From 5895396bc583ae08c5041f5b81f5f9d0a2888e22 Mon Sep 17 00:00:00 2001
From: Brian Cameron <brian.cameron@sun.com>
Date: Mon, 28 Jan 2008 17:43:05 -0500
Subject: make polkit optional and use RBAC on Solaris

This patch makes polkit an optional dependency.  If present
it builds with it.  If not, polkit support is disabled.

This patch also adds a --enable-rbac-shutdown=<key> option.
If set, then ConsoleKit will allow shutdown/reboot if the
user has the RBAC key authorization defined.  For example,
since the GDM GUI program runs as the "gdm" user, setting
the key for the "gdm" user allows the login program to
shutdown and reboot via ConsoleKit.

Also this patch modifies the tools/solaris/ck-system-restart
and tools/solaris/ck-system-stop scripts to call "/sbin/init 6"
and "/sbin/init 5", which are the right commands for Solaris.
---
 configure.ac                    | 30 ++++++++++++++++-
 data/Makefile.am                |  2 ++
 src/Makefile.am                 |  7 ++++
 src/ck-manager.c                | 71 ++++++++++++++++++++++++++++++++++++++++-
 tools/solaris/ck-system-restart | 11 +------
 tools/solaris/ck-system-stop    | 11 +------
 6 files changed, 110 insertions(+), 22 deletions(-)

diff --git a/configure.ac b/configure.ac
index 5bc018d..b814569 100644
--- a/configure.ac
+++ b/configure.ac
@@ -53,8 +53,18 @@ PKG_CHECK_MODULES(CONSOLE_KIT,
   dbus-glib-1 >= $DBUS_REQUIRED_VERSION
   gobject-2.0 >= $GLIB_REQUIRED_VERSION
   gthread-2.0 >= $GLIB_REQUIRED_VERSION
-  polkit >= $POLKIT_REQUIRED_VERSION
 )
+
+PKG_CHECK_MODULES(POLKIT,
+  polkit >= $POLKIT_REQUIRED_VERSION,
+  have_polkit=yes,
+  have_polkit=no)
+if test "x$have_polkit" = "xyes" ; then
+       AC_DEFINE(HAVE_POLKIT, [], [Define if we have polkit])
+fi
+AM_CONDITIONAL(HAVE_POLKIT, test x$have_polkit = xyes)
+AC_SUBST(HAVE_POLKIT)
+
 PKG_CHECK_MODULES(LIBDBUS,
   dbus-1 >= $DBUS_REQUIRED_VERSION
 )
@@ -281,6 +291,23 @@ if test "x$enable_inotify" = "xyes" ; then
 	AC_DEFINE(ENABLE_INOTIFY, [], [Define if we have inotify])
 fi
 
+dnl ---------------------------------------------------------------------------
+dnl check for RBAC
+dnl ---------------------------------------------------------------------------
+
+msg_rbac_shutdown=no
+AC_ARG_ENABLE(rbac-shutdown,
+	[AC_HELP_STRING([--enable-rbac-shutdown=<key>],
+	[Build with RBAC support specifying shutdown/reboot RBAC authentication key])],
+	enable_rbac_shutdown=$enableval,enable_rbac_shutdown=no)
+if test "x$enable_rbac_shutdown" != "xno"; then
+	RBAC_LIBS="-lsecdb -lsocket -lnsl"
+	AC_DEFINE(ENABLE_RBAC_SHUTDOWN, [], [Set if we build with RBAC support])
+	AC_DEFINE_UNQUOTED(RBAC_SHUTDOWN_KEY, "$enable_rbac_shutdown", [Set if we build with RBAC support])
+	msg_rbac_shutdown="yes, using key $enable_rbac_shutdown"
+fi
+AC_SUBST(RBAC_LIBS)
+
 dnl ---------------------------------------------------------------------------
 dnl Finish
 dnl ---------------------------------------------------------------------------
@@ -398,4 +425,5 @@ echo "
         PAM module dir:           ${PAM_MODULE_DIR}
         Build PAM module:         ${msg_pam_module}
         Build docs:               ${enable_docbook_docs}
+        Build with RBAC:          ${msg_rbac_shutdown}
 "
diff --git a/data/Makefile.am b/data/Makefile.am
index dc1bf1a..ef13d8c 100644
--- a/data/Makefile.am
+++ b/data/Makefile.am
@@ -6,10 +6,12 @@ dbusconf_DATA = ConsoleKit.conf
 seatdir = $(sysconfdir)/ConsoleKit/seats.d
 seat_DATA = 00-primary.seat
 
+if HAVE_POLKIT
 polkit_policydir = $(datadir)/PolicyKit/policy
 dist_polkit_policy_DATA =	\
 	ConsoleKit.policy	\
 	$(NULL)
+endif
 
 servicedir = $(datadir)/dbus-1/system-services
 service_in_files = org.freedesktop.ConsoleKit.service.in
diff --git a/src/Makefile.am b/src/Makefile.am
index 2f0d42d..2f77c4f 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -10,6 +10,7 @@ INCLUDES =							\
 	-I.							\
 	-I$(srcdir)						\
 	$(CONSOLE_KIT_CFLAGS)					\
+	$(POLKIT_CFLAGS)					\
 	$(DISABLE_DEPRECATED_CFLAGS)				\
 	-DPREFIX=\""$(prefix)"\" 				\
 	-DBINDIR=\""$(bindir)"\"				\
@@ -129,6 +130,8 @@ EXTRA_console_kit_daemon_SOURCES = 	\
 
 console_kit_daemon_LDADD =	\
 	$(CONSOLE_KIT_LIBS)	\
+	$(POLKIT_LIBS)		\
+	$(RBAC_LIBS)		\
 	libck.la		\
 	libck-event-log.la	\
 	$(NULL)
@@ -147,6 +150,8 @@ test_event_logger_SOURCES = 		\
 
 test_event_logger_LDADD =		\
 	$(CONSOLE_KIT_LIBS)		\
+	$(POLKIT_LIBS)			\
+	$(RBAC_LIBS)			\
 	libck-event-log.la		\
 	$(NULL)
 
@@ -158,6 +163,7 @@ test_vt_monitor_SOURCES = 		\
 
 test_vt_monitor_LDADD =			\
 	$(CONSOLE_KIT_LIBS)		\
+	$(POLKIT_LIBS)			\
 	libck.la			\
 	$(NULL)
 
@@ -171,6 +177,7 @@ test_tty_idle_monitor_SOURCES = 	\
 
 test_tty_idle_monitor_LDADD =		\
 	$(CONSOLE_KIT_LIBS)		\
+	$(POLKIT_LIBS)			\
 	libck.la			\
 	$(NULL)
 
diff --git a/src/ck-manager.c b/src/ck-manager.c
index 5eac98f..c7c045b 100644
--- a/src/ck-manager.c
+++ b/src/ck-manager.c
@@ -39,7 +39,14 @@
 #include <dbus/dbus-glib.h>
 #include <dbus/dbus-glib-lowlevel.h>
 
+#ifdef HAVE_POLKIT
 #include <polkit/polkit.h>
+#endif
+
+#ifdef ENABLE_RBAC_SHUTDOWN
+#include <auth_attr.h>
+#include <secdb.h>
+#endif
 
 #include "ck-manager.h"
 #include "ck-manager-glue.h"
@@ -61,7 +68,9 @@
 
 struct CkManagerPrivate
 {
+#ifdef HAVE_POLKIT
         PolKitContext   *pol_ctx;
+#endif
 
         GHashTable      *seats;
         GHashTable      *sessions;
@@ -703,6 +712,7 @@ get_session_for_unix_process (CkManager *manager,
         return session;
 }
 
+#ifdef HAVE_POLKIT
 static PolKitSession *
 new_polkit_session_from_session (CkManager *manager,
                                  CkSession *ck_session)
@@ -1064,6 +1074,7 @@ _check_polkit_for_action (CkManager             *manager,
 
         return TRUE;
 }
+#endif
 
 /* adapted from PolicyKit */
 static gboolean
@@ -1201,6 +1212,47 @@ get_system_num_users (CkManager *manager)
         return num_users;
 }
 
+#ifdef ENABLE_RBAC_SHUTDOWN
+static gboolean
+check_rbac_permissions (CkManager *manager,
+                        DBusGMethodInvocation *context)
+{
+        const char *sender;
+        char       *username;
+        gboolean    res;
+        uid_t       uid;
+        pid_t       pid;
+
+        username = NULL;
+        sender   = dbus_g_method_get_sender (context);
+        res      = get_caller_info (manager,
+                                    sender,
+                                    &uid,
+                                    &pid);
+        if (!res) {
+                goto out;
+        }
+
+        username = get_user_name (uid);
+
+        if (username == NULL ||
+            !chkauthattr (RBAC_SHUTDOWN_KEY, username)) {
+                res = FALSE;
+                goto out;
+        }
+
+out:
+
+        if (res == TRUE)
+                g_debug ("User %s has RBAC permission to stop/restart", username);
+        else
+                g_debug ("User %s does not have RBAC permission to stop/restart", username);
+
+        g_free (username);
+        return res;
+}
+#endif
+
 /*
   Example:
   dbus-send --system --dest=org.freedesktop.ConsoleKit \
@@ -1227,11 +1279,17 @@ ck_manager_restart (CkManager             *manager,
 
         g_debug ("ConsoleKit Restart: %s", action);
 
+#ifdef HAVE_POLKIT
         res = _check_polkit_for_action (manager, context, action);
-
         if (! res) {
                 goto out;
         }
+#endif
+
+#ifdef ENABLE_RBAC_SHUTDOWN
+        if (!check_rbac_permissions (manager, context))
+                goto out;
+#endif
 
         g_debug ("ConsoleKit preforming Restart: %s", action);
 
@@ -1277,10 +1335,17 @@ ck_manager_stop (CkManager             *manager,
                 action = "org.freedesktop.consolekit.system.stop";
         }
 
+#ifdef HAVE_POLKIT
         res = _check_polkit_for_action (manager, context, action);
         if (! res) {
                 goto out;
         }
+#endif
+
+#ifdef ENABLE_RBAC_SHUTDOWN
+        if (!check_rbac_permissions (manager, context))
+                goto out;
+#endif
 
         g_debug ("Stopping system");
         error = NULL;
@@ -2296,6 +2361,7 @@ bus_name_owner_changed (DBusGProxy  *bus_proxy,
                    service_name, old_service_name, new_service_name);
 }
 
+#ifdef HAVE_POLKIT
 static gboolean
 pk_io_watch_have_data (GIOChannel  *channel,
                        GIOCondition condition,
@@ -2338,18 +2404,21 @@ pk_io_remove_watch (PolKitContext *pk_context,
 {
         g_source_remove (watch_id);
 }
+#endif
 
 static gboolean
 register_manager (CkManager *manager)
 {
         GError *error = NULL;
 
+#ifdef HAVE_POLKIT
         manager->priv->pol_ctx = polkit_context_new ();
         polkit_context_set_io_watch_functions (manager->priv->pol_ctx, pk_io_add_watch, pk_io_remove_watch);
         if (! polkit_context_init (manager->priv->pol_ctx, NULL)) {
                 g_critical ("cannot initialize libpolkit");
                 return FALSE;
         }
+#endif
 
         error = NULL;
         manager->priv->connection = dbus_g_bus_get (DBUS_BUS_SYSTEM, &error);
diff --git a/tools/solaris/ck-system-restart b/tools/solaris/ck-system-restart
index 8e0664e..c61799f 100755
--- a/tools/solaris/ck-system-restart
+++ b/tools/solaris/ck-system-restart
@@ -1,12 +1,3 @@
 #!/bin/sh
 
-#Try for common tools
-if [ -x "/sbin/shutdown" ] ; then
-	/sbin/shutdown -r now
-	exit $?
-elif [ -x "/usr/sbin/shutdown" ] ; then
-	/usr/sbin/shutdown -r now
-	exit $?
-else
-	exit 1
-fi
+/sbin/init 6
diff --git a/tools/solaris/ck-system-stop b/tools/solaris/ck-system-stop
index e26bca3..d5b2fde 100755
--- a/tools/solaris/ck-system-stop
+++ b/tools/solaris/ck-system-stop
@@ -1,12 +1,3 @@
 #!/bin/sh
 
-#Try for common tools
-if [ -x "/sbin/shutdown" ] ; then
-	/sbin/shutdown -h now
-	exit $?
-elif [ -x "/usr/sbin/shutdown" ] ; then
-	/usr/sbin/shutdown -h now
-	exit $?
-else
-	exit 1
-fi
+/sbin/init 5
-- 
cgit