From 456065f3f8d9ba785b0d2d9dc247fc9fb4fe9ba0 Mon Sep 17 00:00:00 2001
From: William Jon McCann <jmccann@redhat.com>
Date: Wed, 30 Jul 2008 18:06:31 -0400
Subject: don't allow reboot if PolicyKit and RBAC are disabled

---
 configure.ac     | 11 ++++++++++-
 src/ck-manager.c | 27 ++++++++++++++-------------
 2 files changed, 24 insertions(+), 14 deletions(-)

diff --git a/configure.ac b/configure.ac
index e0b7e98..b540f24 100644
--- a/configure.ac
+++ b/configure.ac
@@ -431,5 +431,14 @@ echo "
         PAM module dir:           ${PAM_MODULE_DIR}
         Build PAM module:         ${msg_pam_module}
         Build docs:               ${enable_docbook_docs}
-        Build with RBAC:          ${msg_rbac_shutdown}
+
+        PolicyKit support         ${have_polkit}
+        RBAC (Solaris) support:   ${msg_rbac_shutdown}
 "
+if test x${have_polkit} = xno -a x${msg_rbac_shutdown} = xno; then
+   echo "WARNING: PolicyKit and RBAC are disabled. You need to manually edit the ConsoleKit.conf"
+   echo "         file to lock down the service. Failure to do so may be"
+   echo "         a huge SECURITY HOLE. I repeat: YOU NEED TO EDIT THE FILE"
+   echo "         ConsoleKit.conf to match your distro/site to avoid NASTY SECURITY HOLES."
+   echo ""
+fi
\ No newline at end of file
diff --git a/src/ck-manager.c b/src/ck-manager.c
index a9fa6bd..bcb9350 100644
--- a/src/ck-manager.c
+++ b/src/ck-manager.c
@@ -39,11 +39,9 @@
 #include <dbus/dbus-glib.h>
 #include <dbus/dbus-glib-lowlevel.h>
 
-#ifdef HAVE_POLKIT
+#if defined HAVE_POLKIT
 #include <polkit/polkit.h>
-#endif
-
-#ifdef ENABLE_RBAC_SHUTDOWN
+#elif defined ENABLE_RBAC_SHUTDOWN
 #include <auth_attr.h>
 #include <secdb.h>
 #endif
@@ -1340,17 +1338,18 @@ ck_manager_restart (CkManager             *manager,
 
         g_debug ("ConsoleKit Restart: %s", action);
 
-#ifdef HAVE_POLKIT
+#if defined HAVE_POLKIT
         res = _check_polkit_for_action (manager, context, action);
         if (! res) {
                 goto out;
         }
-#endif
-
-#ifdef ENABLE_RBAC_SHUTDOWN
+#elif defined ENABLE_RBAC_SHUTDOWN
         if (! check_rbac_permissions (manager, context)) {
                 goto out;
         }
+#else
+        g_warning ("Compiled without PolicyKit or RBAC support!");
+        goto out;
 #endif
 
         g_debug ("ConsoleKit preforming Restart: %s", action);
@@ -1399,16 +1398,18 @@ ck_manager_stop (CkManager             *manager,
                 action = "org.freedesktop.consolekit.system.stop";
         }
 
-#ifdef HAVE_POLKIT
+#if defined HAVE_POLKIT
         res = _check_polkit_for_action (manager, context, action);
         if (! res) {
                 goto out;
         }
-#endif
-
-#ifdef ENABLE_RBAC_SHUTDOWN
-        if (!check_rbac_permissions (manager, context))
+#elif defined  ENABLE_RBAC_SHUTDOWN
+        if (!check_rbac_permissions (manager, context)) {
                 goto out;
+        }
+#else
+        g_warning ("Compiled without PolicyKit or RBAC support!");
+        goto out;
 #endif
 
         g_debug ("Stopping system");
-- 
cgit