" "clearenv" "ac_cv_func_clearenv" -if test "x$ac_cv_func_clearenv" = xyes; then : + as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` +ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" +if eval test \"x\$"$as_ac_var"\" = x"yes"; then : cat >>confdefs.h <<_ACEOF -#define HAVE_CLEARENV 1 +#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1 _ACEOF fi @@ -13734,8 +13747,47 @@ LDFLAGS="-Wl,--as-needed $LDFLAGS" fi +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + + #include + #include + +int +main () +{ + + int r = setnetgrent (NULL); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + +$as_echo "#define HAVE_SETNETGRENT_RETURN 1" >>confdefs.h + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + +# Check whether --enable-test was given. +if test "${enable_test+set}" = set; then : + enableval=$enable_test; enable_test=$enableval +else + enable_test=yes +fi -have_libsystemd_login=no + + if test "x$enable_test" = "xyes"; then + BUILD_TEST_TRUE= + BUILD_TEST_FALSE='#' +else + BUILD_TEST_TRUE='#' + BUILD_TEST_FALSE= +fi + + + +have_libsystemd=no SESSION_TRACKING=ConsoleKit # Check whether --enable-libsystemd-login was given. @@ -13748,6 +13800,143 @@ if test "$enable_libsystemd_login" != "no"; then pkg_failed=no +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for LIBSYSTEMD" >&5 +$as_echo_n "checking for LIBSYSTEMD... " >&6; } + +if test -n "$LIBSYSTEMD_CFLAGS"; then + pkg_cv_LIBSYSTEMD_CFLAGS="$LIBSYSTEMD_CFLAGS" + elif test -n "$PKG_CONFIG"; then + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libsystemd\""; } >&5 + ($PKG_CONFIG --exists --print-errors "libsystemd") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_LIBSYSTEMD_CFLAGS=`$PKG_CONFIG --cflags "libsystemd" 2>/dev/null` + test "x$?" != "x0" && pkg_failed=yes +else + pkg_failed=yes +fi + else + pkg_failed=untried +fi +if test -n "$LIBSYSTEMD_LIBS"; then + pkg_cv_LIBSYSTEMD_LIBS="$LIBSYSTEMD_LIBS" + elif test -n "$PKG_CONFIG"; then + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libsystemd\""; } >&5 + ($PKG_CONFIG --exists --print-errors "libsystemd") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_LIBSYSTEMD_LIBS=`$PKG_CONFIG --libs "libsystemd" 2>/dev/null` + test "x$?" != "x0" && pkg_failed=yes +else + pkg_failed=yes +fi + else + pkg_failed=untried +fi + + + +if test $pkg_failed = yes; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + +if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then + _pkg_short_errors_supported=yes +else + _pkg_short_errors_supported=no +fi + if test $_pkg_short_errors_supported = yes; then + LIBSYSTEMD_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "libsystemd" 2>&1` + else + LIBSYSTEMD_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "libsystemd" 2>&1` + fi + # Put the nasty error message in config.log where it belongs + echo "$LIBSYSTEMD_PKG_ERRORS" >&5 + + +pkg_failed=no +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for LIBSYSTEMD_LOGIN" >&5 +$as_echo_n "checking for LIBSYSTEMD_LOGIN... " >&6; } + +if test -n "$LIBSYSTEMD_LOGIN_CFLAGS"; then + pkg_cv_LIBSYSTEMD_LOGIN_CFLAGS="$LIBSYSTEMD_LOGIN_CFLAGS" + elif test -n "$PKG_CONFIG"; then + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libsystemd-login\""; } >&5 + ($PKG_CONFIG --exists --print-errors "libsystemd-login") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_LIBSYSTEMD_LOGIN_CFLAGS=`$PKG_CONFIG --cflags "libsystemd-login" 2>/dev/null` + test "x$?" != "x0" && pkg_failed=yes +else + pkg_failed=yes +fi + else + pkg_failed=untried +fi +if test -n "$LIBSYSTEMD_LOGIN_LIBS"; then + pkg_cv_LIBSYSTEMD_LOGIN_LIBS="$LIBSYSTEMD_LOGIN_LIBS" + elif test -n "$PKG_CONFIG"; then + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libsystemd-login\""; } >&5 + ($PKG_CONFIG --exists --print-errors "libsystemd-login") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_LIBSYSTEMD_LOGIN_LIBS=`$PKG_CONFIG --libs "libsystemd-login" 2>/dev/null` + test "x$?" != "x0" && pkg_failed=yes +else + pkg_failed=yes +fi + else + pkg_failed=untried +fi + + + +if test $pkg_failed = yes; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + +if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then + _pkg_short_errors_supported=yes +else + _pkg_short_errors_supported=no +fi + if test $_pkg_short_errors_supported = yes; then + LIBSYSTEMD_LOGIN_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "libsystemd-login" 2>&1` + else + LIBSYSTEMD_LOGIN_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "libsystemd-login" 2>&1` + fi + # Put the nasty error message in config.log where it belongs + echo "$LIBSYSTEMD_LOGIN_PKG_ERRORS" >&5 + + have_libsystemd=no +elif test $pkg_failed = untried; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + have_libsystemd=no +else + LIBSYSTEMD_LOGIN_CFLAGS=$pkg_cv_LIBSYSTEMD_LOGIN_CFLAGS + LIBSYSTEMD_LOGIN_LIBS=$pkg_cv_LIBSYSTEMD_LOGIN_LIBS + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + + have_libsystemd=yes + LIBSYSTEMD_CFLAGS="$LIBSYSTEMD_LOGIN_CFLAGS" + LIBSYSTEMD_LIBS="$LIBSYSTEMD_LOGIN_LIBS" + +fi +elif test $pkg_failed = untried; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + +pkg_failed=no { $as_echo "$as_me:${as_lineno-$LINENO}: checking for LIBSYSTEMD_LOGIN" >&5 $as_echo_n "checking for LIBSYSTEMD_LOGIN... " >&6; } @@ -13805,44 +13994,69 @@ # Put the nasty error message in config.log where it belongs echo "$LIBSYSTEMD_LOGIN_PKG_ERRORS" >&5 - have_libsystemd_login=no + have_libsystemd=no elif test $pkg_failed = untried; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } - have_libsystemd_login=no + have_libsystemd=no else LIBSYSTEMD_LOGIN_CFLAGS=$pkg_cv_LIBSYSTEMD_LOGIN_CFLAGS LIBSYSTEMD_LOGIN_LIBS=$pkg_cv_LIBSYSTEMD_LOGIN_LIBS { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 $as_echo "yes" >&6; } - have_libsystemd_login=yes + + have_libsystemd=yes + LIBSYSTEMD_CFLAGS="$LIBSYSTEMD_LOGIN_CFLAGS" + LIBSYSTEMD_LIBS="$LIBSYSTEMD_LOGIN_LIBS" + +fi +else + LIBSYSTEMD_CFLAGS=$pkg_cv_LIBSYSTEMD_CFLAGS + LIBSYSTEMD_LIBS=$pkg_cv_LIBSYSTEMD_LIBS + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + have_libsystemd=yes fi - if test "$have_libsystemd_login" = "yes"; then + if test "$have_libsystemd" = "yes"; then SESSION_TRACKING=libsystemd-login -$as_echo "#define HAVE_LIBSYSTEMD_LOGIN 1" >>confdefs.h +$as_echo "#define HAVE_LIBSYSTEMD 1" >>confdefs.h + save_LIBS=$LIBS + LIBS=$LIBSYSTEMD_LIBS + for ac_func in sd_uid_get_display +do : + ac_fn_c_check_func "$LINENO" "sd_uid_get_display" "ac_cv_func_sd_uid_get_display" +if test "x$ac_cv_func_sd_uid_get_display" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_SD_UID_GET_DISPLAY 1 +_ACEOF + +fi +done + + LIBS=$save_LIBS else if test "$enable_libsystemd_login" = "yes"; then - as_fn_error $? "libsystemd-login support requested but libsystemd-login library not found" "$LINENO" 5 + as_fn_error $? "libsystemd support requested but libsystemd or libsystemd-login library not found" "$LINENO" 5 fi fi fi if test "x$cross_compiling" != "xyes" ; then : - if test "$have_libsystemd_login" = "yes"; then : + if test "$have_libsystemd" = "yes"; then : if test ! -d /sys/fs/cgroup/systemd/ ; then : if test "$enable_libsystemd_login" = "yes"; then : - { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: libsystemd-login requested but system does not appear to be using systemd" >&5 -$as_echo "$as_me: WARNING: libsystemd-login requested but system does not appear to be using systemd" >&2;} + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: libsystemd requested but system does not appear to be using systemd" >&5 +$as_echo "$as_me: WARNING: libsystemd requested but system does not appear to be using systemd" >&2;} else - as_fn_error $? "libsystemd-login autoconfigured, but system does not appear to use systemd" "$LINENO" 5 + as_fn_error $? "libsystemd autoconfigured, but system does not appear to use systemd" "$LINENO" 5 fi @@ -13859,7 +14073,7 @@ else - as_fn_error $? "ConsoleKit autoconfigured, but systemd is in use (missing libsystemd-login pkg-config?)" "$LINENO" 5 + as_fn_error $? "ConsoleKit autoconfigured, but systemd is in use (missing libsystemd or libsystemd-login pkg-config?)" "$LINENO" 5 fi @@ -13871,12 +14085,12 @@ - if test "$have_libsystemd_login" = "yes"; then - HAVE_LIBSYSTEMD_LOGIN_TRUE= - HAVE_LIBSYSTEMD_LOGIN_FALSE='#' + if test "$have_libsystemd" = "yes"; then + HAVE_LIBSYSTEMD_TRUE= + HAVE_LIBSYSTEMD_FALSE='#' else - HAVE_LIBSYSTEMD_LOGIN_TRUE='#' - HAVE_LIBSYSTEMD_LOGIN_FALSE= + HAVE_LIBSYSTEMD_TRUE='#' + HAVE_LIBSYSTEMD_FALSE= fi @@ -16141,8 +16355,12 @@ as_fn_error $? "conditional \"GTK_DOC_USE_REBASE\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi -if test -z "${HAVE_LIBSYSTEMD_LOGIN_TRUE}" && test -z "${HAVE_LIBSYSTEMD_LOGIN_FALSE}"; then - as_fn_error $? "conditional \"HAVE_LIBSYSTEMD_LOGIN\" was never defined. +if test -z "${BUILD_TEST_TRUE}" && test -z "${BUILD_TEST_FALSE}"; then + as_fn_error $? "conditional \"BUILD_TEST\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi +if test -z "${HAVE_LIBSYSTEMD_TRUE}" && test -z "${HAVE_LIBSYSTEMD_FALSE}"; then + as_fn_error $? "conditional \"HAVE_LIBSYSTEMD\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi if test -z "${HAVE_SYSTEMD_TRUE}" && test -z "${HAVE_SYSTEMD_FALSE}"; then --- a/configure.ac 2015-06-25 15:14:04.786558965 +0200 +++ b/configure.ac 2015-06-25 15:11:45.750664630 +0200 @@ -121,7 +121,7 @@ changequote([,])dnl fi -PKG_CHECK_MODULES(GLIB, [gmodule-2.0 gio-2.0 >= 2.30.0]) +PKG_CHECK_MODULES(GLIB, [gmodule-2.0 gio-unix-2.0 >= 2.30.0]) AC_SUBST(GLIB_CFLAGS) AC_SUBST(GLIB_LIBS) AC_DEFINE([GLIB_VERSION_MIN_REQUIRED], [GLIB_VERSION_2_30], @@ -158,45 +158,76 @@ [AC_MSG_ERROR([Can't find expat library. Please install expat.])]) AC_SUBST(EXPAT_LIBS) -AC_CHECK_FUNCS(clearenv) +AC_CHECK_FUNCS(clearenv fdatasync) if test "x$GCC" = "xyes"; then LDFLAGS="-Wl,--as-needed $LDFLAGS" fi dnl --------------------------------------------------------------------------- +dnl - Check whether setnetgrent has a return value +dnl --------------------------------------------------------------------------- +AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ + #include + #include +]], [[ + int r = setnetgrent (NULL);]])], +[AC_DEFINE([HAVE_SETNETGRENT_RETURN], 1, [Define to 1 if setnetgrent has return value])]) + +dnl --------------------------------------------------------------------------- +dnl - Check whether we want to build test +dnl --------------------------------------------------------------------------- +AC_ARG_ENABLE([test], + [AS_HELP_STRING([--disable-test], [Do not build tests])], + [enable_test=$enableval], [enable_test=yes]) + +AM_CONDITIONAL(BUILD_TEST, [test "x$enable_test" = "xyes"]) + +dnl --------------------------------------------------------------------------- dnl - Select wether to use libsystemd-login or ConsoleKit for session tracking dnl --------------------------------------------------------------------------- -have_libsystemd_login=no +have_libsystemd=no SESSION_TRACKING=ConsoleKit AC_ARG_ENABLE([libsystemd-login], - AS_HELP_STRING([--enable-libsystemd-login[=@<:@auto/yes/no@:>@]], [Use libsystemd-login (auto/yes/no)]), + [AS_HELP_STRING([--enable-libsystemd-login[=@<:@auto/yes/no@:>@]], [Use libsystemd (auto/yes/no)])], [enable_libsystemd_login=$enableval], [enable_libsystemd_login=auto]) if test "$enable_libsystemd_login" != "no"; then - PKG_CHECK_MODULES(LIBSYSTEMD_LOGIN, - [libsystemd-login], - have_libsystemd_login=yes, - have_libsystemd_login=no) - if test "$have_libsystemd_login" = "yes"; then + PKG_CHECK_MODULES([LIBSYSTEMD], + [libsystemd], + [have_libsystemd=yes], + dnl if libsystemd is not available, fall back to the older libsystemd-login + [PKG_CHECK_MODULES([LIBSYSTEMD_LOGIN], + [libsystemd-login], + [ + have_libsystemd=yes + LIBSYSTEMD_CFLAGS="$LIBSYSTEMD_LOGIN_CFLAGS" + LIBSYSTEMD_LIBS="$LIBSYSTEMD_LOGIN_LIBS" + ], + [have_libsystemd=no])]) + if test "$have_libsystemd" = "yes"; then SESSION_TRACKING=libsystemd-login - AC_DEFINE([HAVE_LIBSYSTEMD_LOGIN], 1, [Define to 1 if libsystemd-login is available]) + AC_DEFINE([HAVE_LIBSYSTEMD], 1, [Define to 1 if libsystemd is available]) + save_LIBS=$LIBS + LIBS=$LIBSYSTEMD_LIBS + AC_CHECK_FUNCS(sd_uid_get_display) + LIBS=$save_LIBS else if test "$enable_libsystemd_login" = "yes"; then - AC_MSG_ERROR([libsystemd-login support requested but libsystemd-login library not found]) + AC_MSG_ERROR([libsystemd support requested but libsystemd or libsystemd-login library not found]) fi fi fi AS_IF([test "x$cross_compiling" != "xyes" ], [ - AS_IF([test "$have_libsystemd_login" = "yes"], [ + AS_IF([test "$have_libsystemd" = "yes"], [ AS_IF([test ! -d /sys/fs/cgroup/systemd/ ], [ AS_IF([test "$enable_libsystemd_login" = "yes"], [ - AC_MSG_WARN([libsystemd-login requested but system does not appear to be using systemd]) + AC_MSG_WARN([libsystemd requested but system does not appear to be using systemd]) ], [ - AC_MSG_ERROR([libsystemd-login autoconfigured, but system does not appear to use systemd]) + AC_MSG_ERROR([libsystemd autoconfigured, but system does not appear to use systemd]) ]) ]) ], [ @@ -204,15 +235,15 @@ AS_IF([test "$enable_libsystemd_login" = "no" ], [ AC_MSG_WARN([ConsoleKit requested but system appears to use systemd]) ], [ - AC_MSG_ERROR([ConsoleKit autoconfigured, but systemd is in use (missing libsystemd-login pkg-config?)]) + AC_MSG_ERROR([ConsoleKit autoconfigured, but systemd is in use (missing libsystemd or libsystemd-login pkg-config?)]) ]) ]) ]) ]) -AC_SUBST(LIBSYSTEMD_LOGIN_CFLAGS) -AC_SUBST(LIBSYSTEMD_LOGIN_LIBS) -AM_CONDITIONAL(HAVE_LIBSYSTEMD_LOGIN, [test "$have_libsystemd_login" = "yes"], [Using libsystemd-login]) +AC_SUBST(LIBSYSTEMD_CFLAGS) +AC_SUBST(LIBSYSTEMD_LIBS) +AM_CONDITIONAL(HAVE_LIBSYSTEMD, [test "$have_libsystemd" = "yes"], [Using libsystemd]) dnl --------------------------------------------------------------------------- dnl - systemd unit / service files --- a/data/Makefile.in 2015-06-25 15:14:04.787558986 +0200 +++ b/data/Makefile.in 2015-06-25 15:11:45.750664630 +0200 @@ -216,6 +216,8 @@ LIBJS_LIBS = @LIBJS_LIBS@ LIBOBJS = @LIBOBJS@ LIBS = @LIBS@ +LIBSYSTEMD_CFLAGS = @LIBSYSTEMD_CFLAGS@ +LIBSYSTEMD_LIBS = @LIBSYSTEMD_LIBS@ LIBSYSTEMD_LOGIN_CFLAGS = @LIBSYSTEMD_LOGIN_CFLAGS@ LIBSYSTEMD_LOGIN_LIBS = @LIBSYSTEMD_LOGIN_LIBS@ LIBTOOL = @LIBTOOL@ --- a/docs/Makefile.in 2015-06-25 15:14:04.789559027 +0200 +++ b/docs/Makefile.in 2015-06-25 15:11:45.750664630 +0200 @@ -242,6 +242,8 @@ LIBJS_LIBS = @LIBJS_LIBS@ LIBOBJS = @LIBOBJS@ LIBS = @LIBS@ +LIBSYSTEMD_CFLAGS = @LIBSYSTEMD_CFLAGS@ +LIBSYSTEMD_LIBS = @LIBSYSTEMD_LIBS@ LIBSYSTEMD_LOGIN_CFLAGS = @LIBSYSTEMD_LOGIN_CFLAGS@ LIBSYSTEMD_LOGIN_LIBS = @LIBSYSTEMD_LOGIN_LIBS@ LIBTOOL = @LIBTOOL@ --- a/docs/man/Makefile.in 2015-06-25 15:14:04.789559027 +0200 +++ b/docs/man/Makefile.in 2015-06-25 15:11:45.751664651 +0200 @@ -213,6 +213,8 @@ LIBJS_LIBS = @LIBJS_LIBS@ LIBOBJS = @LIBOBJS@ LIBS = @LIBS@ +LIBSYSTEMD_CFLAGS = @LIBSYSTEMD_CFLAGS@ +LIBSYSTEMD_LIBS = @LIBSYSTEMD_LIBS@ LIBSYSTEMD_LOGIN_CFLAGS = @LIBSYSTEMD_LOGIN_CFLAGS@ LIBSYSTEMD_LOGIN_LIBS = @LIBSYSTEMD_LOGIN_LIBS@ LIBTOOL = @LIBTOOL@ --- a/docs/man/pkexec.xml 2015-06-25 15:14:04.790559047 +0200 +++ b/docs/man/pkexec.xml 2015-06-25 15:11:45.751664651 +0200 @@ -47,11 +47,12 @@ DESCRIPTION - pkexec allows an authorized user to - execute PROGRAM as another - user. If username is not specified, - then the program will be executed as the administrative super - user, root. + pkexec allows an authorized user to execute + PROGRAM as another user. If + PROGRAM is not specified, the default + shell will be run. If username is + not specified, then the program will be executed as the + administrative super user, root. --- a/docs/polkit/Makefile.am 2015-06-25 15:14:04.809559438 +0200 +++ b/docs/polkit/Makefile.am 2015-06-25 15:11:45.751664651 +0200 @@ -30,7 +30,7 @@ # CFLAGS and LDFLAGS for compiling scan program. Only needed # if $(DOC_MODULE).types is non-empty. -INCLUDES = \ +AM_CPPFLAGS = \ $(GLIB_CFLAGS) \ -I$(top_srcdir)/src/polkit \ -I$(top_builddir)/src/polkit \ --- a/docs/polkit/Makefile.in 2015-06-25 15:14:04.810559459 +0200 +++ b/docs/polkit/Makefile.in 2015-06-25 15:13:20.027635003 +0200 @@ -188,6 +188,8 @@ LIBJS_LIBS = @LIBJS_LIBS@ LIBOBJS = @LIBOBJS@ LIBS = @LIBS@ +LIBSYSTEMD_CFLAGS = @LIBSYSTEMD_CFLAGS@ +LIBSYSTEMD_LIBS = @LIBSYSTEMD_LIBS@ LIBSYSTEMD_LOGIN_CFLAGS = @LIBSYSTEMD_LOGIN_CFLAGS@ LIBSYSTEMD_LOGIN_LIBS = @LIBSYSTEMD_LOGIN_LIBS@ LIBTOOL = @LIBTOOL@ @@ -332,7 +334,7 @@ # CFLAGS and LDFLAGS for compiling scan program. Only needed # if $(DOC_MODULE).types is non-empty. -INCLUDES = \ +AM_CPPFLAGS = \ $(GLIB_CFLAGS) \ -I$(top_srcdir)/src/polkit \ -I$(top_builddir)/src/polkit \ @@ -595,10 +597,11 @@ @echo "This command is intended for maintainers to use" @echo "it deletes files that may require special tools to rebuild." @ENABLE_GTK_DOC_FALSE@uninstall-local: +@ENABLE_GTK_DOC_FALSE@maintainer-clean-local: @ENABLE_GTK_DOC_FALSE@distclean-local: @ENABLE_GTK_DOC_FALSE@install-data-local: -@ENABLE_GTK_DOC_FALSE@maintainer-clean-local: @ENABLE_GTK_DOC_FALSE@clean-local: + clean: clean-am clean-am: clean-generic clean-libtool clean-local mostlyclean-am --- a/Makefile.am 2015-06-25 15:14:04.818559623 +0200 +++ b/Makefile.am 2015-06-25 15:11:45.751664651 +0200 @@ -1,6 +1,10 @@ ## Process this file with automake to produce Makefile.in -SUBDIRS = actions data src docs po test +SUBDIRS = actions data src docs po + +if BUILD_TEST +SUBDIRS += test +endif NULL = --- a/Makefile.in 2015-06-25 15:14:04.818559623 +0200 +++ b/Makefile.in 2015-06-25 15:12:20.955404507 +0200 @@ -77,6 +77,7 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ +@BUILD_TEST_TRUE@am__append_1 = test subdir = . DIST_COMMON = INSTALL NEWS README AUTHORS ChangeLog \ $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ @@ -149,7 +150,7 @@ ETAGS = etags CTAGS = ctags CSCOPE = cscope -DIST_SUBDIRS = $(SUBDIRS) +DIST_SUBDIRS = actions data src docs po test DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) distdir = $(PACKAGE)-$(VERSION) top_distdir = $(distdir) @@ -265,6 +266,8 @@ LIBJS_LIBS = @LIBJS_LIBS@ LIBOBJS = @LIBOBJS@ LIBS = @LIBS@ +LIBSYSTEMD_CFLAGS = @LIBSYSTEMD_CFLAGS@ +LIBSYSTEMD_LIBS = @LIBSYSTEMD_LIBS@ LIBSYSTEMD_LOGIN_CFLAGS = @LIBSYSTEMD_LOGIN_CFLAGS@ LIBSYSTEMD_LOGIN_LIBS = @LIBSYSTEMD_LOGIN_LIBS@ LIBTOOL = @LIBTOOL@ @@ -378,7 +381,7 @@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ -SUBDIRS = actions data src docs po test +SUBDIRS = actions data src docs po $(am__append_1) NULL = EXTRA_DIST = \ HACKING \ --- a/src/examples/Makefile.am 2015-06-25 15:14:04.820559664 +0200 +++ b/src/examples/Makefile.am 2015-06-25 15:11:45.752664672 +0200 @@ -1,7 +1,7 @@ NULL = -INCLUDES = \ +AM_CPPFLAGS = \ -I$(top_builddir)/src \ -I$(top_srcdir)/src \ -DPACKAGE_LIBEXEC_DIR=\""$(libexecdir)"\" \ --- a/src/examples/Makefile.in 2015-06-25 15:14:04.821559685 +0200 +++ b/src/examples/Makefile.in 2015-06-25 15:11:45.752664672 +0200 @@ -279,6 +279,8 @@ LIBJS_LIBS = @LIBJS_LIBS@ LIBOBJS = @LIBOBJS@ LIBS = @LIBS@ +LIBSYSTEMD_CFLAGS = @LIBSYSTEMD_CFLAGS@ +LIBSYSTEMD_LIBS = @LIBSYSTEMD_LIBS@ LIBSYSTEMD_LOGIN_CFLAGS = @LIBSYSTEMD_LOGIN_CFLAGS@ LIBSYSTEMD_LOGIN_LIBS = @LIBSYSTEMD_LOGIN_LIBS@ LIBTOOL = @LIBTOOL@ @@ -393,7 +395,7 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ NULL = -INCLUDES = \ +AM_CPPFLAGS = \ -I$(top_builddir)/src \ -I$(top_srcdir)/src \ -DPACKAGE_LIBEXEC_DIR=\""$(libexecdir)"\" \ --- a/src/Makefile.in 2015-06-25 15:14:04.821559685 +0200 +++ b/src/Makefile.in 2015-06-25 15:11:45.752664672 +0200 @@ -242,6 +242,8 @@ LIBJS_LIBS = @LIBJS_LIBS@ LIBOBJS = @LIBOBJS@ LIBS = @LIBS@ +LIBSYSTEMD_CFLAGS = @LIBSYSTEMD_CFLAGS@ +LIBSYSTEMD_LIBS = @LIBSYSTEMD_LIBS@ LIBSYSTEMD_LOGIN_CFLAGS = @LIBSYSTEMD_LOGIN_CFLAGS@ LIBSYSTEMD_LOGIN_LIBS = @LIBSYSTEMD_LOGIN_LIBS@ LIBTOOL = @LIBTOOL@ --- a/src/polkit/Makefile.am 2015-06-25 15:14:04.822559705 +0200 +++ b/src/polkit/Makefile.am 2015-06-25 15:11:45.752664672 +0200 @@ -1,6 +1,6 @@ NULL = -INCLUDES = \ +AM_CPPFLAGS = \ -I$(top_builddir)/src \ -I$(top_srcdir)/src \ -DPACKAGE_LIBEXEC_DIR=\""$(libexecdir)"\" \ @@ -81,7 +81,7 @@ polkitpermission.c polkitpermission.h \ $(NULL) -if HAVE_LIBSYSTEMD_LOGIN +if HAVE_LIBSYSTEMD libpolkit_gobject_1_la_SOURCES += \ polkitunixsession-systemd.c polkitunixsession.h else @@ -92,12 +92,12 @@ libpolkit_gobject_1_la_CFLAGS = \ -D_POLKIT_COMPILATION \ $(GLIB_CFLAGS) \ - $(LIBSYSTEMD_LOGIN_CFLAGS) \ + $(LIBSYSTEMD_CFLAGS) \ $(NULL) libpolkit_gobject_1_la_LIBADD = \ $(GLIB_LIBS) \ - $(LIBSYSTEMD_LOGIN_LIBS) \ + $(LIBSYSTEMD_LIBS) \ $(NULL) libpolkit_gobject_1_la_LDFLAGS = -export-symbols-regex '(^polkit_.*)' --- a/src/polkit/Makefile.in 2015-06-25 15:14:04.822559705 +0200 +++ b/src/polkit/Makefile.in 2015-06-25 15:11:45.753664693 +0200 @@ -80,11 +80,11 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ -@HAVE_LIBSYSTEMD_LOGIN_TRUE@am__append_1 = \ -@HAVE_LIBSYSTEMD_LOGIN_TRUE@ polkitunixsession-systemd.c polkitunixsession.h +@HAVE_LIBSYSTEMD_TRUE@am__append_1 = \ +@HAVE_LIBSYSTEMD_TRUE@ polkitunixsession-systemd.c polkitunixsession.h -@HAVE_LIBSYSTEMD_LOGIN_FALSE@am__append_2 = \ -@HAVE_LIBSYSTEMD_LOGIN_FALSE@ polkitunixsession.c polkitunixsession.h +@HAVE_LIBSYSTEMD_FALSE@am__append_2 = \ +@HAVE_LIBSYSTEMD_FALSE@ polkitunixsession.c polkitunixsession.h subdir = src/polkit DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ @@ -151,8 +151,8 @@ am__objects_1 = am__objects_2 = libpolkit_gobject_1_la-polkitenumtypes.lo \ $(am__objects_1) -@HAVE_LIBSYSTEMD_LOGIN_TRUE@am__objects_3 = libpolkit_gobject_1_la-polkitunixsession-systemd.lo -@HAVE_LIBSYSTEMD_LOGIN_FALSE@am__objects_4 = libpolkit_gobject_1_la-polkitunixsession.lo +@HAVE_LIBSYSTEMD_TRUE@am__objects_3 = libpolkit_gobject_1_la-polkitunixsession-systemd.lo +@HAVE_LIBSYSTEMD_FALSE@am__objects_4 = libpolkit_gobject_1_la-polkitunixsession.lo am_libpolkit_gobject_1_la_OBJECTS = $(am__objects_2) \ libpolkit_gobject_1_la-polkitactiondescription.lo \ libpolkit_gobject_1_la-polkitauthorityfeatures.lo \ @@ -317,6 +317,8 @@ LIBJS_LIBS = @LIBJS_LIBS@ LIBOBJS = @LIBOBJS@ LIBS = @LIBS@ +LIBSYSTEMD_CFLAGS = @LIBSYSTEMD_CFLAGS@ +LIBSYSTEMD_LIBS = @LIBSYSTEMD_LIBS@ LIBSYSTEMD_LOGIN_CFLAGS = @LIBSYSTEMD_LOGIN_CFLAGS@ LIBSYSTEMD_LOGIN_LIBS = @LIBSYSTEMD_LOGIN_LIBS@ LIBTOOL = @LIBTOOL@ @@ -431,7 +433,7 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ NULL = -INCLUDES = \ +AM_CPPFLAGS = \ -I$(top_builddir)/src \ -I$(top_srcdir)/src \ -DPACKAGE_LIBEXEC_DIR=\""$(libexecdir)"\" \ @@ -495,12 +497,12 @@ libpolkit_gobject_1_la_CFLAGS = \ -D_POLKIT_COMPILATION \ $(GLIB_CFLAGS) \ - $(LIBSYSTEMD_LOGIN_CFLAGS) \ + $(LIBSYSTEMD_CFLAGS) \ $(NULL) libpolkit_gobject_1_la_LIBADD = \ $(GLIB_LIBS) \ - $(LIBSYSTEMD_LOGIN_LIBS) \ + $(LIBSYSTEMD_LIBS) \ $(NULL) libpolkit_gobject_1_la_LDFLAGS = -export-symbols-regex '(^polkit_.*)' --- a/src/polkit/polkitauthority.c 2015-06-25 15:14:04.824559747 +0200 +++ b/src/polkit/polkitauthority.c 2015-06-25 15:11:45.753664693 +0200 @@ -715,7 +715,6 @@ while ((child = g_variant_iter_next_value (&iter)) != NULL) { ret = g_list_prepend (ret, polkit_action_description_new_for_gvariant (child)); - g_variant_ref_sink (child); g_variant_unref (child); } ret = g_list_reverse (ret); --- a/src/polkit/polkitpermission.c 2015-06-25 15:14:04.827559808 +0200 +++ b/src/polkit/polkitpermission.c 2015-06-25 15:11:45.753664693 +0200 @@ -122,7 +122,7 @@ PolkitPermission *permission = POLKIT_PERMISSION (object); if (permission->subject == NULL) - permission->subject = polkit_unix_process_new (getpid ()); + permission->subject = polkit_unix_process_new_for_owner (getpid (), 0, getuid ()); if (G_OBJECT_CLASS (polkit_permission_parent_class)->constructed != NULL) G_OBJECT_CLASS (polkit_permission_parent_class)->constructed (object); --- a/src/polkit/polkitsubject.c 2015-06-25 15:14:04.827559808 +0200 +++ b/src/polkit/polkitsubject.c 2015-06-25 15:11:45.754664714 +0200 @@ -247,11 +247,15 @@ } else if (sscanf (str, "unix-process:%d:%" G_GUINT64_FORMAT, &scanned_pid, &scanned_starttime) == 2) { + G_GNUC_BEGIN_IGNORE_DEPRECATIONS subject = polkit_unix_process_new_full (scanned_pid, scanned_starttime); + G_GNUC_END_IGNORE_DEPRECATIONS } else if (sscanf (str, "unix-process:%d", &scanned_pid) == 1) { + G_GNUC_BEGIN_IGNORE_DEPRECATIONS subject = polkit_unix_process_new (scanned_pid); + G_GNUC_END_IGNORE_DEPRECATIONS if (polkit_unix_process_get_start_time (POLKIT_UNIX_PROCESS (subject)) == 0) { g_object_unref (subject); @@ -424,7 +428,7 @@ start_time = g_variant_get_uint64 (v); g_variant_unref (v); - v = lookup_asv (details_gvariant, "uid", G_VARIANT_TYPE_INT32, error); + v = lookup_asv (details_gvariant, "uid", G_VARIANT_TYPE_INT32, NULL); if (v != NULL) { uid = g_variant_get_int32 (v); --- a/src/polkit/polkitsystembusname.c 2015-06-25 15:14:04.828559829 +0200 +++ b/src/polkit/polkitsystembusname.c 2015-06-25 15:11:45.754664714 +0200 @@ -25,6 +25,7 @@ #include #include "polkitsystembusname.h" +#include "polkitunixuser.h" #include "polkitsubject.h" #include "polkitprivate.h" @@ -340,6 +341,116 @@ /* ---------------------------------------------------------------------------------------------------- */ +typedef struct { + GError **error; + guint retrieved_uid : 1; + guint retrieved_pid : 1; + guint caught_error : 1; + + guint32 uid; + guint32 pid; +} AsyncGetBusNameCredsData; + +static void +on_retrieved_unix_uid_pid (GObject *src, + GAsyncResult *res, + gpointer user_data) +{ + AsyncGetBusNameCredsData *data = user_data; + GVariant *v; + + v = g_dbus_connection_call_finish ((GDBusConnection*)src, res, + data->caught_error ? NULL : data->error); + if (!v) + { + data->caught_error = TRUE; + } + else + { + guint32 value; + g_variant_get (v, "(u)", &value); + g_variant_unref (v); + if (!data->retrieved_uid) + { + data->retrieved_uid = TRUE; + data->uid = value; + } + else + { + g_assert (!data->retrieved_pid); + data->retrieved_pid = TRUE; + data->pid = value; + } + } +} + +static gboolean +polkit_system_bus_name_get_creds_sync (PolkitSystemBusName *system_bus_name, + guint32 *out_uid, + guint32 *out_pid, + GCancellable *cancellable, + GError **error) +{ + gboolean ret = FALSE; + AsyncGetBusNameCredsData data = { 0, }; + GDBusConnection *connection = NULL; + GMainContext *tmp_context = NULL; + + connection = g_bus_get_sync (G_BUS_TYPE_SYSTEM, cancellable, error); + if (connection == NULL) + goto out; + + data.error = error; + + tmp_context = g_main_context_new (); + g_main_context_push_thread_default (tmp_context); + + /* Do two async calls as it's basically as fast as one sync call. + */ + g_dbus_connection_call (connection, + "org.freedesktop.DBus", /* name */ + "/org/freedesktop/DBus", /* object path */ + "org.freedesktop.DBus", /* interface name */ + "GetConnectionUnixUser", /* method */ + g_variant_new ("(s)", system_bus_name->name), + G_VARIANT_TYPE ("(u)"), + G_DBUS_CALL_FLAGS_NONE, + -1, + cancellable, + on_retrieved_unix_uid_pid, + &data); + g_dbus_connection_call (connection, + "org.freedesktop.DBus", /* name */ + "/org/freedesktop/DBus", /* object path */ + "org.freedesktop.DBus", /* interface name */ + "GetConnectionUnixProcessID", /* method */ + g_variant_new ("(s)", system_bus_name->name), + G_VARIANT_TYPE ("(u)"), + G_DBUS_CALL_FLAGS_NONE, + -1, + cancellable, + on_retrieved_unix_uid_pid, + &data); + + while (!((data.retrieved_uid && data.retrieved_pid) || data.caught_error)) + g_main_context_iteration (tmp_context, TRUE); + + if (out_uid) + *out_uid = data.uid; + if (out_pid) + *out_pid = data.pid; + ret = TRUE; + out: + if (tmp_context) + { + g_main_context_pop_thread_default (tmp_context); + g_main_context_unref (tmp_context); + } + if (connection != NULL) + g_object_unref (connection); + return ret; +} + /** * polkit_system_bus_name_get_process_sync: * @system_bus_name: A #PolkitSystemBusName. @@ -356,43 +467,53 @@ GCancellable *cancellable, GError **error) { - GDBusConnection *connection; - PolkitSubject *ret; - GVariant *result; + PolkitSubject *ret = NULL; guint32 pid; + guint32 uid; g_return_val_if_fail (POLKIT_IS_SYSTEM_BUS_NAME (system_bus_name), NULL); g_return_val_if_fail (cancellable == NULL || G_IS_CANCELLABLE (cancellable), NULL); g_return_val_if_fail (error == NULL || *error == NULL, NULL); - ret = NULL; - - connection = g_bus_get_sync (G_BUS_TYPE_SYSTEM, cancellable, error); - if (connection == NULL) + if (!polkit_system_bus_name_get_creds_sync (system_bus_name, &uid, &pid, + cancellable, error)) goto out; - result = g_dbus_connection_call_sync (connection, - "org.freedesktop.DBus", /* name */ - "/org/freedesktop/DBus", /* object path */ - "org.freedesktop.DBus", /* interface name */ - "GetConnectionUnixProcessID", /* method */ - g_variant_new ("(s)", system_bus_name->name), - G_VARIANT_TYPE ("(u)"), - G_DBUS_CALL_FLAGS_NONE, - -1, - cancellable, - error); - if (result == NULL) - goto out; + ret = polkit_unix_process_new_for_owner (pid, 0, uid); - g_variant_get (result, "(u)", &pid); - g_variant_unref (result); + out: + return ret; +} + +/** + * polkit_system_bus_name_get_user_sync: + * @system_bus_name: A #PolkitSystemBusName. + * @cancellable: (allow-none): A #GCancellable or %NULL. + * @error: (allow-none): Return location for error or %NULL. + * + * Synchronously gets a #PolkitUnixUser object for @system_bus_name; + * the calling thread is blocked until a reply is received. + * + * Returns: (allow-none) (transfer full): A #PolkitUnixUser object or %NULL if @error is set. + **/ +PolkitUnixUser * +polkit_system_bus_name_get_user_sync (PolkitSystemBusName *system_bus_name, + GCancellable *cancellable, + GError **error) +{ + PolkitUnixUser *ret = NULL; + guint32 uid; - ret = polkit_unix_process_new (pid); + g_return_val_if_fail (POLKIT_IS_SYSTEM_BUS_NAME (system_bus_name), NULL); + g_return_val_if_fail (cancellable == NULL || G_IS_CANCELLABLE (cancellable), NULL); + g_return_val_if_fail (error == NULL || *error == NULL, NULL); + + if (!polkit_system_bus_name_get_creds_sync (system_bus_name, &uid, NULL, + cancellable, error)) + goto out; + + ret = (PolkitUnixUser*)polkit_unix_user_new (uid); out: - if (connection != NULL) - g_object_unref (connection); return ret; } - --- a/src/polkit/polkitsystembusname.h 2015-06-25 15:14:04.828559829 +0200 +++ b/src/polkit/polkitsystembusname.h 2015-06-25 15:11:45.754664714 +0200 @@ -56,6 +56,10 @@ GCancellable *cancellable, GError **error); +PolkitUnixUser * polkit_system_bus_name_get_user_sync (PolkitSystemBusName *system_bus_name, + GCancellable *cancellable, + GError **error); + G_END_DECLS #endif /* __POLKIT_SYSTEM_BUS_NAME_H */ --- a/src/polkitagent/Makefile.am 2015-06-25 15:14:04.831559891 +0200 +++ b/src/polkitagent/Makefile.am 2015-06-25 15:11:45.754664714 +0200 @@ -1,6 +1,6 @@ NULL = -INCLUDES = \ +AM_CPPFLAGS = \ -I$(top_builddir)/src \ -I$(top_srcdir)/src \ -I$(top_builddir)/src/polkit \ --- a/src/polkitagent/Makefile.in 2015-06-25 15:14:04.831559891 +0200 +++ b/src/polkitagent/Makefile.in 2015-06-25 15:11:45.754664714 +0200 @@ -304,6 +304,8 @@ LIBJS_LIBS = @LIBJS_LIBS@ LIBOBJS = @LIBOBJS@ LIBS = @LIBS@ +LIBSYSTEMD_CFLAGS = @LIBSYSTEMD_CFLAGS@ +LIBSYSTEMD_LIBS = @LIBSYSTEMD_LIBS@ LIBSYSTEMD_LOGIN_CFLAGS = @LIBSYSTEMD_LOGIN_CFLAGS@ LIBSYSTEMD_LOGIN_LIBS = @LIBSYSTEMD_LOGIN_LIBS@ LIBTOOL = @LIBTOOL@ @@ -418,7 +420,7 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ NULL = -INCLUDES = \ +AM_CPPFLAGS = \ -I$(top_builddir)/src \ -I$(top_srcdir)/src \ -I$(top_builddir)/src/polkit \ --- a/src/polkitagent/polkitagenthelper-pam.c 2015-06-25 15:14:04.832559911 +0200 +++ b/src/polkitagent/polkitagenthelper-pam.c 2015-06-25 15:11:45.755664735 +0200 @@ -65,7 +65,7 @@ { int rc; const char *user_to_auth; - const char *cookie; + char *cookie = NULL; struct pam_conv pam_conversation; pam_handle_t *pam_h; const void *authed_user; @@ -97,7 +97,7 @@ openlog ("polkit-agent-helper-1", LOG_CONS | LOG_PID, LOG_AUTHPRIV); /* check for correct invocation */ - if (argc != 3) + if (!(argc == 2 || argc == 3)) { syslog (LOG_NOTICE, "inappropriate use of helper, wrong number of arguments [uid=%d]", getuid ()); fprintf (stderr, "polkit-agent-helper-1: wrong number of arguments. This incident has been logged.\n"); @@ -105,7 +105,10 @@ } user_to_auth = argv[1]; - cookie = argv[2]; + + cookie = read_cookie (argc, argv); + if (!cookie) + goto error; if (getuid () != 0) { @@ -203,6 +206,8 @@ goto error; } + free (cookie); + #ifdef PAH_DEBUG fprintf (stderr, "polkit-agent-helper-1: successfully sent D-Bus message to PolicyKit daemon\n"); #endif /* PAH_DEBUG */ @@ -212,6 +217,7 @@ return 0; error: + free (cookie); if (pam_h != NULL) pam_end (pam_h, rc); @@ -230,7 +236,7 @@ gchar *tmp = NULL; size_t len; - data = data; + (void)data; if (n <= 0 || n > PAM_MAX_NUM_MSG) return PAM_CONV_ERR; --- a/src/polkitagent/polkitagenthelperprivate.c 2015-06-25 15:14:04.832559911 +0200 +++ b/src/polkitagent/polkitagenthelperprivate.c 2015-06-25 15:11:45.755664735 +0200 @@ -23,6 +23,7 @@ #include "config.h" #include "polkitagenthelperprivate.h" #include +#include #include #include @@ -45,6 +46,38 @@ #endif +char * +read_cookie (int argc, char **argv) +{ + /* As part of CVE-2015-4625, we started passing the cookie + * on standard input, to ensure it's not visible to other + * processes. However, to ensure that things continue + * to work if the setuid binary is upgraded while old + * agents are still running (this will be common with + * package managers), we support both modes. + */ + if (argc == 3) + return strdup (argv[2]); + else + { + char *ret = NULL; + size_t n = 0; + ssize_t r = getline (&ret, &n, stdin); + if (r == -1) + { + if (!feof (stdin)) + perror ("getline"); + free (ret); + return NULL; + } + else + { + g_strchomp (ret); + return ret; + } + } +} + gboolean send_dbus_message (const char *cookie, const char *user) { @@ -103,7 +136,12 @@ { fflush (stdout); fflush (stderr); +#ifdef HAVE_FDATASYNC fdatasync (fileno(stdout)); fdatasync (fileno(stderr)); +#else + fsync (fileno(stdout)); + fsync (fileno(stderr)); +#endif usleep (100 * 1000); } --- a/src/polkitagent/polkitagenthelperprivate.h 2015-06-25 15:14:04.832559911 +0200 +++ b/src/polkitagent/polkitagenthelperprivate.h 2015-06-25 15:11:45.755664735 +0200 @@ -38,6 +38,8 @@ int _polkit_clearenv (void); +char *read_cookie (int argc, char **argv); + gboolean send_dbus_message (const char *cookie, const char *user); void flush_and_wait (); --- a/src/polkitagent/polkitagenthelper-shadow.c 2015-06-25 15:14:04.832559911 +0200 +++ b/src/polkitagent/polkitagenthelper-shadow.c 2015-06-25 15:11:45.755664735 +0200 @@ -46,7 +46,7 @@ { struct spwd *shadow; const char *user_to_auth; - const char *cookie; + char *cookie = NULL; time_t now; /* clear the entire environment to avoid attacks with @@ -67,7 +67,7 @@ openlog ("polkit-agent-helper-1", LOG_CONS | LOG_PID, LOG_AUTHPRIV); /* check for correct invocation */ - if (argc != 3) + if (!(argc == 2 || argc == 3)) { syslog (LOG_NOTICE, "inappropriate use of helper, wrong number of arguments [uid=%d]", getuid ()); fprintf (stderr, "polkit-agent-helper-1: wrong number of arguments. This incident has been logged.\n"); @@ -86,7 +86,10 @@ } user_to_auth = argv[1]; - cookie = argv[2]; + + cookie = read_cookie (argc, argv); + if (!cookie) + goto error; #ifdef PAH_DEBUG fprintf (stderr, "polkit-agent-helper-1: user to auth is '%s'.\n", user_to_auth); @@ -153,6 +156,8 @@ goto error; } + free (cookie); + #ifdef PAH_DEBUG fprintf (stderr, "polkit-agent-helper-1: successfully sent D-Bus message to PolicyKit daemon\n"); #endif /* PAH_DEBUG */ @@ -162,6 +167,7 @@ return 0; error: + free (cookie); fprintf (stdout, "FAILURE\n"); flush_and_wait (); return 1; --- a/src/polkitagent/polkitagentsession.c 2015-06-25 15:14:04.833559932 +0200 +++ b/src/polkitagent/polkitagentsession.c 2015-06-25 15:11:45.755664735 +0200 @@ -55,6 +55,7 @@ #include #include #include +#include #include #include "polkitagentmarshal.h" @@ -88,11 +89,10 @@ gchar *cookie; PolkitIdentity *identity; - int child_stdin; + GOutputStream *child_stdin; int child_stdout; GPid child_pid; - GSource *child_watch_source; GSource *child_stdout_watch_source; GIOChannel *child_stdout_channel; @@ -130,7 +130,6 @@ static void polkit_agent_session_init (PolkitAgentSession *session) { - session->child_stdin = -1; session->child_stdout = -1; } @@ -377,13 +376,6 @@ session->child_pid = 0; } - if (session->child_watch_source != NULL) - { - g_source_destroy (session->child_watch_source); - g_source_unref (session->child_watch_source); - session->child_watch_source = NULL; - } - if (session->child_stdout_watch_source != NULL) { g_source_destroy (session->child_stdout_watch_source); @@ -403,11 +395,7 @@ session->child_stdout = -1; } - if (session->child_stdin != -1) - { - g_warn_if_fail (close (session->child_stdin) == 0); - session->child_stdin = -1; - } + g_clear_object (&session->child_stdin); session->helper_is_running = FALSE; @@ -429,26 +417,6 @@ } } -static void -child_watch_func (GPid pid, - gint status, - gpointer user_data) -{ - PolkitAgentSession *session = POLKIT_AGENT_SESSION (user_data); - - if (G_UNLIKELY (_show_debug ())) - { - g_print ("PolkitAgentSession: in child_watch_func for pid %d (WIFEXITED=%d WEXITSTATUS=%d)\n", - (gint) pid, - WIFEXITED(status), - WEXITSTATUS(status)); - } - - /* kill all the watches we have set up, except for the child since it has exited already */ - session->child_pid = 0; - complete_session (session, FALSE); -} - static gboolean io_watch_have_data (GIOChannel *channel, GIOCondition condition, @@ -475,10 +443,13 @@ NULL, NULL, &error); - if (error != NULL) + if (error != NULL || line == NULL) { - g_warning ("Error reading line from helper: %s", error->message); - g_error_free (error); + /* In case we get just G_IO_HUP, line is NULL but error is + unset.*/ + g_warning ("Error reading line from helper: %s", + error ? error->message : "nothing to read"); + g_clear_error (&error); complete_session (session, FALSE); goto out; @@ -540,6 +511,9 @@ g_free (line); g_free (unescaped); + if (condition & (G_IO_ERR | G_IO_HUP)) + complete_session (session, FALSE); + /* keep the IOChannel around */ return TRUE; } @@ -567,9 +541,9 @@ add_newline = (response[response_len] != '\n'); - write (session->child_stdin, response, response_len); + (void) g_output_stream_write_all (session->child_stdin, response, response_len, NULL, NULL, NULL); if (add_newline) - write (session->child_stdin, newline, 1); + (void) g_output_stream_write_all (session->child_stdin, newline, 1, NULL, NULL, NULL); } /** @@ -589,8 +563,9 @@ { uid_t uid; GError *error; - gchar *helper_argv[4]; + gchar *helper_argv[3]; struct passwd *passwd; + int stdin_fd = -1; g_return_if_fail (POLKIT_AGENT_IS_SESSION (session)); @@ -622,10 +597,8 @@ helper_argv[0] = PACKAGE_PREFIX "/lib/polkit-1/polkit-agent-helper-1"; helper_argv[1] = passwd->pw_name; - helper_argv[2] = session->cookie; - helper_argv[3] = NULL; + helper_argv[2] = NULL; - session->child_stdin = -1; session->child_stdout = -1; error = NULL; @@ -637,7 +610,7 @@ NULL, NULL, &session->child_pid, - &session->child_stdin, + &stdin_fd, &session->child_stdout, NULL, &error)) @@ -650,12 +623,16 @@ if (G_UNLIKELY (_show_debug ())) g_print ("PolkitAgentSession: spawned helper with pid %d\n", (gint) session->child_pid); - session->child_watch_source = g_child_watch_source_new (session->child_pid); - g_source_set_callback (session->child_watch_source, (GSourceFunc) child_watch_func, session, NULL); - g_source_attach (session->child_watch_source, g_main_context_get_thread_default ()); + session->child_stdin = (GOutputStream*)g_unix_output_stream_new (stdin_fd, TRUE); + + /* Write the cookie on stdin so it can't be seen by other processes */ + (void) g_output_stream_write_all (session->child_stdin, session->cookie, strlen (session->cookie), + NULL, NULL, NULL); + (void) g_output_stream_write_all (session->child_stdin, "\n", 1, NULL, NULL, NULL); session->child_stdout_channel = g_io_channel_unix_new (session->child_stdout); - session->child_stdout_watch_source = g_io_create_watch (session->child_stdout_channel, G_IO_IN); + session->child_stdout_watch_source = g_io_create_watch (session->child_stdout_channel, + G_IO_IN | G_IO_ERR | G_IO_HUP); g_source_set_callback (session->child_stdout_watch_source, (GSourceFunc) io_watch_have_data, session, NULL); g_source_attach (session->child_stdout_watch_source, g_main_context_get_thread_default ()); --- a/src/polkitagent/polkitagenttextlistener.c 2015-06-25 15:14:04.834559952 +0200 +++ b/src/polkitagent/polkitagenttextlistener.c 2015-06-25 15:11:45.755664735 +0200 @@ -546,12 +546,10 @@ GAsyncResult *res, GError **error) { - PolkitAgentTextListener *listener = POLKIT_AGENT_TEXT_LISTENER (_listener); gboolean ret; g_warn_if_fail (g_simple_async_result_get_source_tag (G_SIMPLE_ASYNC_RESULT (res)) == polkit_agent_text_listener_initiate_authentication); - g_assert (listener->active_session == NULL); ret = FALSE; --- a/src/polkitbackend/Makefile.am 2015-06-25 15:14:04.835559973 +0200 +++ b/src/polkitbackend/Makefile.am 2015-06-25 15:11:45.756664756 +0200 @@ -2,7 +2,7 @@ BUILT_SOURCES = -INCLUDES = \ +AM_CPPFLAGS = \ -I$(top_builddir)/src \ -I$(top_srcdir)/src \ -I$(top_builddir)/src/polkit \ @@ -38,7 +38,7 @@ polkitbackendactionlookup.h polkitbackendactionlookup.c \ $(NULL) -if HAVE_LIBSYSTEMD_LOGIN +if HAVE_LIBSYSTEMD libpolkit_backend_1_la_SOURCES += \ polkitbackendsessionmonitor.h polkitbackendsessionmonitor-systemd.c else @@ -50,13 +50,13 @@ -D_POLKIT_COMPILATION \ -D_POLKIT_BACKEND_COMPILATION \ $(GLIB_CFLAGS) \ - $(LIBSYSTEMD_LOGIN_CFLAGS) \ + $(LIBSYSTEMD_CFLAGS) \ $(LIBJS_CFLAGS) \ $(NULL) libpolkit_backend_1_la_LIBADD = \ $(GLIB_LIBS) \ - $(LIBSYSTEMD_LOGIN_LIBS) \ + $(LIBSYSTEMD_LIBS) \ $(top_builddir)/src/polkit/libpolkit-gobject-1.la \ $(EXPAT_LIBS) \ $(LIBJS_LIBS) \ --- a/src/polkitbackend/Makefile.in 2015-06-25 15:14:04.835559973 +0200 +++ b/src/polkitbackend/Makefile.in 2015-06-25 15:11:45.756664756 +0200 @@ -80,11 +80,11 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ -@HAVE_LIBSYSTEMD_LOGIN_TRUE@am__append_1 = \ -@HAVE_LIBSYSTEMD_LOGIN_TRUE@ polkitbackendsessionmonitor.h polkitbackendsessionmonitor-systemd.c +@HAVE_LIBSYSTEMD_TRUE@am__append_1 = \ +@HAVE_LIBSYSTEMD_TRUE@ polkitbackendsessionmonitor.h polkitbackendsessionmonitor-systemd.c -@HAVE_LIBSYSTEMD_LOGIN_FALSE@am__append_2 = \ -@HAVE_LIBSYSTEMD_LOGIN_FALSE@ polkitbackendsessionmonitor.h polkitbackendsessionmonitor.c +@HAVE_LIBSYSTEMD_FALSE@am__append_2 = \ +@HAVE_LIBSYSTEMD_FALSE@ polkitbackendsessionmonitor.h polkitbackendsessionmonitor.c libpriv_PROGRAMS = polkitd$(EXEEXT) subdir = src/polkitbackend @@ -117,8 +117,8 @@ polkitbackendsessionmonitor-systemd.c \ polkitbackendsessionmonitor.c am__objects_1 = -@HAVE_LIBSYSTEMD_LOGIN_TRUE@am__objects_2 = libpolkit_backend_1_la-polkitbackendsessionmonitor-systemd.lo -@HAVE_LIBSYSTEMD_LOGIN_FALSE@am__objects_3 = libpolkit_backend_1_la-polkitbackendsessionmonitor.lo +@HAVE_LIBSYSTEMD_TRUE@am__objects_2 = libpolkit_backend_1_la-polkitbackendsessionmonitor-systemd.lo +@HAVE_LIBSYSTEMD_FALSE@am__objects_3 = libpolkit_backend_1_la-polkitbackendsessionmonitor.lo am_libpolkit_backend_1_la_OBJECTS = $(am__objects_1) \ libpolkit_backend_1_la-polkitbackendauthority.lo \ libpolkit_backend_1_la-polkitbackendinteractiveauthority.lo \ @@ -309,6 +309,8 @@ LIBJS_LIBS = @LIBJS_LIBS@ LIBOBJS = @LIBOBJS@ LIBS = @LIBS@ +LIBSYSTEMD_CFLAGS = @LIBSYSTEMD_CFLAGS@ +LIBSYSTEMD_LIBS = @LIBSYSTEMD_LIBS@ LIBSYSTEMD_LOGIN_CFLAGS = @LIBSYSTEMD_LOGIN_CFLAGS@ LIBSYSTEMD_LOGIN_LIBS = @LIBSYSTEMD_LOGIN_LIBS@ LIBTOOL = @LIBTOOL@ @@ -424,7 +426,7 @@ top_srcdir = @top_srcdir@ NULL = BUILT_SOURCES = initjs.h -INCLUDES = \ +AM_CPPFLAGS = \ -I$(top_builddir)/src \ -I$(top_srcdir)/src \ -I$(top_builddir)/src/polkit \ @@ -455,13 +457,13 @@ -D_POLKIT_COMPILATION \ -D_POLKIT_BACKEND_COMPILATION \ $(GLIB_CFLAGS) \ - $(LIBSYSTEMD_LOGIN_CFLAGS) \ + $(LIBSYSTEMD_CFLAGS) \ $(LIBJS_CFLAGS) \ $(NULL) libpolkit_backend_1_la_LIBADD = \ $(GLIB_LIBS) \ - $(LIBSYSTEMD_LOGIN_LIBS) \ + $(LIBSYSTEMD_LIBS) \ $(top_builddir)/src/polkit/libpolkit-gobject-1.la \ $(EXPAT_LIBS) \ $(LIBJS_LIBS) \ --- a/src/polkitbackend/polkitbackendinteractiveauthority.c 2015-06-25 15:14:04.840560076 +0200 +++ b/src/polkitbackend/polkitbackendinteractiveauthority.c 2015-06-25 15:11:45.757664777 +0200 @@ -214,6 +214,8 @@ GDBusConnection *system_bus_connection; guint name_owner_changed_signal_id; + + guint64 agent_serial; } PolkitBackendInteractiveAuthorityPrivate; /* ---------------------------------------------------------------------------------------------------- */ @@ -224,6 +226,14 @@ #define POLKIT_BACKEND_INTERACTIVE_AUTHORITY_GET_PRIVATE(o) (G_TYPE_INSTANCE_GET_PRIVATE ((o), POLKIT_BACKEND_TYPE_INTERACTIVE_AUTHORITY, PolkitBackendInteractiveAuthorityPrivate)) +static gboolean +identity_is_root_user (PolkitIdentity *user) +{ + if (!POLKIT_IS_UNIX_USER (user)) + return FALSE; + return polkit_unix_user_get_uid (POLKIT_UNIX_USER (user)) == 0; +} + /* ---------------------------------------------------------------------------------------------------- */ static void @@ -278,10 +288,9 @@ PolkitBackendInteractiveAuthorityPrivate *priv; GFile *directory; GError *error; - static volatile GQuark domain = 0; /* Force registering error domain */ - domain = POLKIT_ERROR; domain; + (void)POLKIT_ERROR; priv = POLKIT_BACKEND_INTERACTIVE_AUTHORITY_GET_PRIVATE (authority); @@ -432,11 +441,15 @@ volatile gint ref_count; PolkitSubject *scope; + guint64 serial; gchar *locale; GVariant *registration_options; gchar *object_path; gchar *unique_system_bus_name; + GRand *cookie_pool; + gchar *cookie_prefix; + guint64 cookie_serial; GDBusProxy *proxy; @@ -559,7 +572,11 @@ user_of_subject = polkit_backend_session_monitor_get_user_for_subject (priv->session_monitor, subject, NULL); subject_str = polkit_subject_to_string (subject); - user_of_subject_str = polkit_identity_to_string (user_of_subject); + + if (user_of_subject != NULL) + user_of_subject_str = polkit_identity_to_string (user_of_subject); + else + user_of_subject_str = g_strdup (""); caller_str = polkit_subject_to_string (caller); subject_cmdline = _polkit_subject_get_cmdline (subject); @@ -764,7 +781,7 @@ guint n; /* uid 0 may check anything */ - if (POLKIT_IS_UNIX_USER (identity) && polkit_unix_user_get_uid (POLKIT_UNIX_USER (identity)) == 0) + if (identity_is_root_user (identity)) { ret = TRUE; goto out; @@ -1092,7 +1109,7 @@ goto out; /* special case: uid 0, root, is _always_ authorized for anything */ - if (POLKIT_IS_UNIX_USER (user_of_subject) && polkit_unix_user_get_uid (POLKIT_UNIX_USER (user_of_subject)) == 0) + if (identity_is_root_user (user_of_subject)) { result = polkit_authorization_result_new (TRUE, FALSE, NULL); goto out; @@ -1416,9 +1433,54 @@ authentication_session_cancel (session); } +/* We're not calling this a UUID, but it's basically + * the same thing, just not formatted that way because: + * + * - I'm too lazy to do it + * - If we did, people might think it was actually + * generated from /dev/random, which we're not doing + * because this value doesn't actually need to be + * globally unique. + */ +static void +append_rand_u128_str (GString *buf, + GRand *pool) +{ + g_string_append_printf (buf, "%08x%08x%08x%08x", + g_rand_int (pool), + g_rand_int (pool), + g_rand_int (pool), + g_rand_int (pool)); +} + +/* A value that should be unique to the (AuthenticationAgent, AuthenticationSession) + * pair, and not guessable by other agents. + * + * - - - + * + * See http://lists.freedesktop.org/archives/polkit-devel/2015-June/000425.html + * + */ +static gchar * +authentication_agent_generate_cookie (AuthenticationAgent *agent) +{ + GString *buf = g_string_new (""); + + g_string_append (buf, agent->cookie_prefix); + + g_string_append_c (buf, '-'); + agent->cookie_serial++; + g_string_append_printf (buf, "%" G_GUINT64_FORMAT, + agent->cookie_serial); + g_string_append_c (buf, '-'); + append_rand_u128_str (buf, agent->cookie_pool); + + return g_string_free (buf, FALSE); +} + + static AuthenticationSession * authentication_session_new (AuthenticationAgent *agent, - const gchar *cookie, PolkitSubject *subject, PolkitIdentity *user_of_subject, PolkitSubject *caller, @@ -1436,7 +1498,7 @@ session = g_new0 (AuthenticationSession, 1); session->agent = authentication_agent_ref (agent); - session->cookie = g_strdup (cookie); + session->cookie = authentication_agent_generate_cookie (agent); session->subject = g_object_ref (subject); session->user_of_subject = g_object_ref (user_of_subject); session->caller = g_object_ref (caller); @@ -1485,16 +1547,6 @@ g_free (session); } -static gchar * -authentication_agent_new_cookie (AuthenticationAgent *agent) -{ - static gint counter = 0; - - /* TODO: use a more random-looking cookie */ - - return g_strdup_printf ("cookie%d", counter++); -} - static PolkitSubject * authentication_agent_get_scope (AuthenticationAgent *agent) { @@ -1542,45 +1594,74 @@ g_free (agent->unique_system_bus_name); if (agent->registration_options != NULL) g_variant_unref (agent->registration_options); + g_rand_free (agent->cookie_pool); + g_free (agent->cookie_prefix); g_free (agent); } } static AuthenticationAgent * -authentication_agent_new (PolkitSubject *scope, +authentication_agent_new (guint64 serial, + PolkitSubject *scope, const gchar *unique_system_bus_name, const gchar *locale, const gchar *object_path, - GVariant *registration_options) + GVariant *registration_options, + GError **error) { AuthenticationAgent *agent; - GError *error; + GDBusProxy *proxy; - agent = g_new0 (AuthenticationAgent, 1); + if (!g_variant_is_object_path (object_path)) + { + g_set_error (error, POLKIT_ERROR, POLKIT_ERROR_FAILED, + "Invalid object path '%s'", object_path); + return NULL; + } + + proxy = g_dbus_proxy_new_for_bus_sync (G_BUS_TYPE_SYSTEM, + G_DBUS_PROXY_FLAGS_DO_NOT_LOAD_PROPERTIES | + G_DBUS_PROXY_FLAGS_DO_NOT_CONNECT_SIGNALS, + NULL, /* GDBusInterfaceInfo* */ + unique_system_bus_name, + object_path, + "org.freedesktop.PolicyKit1.AuthenticationAgent", + NULL, /* GCancellable* */ + error); + if (proxy == NULL) + { + g_prefix_error (error, "Failed to construct proxy for agent: " ); + return NULL; + } + agent = g_new0 (AuthenticationAgent, 1); agent->ref_count = 1; + agent->serial = serial; agent->scope = g_object_ref (scope); agent->object_path = g_strdup (object_path); agent->unique_system_bus_name = g_strdup (unique_system_bus_name); agent->locale = g_strdup (locale); agent->registration_options = registration_options != NULL ? g_variant_ref (registration_options) : NULL; + agent->proxy = proxy; - error = NULL; - agent->proxy = g_dbus_proxy_new_for_bus_sync (G_BUS_TYPE_SYSTEM, - G_DBUS_PROXY_FLAGS_DO_NOT_LOAD_PROPERTIES | - G_DBUS_PROXY_FLAGS_DO_NOT_CONNECT_SIGNALS, - NULL, /* GDBusInterfaceInfo* */ - agent->unique_system_bus_name, - agent->object_path, - "org.freedesktop.PolicyKit1.AuthenticationAgent", - NULL, /* GCancellable* */ - &error); - if (agent->proxy == NULL) - { - g_warning ("Error constructing proxy for agent: %s", error->message); - g_error_free (error); - /* TODO: Make authentication_agent_new() return NULL and set a GError */ - } + { + GString *cookie_prefix = g_string_new (""); + GRand *agent_private_rand = g_rand_new (); + + g_string_append_printf (cookie_prefix, "%" G_GUINT64_FORMAT "-", agent->serial); + + /* Use a uniquely seeded PRNG to get a prefix cookie for this agent, + * whose sequence will not correlate with the per-authentication session + * cookies. + */ + append_rand_u128_str (cookie_prefix, agent_private_rand); + g_rand_free (agent_private_rand); + + agent->cookie_prefix = g_string_free (cookie_prefix, FALSE); + + /* And a newly seeded pool for per-session cookies */ + agent->cookie_pool = g_rand_new (); + } return agent; } @@ -2113,11 +2194,15 @@ ret = NULL; name = polkit_unix_netgroup_get_name (POLKIT_UNIX_NETGROUP (group)); +#ifdef HAVE_SETNETGRENT_RETURN if (setnetgrent (name) == 0) { g_warning ("Error looking up net group with name %s: %s", name, g_strerror (errno)); goto out; } +#else + setnetgrent (name); +#endif for (;;) { @@ -2172,7 +2257,6 @@ { PolkitBackendInteractiveAuthorityPrivate *priv = POLKIT_BACKEND_INTERACTIVE_AUTHORITY_GET_PRIVATE (authority); AuthenticationSession *session; - gchar *cookie; GList *l; GList *identities; gchar *localized_message; @@ -2194,8 +2278,6 @@ &localized_icon_name, &localized_details); - cookie = authentication_agent_new_cookie (agent); - identities = NULL; /* select admin user if required by the implicit authorization */ @@ -2258,7 +2340,6 @@ user_identities = g_list_prepend (NULL, polkit_unix_user_new (0)); session = authentication_session_new (agent, - cookie, subject, user_of_subject, caller, @@ -2314,7 +2395,6 @@ g_list_free_full (user_identities, g_object_unref); g_list_foreach (identities, (GFunc) g_object_unref, NULL); g_list_free (identities); - g_free (cookie); g_free (localized_message); g_free (localized_icon_name); @@ -2379,8 +2459,6 @@ caller_cmdline = NULL; agent = NULL; - /* TODO: validate that object path is well-formed */ - interactive_authority = POLKIT_BACKEND_INTERACTIVE_AUTHORITY (authority); priv = POLKIT_BACKEND_INTERACTIVE_AUTHORITY_GET_PRIVATE (interactive_authority); @@ -2439,7 +2517,7 @@ } if (!polkit_identity_equal (user_of_caller, user_of_subject)) { - if (POLKIT_IS_UNIX_USER (user_of_caller) && polkit_unix_user_get_uid (POLKIT_UNIX_USER (user_of_caller)) == 0) + if (identity_is_root_user (user_of_caller)) { /* explicitly allow uid 0 to register for other users */ } @@ -2463,11 +2541,16 @@ goto out; } - agent = authentication_agent_new (subject, + priv->agent_serial++; + agent = authentication_agent_new (priv->agent_serial, + subject, polkit_system_bus_name_get_name (POLKIT_SYSTEM_BUS_NAME (caller)), locale, object_path, - options); + options, + error); + if (!agent) + goto out; g_hash_table_insert (priv->hash_scope_to_authentication_agent, g_object_ref (subject), @@ -2592,7 +2675,7 @@ } if (!polkit_identity_equal (user_of_caller, user_of_subject)) { - if (POLKIT_IS_UNIX_USER (user_of_caller) && polkit_unix_user_get_uid (POLKIT_UNIX_USER (user_of_caller)) == 0) + if (identity_is_root_user (user_of_caller)) { /* explicitly allow uid 0 to register for other users */ } @@ -2705,7 +2788,7 @@ goto out; /* only uid 0 is allowed to invoke this method */ - if (!POLKIT_IS_UNIX_USER (user_of_caller) || polkit_unix_user_get_uid (POLKIT_UNIX_USER (user_of_caller)) != 0) + if (!identity_is_root_user (user_of_caller)) { g_set_error (error, POLKIT_ERROR, --- a/src/polkitbackend/polkitbackendjsauthority.c 2015-06-25 15:14:04.841560096 +0200 +++ b/src/polkitbackend/polkitbackendjsauthority.c 2015-06-25 15:11:45.757664777 +0200 @@ -35,9 +35,9 @@ #include -#ifdef HAVE_LIBSYSTEMD_LOGIN +#ifdef HAVE_LIBSYSTEMD #include -#endif /* HAVE_LIBSYSTEMD_LOGIN */ +#endif /* HAVE_LIBSYSTEMD */ #include @@ -740,7 +740,7 @@ __FILE__, __LINE__, &ret_jsval)) { - g_set_error (error, G_IO_ERROR, G_IO_ERROR_FAILED, "Evaluting '%s' failed", src); + g_set_error (error, G_IO_ERROR, G_IO_ERROR_FAILED, "Evaluating '%s' failed", src); goto out; } @@ -764,7 +764,7 @@ g_assert_not_reached (); } -#ifdef HAVE_LIBSYSTEMD_LOGIN +#ifdef HAVE_LIBSYSTEMD if (sd_pid_get_session (pid, &session_str) == 0) { if (sd_session_get_seat (session_str, &seat_str) == 0) @@ -772,7 +772,7 @@ /* do nothing */ } } -#endif /* HAVE_LIBSYSTEMD_LOGIN */ +#endif /* HAVE_LIBSYSTEMD */ g_assert (POLKIT_IS_UNIX_USER (user_for_subject)); uid = polkit_unix_user_get_uid (POLKIT_UNIX_USER (user_for_subject)); @@ -866,7 +866,7 @@ __FILE__, __LINE__, &ret_jsval)) { - g_set_error (error, G_IO_ERROR, G_IO_ERROR_FAILED, "Evaluting '%s' failed", src); + g_set_error (error, G_IO_ERROR, G_IO_ERROR_FAILED, "Evaluating '%s' failed", src); goto out; } @@ -1286,7 +1286,9 @@ _HANDLE_SIG (SIGTTIN); _HANDLE_SIG (SIGTTOU); _HANDLE_SIG (SIGBUS); +#ifdef SIGPOLL _HANDLE_SIG (SIGPOLL); +#endif _HANDLE_SIG (SIGPROF); _HANDLE_SIG (SIGSYS); _HANDLE_SIG (SIGTRAP); @@ -1363,7 +1365,6 @@ goto out; } s = JS_EncodeString (cx, JSVAL_TO_STRING (elem_val)); - s = JS_EncodeString (cx, JSVAL_TO_STRING (elem_val)); argv[n] = g_strdup (s); JS_free (cx, s); } --- a/src/polkitbackend/polkitbackendsessionmonitor.c 2015-06-25 15:14:04.841560096 +0200 +++ b/src/polkitbackend/polkitbackendsessionmonitor.c 2015-06-25 15:11:45.758664799 +0200 @@ -306,25 +306,7 @@ } else if (POLKIT_IS_SYSTEM_BUS_NAME (subject)) { - GVariant *result; - - result = g_dbus_connection_call_sync (monitor->system_bus, - "org.freedesktop.DBus", - "/org/freedesktop/DBus", - "org.freedesktop.DBus", - "GetConnectionUnixUser", - g_variant_new ("(s)", polkit_system_bus_name_get_name (POLKIT_SYSTEM_BUS_NAME (subject))), - G_VARIANT_TYPE ("(u)"), - G_DBUS_CALL_FLAGS_NONE, - -1, /* timeout_msec */ - NULL, /* GCancellable */ - error); - if (result == NULL) - goto out; - g_variant_get (result, "(u)", &uid); - g_variant_unref (result); - - ret = polkit_unix_user_new (uid); + ret = (PolkitIdentity*)polkit_system_bus_name_get_user_sync (POLKIT_SYSTEM_BUS_NAME (subject), NULL, error); } else if (POLKIT_IS_UNIX_SESSION (subject)) { --- a/src/polkitbackend/polkitbackendsessionmonitor-systemd.c 2015-06-25 15:14:04.842560117 +0200 +++ b/src/polkitbackend/polkitbackendsessionmonitor-systemd.c 2015-06-25 15:11:45.758664799 +0200 @@ -277,25 +277,7 @@ } else if (POLKIT_IS_SYSTEM_BUS_NAME (subject)) { - GVariant *result; - - result = g_dbus_connection_call_sync (monitor->system_bus, - "org.freedesktop.DBus", - "/org/freedesktop/DBus", - "org.freedesktop.DBus", - "GetConnectionUnixUser", - g_variant_new ("(s)", polkit_system_bus_name_get_name (POLKIT_SYSTEM_BUS_NAME (subject))), - G_VARIANT_TYPE ("(u)"), - G_DBUS_CALL_FLAGS_NONE, - -1, /* timeout_msec */ - NULL, /* GCancellable */ - error); - if (result == NULL) - goto out; - g_variant_get (result, "(u)", &uid); - g_variant_unref (result); - - ret = polkit_unix_user_new (uid); + ret = (PolkitIdentity*)polkit_system_bus_name_get_user_sync (POLKIT_SYSTEM_BUS_NAME (subject), NULL, error); } else if (POLKIT_IS_UNIX_SESSION (subject)) { @@ -331,61 +313,59 @@ PolkitSubject *subject, GError **error) { - PolkitSubject *session; - - session = NULL; + PolkitUnixProcess *tmp_process = NULL; + PolkitUnixProcess *process = NULL; + PolkitSubject *session = NULL; + char *session_id = NULL; + pid_t pid; +#if HAVE_SD_UID_GET_DISPLAY + uid_t uid; +#endif if (POLKIT_IS_UNIX_PROCESS (subject)) - { - gchar *session_id; - pid_t pid; - - pid = polkit_unix_process_get_pid (POLKIT_UNIX_PROCESS (subject)); - if (sd_pid_get_session (pid, &session_id) < 0) - goto out; - - session = polkit_unix_session_new (session_id); - free (session_id); - } + process = POLKIT_UNIX_PROCESS (subject); /* We already have a process */ else if (POLKIT_IS_SYSTEM_BUS_NAME (subject)) { - guint32 pid; - gchar *session_id; - GVariant *result; - - result = g_dbus_connection_call_sync (monitor->system_bus, - "org.freedesktop.DBus", - "/org/freedesktop/DBus", - "org.freedesktop.DBus", - "GetConnectionUnixProcessID", - g_variant_new ("(s)", polkit_system_bus_name_get_name (POLKIT_SYSTEM_BUS_NAME (subject))), - G_VARIANT_TYPE ("(u)"), - G_DBUS_CALL_FLAGS_NONE, - -1, /* timeout_msec */ - NULL, /* GCancellable */ - error); - if (result == NULL) - goto out; - g_variant_get (result, "(u)", &pid); - g_variant_unref (result); - - if (sd_pid_get_session (pid, &session_id) < 0) - goto out; - - session = polkit_unix_session_new (session_id); - free (session_id); + /* Convert bus name to process */ + tmp_process = (PolkitUnixProcess*)polkit_system_bus_name_get_process_sync (POLKIT_SYSTEM_BUS_NAME (subject), NULL, error); + if (!tmp_process) + goto out; + process = tmp_process; } else { g_set_error (error, POLKIT_ERROR, POLKIT_ERROR_NOT_SUPPORTED, - "Cannot get user for subject of type %s", + "Cannot get session for subject of type %s", g_type_name (G_TYPE_FROM_INSTANCE (subject))); } - out: + /* Now do process -> pid -> same session */ + g_assert (process != NULL); + pid = polkit_unix_process_get_pid (process); + + if (sd_pid_get_session (pid, &session_id) >= 0) + { + session = polkit_unix_session_new (session_id); + goto out; + } + +#if HAVE_SD_UID_GET_DISPLAY + /* Now do process -> uid -> graphical session (systemd version 213)*/ + if (sd_pid_get_owner_uid (pid, &uid) < 0) + goto out; + + if (sd_uid_get_display (uid, &session_id) >= 0) + { + session = polkit_unix_session_new (session_id); + goto out; + } +#endif + out: + free (session_id); + if (tmp_process) g_object_unref (tmp_process); return session; } @@ -409,6 +389,37 @@ polkit_backend_session_monitor_is_session_active (PolkitBackendSessionMonitor *monitor, PolkitSubject *session) { - return sd_session_is_active (polkit_unix_session_get_session_id (POLKIT_UNIX_SESSION (session))); + const char *session_id; + char *state; + uid_t uid; + gboolean is_active = FALSE; + + session_id = polkit_unix_session_get_session_id (POLKIT_UNIX_SESSION (session)); + + g_debug ("Checking whether session %s is active.", session_id); + + /* Check whether *any* of the user's current sessions are active. */ + if (sd_session_get_uid (session_id, &uid) < 0) + goto fallback; + + g_debug ("Session %s has UID %u.", session_id, uid); + + if (sd_uid_get_state (uid, &state) < 0) + goto fallback; + + g_debug ("UID %u has state %s.", uid, state); + + is_active = (g_strcmp0 (state, "active") == 0); + free (state); + + return is_active; + +fallback: + /* Fall back to checking the session. This is not ideal, since the user + * might have multiple sessions, and we cannot guarantee to have chosen + * the active one. + * + * See: https://bugs.freedesktop.org/show_bug.cgi?id=76358. */ + return sd_session_is_active (session_id); } --- a/src/polkitbackend/polkitd.c 2015-06-25 15:14:04.842560117 +0200 +++ b/src/polkitbackend/polkitd.c 2015-06-25 15:11:45.758664799 +0200 @@ -92,7 +92,7 @@ { g_print ("Handling SIGINT\n"); g_main_loop_quit (loop); - return FALSE; + return TRUE; } static gboolean --- a/src/programs/Makefile.am 2015-06-25 15:14:04.842560117 +0200 +++ b/src/programs/Makefile.am 2015-06-25 15:11:45.758664799 +0200 @@ -1,7 +1,7 @@ NULL = -INCLUDES = \ +AM_CPPFLAGS = \ -I$(top_builddir)/src \ -I$(top_srcdir)/src \ -DPACKAGE_LIBEXEC_DIR=\""$(libexecdir)"\" \ --- a/src/programs/Makefile.in 2015-06-25 15:14:04.843560137 +0200 +++ b/src/programs/Makefile.in 2015-06-25 15:11:45.759664820 +0200 @@ -269,6 +269,8 @@ LIBJS_LIBS = @LIBJS_LIBS@ LIBOBJS = @LIBOBJS@ LIBS = @LIBS@ +LIBSYSTEMD_CFLAGS = @LIBSYSTEMD_CFLAGS@ +LIBSYSTEMD_LIBS = @LIBSYSTEMD_LIBS@ LIBSYSTEMD_LOGIN_CFLAGS = @LIBSYSTEMD_LOGIN_CFLAGS@ LIBSYSTEMD_LOGIN_LIBS = @LIBSYSTEMD_LOGIN_LIBS@ LIBTOOL = @LIBTOOL@ @@ -383,7 +385,7 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ NULL = -INCLUDES = \ +AM_CPPFLAGS = \ -I$(top_builddir)/src \ -I$(top_srcdir)/src \ -DPACKAGE_LIBEXEC_DIR=\""$(libexecdir)"\" \ --- a/src/programs/pkcheck.c 2015-06-25 15:14:04.843560137 +0200 +++ b/src/programs/pkcheck.c 2015-06-25 15:11:45.759664820 +0200 @@ -399,11 +399,15 @@ } else if (sscanf (argv[n], "%i,%" G_GUINT64_FORMAT, &pid, &pid_start_time) == 2) { + G_GNUC_BEGIN_IGNORE_DEPRECATIONS subject = polkit_unix_process_new_full (pid, pid_start_time); + G_GNUC_END_IGNORE_DEPRECATIONS } else if (sscanf (argv[n], "%i", &pid) == 1) { + G_GNUC_BEGIN_IGNORE_DEPRECATIONS subject = polkit_unix_process_new (pid); + G_GNUC_END_IGNORE_DEPRECATIONS } else { --- a/src/programs/pkexec.c 2015-06-25 15:14:04.844560158 +0200 +++ b/src/programs/pkexec.c 2015-06-25 15:11:45.759664820 +0200 @@ -75,7 +75,7 @@ g_printerr ("pkexec --version |\n" " --help |\n" " --disable-internal-agent |\n" - " [--user username] PROGRAM [ARGUMENTS...]\n" + " [--user username] [PROGRAM] [ARGUMENTS...]\n" "\n" "See the pkexec manual page for more details.\n" "\n" @@ -143,8 +143,22 @@ return PAM_CONV_ERR; } +/* A work around for: + * https://bugzilla.redhat.com/show_bug.cgi?id=753882 + */ static gboolean -open_session (const gchar *user_to_auth) +xdg_runtime_dir_is_owned_by (const char *path, + uid_t target_uid) +{ + struct stat stbuf; + + return stat (path, &stbuf) == 0 && + stbuf.st_uid == target_uid; +} + +static gboolean +open_session (const gchar *user_to_auth, + uid_t target_uid) { gboolean ret; gint rc; @@ -186,7 +200,19 @@ { guint n; for (n = 0; envlist[n]; n++) - putenv (envlist[n]); + { + const char *envitem = envlist[n]; + + if (g_str_has_prefix (envitem, "XDG_RUNTIME_DIR=")) + { + const char *eq = strchr (envitem, '='); + g_assert (eq); + if (!xdg_runtime_dir_is_owned_by (eq + 1, target_uid)) + continue; + } + + putenv (envlist[n]); + } free (envlist); } @@ -472,6 +498,7 @@ action_id = NULL; saved_env = NULL; path = NULL; + exec_argv = NULL; command_line = NULL; opt_user = NULL; local_agent_handle = NULL; @@ -522,6 +549,11 @@ goto out; } + if (opt_user != NULL) + { + g_printerr ("--user specified twice\n"); + goto out; + } opt_user = g_strdup (argv[n]); } else if (strcmp (argv[n], "--disable-internal-agent") == 0) @@ -550,6 +582,21 @@ if (opt_user == NULL) opt_user = g_strdup ("root"); + /* Look up information about the user we care about - yes, the return + * value of this function is a bit funky + */ + rc = getpwnam_r (opt_user, &pwstruct, pwbuf, sizeof pwbuf, &pw); + if (rc == 0 && pw == NULL) + { + g_printerr ("User `%s' does not exist.\n", opt_user); + goto out; + } + else if (pw == NULL) + { + g_printerr ("Error getting information for user `%s': %s\n", opt_user, g_strerror (rc)); + goto out; + } + /* Now figure out the command-line to run - argv is guaranteed to be NULL-terminated, see * * http://lkml.indiana.edu/hypermail/linux/kernel/0409.2/0287.html @@ -562,8 +609,21 @@ path = g_strdup (argv[n]); if (path == NULL) { - usage (argc, argv); - goto out; + GPtrArray *shell_argv; + + path = g_strdup (pwstruct.pw_shell); + if (!path) + { + g_printerr ("No shell configured or error retrieving pw_shell\n"); + goto out; + } + /* If you change this, be sure to change the if (!command_line) + case below too */ + command_line = g_strdup (path); + shell_argv = g_ptr_array_new (); + g_ptr_array_add (shell_argv, path); + g_ptr_array_add (shell_argv, NULL); + exec_argv = (char**)g_ptr_array_free (shell_argv, FALSE); } if (path[0] != '/') { @@ -582,22 +642,13 @@ g_printerr ("Error accessing %s: %s\n", path, g_strerror (errno)); goto out; } - command_line = g_strjoinv (" ", argv + n); - exec_argv = argv + n; - /* Look up information about the user we care about - yes, the return - * value of this function is a bit funky - */ - rc = getpwnam_r (opt_user, &pwstruct, pwbuf, sizeof pwbuf, &pw); - if (rc == 0 && pw == NULL) - { - g_printerr ("User `%s' does not exist.\n", opt_user); - goto out; - } - else if (pw == NULL) + if (!command_line) { - g_printerr ("Error getting information for user `%s': %s\n", opt_user, g_strerror (rc)); - goto out; + /* If you change this, be sure to change the path == NULL case + above too */ + command_line = g_strjoinv (" ", argv + n); + exec_argv = argv + n; } /* now save the environment variables we care about */ @@ -711,6 +762,8 @@ goto out; } + g_assert (path != NULL); + g_assert (exec_argv != NULL); action_id = find_action_for_path (authority, path, exec_argv[1], @@ -913,7 +966,8 @@ * As evident above, neither su(1) (and, for that matter, nor sudo(8)) does this. */ #ifdef POLKIT_AUTHFW_PAM - if (!open_session (pw->pw_name)) + if (!open_session (pw->pw_name, + pw->pw_uid)) { goto out; } --- a/src/programs/pkttyagent.c 2015-06-25 15:14:04.844560158 +0200 +++ b/src/programs/pkttyagent.c 2015-06-25 15:11:45.759664820 +0200 @@ -111,9 +111,17 @@ if (sscanf (opt_process, "%i,%" G_GUINT64_FORMAT, &pid, &pid_start_time) == 2) - subject = polkit_unix_process_new_full (pid, pid_start_time); + { + G_GNUC_BEGIN_IGNORE_DEPRECATIONS + subject = polkit_unix_process_new_full (pid, pid_start_time); + G_GNUC_END_IGNORE_DEPRECATIONS + } else if (sscanf (opt_process, "%i", &pid) == 1) - subject = polkit_unix_process_new (pid); + { + G_GNUC_BEGIN_IGNORE_DEPRECATIONS + subject = polkit_unix_process_new (pid); + G_GNUC_END_IGNORE_DEPRECATIONS + } else { g_printerr (_("%s: Invalid process specifier `%s'\n"), --- a/test/Makefile.in 2015-06-25 15:14:04.846560199 +0200 +++ b/test/Makefile.in 2015-06-25 15:11:45.760664841 +0200 @@ -275,6 +275,8 @@ LIBJS_LIBS = @LIBJS_LIBS@ LIBOBJS = @LIBOBJS@ LIBS = @LIBS@ +LIBSYSTEMD_CFLAGS = @LIBSYSTEMD_CFLAGS@ +LIBSYSTEMD_LIBS = @LIBSYSTEMD_LIBS@ LIBSYSTEMD_LOGIN_CFLAGS = @LIBSYSTEMD_LOGIN_CFLAGS@ LIBSYSTEMD_LOGIN_LIBS = @LIBSYSTEMD_LOGIN_LIBS@ LIBTOOL = @LIBTOOL@ --- a/test/polkit/Makefile.am 2015-06-25 15:14:04.867560631 +0200 +++ b/test/polkit/Makefile.am 2015-06-25 15:11:56.378888542 +0200 @@ -1,7 +1,7 @@ NULL = -INCLUDES = \ +AM_CPPFLAGS = \ -I$(top_builddir)/src \ -I$(top_srcdir)/src \ -I$(top_srcdir)/test \ --- a/test/polkit/Makefile.in 2015-06-25 15:14:04.868560652 +0200 +++ b/test/polkit/Makefile.in 2015-06-25 15:11:56.378888542 +0200 @@ -465,6 +465,8 @@ LIBJS_LIBS = @LIBJS_LIBS@ LIBOBJS = @LIBOBJS@ LIBS = @LIBS@ +LIBSYSTEMD_CFLAGS = @LIBSYSTEMD_CFLAGS@ +LIBSYSTEMD_LIBS = @LIBSYSTEMD_LIBS@ LIBSYSTEMD_LOGIN_CFLAGS = @LIBSYSTEMD_LOGIN_CFLAGS@ LIBSYSTEMD_LOGIN_LIBS = @LIBSYSTEMD_LOGIN_LIBS@ LIBTOOL = @LIBTOOL@ @@ -579,7 +581,7 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ NULL = -INCLUDES = \ +AM_CPPFLAGS = \ -I$(top_builddir)/src \ -I$(top_srcdir)/src \ -I$(top_srcdir)/test \ --- a/test/polkitbackend/Makefile.am 2015-06-25 15:14:04.868560652 +0200 +++ b/test/polkitbackend/Makefile.am 2015-06-25 15:11:56.379888563 +0200 @@ -1,7 +1,7 @@ NULL = -INCLUDES = \ +AM_CPPFLAGS = \ -I$(top_builddir)/src \ -I$(top_srcdir)/src \ -I$(top_srcdir)/test \ --- a/test/polkitbackend/Makefile.in 2015-06-25 15:14:04.869560672 +0200 +++ b/test/polkitbackend/Makefile.in 2015-06-25 15:11:56.379888563 +0200 @@ -447,6 +447,8 @@ LIBJS_LIBS = @LIBJS_LIBS@ LIBOBJS = @LIBOBJS@ LIBS = @LIBS@ +LIBSYSTEMD_CFLAGS = @LIBSYSTEMD_CFLAGS@ +LIBSYSTEMD_LIBS = @LIBSYSTEMD_LIBS@ LIBSYSTEMD_LOGIN_CFLAGS = @LIBSYSTEMD_LOGIN_CFLAGS@ LIBSYSTEMD_LOGIN_LIBS = @LIBSYSTEMD_LOGIN_LIBS@ LIBTOOL = @LIBTOOL@ @@ -561,7 +563,7 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ NULL = -INCLUDES = \ +AM_CPPFLAGS = \ -I$(top_builddir)/src \ -I$(top_srcdir)/src \ -I$(top_srcdir)/test \ --- a/test/polkitbackend/test-polkitbackendjsauthority.c 2015-06-25 15:14:04.869560672 +0200 +++ b/test/polkitbackend/test-polkitbackendjsauthority.c 2015-06-25 15:11:56.379888563 +0200 @@ -74,8 +74,8 @@ authority = get_authority (); - caller = polkit_unix_process_new (getpid ()); - subject = polkit_unix_process_new (getpid ()); + caller = polkit_unix_process_new_for_owner (getpid (), 0, getuid ()); + subject = polkit_unix_process_new_for_owner (getpid (), 0, getuid ()); user_for_subject = polkit_identity_from_string ("unix-user:root", &error); g_assert_no_error (error); @@ -340,8 +340,8 @@ authority = get_authority (); - caller = polkit_unix_process_new (getpid ()); - subject = polkit_unix_process_new (getpid ()); + caller = polkit_unix_process_new_for_owner (getpid (), 0, getuid ()); + subject = polkit_unix_process_new_for_owner (getpid (), 0, getuid ()); user_for_subject = polkit_identity_from_string (tc->identity, &error); g_assert_no_error (error);