author | Brian Cameron <brian.cameron@sun.com> | 2008-01-28 17:43:05 -0500 |
---|---|---|
committer | William Jon McCann <mccann@jhu.edu> | 2008-01-28 17:43:05 -0500 |
commit | 5895396bc583ae08c5041f5b81f5f9d0a2888e22 (patch) | |
tree | cd7ab3be029f2b0fd6921a4a66c3937e3cb048aa | |
parent | 96d613ee9a4850753e8f93113ab28ed3045f73f3 (diff) |
make polkit optional and use RBAC on Solaris
This patch makes polkit an optional dependency. If present
it builds with it. If not, polkit support is disabled.
This patch also adds a --enable-rbac-shutdown=<key> option.
If set, then ConsoleKit will allow shutdown/reboot if the
user has the RBAC key authorization defined. For example,
since the GDM GUI program runs as the "gdm" user, setting
the key for the "gdm" user allows the login program to
shut down and reboot the system via ConsoleKit.
Also this patch modifies the tools/solaris/ck-system-restart
and tools/solaris/ck-system-stop scripts to call "/sbin/init 6"
and "/sbin/init 5", which are the right commands for Solaris.
-rw-r--r-- | configure.ac | 30 | ||||
-rw-r--r-- | data/Makefile.am | 2 | ||||
-rw-r--r-- | src/Makefile.am | 7 | ||||
-rw-r--r-- | src/ck-manager.c | 71 | ||||
-rwxr-xr-x | tools/solaris/ck-system-restart | 11 | ||||
-rwxr-xr-x | tools/solaris/ck-system-stop | 11 |
6 files changed, 110 insertions, 22 deletions
diff --git a/configure.ac b/configure.ac index 5bc018d..b814569 100644 --- a/configure.ac +++ b/configure.ac @@ -53,8 +53,18 @@ PKG_CHECK_MODULES(CONSOLE_KIT, dbus-glib-1 >= $DBUS_REQUIRED_VERSION gobject-2.0 >= $GLIB_REQUIRED_VERSION gthread-2.0 >= $GLIB_REQUIRED_VERSION - polkit >= $POLKIT_REQUIRED_VERSION ) + +PKG_CHECK_MODULES(POLKIT, + polkit >= $POLKIT_REQUIRED_VERSION, + have_polkit=yes, + have_polkit=no) +if test "x$have_polkit" = "xyes" ; then + AC_DEFINE(HAVE_POLKIT, [], [Define if we have polkit]) +fi +AM_CONDITIONAL(HAVE_POLKIT, test x$have_polkit = xyes) +AC_SUBST(HAVE_POLKIT) + PKG_CHECK_MODULES(LIBDBUS, dbus-1 >= $DBUS_REQUIRED_VERSION ) @@ -282,6 +292,23 @@ if test "x$enable_inotify" = "xyes" ; then fi dnl --------------------------------------------------------------------------- +dnl check for RBAC +dnl --------------------------------------------------------------------------- + +msg_rbac_shutdown=no +AC_ARG_ENABLE(rbac-shutdown, + [AC_HELP_STRING([--enable-rbac-shutdown=<key>], + [Build with RBAC support specifying shutdown/reboot RBAC authentication key])], + enable_rbac_shutdown=$enableval,enable_rbac_shutdown=no) +if test "x$enable_rbac_shutdown" != "xno"; then + RBAC_LIBS="-lsecdb -lsocket -lnsl" + AC_DEFINE(ENABLE_RBAC_SHUTDOWN, [], [Set if we build with RBAC support]) + AC_DEFINE_UNQUOTED(RBAC_SHUTDOWN_KEY, "$enable_rbac_shutdown", [Set if we build with RBAC support]) + msg_rbac_shutdown="yes, using key $enable_rbac_shutdown" +fi +AC_SUBST(RBAC_LIBS) + +dnl --------------------------------------------------------------------------- dnl Finish dnl --------------------------------------------------------------------------- @@ -398,4 +425,5 @@ echo " PAM module dir: ${PAM_MODULE_DIR} Build PAM module: ${msg_pam_module} Build docs: ${enable_docbook_docs} + Build with RBAC: ${msg_rbac_shutdown} " diff --git a/data/Makefile.am b/data/Makefile.am index dc1bf1a..ef13d8c 100644 --- a/data/Makefile.am +++ b/data/Makefile.am 
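Review bot: In the first configure.ac hunk a missing polkit is accepted silently: the not-found branch only sets `have_polkit=no`, and the summary at the end of the file gains a line for RBAC but none for PolicyKit. Because ck-manager.c compiles its PolicyKit check for restart/stop only under `HAVE_POLKIT`, the person building should be told when that check is left out. I would add `AC_MSG_WARN([polkit not found: restart/stop will not be authorized through PolicyKit])` to the not-found case and a `Build with PolicyKit: ${have_polkit}` line to the summary. `AC_SUBST(HAVE_POLKIT)` looks unnecessary, since no shell variable of that name is set in the hunk.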
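Review bot: In the `check for RBAC` hunk, `--enable-rbac-shutdown` given without a value leaves `$enableval` as `yes`, so `RBAC_SHUTDOWN_KEY` is defined as the string "yes" and the summary reports RBAC as enabled while the daemon checks an authorization name nobody intended. Reject that case before the defines, e.g. `if test "x$enable_rbac_shutdown" = "xyes"; then AC_MSG_ERROR([--enable-rbac-shutdown needs an authorization name]); fi`. The hunk also sets `RBAC_LIBS` without probing for the library; an `AC_CHECK_LIB(secdb, chkauthattr, ...)` would turn a late link failure into a clear configure error. The help string says "authentication key" although the value is an authorization name, and both `AC_DEFINE` descriptions repeat the same sentence; the second should read something like `[RBAC authorization required for shutdown/reboot]`.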
@@ -6,10 +6,12 @@ dbusconf_DATA = ConsoleKit.conf seatdir = $(sysconfdir)/ConsoleKit/seats.d seat_DATA = 00-primary.seat +if HAVE_POLKIT polkit_policydir = $(datadir)/PolicyKit/policy dist_polkit_policy_DATA = \ ConsoleKit.policy \ $(NULL) +endif servicedir = $(datadir)/dbus-1/system-services service_in_files = org.freedesktop.ConsoleKit.service.in diff --git a/src/Makefile.am b/src/Makefile.am index 2f0d42d..2f77c4f 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -10,6 +10,7 @@ INCLUDES = \ -I. \ -I$(srcdir) \ $(CONSOLE_KIT_CFLAGS) \ + $(POLKIT_CFLAGS) \ $(DISABLE_DEPRECATED_CFLAGS) \ -DPREFIX=\""$(prefix)"\" \ -DBINDIR=\""$(bindir)"\" \ @@ -129,6 +130,8 @@ EXTRA_console_kit_daemon_SOURCES = \ console_kit_daemon_LDADD = \ $(CONSOLE_KIT_LIBS) \ + $(POLKIT_LIBS) \ + $(RBAC_LIBS) \ libck.la \ libck-event-log.la \ $(NULL) @@ -147,6 +150,8 @@ test_event_logger_SOURCES = \ test_event_logger_LDADD = \ $(CONSOLE_KIT_LIBS) \ + $(POLKIT_LIBS) \ + $(RBAC_LIBS) \ libck-event-log.la \ $(NULL) @@ -158,6 +163,7 @@ test_vt_monitor_SOURCES = \ test_vt_monitor_LDADD = \ $(CONSOLE_KIT_LIBS) \ + $(POLKIT_LIBS) \ libck.la \ $(NULL) @@ -171,6 +177,7 @@ test_tty_idle_monitor_SOURCES = \ test_tty_idle_monitor_LDADD = \ $(CONSOLE_KIT_LIBS) \ + $(POLKIT_LIBS) \ libck.la \ $(NULL) diff --git a/src/ck-manager.c b/src/ck-manager.c index 5eac98f..c7c045b 100644 --- a/src/ck-manager.c +++ b/src/ck-manager.c @@ -39,7 +39,14 @@ #include <dbus/dbus-glib.h> #include <dbus/dbus-glib-lowlevel.h> +#ifdef HAVE_POLKIT #include <polkit/polkit.h> +#endif + +#ifdef ENABLE_RBAC_SHUTDOWN +#include <auth_attr.h> +#include <secdb.h> +#endif #include "ck-manager.h" #include "ck-manager-glue.h" @@ -61,7 +68,9 @@ struct CkManagerPrivate { +#ifdef HAVE_POLKIT PolKitContext *pol_ctx; +#endif GHashTable *seats; GHashTable *sessions; 
@@ -703,6 +712,7 @@ get_session_for_unix_process (CkManager *manager, return session; } +#ifdef HAVE_POLKIT static PolKitSession * new_polkit_session_from_session (CkManager *manager, CkSession *ck_session) @@ -1064,6 +1074,7 @@ _check_polkit_for_action (CkManager *manager, return TRUE; } +#endif /* adapted from PolicyKit */ static gboolean @@ -1201,6 +1212,47 @@ get_system_num_users (CkManager *manager) return num_users; } +#ifdef ENABLE_RBAC_SHUTDOWN +static gboolean +check_rbac_permissions (CkManager *manager, + DBusGMethodInvocation *context) +{ + const char *sender; + char *username; + gboolean res; + uid_t uid; + pid_t pid; + + username = NULL; + sender = dbus_g_method_get_sender (context); + res = get_caller_info (manager, + sender, + &uid, + &pid); + if (!res) { + goto out; + } + + username = get_user_name (uid); + + if (username == NULL || + !chkauthattr (RBAC_SHUTDOWN_KEY, username)) { + res = FALSE; + goto out; + } + +out: + + if (res == TRUE) + g_debug ("User %s has RBAC permission to stop/restart", username); + else + g_debug ("User %s does not have RBAC permission to stop/restart", username); + + g_free (username); + return res; +} +#endif + /* Example: dbus-send --system --dest=org.freedesktop.ConsoleKit \ @@ -1227,11 +1279,17 @@ ck_manager_restart (CkManager *manager, g_debug ("ConsoleKit Restart: %s", action); +#ifdef HAVE_POLKIT res = _check_polkit_for_action (manager, context, action); - if (! res) { goto out; } +#endif + +#ifdef ENABLE_RBAC_SHUTDOWN + if (!check_rbac_permissions (manager, context)) + goto out; +#endif g_debug ("ConsoleKit preforming Restart: %s", action); @@ -1277,10 +1335,17 @@ ck_manager_stop (CkManager *manager, action = "org.freedesktop.consolekit.system.stop"; } +#ifdef HAVE_POLKIT res = _check_polkit_for_action (manager, context, action); if (! res) { goto out; } +#endif + +#ifdef ENABLE_RBAC_SHUTDOWN + if (!check_rbac_permissions (manager, context)) + goto out; +#endif g_debug ("Stopping system"); error = NULL; 
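Review bot: In `check_rbac_permissions`, both failure paths can reach the `out:` label with `username` still NULL (when `get_caller_info` fails, or when `get_user_name` returns NULL), and the denial message then hands that NULL to a `%s` conversion. Passing NULL for `%s` is undefined behaviour and not every C library prints `(null)` for it, so a denied request may crash the daemon instead of being refused. Log a placeholder instead: `g_debug ("User %s does not have RBAC permission to stop/restart", username != NULL ? username : "(unknown)");`. A refused shutdown request is also worth more than debug level, for example `g_warning`, so that it appears in normal logs.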
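Review bot: In `ck_manager_restart` (and in the same way in the `ck_manager_stop` hunk), a build with neither `HAVE_POLKIT` nor `ENABLE_RBAC_SHUTDOWN` defined compiles out every authorization check, so control falls straight through to `g_debug ("ConsoleKit preforming Restart: %s", action);`. Unless the D-Bus policy restricts these methods, which is not visible in this diff, such a build would accept restart and stop requests from any caller that can reach the interface. I would make that configuration fail closed with a third branch, `#if !defined(HAVE_POLKIT) && !defined(ENABLE_RBAC_SHUTDOWN)` … `goto out;` … `#endif`, or refuse it at configure time. Separately, the RBAC branch jumps to `out` on denial; that label and the rest of both function bodies are outside the hunks, so please confirm the caller still receives a D-Bus error reply on that path.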
@@ -2296,6 +2361,7 @@ bus_name_owner_changed (DBusGProxy *bus_proxy, service_name, old_service_name, new_service_name); } +#ifdef HAVE_POLKIT static gboolean pk_io_watch_have_data (GIOChannel *channel, GIOCondition condition, @@ -2338,18 +2404,21 @@ pk_io_remove_watch (PolKitContext *pk_context, { g_source_remove (watch_id); } +#endif static gboolean register_manager (CkManager *manager) { GError *error = NULL; +#ifdef HAVE_POLKIT manager->priv->pol_ctx = polkit_context_new (); polkit_context_set_io_watch_functions (manager->priv->pol_ctx, pk_io_add_watch, pk_io_remove_watch); if (! polkit_context_init (manager->priv->pol_ctx, NULL)) { g_critical ("cannot initialize libpolkit"); return FALSE; } +#endif error = NULL; manager->priv->connection = dbus_g_bus_get (DBUS_BUS_SYSTEM, &error); diff --git a/tools/solaris/ck-system-restart b/tools/solaris/ck-system-restart index 8e0664e..c61799f 100755 --- a/tools/solaris/ck-system-restart +++ b/tools/solaris/ck-system-restart @@ -1,12 +1,3 @@ #!/bin/sh -#Try for common tools -if [ -x "/sbin/shutdown" ] ; then - /sbin/shutdown -r now - exit $? -elif [ -x "/usr/sbin/shutdown" ] ; then - /usr/sbin/shutdown -r now - exit $? -else - exit 1 -fi +/sbin/init 6 diff --git a/tools/solaris/ck-system-stop b/tools/solaris/ck-system-stop index e26bca3..d5b2fde 100755 --- a/tools/solaris/ck-system-stop +++ b/tools/solaris/ck-system-stop @@ -1,12 +1,3 @@ #!/bin/sh -#Try for common tools -if [ -x "/sbin/shutdown" ] ; then - /sbin/shutdown -h now - exit $? -elif [ -x "/usr/sbin/shutdown" ] ; then - /usr/sbin/shutdown -h now - exit $? -else - exit 1 -fi +/sbin/init 5 |
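Review bot: In tools/solaris/ck-system-restart (and likewise in ck-system-stop), the bare run-level numbers are left unexplained now that the old comment is removed with the rest of the script. A one-line comment above each command would help the next reader, e.g. `# run level 6: reboot` in ck-system-restart and `# run level 5: shut down and power off` in ck-system-stop.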