-rw-r--r--configure.ac30
-rw-r--r--data/Makefile.am2
-rw-r--r--src/Makefile.am7
-rw-r--r--src/ck-manager.c71
-rwxr-xr-xtools/solaris/ck-system-restart11
-rwxr-xr-xtools/solaris/ck-system-stop11
6 files changed, 110 insertions, 22 deletions
diff --git a/configure.ac b/configure.ac
index 5bc018d..b814569 100644
--- a/configure.ac
+++ b/configure.ac
@@ -53,8 +53,18 @@ PKG_CHECK_MODULES(CONSOLE_KIT,
dbus-glib-1 >= $DBUS_REQUIRED_VERSION
gobject-2.0 >= $GLIB_REQUIRED_VERSION
gthread-2.0 >= $GLIB_REQUIRED_VERSION
- polkit >= $POLKIT_REQUIRED_VERSION
)
+
+PKG_CHECK_MODULES(POLKIT,
+ polkit >= $POLKIT_REQUIRED_VERSION,
+ have_polkit=yes,
+ have_polkit=no)
+if test "x$have_polkit" = "xyes" ; then
+ AC_DEFINE(HAVE_POLKIT, [], [Define if we have polkit])
+fi
+AM_CONDITIONAL(HAVE_POLKIT, test x$have_polkit = xyes)
+AC_SUBST(HAVE_POLKIT)
+
PKG_CHECK_MODULES(LIBDBUS,
dbus-1 >= $DBUS_REQUIRED_VERSION
)
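Review bot: `AC_SUBST(HAVE_POLKIT)` substitutes a shell variable that the added lines never assign (the check result is stored in `have_polkit`), so it expands to nothing; `AM_CONDITIONAL(HAVE_POLKIT, ...)` already provides what the Makefiles test, and the `AC_SUBST` line can be dropped. A missing polkit no longer stops configure and its result is not reported in the visible summary hunk, so a line such as `Build with PolicyKit: ${have_polkit}` next to the RBAC one would make a build without it visible. The `test x$have_polkit = xyes` inside `AM_CONDITIONAL` would also read better quoted, like the `if test "x$have_polkit" = "xyes"` three lines above it.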
@@ -282,6 +292,23 @@ if test "x$enable_inotify" = "xyes" ; then
fi
dnl ---------------------------------------------------------------------------
+dnl check for RBAC
+dnl ---------------------------------------------------------------------------
+
+msg_rbac_shutdown=no
+AC_ARG_ENABLE(rbac-shutdown,
+ [AC_HELP_STRING([--enable-rbac-shutdown=<key>],
+ [Build with RBAC support specifying shutdown/reboot RBAC authentication key])],
+ enable_rbac_shutdown=$enableval,enable_rbac_shutdown=no)
+if test "x$enable_rbac_shutdown" != "xno"; then
+ RBAC_LIBS="-lsecdb -lsocket -lnsl"
+ AC_DEFINE(ENABLE_RBAC_SHUTDOWN, [], [Set if we build with RBAC support])
+ AC_DEFINE_UNQUOTED(RBAC_SHUTDOWN_KEY, "$enable_rbac_shutdown", [Set if we build with RBAC support])
+ msg_rbac_shutdown="yes, using key $enable_rbac_shutdown"
+fi
+AC_SUBST(RBAC_LIBS)
+
+dnl ---------------------------------------------------------------------------
dnl Finish
dnl ---------------------------------------------------------------------------
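Review bot: Passing `--enable-rbac-shutdown` without `=<key>` sets `$enableval` to `yes`, so `RBAC_SHUTDOWN_KEY` is defined as the string "yes" and the daemon later checks callers against an authorization of that name. Reject that case before the defines, e.g. `if test "x$enable_rbac_shutdown" = "xyes"; then AC_MSG_ERROR([--enable-rbac-shutdown requires an authorization key]); fi`. The description given for `RBAC_SHUTDOWN_KEY` repeats the one for `ENABLE_RBAC_SHUTDOWN`; something like `[RBAC authorization required to stop or restart the system]` would say what the value is.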
@@ -398,4 +425,5 @@ echo "
PAM module dir: ${PAM_MODULE_DIR}
Build PAM module: ${msg_pam_module}
Build docs: ${enable_docbook_docs}
+ Build with RBAC: ${msg_rbac_shutdown}
"
diff --git a/data/Makefile.am b/data/Makefile.am
index dc1bf1a..ef13d8c 100644
--- a/data/Makefile.am
+++ b/data/Makefile.am
@@ -6,10 +6,12 @@ dbusconf_DATA = ConsoleKit.conf
seatdir = $(sysconfdir)/ConsoleKit/seats.d
seat_DATA = 00-primary.seat
+if HAVE_POLKIT
polkit_policydir = $(datadir)/PolicyKit/policy
dist_polkit_policy_DATA = \
ConsoleKit.policy \
$(NULL)
+endif
servicedir = $(datadir)/dbus-1/system-services
service_in_files = org.freedesktop.ConsoleKit.service.in
diff --git a/src/Makefile.am b/src/Makefile.am
index 2f0d42d..2f77c4f 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -10,6 +10,7 @@ INCLUDES = \
-I. \
-I$(srcdir) \
$(CONSOLE_KIT_CFLAGS) \
+ $(POLKIT_CFLAGS) \
$(DISABLE_DEPRECATED_CFLAGS) \
-DPREFIX=\""$(prefix)"\" \
-DBINDIR=\""$(bindir)"\" \
@@ -129,6 +130,8 @@ EXTRA_console_kit_daemon_SOURCES = \
console_kit_daemon_LDADD = \
$(CONSOLE_KIT_LIBS) \
+ $(POLKIT_LIBS) \
+ $(RBAC_LIBS) \
libck.la \
libck-event-log.la \
$(NULL)
@@ -147,6 +150,8 @@ test_event_logger_SOURCES = \
test_event_logger_LDADD = \
$(CONSOLE_KIT_LIBS) \
+ $(POLKIT_LIBS) \
+ $(RBAC_LIBS) \
libck-event-log.la \
$(NULL)
@@ -158,6 +163,7 @@ test_vt_monitor_SOURCES = \
test_vt_monitor_LDADD = \
$(CONSOLE_KIT_LIBS) \
+ $(POLKIT_LIBS) \
libck.la \
$(NULL)
@@ -171,6 +177,7 @@ test_tty_idle_monitor_SOURCES = \
test_tty_idle_monitor_LDADD = \
$(CONSOLE_KIT_LIBS) \
+ $(POLKIT_LIBS) \
libck.la \
$(NULL)
diff --git a/src/ck-manager.c b/src/ck-manager.c
index 5eac98f..c7c045b 100644
--- a/src/ck-manager.c
+++ b/src/ck-manager.c
@@ -39,7 +39,14 @@
#include <dbus/dbus-glib.h>
#include <dbus/dbus-glib-lowlevel.h>
+#ifdef HAVE_POLKIT
#include <polkit/polkit.h>
+#endif
+
+#ifdef ENABLE_RBAC_SHUTDOWN
+#include <auth_attr.h>
+#include <secdb.h>
+#endif
#include "ck-manager.h"
#include "ck-manager-glue.h"
@@ -61,7 +68,9 @@
struct CkManagerPrivate
{
+#ifdef HAVE_POLKIT
PolKitContext *pol_ctx;
+#endif
GHashTable *seats;
GHashTable *sessions;
@@ -703,6 +712,7 @@ get_session_for_unix_process (CkManager *manager,
return session;
}
+#ifdef HAVE_POLKIT
static PolKitSession *
new_polkit_session_from_session (CkManager *manager,
CkSession *ck_session)
@@ -1064,6 +1074,7 @@ _check_polkit_for_action (CkManager *manager,
return TRUE;
}
+#endif
/* adapted from PolicyKit */
static gboolean
@@ -1201,6 +1212,47 @@ get_system_num_users (CkManager *manager)
return num_users;
}
+#ifdef ENABLE_RBAC_SHUTDOWN
+static gboolean
+check_rbac_permissions (CkManager *manager,
+ DBusGMethodInvocation *context)
+{
+ const char *sender;
+ char *username;
+ gboolean res;
+ uid_t uid;
+ pid_t pid;
+
+ username = NULL;
+ sender = dbus_g_method_get_sender (context);
+ res = get_caller_info (manager,
+ sender,
+ &uid,
+ &pid);
+ if (!res) {
+ goto out;
+ }
+
+ username = get_user_name (uid);
+
+ if (username == NULL ||
+ !chkauthattr (RBAC_SHUTDOWN_KEY, username)) {
+ res = FALSE;
+ goto out;
+ }
+
+out:
+
+ if (res == TRUE)
+ g_debug ("User %s has RBAC permission to stop/restart", username);
+ else
+ g_debug ("User %s does not have RBAC permission to stop/restart", username);
+
+ g_free (username);
+ return res;
+}
+#endif
+
/*
Example:
dbus-send --system --dest=org.freedesktop.ConsoleKit \
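Review bot: Both `g_debug` calls after `out:` in `check_rbac_permissions` pass `username` to `%s`, but `username` is still NULL when `get_caller_info` fails or `get_user_name` returns NULL, and not every C library's printf tolerates a NULL string argument. Log `username ? username : "(unknown)"` in both calls so the denial path cannot take the daemon down. The function also returns FALSE without sending any D-Bus reply, so a short comment above it should state that the caller must answer the invocation on denial; whether `ck_manager_restart` and `ck_manager_stop` do so depends on their `out:` labels, which are outside the visible hunks.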
@@ -1227,11 +1279,17 @@ ck_manager_restart (CkManager *manager,
g_debug ("ConsoleKit Restart: %s", action);
+#ifdef HAVE_POLKIT
res = _check_polkit_for_action (manager, context, action);
-
if (! res) {
goto out;
}
+#endif
+
+#ifdef ENABLE_RBAC_SHUTDOWN
+ if (!check_rbac_permissions (manager, context))
+ goto out;
+#endif
g_debug ("ConsoleKit preforming Restart: %s", action);
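Review bot: With both `HAVE_POLKIT` and `ENABLE_RBAC_SHUTDOWN` undefined, which configure now permits, no authorization check remains between the first `g_debug` and the restart in `ck_manager_restart`; the same holds for the matching hunk in `ck_manager_stop`. Such a build presumably leaves the system bus policy as the only control over who can restart or halt the machine. Make that configuration fail closed, for example with `#if !defined(HAVE_POLKIT) && !defined(ENABLE_RBAC_SHUTDOWN)` / `#error "no authorization backend for stop/restart"` / `#endif` near the includes, or by returning a not-authorized error from both methods in that case. Both function bodies start and end outside their hunks.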
@@ -1277,10 +1335,17 @@ ck_manager_stop (CkManager *manager,
action = "org.freedesktop.consolekit.system.stop";
}
+#ifdef HAVE_POLKIT
res = _check_polkit_for_action (manager, context, action);
if (! res) {
goto out;
}
+#endif
+
+#ifdef ENABLE_RBAC_SHUTDOWN
+ if (!check_rbac_permissions (manager, context))
+ goto out;
+#endif
g_debug ("Stopping system");
error = NULL;
@@ -2296,6 +2361,7 @@ bus_name_owner_changed (DBusGProxy *bus_proxy,
service_name, old_service_name, new_service_name);
}
+#ifdef HAVE_POLKIT
static gboolean
pk_io_watch_have_data (GIOChannel *channel,
GIOCondition condition,
@@ -2338,18 +2404,21 @@ pk_io_remove_watch (PolKitContext *pk_context,
{
g_source_remove (watch_id);
}
+#endif
static gboolean
register_manager (CkManager *manager)
{
GError *error = NULL;
+#ifdef HAVE_POLKIT
manager->priv->pol_ctx = polkit_context_new ();
polkit_context_set_io_watch_functions (manager->priv->pol_ctx, pk_io_add_watch, pk_io_remove_watch);
if (! polkit_context_init (manager->priv->pol_ctx, NULL)) {
g_critical ("cannot initialize libpolkit");
return FALSE;
}
+#endif
error = NULL;
manager->priv->connection = dbus_g_bus_get (DBUS_BUS_SYSTEM, &error);
diff --git a/tools/solaris/ck-system-restart b/tools/solaris/ck-system-restart
index 8e0664e..c61799f 100755
--- a/tools/solaris/ck-system-restart
+++ b/tools/solaris/ck-system-restart
@@ -1,12 +1,3 @@
#!/bin/sh
-#Try for common tools
-if [ -x "/sbin/shutdown" ] ; then
- /sbin/shutdown -r now
- exit $?
-elif [ -x "/usr/sbin/shutdown" ] ; then
- /usr/sbin/shutdown -r now
- exit $?
-else
- exit 1
-fi
+/sbin/init 6
diff --git a/tools/solaris/ck-system-stop b/tools/solaris/ck-system-stop
index e26bca3..d5b2fde 100755
--- a/tools/solaris/ck-system-stop
+++ b/tools/solaris/ck-system-stop
@@ -1,12 +1,3 @@
#!/bin/sh
-#Try for common tools
-if [ -x "/sbin/shutdown" ] ; then
- /sbin/shutdown -h now
- exit $?
-elif [ -x "/usr/sbin/shutdown" ] ; then
- /usr/sbin/shutdown -h now
- exit $?
-else
- exit 1
-fi
+/sbin/init 5