Accepting request 1112287 from home:lnussel:branches:Base:System

- change /usr/share/polkit-1/rules.d to 555,root:root. /usr content
  isn't secret anyway so this avoids non-root owned files in /usr
  (boo#1215482)
- update 50-default.rules to allow adding more admin rules
  (jsc#PED-260, drop polkit-no-wheel-group.patch)

OBS-URL: https://build.opensuse.org/request/show/1112287
OBS-URL: https://build.opensuse.org/package/show/Base:System/polkit?expand=0&rev=186

50-default.rules

@@ -0,0 +1,14 @@
+/* make sure that users that are in an admin group always authenticate with
+ * their own password and don't get a choice. Users not in an admin group get
+ * the full choice and may also authenticate as root */
+polkit._suse_admin_groups = [];
+polkit.addAdminRule(function(action, subject) {
+	var rules = ["unix-user:0"];
+	for (var i in polkit._suse_admin_groups) {
+		var g = polkit._suse_admin_groups[i];
+		if (subject.isInGroup(g))
+			return ["unix-user:"+subject.user];
+		rules.push("unix-group:"+g);
+	}
+	return rules;
+});

polkit-no-wheel-group.patch

@@ -1,9 +0,0 @@
---- a/src/polkitbackend/50-default.rules
-+++ b/src/polkitbackend/50-default.rules
-@@ -8,5 +8,5 @@
- // about configuring polkit.
- 
- polkit.addAdminRule(function(action, subject) {
--    return ["unix-group:wheel"];
-+    return ["unix-user:0"];
- });

polkit.changes

@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Tue Sep 19 12:24:38 UTC 2023 - Ludwig Nussel <lnussel@suse.com>
+
+- change /usr/share/polkit-1/rules.d to 555,root:root. /usr content
+  isn't secret anyway so this avoids non-root owned files in /usr
+  (boo#1215482)
+- update 50-default.rules to allow adding more admin rules
+  (jsc#PED-260, drop polkit-no-wheel-group.patch)
+
 -------------------------------------------------------------------
 Wed Mar 29 13:37:25 UTC 2023 - Johannes Segitz <jsegitz@suse.com>
 

polkit.spec

@@ -31,6 +31,7 @@ Source0:        https://www.freedesktop.org/software/polkit/releases/%{name}-%{v
 Source1:        https://www.freedesktop.org/software/polkit/releases/%{name}-%{version}.tar.gz.sign
 Source2:        %{name}.keyring
 Source3:        system-user-polkitd.conf
+Source4:        50-default.rules
 Source99:       baselibs.conf
 
 # Upstream First - Policy:
@@ -38,8 +39,6 @@ Source99:       baselibs.conf
 # in the patch. Any patches added here without a very good reason to make
 # an exception will be silently removed with the next version update.
 
-# PATCH-FIX-OPENSUSE polkit-no-wheel-group.patch vuntz@opensuse.org -- In openSUSE, there's no special meaning for the wheel group, so we shouldn't allow it to be admin
-Patch0:         polkit-no-wheel-group.patch
 # PATCH-FIX-OPENSUSE polkit-gettext.patch lnussel@suse.de -- allow fallback to gettext for polkit action translations
 # polkit-use-gettext-as-fallback.patch
 Patch1:         polkit-gettext.patch
@@ -198,9 +197,8 @@ This package provides the GObject Introspection bindings for PolicyKit.
 # create $HOME for polkit user
 install -d %{buildroot}%{_localstatedir}/lib/polkit
 
-# We use /usr/share as prefix for the rules.d directory
-mv %{buildroot}%{_sysconfdir}/polkit-1/rules.d/50-default.rules \
-   %{buildroot}%{_polkit_rulesdir}/50-default.rules
+rm %{buildroot}%{_sysconfdir}/polkit-1/rules.d/50-default.rules
+install -m0644 %{SOURCE4} %{buildroot}%{_polkit_rulesdir}/50-default.rules
 
 # Install the polkitd user creation file:
 mkdir -p %{buildroot}%{_sysusersdir}
@@ -264,8 +262,8 @@ mkdir %{buildroot}/%{_sysconfdir}/polkit-1/actions
 %{_datadir}/polkit-1/policyconfig-1.dtd
 %dir %{_datadir}/polkit-1/actions
 %{_datadir}/polkit-1/actions/org.freedesktop.policykit.policy
-%attr(0750,root,polkitd) %dir %{_polkit_rulesdir}
-%attr(0640,root,polkitd) %{_polkit_rulesdir}/50-default.rules
+%attr(0555,root,root) %dir %{_polkit_rulesdir}
+ %{_polkit_rulesdir}/50-default.rules
 %{_pam_vendordir}/polkit-1
 %dir %{_sysconfdir}/polkit-1
 %attr(0750,root,polkitd) %dir %{_sysconfdir}/polkit-1/rules.d