pool/polkit
SHA256
3
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

- BuildRequire gettext-devel instead of gettext: Allows OBS to

Browse Source 
shortcut throught gettext-runtime-mini.

OBS-URL: https://build.opensuse.org/package/show/Base:System/polkit?expand=0&rev=195
This commit is contained in:
Bjørn Lie 2024-08-14 12:50:59 +00:00 committed by Git OBS Bridge
commit 600cfd932c
12 changed files with 1543 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
.gitattributes vendored Normal file
View File

@ -0,0 +1,23 @@
## Default LFS
*.7z filter=lfs diff=lfs merge=lfs -text
*.bsp filter=lfs diff=lfs merge=lfs -text
*.bz2 filter=lfs diff=lfs merge=lfs -text
*.gem filter=lfs diff=lfs merge=lfs -text
*.gz filter=lfs diff=lfs merge=lfs -text
*.jar filter=lfs diff=lfs merge=lfs -text
*.lz filter=lfs diff=lfs merge=lfs -text
*.lzma filter=lfs diff=lfs merge=lfs -text
*.obscpio filter=lfs diff=lfs merge=lfs -text
*.oxt filter=lfs diff=lfs merge=lfs -text
*.pdf filter=lfs diff=lfs merge=lfs -text
*.png filter=lfs diff=lfs merge=lfs -text
*.rpm filter=lfs diff=lfs merge=lfs -text
*.tbz filter=lfs diff=lfs merge=lfs -text
*.tbz2 filter=lfs diff=lfs merge=lfs -text
*.tgz filter=lfs diff=lfs merge=lfs -text
*.ttf filter=lfs diff=lfs merge=lfs -text
*.txz filter=lfs diff=lfs merge=lfs -text
*.whl filter=lfs diff=lfs merge=lfs -text
*.xz filter=lfs diff=lfs merge=lfs -text
*.zip filter=lfs diff=lfs merge=lfs -text
*.zst filter=lfs diff=lfs merge=lfs -text

1
.gitignore vendored Normal file
View File

@ -0,0 +1 @@
.osc

14
50-default.rules Normal file
View File

@ -0,0 +1,14 @@
/* make sure that users that are in an admin group always authenticate with
* their own password and don't get a choice. Users not in an admin group get
* the full choice and may also authenticate as root */
polkit._suse_admin_groups = [];
polkit.addAdminRule(function(action, subject) {
var rules = ["unix-user:0"];
for (var i in polkit._suse_admin_groups) {
var g = polkit._suse_admin_groups[i];
if (subject.isInGroup(g))
return ["unix-user:"+subject.user];
rules.push("unix-group:"+g);
}
return rules;
});

4
baselibs.conf Normal file
View File

@ -0,0 +1,4 @@
libpolkit-agent-1-0
obsoletes "libpolkit0-<targettype> < <version>"
libpolkit-gobject-1-0
obsoletes "libpolkit0-<targettype> < <version>"

BIN
polkit-123.tar.bz2 (Stored with Git LFS) Normal file
View File

Binary file not shown.

227
polkit-actions-in-etc.patch Normal file
View File

@ -0,0 +1,227 @@
diff --git a/docs/man/polkit.xml b/docs/man/polkit.xml
index 90715a5..10dd217 100644
--- a/docs/man/polkit.xml
+++ b/docs/man/polkit.xml
@@ -104,6 +104,7 @@ System Context | |
+------------------+ |
^ |
| +--------------------------------------+
+ | | /etc/polkit-1/actions/*.policy |
| | /usr/share/polkit-1/actions/*.policy |
| +--------------------------------------+
|
diff --git a/src/polkitbackend/polkitbackendactionpool.c b/src/polkitbackend/polkitbackendactionpool.c
index 3894fe9..17652e6 100644
--- a/src/polkitbackend/polkitbackendactionpool.c
+++ b/src/polkitbackend/polkitbackendactionpool.c
@@ -91,8 +91,10 @@ typedef struct
{
/* directory with .policy files, e.g. /usr/share/polkit-1/actions */
GFile *directory;
+ GFile *directory_alt;
GFileMonitor *dir_monitor;
+ GFileMonitor *dir_monitor_alt;
/* maps from action_id to a ParsedAction struct */
GHashTable *parsed_actions;
@@ -109,6 +111,8 @@ enum
{
PROP_0,
PROP_DIRECTORY,
+ /* TODO combine into PROP_DIRECTORIES? */
+ PROP_DIRECTORY_ALT,
};
#define POLKIT_BACKEND_ACTION_POOL_GET_PRIVATE(o) (G_TYPE_INSTANCE_GET_PRIVATE ((o), POLKIT_BACKEND_TYPE_ACTION_POOL, PolkitBackendActionPoolPrivate))
@@ -153,9 +157,15 @@ polkit_backend_action_pool_finalize (GObject *object)
if (priv->directory != NULL)
g_object_unref (priv->directory);
+ if (priv->directory_alt != NULL)
+ g_object_unref (priv->directory_alt);
+
if (priv->dir_monitor != NULL)
g_object_unref (priv->dir_monitor);
+ if (priv->dir_monitor_alt != NULL)
+ g_object_unref (priv->dir_monitor_alt);
+
if (priv->parsed_actions != NULL)
g_hash_table_unref (priv->parsed_actions);
@@ -183,6 +193,10 @@ polkit_backend_action_pool_get_property (GObject *object,
g_value_set_object (value, priv->directory);
break;
+ case PROP_DIRECTORY_ALT:
+ g_value_set_object (value, priv->directory_alt);
+ break;
+
default:
G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
break;
@@ -274,6 +288,28 @@ polkit_backend_action_pool_set_property (GObject *object,
}
break;
+ case PROP_DIRECTORY_ALT:
+ priv->directory_alt = g_value_dup_object (value);
+
+ error = NULL;
+ priv->dir_monitor_alt = g_file_monitor_directory (priv->directory_alt,
+ G_FILE_MONITOR_NONE,
+ NULL,
+ &error);
+ if (priv->dir_monitor_alt == NULL)
+ {
+ g_warning ("Error monitoring actions alt directory: %s", error->message);
+ g_error_free (error);
+ }
+ else
+ {
+ g_signal_connect (priv->dir_monitor_alt,
+ "changed",
+ (GCallback) dir_monitor_changed,
+ pool);
+ }
+ break;
+
default:
G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
break;
@@ -308,6 +344,18 @@ polkit_backend_action_pool_class_init (PolkitBackendActionPoolClass *klass)
G_PARAM_STATIC_NICK |
G_PARAM_STATIC_BLURB));
+ g_object_class_install_property (gobject_class,
+ PROP_DIRECTORY_ALT,
+ g_param_spec_object ("directoryalt",
+ "DirectoryAlt",
+ "Alternative directory to load action description files from",
+ G_TYPE_FILE,
+ G_PARAM_READWRITE |
+ G_PARAM_CONSTRUCT_ONLY |
+ G_PARAM_STATIC_NAME |
+ G_PARAM_STATIC_NICK |
+ G_PARAM_STATIC_BLURB));
+
/**
* PolkitBackendActionPool::changed:
* @action_pool: A #PolkitBackendActionPool.
@@ -334,12 +382,13 @@ polkit_backend_action_pool_class_init (PolkitBackendActionPoolClass *klass)
* Returns: A #PolkitBackendActionPool. Free with g_object_unref().
**/
PolkitBackendActionPool *
-polkit_backend_action_pool_new (GFile *directory)
+polkit_backend_action_pool_new (GFile *directory, GFile *directory_alt)
{
PolkitBackendActionPool *pool;
pool = POLKIT_BACKEND_ACTION_POOL (g_object_new (POLKIT_BACKEND_TYPE_ACTION_POOL,
"directory", directory,
+ "directoryalt", directory_alt,
NULL));
return pool;
@@ -505,12 +554,14 @@ ensure_all_files (PolkitBackendActionPool *pool)
{
PolkitBackendActionPoolPrivate *priv;
GFileEnumerator *e;
+ GFileEnumerator *e_alt;
GFileInfo *file_info;
GError *error;
priv = POLKIT_BACKEND_ACTION_POOL_GET_PRIVATE (pool);
e = NULL;
+ e_alt = NULL;
if (priv->has_loaded_all_files)
goto out;
@@ -548,12 +599,48 @@ ensure_all_files (PolkitBackendActionPool *pool)
} /* for all files */
+ /* TODO priority for files in /etc */
+
+ e_alt = g_file_enumerate_children (priv->directory_alt,
+ "standard::name",
+ G_FILE_QUERY_INFO_NONE,
+ NULL,
+ &error);
+ if (error != NULL)
+ {
+ g_warning ("Error enumerating files: %s", error->message);
+ goto out;
+ }
+
+ while ((file_info = g_file_enumerator_next_file (e_alt, NULL, &error)) != NULL)
+ {
+ const gchar *name;
+
+ name = g_file_info_get_name (file_info);
+ /* only consider files with the right suffix */
+ if (g_str_has_suffix (name, ".policy"))
+ {
+ GFile *file;
+
+ file = g_file_get_child (priv->directory_alt, name);
+
+ ensure_file (pool, file);
+
+ g_object_unref (file);
+ }
+
+ g_object_unref (file_info);
+
+ } /* for all files */
+
priv->has_loaded_all_files = TRUE;
out:
if (e != NULL)
g_object_unref (e);
+ if (e_alt != NULL)
+ g_object_unref (e_alt);
}
/* ---------------------------------------------------------------------------------------------------- */
diff --git a/src/polkitbackend/polkitbackendactionpool.h b/src/polkitbackend/polkitbackendactionpool.h
index e992eea..9ccb526 100644
--- a/src/polkitbackend/polkitbackendactionpool.h
+++ b/src/polkitbackend/polkitbackendactionpool.h
@@ -64,7 +64,7 @@ struct _PolkitBackendActionPoolClass
};
GType polkit_backend_action_pool_get_type (void) G_GNUC_CONST;
-PolkitBackendActionPool *polkit_backend_action_pool_new (GFile *directory);
+PolkitBackendActionPool *polkit_backend_action_pool_new (GFile *directory, GFile *directory_alt);
GList *polkit_backend_action_pool_get_all_actions (PolkitBackendActionPool *pool,
const gchar *locale);
diff --git a/src/polkitbackend/polkitbackendinteractiveauthority.c b/src/polkitbackend/polkitbackendinteractiveauthority.c
index 1cfc88e..a975cac 100644
--- a/src/polkitbackend/polkitbackendinteractiveauthority.c
+++ b/src/polkitbackend/polkitbackendinteractiveauthority.c
@@ -292,6 +292,7 @@ polkit_backend_interactive_authority_init (PolkitBackendInteractiveAuthority *au
{
PolkitBackendInteractiveAuthorityPrivate *priv;
GFile *directory;
+ GFile *directory_alt;
GError *error;
/* Force registering error domain */
@@ -300,8 +301,10 @@ polkit_backend_interactive_authority_init (PolkitBackendInteractiveAuthority *au
priv = POLKIT_BACKEND_INTERACTIVE_AUTHORITY_GET_PRIVATE (authority);
directory = g_file_new_for_path (PACKAGE_DATA_DIR "/polkit-1/actions");
- priv->action_pool = polkit_backend_action_pool_new (directory);
+ directory_alt = g_file_new_for_path (PACKAGE_SYSCONF_DIR "/polkit-1/actions");
+ priv->action_pool = polkit_backend_action_pool_new (directory, directory_alt);
g_object_unref (directory);
+ g_object_unref (directory_alt);
g_signal_connect (priv->action_pool,
"changed",
(GCallback) action_pool_changed,

22
polkit-adjust-libexec-path.patch Normal file
View File

@ -0,0 +1,22 @@
--- a/src/polkitagent/polkitagentsession.c
+++ b/src/polkitagent/polkitagentsession.c
@@ -596,7 +596,7 @@ polkit_agent_session_initiate (PolkitAge
goto error;
}
- helper_argv[0] = PACKAGE_PREFIX "/lib/polkit-1/polkit-agent-helper-1";
+ helper_argv[0] = PACKAGE_PREFIX "/libexec/polkit-1/polkit-agent-helper-1";
helper_argv[1] = passwd->pw_name;
helper_argv[2] = NULL;
--- a/meson.build
+++ b/meson.build
@@ -28,7 +28,7 @@ pk_sysconfdir = get_option('sysconfdir')
pk_pkgdatadir = pk_datadir / pk_api_name
pk_pkgincludedir = pk_includedir / pk_api_name
# note that this is always 'lib', not lib64 or lib/x86_64-linux-gnu
-pk_libprivdir = 'lib' / pk_api_name
+pk_libprivdir = 'libexec' / pk_api_name
pk_pkgsysconfdir = pk_sysconfdir / pk_api_name
pk_actiondir = pk_api_name / 'actions'

57
polkit-gettext.patch Normal file
View File

@ -0,0 +1,57 @@
From fea7159b7cc50deb7298b2858e125fb623012549 Mon Sep 17 00:00:00 2001
From: Ludwig Nussel <ludwig.nussel@suse.de>
Date: Tue, 13 Jun 2017 18:28:28 +0200
Subject: [PATCH] Use gettext as fallback for translations
Upstream polkit action files do not necessarily contain translations for
all languages a distribution supports. And even if all translations are
contained in the head branch, distributions sometimes need to ship older
versions of packages. In order to allow retrofitting translations and
shipping language packs for polkit actions without having to patch and
rebuild packages gettext could be used as fallback. That way only
additional .mo files have to be installed.
So this patch makes polkit call into gettext with the domain
'polkit-action-distro-translations' if an xml doesn't contain
translations for the requested language.
---
src/polkitbackend/polkitbackendactionpool.c | 17 +++++++++++++++--
1 file changed, 15 insertions(+), 2 deletions(-)
diff --git a/src/polkitbackend/polkitbackendactionpool.c b/src/polkitbackend/polkitbackendactionpool.c
index 3894fe9..9252788 100644
--- a/src/polkitbackend/polkitbackendactionpool.c
+++ b/src/polkitbackend/polkitbackendactionpool.c
@@ -24,6 +24,7 @@
#include <pwd.h>
#include <string.h>
#include <expat.h>
+#include <locale.h>
#include <polkit/polkit.h>
#include <polkit/polkitprivate.h>
@@ -1132,8 +1133,20 @@ _localize (GHashTable *translations,
if (result != NULL)
goto out;
- /* fall back to untranslated */
- result = untranslated;
+ /* try distro provided language bundle via gettext */
+
+ /* Set LANG and locale so g_dgettext() + friends work below */
+ if (setlocale (LC_ALL, lang) == NULL)
+ {
+ g_printerr ("Invalid locale '%s'\n", lang);
+ }
+ g_setenv ("LANG", lang, TRUE);
+
+ result = g_dgettext ("polkit-action-distro-translations", untranslated);
+
+ /* Back to C! */
+ setlocale (LC_ALL, "C");
+ g_setenv ("LANG", "C", TRUE);
out:
return result;
--
2.12.2

9
polkit-keyinit.patch Normal file
View File

@ -0,0 +1,9 @@
Index: polkit-0.116/data/polkit-1.in
===================================================================
--- polkit-0.116.orig/data/polkit-1.in
+++ polkit-0.116/data/polkit-1.in
@@ -4,3 +4,4 @@ auth include @PAM_FILE_INCLUD
account include @PAM_FILE_INCLUDE_ACCOUNT@
password include @PAM_FILE_INCLUDE_PASSWORD@
session include @PAM_FILE_INCLUDE_SESSION@
+session optional pam_keyinit.so revoke [force]

880
polkit.changes Normal file
View File

@ -0,0 +1,880 @@
-------------------------------------------------------------------
Wed Aug 14 12:33:37 UTC 2024 - Dominique Leuenberger <dimstar@opensuse.org>
- BuildRequire gettext-devel instead of gettext: Allows OBS to
shortcut throught gettext-runtime-mini.
-------------------------------------------------------------------
Fri Jul 12 12:53:13 UTC 2024 - Martin Jambor <mjambor@suse.com>
- Add -Wno-error=implicit-function-declaration to %optflags to
work-around an issue in mocklibc (which has been meanwhile removed
by upstream) with exactly this kind of issue.
-------------------------------------------------------------------
Fri Dec 8 22:20:51 UTC 2023 - Tobias Klausmann <tobias.klausmann@freenet.de>
- Add 'dbus-service' as Requires instead of /usr/bin/dbus-daemon
This allow to use other dbus implementations such as dbus-broker with this
package again. (bsc#1217863)
-------------------------------------------------------------------
Fri Sep 29 09:56:41 UTC 2023 - Bjørn Lie <bjorn.lie@gmail.com>
- Update to version 123:
+ Highlights:
- better safety with deeper restriction of the configuration
files
- better safety with restricting the daemon's owner under
systemd
- better safety with the systemd unit sandboxing
- less thread races during upload of the configuration
- Changes from version 122:
+ Highlights:
- new Georgian translation
- port to mozjs-102
- daemon-less build (support for e.g. flatpak deps)
- re-enable of (API) documentation build
- See more detailed changes in the included NEWS.md file.
- Change URL and Source to new home, and drop polkit.keyring and
tar.gz.sign tarball signature, no longer available.
- Drop polkit-fix-pam-prefix.patch: Fixed upstream.
- Add /usr/bin/dbus-daemon BuildRequires, needed for tests. Replace
the dbus-1 with /usr/bin/dbus-daemon Requires.
-------------------------------------------------------------------
Tue Sep 19 12:24:38 UTC 2023 - Ludwig Nussel <lnussel@suse.com>
- change /usr/share/polkit-1/rules.d to 555,root:root. /usr content
isn't secret anyway so this avoids non-root owned files in /usr
(boo#1215482)
- update 50-default.rules to allow adding more admin rules
(jsc#PED-260, drop polkit-no-wheel-group.patch)
-------------------------------------------------------------------
Wed Mar 29 13:37:25 UTC 2023 - Johannes Segitz <jsegitz@suse.com>
- Change permissions for rules folders (bsc#1209282)
-------------------------------------------------------------------
Wed Nov 09 07:39:53 CET 2022 - aschnell@suse.com
- read actions also from /etc/polkit-1/actions (jsc#PED-1405)
added polkit-actions-in-etc.patch
-------------------------------------------------------------------
Thu Sep 15 13:26:34 UTC 2022 - Marcus Meissner <meissner@suse.com>
- obsolete libpolkit0 also from baselibs.
-------------------------------------------------------------------
Tue Aug 9 06:11:08 UTC 2022 - Luciano Santos <luc14n0@opensuse.org>
- Update to version 121:
+ Addition of duktape as a JS engine backend.
+ Other small fixes and improvements. For more details, visit:
gitlab.freedesktop.org/polkit/polkit/-/blob/121/NEWS.md
+ Updated translations.
- Drop merged-upstream patches:
+ CVE-2021-4034-pkexec-fix.patch;
+ 0001-CVE-2021-4115-GHSL-2021-077-fix.patch;
+ duktape-support.patch;
+ pkexec.patch.
- Replace Intltool with Gettext as a build requirement following
the migration from last release (0.120).
- Add Meson as a build requirement while dropping Libtool and
replace all Autotools macros with Meson ones. And pass the
following options to Meson: session_tracking=libsystemd-login;
systemdsystemunitdir=%{_unitdir}; os_type=suse;
pam_module_dir=%{_pam_moduledir}; pam_prefix=%{_pam_vendordir};
examples=true; tests=true; gtk_doc=true; man=true and
js_engine=duktape.
- Drop no longer needed Libtool as a build requirement, following
Autotools replacement.
- Add explicit pkgconfig module build requirements for glib-2.0 and
gobject-2.0 that are searched by the build scripts. They were
already being pulled by their siblings [pkgconfig(gio-2.0) and
pkgconfig(gio-unix-2.0)].
- Drop conditional macro, which was wrapping "BuildArch: noarch"
for the doc subpackage, based on long gone EOLed (open)SUSE
release (11.2).
- Add missing 'Requires(post): permissions' for the pkexec
subpackage.
- Add python3-dbus-python and python3-python-dbusmock as build
requirements in order to run test in the check section.
- Add polkit-fix-pam-prefix.patch to use the value of pam_prefix
Meson option, like it was designed to, rather than hard-coded
path for pam configuration files.
- Remove unneeded executable bit from 50-default.rules file.
-------------------------------------------------------------------
Mon Aug 8 07:28:25 UTC 2022 - Thorsten Kukuk <kukuk@suse.com>
- Use %_pam_vendordir
-------------------------------------------------------------------
Wed Aug 3 12:03:30 UTC 2022 - Marcus Meissner <meissner@suse.com>
- add split-provides for polkit:/usr/bin/pkexec. (bsc#1202070)
-------------------------------------------------------------------
Mon Jul 18 09:38:28 UTC 2022 - Marcus Meissner <meissner@suse.com>
- split out pkexec into seperate package to make system hardening
easier (to avoid installing it jsc#PED-132 jsc#PED-148).
-------------------------------------------------------------------
Tue Feb 22 10:48:15 UTC 2022 - Marcus Meissner <meissner@suse.com>
- Fixed denial of service via file descriptor leak (bsc#1195542 CVE-2021-4115)
0001-CVE-2021-4115-GHSL-2021-077-fix.patch
-------------------------------------------------------------------
Wed Jan 26 11:44:35 UTC 2022 - Fabian Vogt <fvogt@suse.com>
- Switch from mozjs to duktape:
* Add duktape-support.patch
-------------------------------------------------------------------
Tue Jan 25 18:15:16 UTC 2022 - Marcus Meissner <meissner@suse.com>
- Fixed pkexec Local Privilege Escalation aka pwnkit (CVE-2021-4034 bsc#1194568)
CVE-2021-4034-pkexec-fix.patch
-------------------------------------------------------------------
Mon Dec 6 10:27:20 UTC 2021 - Dirk Müller <dmueller@suse.com>
- update to 0.120:
* transition from Intltool to gettext
* several tarball, meson and pipeline fixups
* Portuguese translation
* Romanian translation
* meson build system added
* CVE-2021-3560 mitigation
* properties in text listener
* typos fixups
* Update Hungarian translation
- drop CVE-2021-3560.patch (upstream)
-------------------------------------------------------------------
Wed Oct 20 15:12:07 UTC 2021 - Marcus Meissner <meissner@suse.com>
- fork libpolkit0 package into libpolkit-agent-1-0 and libpolkit-gobject-1-0
as mandated. bsc#1191781
-------------------------------------------------------------------
Sun Jul 18 12:16:13 UTC 2021 - Callum Farmer <gmbr3@opensuse.org>
- Change to using systemd-sysusers
- Remove unneeded shadow dependency, no longer required due to
systemd-sysusers
- Fix 50-default.rules file-parent-ownership-mismatch warning
- Remove --with-pic, no effect with --disable-static
-------------------------------------------------------------------
Wed Jul 7 08:15:04 UTC 2021 - Stefan Schubert <schubi@suse.com
- Move /etc/polkit-1/rules.d/50-default.rules to
/usr/share/polkit-1/rules.d/50-default.rules. The first location
is only for admin changes.
-------------------------------------------------------------------
Wed Jun 9 07:09:16 UTC 2021 - Dominique Leuenberger <dimstar@opensuse.org>
- Fix verifyscript: the path to the binary was wrongly defined as
%{_libexecdir}/lib.
-------------------------------------------------------------------
Thu May 27 11:52:44 UTC 2021 - Marcus Meissner <meissner@suse.com>
- CVE-2021-3560: fixed a local privilege escalation using polkit_system_bus_name_get_creds_sync()
(bsc#1186497)
CVE-2021-3560.patch
-------------------------------------------------------------------
Thu Mar 11 22:21:07 UTC 2021 - Thorsten Kukuk <kukuk@suse.com>
- Move /etc/dbus-1/system.d to /usr/share/dbus-1/system.d, the
first location is only for admin changes
- Move pam configuration to /usr/etc/pam.d
-------------------------------------------------------------------
Mon Jan 4 09:51:04 UTC 2021 - Matthias Gerstner <matthias.gerstner@suse.com>
move to libexec dir is still not complete:
- add polkit-adjust-libexec-path.patch: There is another hard coded reference
of lib/ in the code that this patch addresses.
- also adjust invocation of %set_permissions and %verify_permissions to new
libexec dir location.
-------------------------------------------------------------------
Tue Dec 29 08:39:01 UTC 2020 - Matthias Gerstner <matthias.gerstner@suse.com>
- also set libprivdir during build, otherwhise systemd and D-Bus service files
contain the wrong path and we'll get runtime errors.
-------------------------------------------------------------------
Mon Dec 28 12:26:34 UTC 2020 - Matthias Gerstner <matthias.gerstner@suse.com>
- Install private binaries into libexec instead of into lib. For this an
override of the custom libprivdir variable is necessary, because upstream
explicitly moved away from libexecdir via upstram commit
6fbcc6cd839680fcefd81c4a43676e7c031c9859.
-------------------------------------------------------------------
Fri Oct 23 08:19:06 UTC 2020 - Bjørn Lie <bjorn.lie@gmail.com>
- Update to version 0.118:
+ Updated dependency to mozjs78.
+ Tarball fixes.
- Replace pkgconfig(mozjs-68) for pkgconfig(mozjs-78)
BuildRequires following upstreams port.
-------------------------------------------------------------------
Fri Jul 31 11:39:38 UTC 2020 - Bjørn Lie <bjorn.lie@gmail.com>
- Update to version 0.117:
+ Activated Gitlab CI.
+ Updated dependency to mozjs68.
+ Memory management fixes.
+ Updated translations.
- Replace pkgconfig(mozjs-60) for pkgconfig(mozjs-68)
BuildRequires following upstreams port.
-------------------------------------------------------------------
Fri Nov 29 10:36:53 UTC 2019 - Bjørn Lie <bjorn.lie@gmail.com>
- Fix usage of libexecdir instead of prefix/lib where applicable.
-------------------------------------------------------------------
Tue Oct 8 12:41:44 UTC 2019 - Marcus Meissner <meissner@suse.com>
- polkit-keyinit.patch: add pam_keyinit to the polkit configuration (bsc#1144053)
-------------------------------------------------------------------
Wed May 29 07:57:26 UTC 2019 - Bjørn Lie <bjorn.lie@gmail.com>
- Update to version 0.116:
+ Leaking zombie child processes.
+ Possible resource leak found by static analyzer.
+ Output messages tuneup.
+ Sanity fixes.
+ pkttyagent tty echo disabled on SIGINT.
+ HACKING: add link to Code of Conduct.
+ polkitbackend: comment typos fix.
+ configure.ac: fix detection of systemd with cgroups v2.
+ CVE-2018-19788 High UIDs overflow fix.
+ CVE-2019-6133 Slowfork vulnerability fix.
+ Allow unset process-uid.
+ Port the JS authority to mozjs-60.
+ Use JS_EncodeStringToUTF8.
+ Updated translations.
- Replace pkgconfig(mozjs-52) with pkgconfig(mozjs-60)
BuildRequires following upstreams changes.
- Drop patches fixed upstream:
+ polkit-fix-possible-resource-leak.patch
+ polkit-fix-leaking-zombie-child-processes.patch
+ polkit-CVE-2018-19788.patch
- Refresh patches with quilt.
-------------------------------------------------------------------
Fri May 10 14:44:20 UTC 2019 - Dominique Leuenberger <dimstar@opensuse.org>
- Use systemd_ordering instead of systemd_requires: strictly
speaking, polkit does not require systemd to be present. Just
that when we install on a system with systemd (e.g outside
containers) we would want systemd to be present before
installing polkit. Help also reduce a cycle without special hacks
in systemd.spec.
-------------------------------------------------------------------
Fri Apr 26 11:06:05 UTC 2019 - mvetter@suse.com
- bsc#1130588: Require shadow instead of old pwdutils
- User proper Requires(pre)/Requires(post) for permissions and
shadow
-------------------------------------------------------------------
Thu Dec 20 17:29:58 UTC 2018 - meissner@suse.com
- polkit-CVE-2018-19788.patch: Fixed handling of UIDs over MAX_UINT
(bsc#1118277 CVE-2018-19788)
-------------------------------------------------------------------
Fri Aug 17 07:56:08 UTC 2018 - bjorn.lie@gmail.com
- Add polkit-fix-possible-resource-leak.patch: Fix possible
resource leak found by static analyzer.
- Add polkit-fix-leaking-zombie-child-processes.patch: polkitd: fix
zombie not reaped when js spawned process timed out (fdo#106021).
-------------------------------------------------------------------
Wed Jul 11 10:48:37 UTC 2018 - meissner@suse.com
- Update to version 0.115:
- Fix CVE-2018-1116: Trusting client-supplied UID (bsc#1099031)
- jsauthority: pass "%s" format string to remaining report function
(obsoletes polkit-jsauthority-pass-format-string.patch)
-------------------------------------------------------------------
Mon Apr 9 22:38:39 UTC 2018 - bjorn.lie@gmail.com
- Update to version 0.114:
+ Port to mozjs 52, the latest version of the firefox JavaScript
engine.
+ Add gettext support for policy files.
+ Fixes for various memory leaks.
+ Updated translations.
- Update keyring with Ray Strode <halfline@gmail.com> public key.
- Drop with_systemd define and all conditionals and
polkit-no-systemd.patch and ConsoleKit BuildRequires, we only
support systemd now.
- Drop upstream fixed polkit-itstools.patch.
- Rebase pkexec.patch with quilt.
- Add gcc-c++ and pkgconfig(mozjs-52) BuildRequires: New
dependencies.
- Drop conditional pkgconfig(mozjs-17.0) and pkgconfig(mozjs185):
no longer supported.
- Drop autoconf and automake BuildRequires: They are implicit via
libtool BuildRequires.
- Replace glib2-devel and gobject-introspection-devel with their
pkgconfig counterparts: pkgconfig(gio-unix-2.0),
pkgconfig(gmodule-2.0) and pkgconfig(gobject-introspection-1.0).
- Add polkit-jsauthority-pass-format-string.patch: jsauthority:
pass "%s" format string to remaining report function, patch from
upstream git, adding missed commit (bgo#105865).
- Drop polkit-revert-session-magic.patch: Upstream systemd bug is
since a long time fixed (gh#systemd#58) (boo#954139).
-------------------------------------------------------------------
Thu Mar 1 11:23:00 UTC 2018 - schwab@suse.de
- pkexec.patch: pkexec: allow --version and --help even if not setuid
-------------------------------------------------------------------
Wed Feb 28 16:38:33 UTC 2018 - dimstar@opensuse.org
- Modernize spec-file by calling spec-cleaner
-------------------------------------------------------------------
Tue Aug 15 12:20:52 UTC 2017 - dimstar@opensuse.org
- Add polkit-itstools.patch: Add gettext support for .policy files.
-------------------------------------------------------------------
Tue Jun 13 15:25:58 UTC 2017 - lnussel@suse.de
- Use gettext as fallback to get potential distro translations for
polkit actions. Similar mechnism as used for desktop file
translations. That way it's possible to use weblate to add
additional translations that are not provided by upstream
(polkit-gettext.patch).
-------------------------------------------------------------------
Wed Jun 8 11:13:43 UTC 2016 - fbui@suse.com
- Use pkgconfig() instead of requiring systemd package names directly.
-------------------------------------------------------------------
Tue Jun 7 15:25:00 UTC 2016 - fbui@suse.com
- systemd.pc is shipped by systemd main package (bsc#983167)
Strangely polkit wants systemd.pc to detect that the target system
is running systemd even if its configured to build systemd support...
-------------------------------------------------------------------
Thu Nov 26 16:26:09 UTC 2015 - meissner@suse.com
- polkit-revert-session-magic.patch: revert a session detection change
that could lead to sessions not being detected as active due to
a systemd bug. bsc#954139
-------------------------------------------------------------------
Thu Aug 6 21:26:18 UTC 2015 - antoine.belvire@laposte.net
- Update to 0.113:
* Fix CVE-2015-4625
* Fix CVE-2015-3256
* Fix CVE-2015-3255
* Fix CVE-2015-3218
* On systemd-213 and later, the “active” state is shared across
all sessions of an user, instead of being tracked separately
* pkexec: when not given a program to execute, runs the users
shell by default
- Remove polkit-no-kded-leak.patch (upstreamed)
-------------------------------------------------------------------
Mon Jan 12 13:21:20 UTC 2015 - tchvatal@suse.com
- Try to fix kded leaking due to powerdevil exposing this issue in
polkit: (bsc#912889)
* polkit-no-kded-leak.patch
-------------------------------------------------------------------
Tue Dec 9 16:23:50 UTC 2014 - meissner@suse.com
- Added gpg signature and keyring with David Zeuthen and Miloslav Trmac
ids.
-------------------------------------------------------------------
Fri Sep 27 08:16:34 UTC 2013 - toms@opensuse.org
- Fixed URL
-------------------------------------------------------------------
Thu Sep 19 01:13:08 UTC 2013 - hrvoje.senjan@gmail.com
- Update to 0.112
+ polkitunixprocess: Deprecate racy APIs
+ pkcheck: Support --process=pid,start-time,uid syntax too
(CVE-2013-4288)
+ Use GOnce for interface type registration
+ Add czech translation po file to distribution
+ Update the czech once more with newest pot file
-------------------------------------------------------------------
Fri Jul 5 11:50:44 UTC 2013 - dimstar@opensuse.org
- On openSUSE 13.1+, switch from mozjs185 to mozjs-17.0 by:
+ Conditionally BuildRequire pkgconfig(mozjs-17.0).
- Drop libmozjs185-1_0 Recommends: the library is actually required
and auto-detected as such by rpm (from 0.111 changes: "The
JavaScript interpreter is now mandatory").
-------------------------------------------------------------------
Fri Jun 14 20:34:39 UTC 2013 - hrvoje.senjan@gmail.com
- Update to 0.111
+ Both js185 and mozjs17 versions of SpiderMonkey are supported
+ The JavaScript interpreter is now mandatory
+ Fixed various memory leaks
+ Respect SUID_CFLAGS and SUID_LDFLAGS
+ Set process environment from pam_getenvlist()
+ Fix the build with automake 1.13
- Drop polkit-suid_flags.patch and automake-113.patch, those
patches are included in this release
-------------------------------------------------------------------
Thu Apr 11 01:17:21 UTC 2013 - hrvoje.senjan@gmail.com
- Add automake-113.patch, fixes build with automake-1.13
-------------------------------------------------------------------
Mon Feb 18 19:47:33 UTC 2013 - gber@opensuse.org
- Recommend libmozjs185-1_0 which is dlopen'ed and required for JS
rules
-------------------------------------------------------------------
Mon Jan 14 15:51:20 UTC 2013 - hrvoje.senjan@gmail.com
- Update to 0.110
+ Set XAUTHORITY environment variable if is unset
+ Use mutex and condition variables properly
+ Build fixes.
- Changes from version 0.109:
+ Include gmodule-2.0 to avoid linker errors
+ Don't require libmozjs185 devel packages for polkit rules
to work
- Drop polkit-link-gmodule.patch and polkit-libmozjs.patch, those
are merged upstream
-------------------------------------------------------------------
Wed Jan 9 14:08:57 UTC 2013 - saschpe@suse.de
- Only mark the following files as %config, not %config(noreplace):
+ %{_sysconfdir}/dbus-1/system.d/org.freedesktop.PolicyKit1.conf
+ %{_sysconfdir}/pam.d/polkit-1
+ %{_sysconfdir}/polkit-1/rules.d/50-default.rules
PolicyKit's own config files should only be changed for good reason
and we want to prefer openSUSE's defaults (you still get an .rpmsafe
file)
-------------------------------------------------------------------
Mon Dec 10 07:45:47 UTC 2012 - dimstar@opensuse.org
- Add polkit-libmozjs.patch: dlopen libmozjs185.so.1.0 instead of
libmozjs185.so, which is packaged in the -devel package
(bnc#793562)
-------------------------------------------------------------------
Thu Nov 15 21:31:19 UTC 2012 - dimstar@opensuse.org
- Update to version 0.108:
+ PolkitAgent: Avoid crashing if initializing the server object
fails
+ Fall back to authenticating as uid 0 if the list of admin
identities is empty
+ Dynamically load libmozjs185.so and cope with it not being
available
+ docs: mention the audience for authorization rules
+ build: Fix .gir generation for parallel make
- Only conditionally Require ConsoleKit when with_systemd is 0:
systemd support obsoletes ConsoleKit.
- Add polkit-link-gmodule.patch: Link against gmodule-2.0.
- Change libpolkit0 to require polkit >= %version instead of the
exact version. This will ease upgrade problems should there ever
be a soname bump of libpolkit0.
-------------------------------------------------------------------
Wed Nov 14 09:26:14 UTC 2012 - dimstar@opensuse.org
- Enable systemd inetegration (change with_systemd to 1): As an
agreed target for 12.3, systemd integration will be enabled.
-------------------------------------------------------------------
Thu Nov 8 21:34:15 UTC 2012 - aj@suse.de
- Add pwdutils to prereq for groupadd and useradd.
-------------------------------------------------------------------
Thu Sep 27 07:55:23 UTC 2012 - vuntz@opensuse.org
- Add polkit-no-systemd.patch: this patch, only applied when not
building systemd support, removes the systemd service reference
from the dbus .service file. This is needed as the systemd
.service file does not get installed in that case and dbus gets
confused because it expects it.
- Make %{_datadir}/polkit-1/rules.d and
%{_sysconfdir}/polkit-1/rules.d owned by user polkitd, as those
directories have 0700 as permissions.
- Those two changes should fix polkit so it can start.
Fix bnc#782395.
-------------------------------------------------------------------
Tue Sep 25 09:05:02 UTC 2012 - vuntz@opensuse.org
- Use %{_localstatedir}/lib/polkit for $HOME of polkit user,
instead of %{_libexecdir}/polkit-1. The directory is manually
created in %install.
-------------------------------------------------------------------
Fri Sep 14 18:20:06 UTC 2012 - vuntz@opensuse.org
- Update to version 0.107:
+ Try harder to look up the right localization
+ Introduce a polkit.Result enumeration for authorization rules
+ pkexec: add support for argv1 annotation and mention
shebang-wrappers
+ doc: update guidance on situations where there is no polkit
authority
- Changes from version 0.106:
+ Major change: switch from .pkla files (keyfile-format) to
.rules files (JavaScript)
+ Nuke polkitbackend library, localauthority backend and
extension system
+ Run polkitd as an unprivileged user
+ Add a systemd .service file
+ Several other code changes.
+ Updated documentation.
- Changes from version 0.105:
+ Add pkttyagent(1) helper
+ Make it possible to influence agent registration with an a{sv}
parameter
+ Several other code changes.
- Add pkgconfig(mozjs185) BuildRequires: new dependency for the
authority backend.
- Rebase polkit-no-wheel-group.patch: the admin configuration is
now in a .rules file.
- Rebase polkit-suid_flags.patch.
- Explicitly pass --enable-libsystemd-login or
--disable-libsystemd-login, depending on whether we build systemd
support.
- Add a %pre script to create the polkitd group and user, as
polkitd now run as an unprivileged user.
-------------------------------------------------------------------
Wed Aug 22 15:52:30 UTC 2012 - meissner@suse.com
- also use -z now for binary hardening
-------------------------------------------------------------------
Wed Jun 13 20:54:29 CEST 2012 - vuntz@opensuse.org
- Package /etc/polkit-1/localauthority and its subdirectories. They
were forgotten because they were empty, but people might need
them to put .pkla files.
-------------------------------------------------------------------
Fri Feb 24 12:11:04 UTC 2012 - vuntz@opensuse.org
- Change the way we pass -fpie/-pie:
+ Drop polkit-pie.patch: this was not upstreamable.
+ Add polkit-suid_flags.patch: respect SUID_CFLAGS/SUID_LDFLAGS
when building the suid binaries (pkexec and
polkit-agent-helper-1).
+ Add autoconf, automake and libtool BuildRequires, and call
autoreconf, for the new patch.
+ Set SUID_CFLAGS to -fPIE and SUID_LDFLAGS to -pie in %build.
+ Pass --with-pic to configure instead of changing CFLAGS to
contain -fPIC.
-------------------------------------------------------------------
Tue Feb 7 14:39:43 UTC 2012 - dlovasko@suse.com
- fixed bnc#743145 - added -fpie/-pie flags to compilation and linking of polkit-agent-helper and pkexec
-------------------------------------------------------------------
Mon Jan 9 09:33:30 UTC 2012 - vuntz@opensuse.org
- Split typelib file into typelib-1_0-Polkit-1_0 subpackage.
- Add typelib-1_0-Polkit-1_0 Requires to devel subpackage.
- Add explicit libpolkit0 Requires to devel subpackage: it was
missing before.
- Remove explicit glib2-devel Requires from devel subpackage: it
will automatically be added the pkgconfig() way.
- Improve summary of libpolkit0 subpackage.
-------------------------------------------------------------------
Wed Jan 4 22:03:54 UTC 2012 - crrodriguez@opensuse.org
- A quick test reveals that the systemd backend does not
integrate very well with packages yet, revert.
-------------------------------------------------------------------
Wed Jan 4 21:02:38 UTC 2012 - crrodriguez@opensuse.org
- Previous update missed systemd-devel in buildrequires
without it no systemd support is built
-------------------------------------------------------------------
Wed Jan 4 13:52:09 UTC 2012 - vuntz@opensuse.org
- Update to version 0.104:
+ Add optional systemd support
+ Add netgroup support (fdo#43610)
+ Add unit tests (fdo#43608)
- Changes from version 0.103:
+ Mistype in DBus object: PoliycKit1 -> PolicyKit1
+ Add support for the org.freedesktop.policykit.imply annotation
+ Add --no-debug option and use this for D-Bus activation
+ Add org.freedesktop.policykit.owner annotation (fdo#41025)
+ Default to AdminIdentities=unix-group:wheel for local authority
- Drop patches that were taken from upstream:
+ 0001-Add-support-for-the-org.freedesktop.policykit.imply-a.diff
+ 0002-Add-no-debug-option-and-use-this-for-D-Bus-activation.diff
+ 0003-Bug-41025-Add-org.freedesktop.policykit.owner-annotat.diff
- Add polkit-no-wheel-group.patch: do not allow the wheel group as
admin identity, and revert to only accept the root user for this.
-------------------------------------------------------------------
Wed Nov 2 10:30:03 UTC 2011 - lnussel@suse.de
- pick some patches from git to add support for
org.freedesktop.policykit.imply, disable debug spam and allow
unprivileged users to query authorizations (bnc#698250)
-------------------------------------------------------------------
Fri Sep 2 10:42:54 UTC 2011 - vuntz@opensuse.org
- Update to version 0.102:
+ pkexec:
- fdo#38769: Support running X11 apps
- Avoid time-of-check-to-time-of-use problems with parent
process
+ Fix backend crash if a .policy file does not specify <message>
+ Fix multi-line pam prompt handling
+ Don't show diagnostic messages intended for the administrator
to the end user
+ PolkitUnixProcess:
- Clarify that the real uid is returned, not the effective one
- Record the uid of the process
+ Backend: Use polkit_unix_process_get_uid() to get the owner of
a process
+ Introspection fixes:
- Add --c-include to the gir files
- Specify exported pkg-config files in GIRs
+ Build fix.
- Drop polkit-CVE-2011-1485-1.patch, polkit-CVE-2011-1485-2.patch,
polkit-CVE-2011-1485-3.patch, polkit-CVE-2011-1485-4.patch: fixed
upstream.
- Remove service usage, following the new consensus on Factory
packaging.
-------------------------------------------------------------------
Wed Aug 10 12:20:39 UTC 2011 - dimstar@opensuse.org
- BuildIgnore ruby, which is being dragged in via indirect
dependencies by gtk-doc for one of the helpers, which we do not
need during the build of polkit. Not dragging ruby in resolves a
build-cycle.
-------------------------------------------------------------------
Thu May 5 19:35:05 CEST 2011 - vuntz@opensuse.org
- Use %set_permissions instead of deprecated %run_permissions in
%post.
- Add permissions PreReq, which was missing before.
-------------------------------------------------------------------
Tue Apr 26 21:19:32 CEST 2011 - kay.sievers@novell.com
- use LGPLv2.1+ in spec file
-------------------------------------------------------------------
Tue Apr 26 18:24:01 CEST 2011 - kay.sievers@novell.com
- stat race condition (CVE-2011-1485) (bnc#688788)
-------------------------------------------------------------------
Wed Apr 6 15:40:51 UTC 2011 - fcrozat@novell.com
- Remove PolkitAgent-1.0.typelib from main package, it is in
library package.
-------------------------------------------------------------------
Wed Mar 9 13:54:11 UTC 2011 - coolo@novell.com
- update to 0.101:
* tons of bug fixes, see NEWS
-------------------------------------------------------------------
Wed Nov 10 15:04:36 UTC 2010 - coolo@novell.com
- fix file list
-------------------------------------------------------------------
Thu Sep 16 09:34:50 CEST 2010 - vuntz@opensuse.org
- Update to version 0.99:
+ Remove duplicate definitions of enumeration types
+ Fix (correct) GCC warning about possibly-uninitialized variable
+ Fix another GCC uninitialized variable warning
+ fdo#29816: Install polkitagentenumtypes.h
- Drop polkit-install-missing-header.patch: fixed upstream.
-------------------------------------------------------------------
Thu Aug 26 10:04:44 CEST 2010 - vuntz@opensuse.org
- Update to version 0.98:
+ Fix scanning of unix-process subjects
+ Add textual authentication agent and use it in pkexec(1)
+ Fix ConsoleKit interaction bug
+ pkexec: add --disable-internal-agent option
+ pkcheck: add --enable-internal-agent option
+ Fix wording in pkexec(1) man page
+ Various doc cleanups
- Changes from version 0.97:
+ Port to GDBus
+ Add shadow authentication support
+ Remove Lock Down functionality
+ fdo#26982: pkexec information disclosure vulnerability
+ Make polkitd accept --replace and gracefully handle SIGINT
+ Implement polkit_temporary_authorization_new_for_gvariant()
+ Make NameOwnerChanged a private impl detail of the interactive
authority
+ Add a GPermission implementation
+ PolkitAuthority: Implement failable initialization
+ PolkitAuthority: Add g_return_if_fail() checks
+ Add g_return_if_fail() to all public API entry points
+ Use polkit_authority_get_sync() instead of deprecated
polkit_authority_get
+ PolkitBackend: Don't export unneeded convenience API
+ Update GI annotations
+ Don't dist org.freedesktop.ConsoleKit.xml.
+ Properly reference headers
+ fdo#29051: Configuration reload on every query
- Drop pkexec-information-disclosure.patch: fixed upstream.
- Add polkit-install-missing-header.patch to install a header that
should get installed.
- Remove eggdbus-devel BuildRequires.
- Build with introspection support: add gobject-introspection
BuildRequires and pass --enable-introspection to configure.
- Fix groups of all packages to be valid groups.
-------------------------------------------------------------------
Mon Jun 28 06:38:35 UTC 2010 - jengelh@medozas.de
- use %_smp_mflags
-------------------------------------------------------------------
Fri Apr 9 19:14:09 CEST 2010 - kay.sievers@novell.com
- fix pkexec information disclosure
(fdo#26982, CVE-2010-0750, bnc#593959)
-------------------------------------------------------------------
Mon Jan 18 14:20:11 CET 2010 - dmueller@suse.de
- add baselibs.conf
-------------------------------------------------------------------
Mon Jan 18 12:56:02 CET 2010 - kay.sievers@novell.com
- new upstream release 0.96
- Bug 25367 — Also read local authority configuration data from /etc
- Run the open_session part of the PAM stack in pkexec(1)
- Bug 25594 System logging
- Properly handle return value from getpwnam_r()
- Fix error message when no authentication agent is available
- Make pkexec(1) validate environment variables
- Make pkexec(1) use the syslogging facilities
- Save original cwd in pkexec(1) since it will change during the life-time
- Complain on stderr, not stdout
- Don't log authorization checks
-------------------------------------------------------------------
Wed Jan 6 18:22:23 CET 2010 - dmueller@suse.de
- update to 0.95:
The major change this release is that the lockdown feature has
been cleaned up in a way so it isn't specific to the local
authority. See the NEWS files for more details.
-------------------------------------------------------------------
Wed Dec 16 10:44:34 CET 2009 - jengelh@medozas.de
- Package documentation as noarch
-------------------------------------------------------------------
Wed Aug 19 23:22:44 CEST 2009 - vuntz@novell.com
- Add Requires on polkit to libpolkit0: all applications using
libpolkit0 will really need polkit to be installed to work
properly.
-------------------------------------------------------------------
Thu Aug 13 04:31:38 CEST 2009 - kay.sievers@novell.com
- new upstream release 0.94
- Allow unprivileged callers to check authorizations
- Don't spawn man(1) from a setuid program
- Add polkit.retains_authorization_after_challenge to authz result
- Ensure all fds except stdin/stdout/stderr are closed after exec(2)
- Be more careful when determining process start time
- Remove temporary authorization when the subject it applies to vanishes
- Generate GI gir and typelibs for libpolkit-gobject-1
- drop patches which are in the release now
- disable introspection
-------------------------------------------------------------------
Tue Aug 11 21:23:49 CEST 2009 - kay.sievers@novell.com
- add upstream patches:
polkit-close-stdfds.patch
polkit-no-man-spawn.patch
polkit-proc-stat-parse-fix.patch
- drop rpmlint patch
-------------------------------------------------------------------
Thu Aug 6 17:36:16 CEST 2009 - meissner@suse.de
- check for the right binary in verify_permisisons
-------------------------------------------------------------------
Thu Jul 30 17:32:41 CEST 2009 - coolo@novell.com
- disable suid bit for now to get software build on top
- split out libraries to follow shared library policy
-------------------------------------------------------------------
Tue Jul 21 03:20:55 CEST 2009 - kay.sievers@novell.com
- update to version 0.93
-------------------------------------------------------------------
Sun Jul 19 15:31:44 CEST 2009 - kay.sievers@novell.com
- initial import of polkit 0.92

301
polkit.spec Normal file
View File

@ -0,0 +1,301 @@
#
# spec file for package polkit
#
# Copyright (c) 2024 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
%define _polkit_rulesdir %{_datadir}/polkit-1/rules.d
%define glib_br_version 2.30.0
%define run_tests 1
Name: polkit
Version: 123
Release: 0
Summary: PolicyKit Authorization Framework
License: LGPL-2.1-or-later
Group: System/Libraries
URL: https://gitlab.freedesktop.org/polkit/polkit/
Source0: %{url}/-/archive/%{version}/%{name}-%{version}.tar.bz2
Source3: system-user-polkitd.conf
Source4: 50-default.rules
Source99: baselibs.conf
# Upstream First - Policy:
# Never add any patches to this package without the upstream commit id
# in the patch. Any patches added here without a very good reason to make
# an exception will be silently removed with the next version update.
# PATCH-FIX-OPENSUSE polkit-gettext.patch lnussel@suse.de -- allow fallback to gettext for polkit action translations
# polkit-use-gettext-as-fallback.patch
Patch1: polkit-gettext.patch
# PATCH-FIX-OPENSUSE polkit-keyinit.patch meissner@ -- bsc#1144053 Please add "pam_keyinit.so" to the /etc/pam.d/polkit-1 configuration file
Patch3: polkit-keyinit.patch
# PATCH-FIX-OPENSUSE polkit-adjust-libexec-path.patch -- Adjust path to polkit-agent-helper-1 (bsc#1180474)
Patch4: polkit-adjust-libexec-path.patch
# Read actions also from /etc/polkit-1/actions
Patch6: polkit-actions-in-etc.patch
BuildRequires: gcc-c++
BuildRequires: gettext-devel
BuildRequires: gtk-doc
BuildRequires: libexpat-devel
BuildRequires: meson >= 0.50
BuildRequires: pam-devel
BuildRequires: pkgconfig
BuildRequires: systemd-rpm-macros
BuildRequires: sysuser-tools
BuildRequires: pkgconfig(duktape) >= 2.2.0
BuildRequires: pkgconfig(gio-unix-2.0) >= %{glib_br_version}
BuildRequires: pkgconfig(glib-2.0) >= %{glib_br_version}
BuildRequires: pkgconfig(gmodule-2.0) >= %{glib_br_version}
BuildRequires: pkgconfig(gobject-introspection-1.0) >= 0.6.2
BuildRequires: pkgconfig(libsystemd)
BuildRequires: pkgconfig(systemd)
%if 0%{?run_tests}
#################################################################
# python3-dbus-python and python3-python-dbusmock are needed for
# test-polkitbackendjsauthority test:
BuildRequires: /usr/bin/dbus-daemon
BuildRequires: python3-dbus-python
BuildRequires: python3-python-dbusmock
#################################################################
%endif
# gtk-doc drags indirectyly ruby in for one of the helpers. This in turn causes a build cycle.
#!BuildIgnore: ruby
Requires: dbus-service
Requires: libpolkit-agent-1-0 = %{version}-%{release}
Requires: libpolkit-gobject-1-0 = %{version}-%{release}
Requires(post): permissions
%sysusers_requires
%systemd_ordering
%description
PolicyKit is a toolkit for defining and handling authorizations.
It is used for allowing unprivileged processes to speak to privileged
processes.
%package devel
Summary: Development files for PolicyKit
Group: Development/Libraries/C and C++
Requires: %{name} = %{version}-%{release}
Requires: libpolkit-agent-1-0 = %{version}
Requires: libpolkit-gobject-1-0 = %{version}
Requires: pkgconfig
Requires: typelib-1_0-Polkit-1_0 = %{version}
%description devel
Development files for PolicyKit Authorization Framework.
%package -n pkexec
Summary: Pkexec component of polkit
Group: System/Libraries
Requires: %{name} = %{version}-%{release}
Requires(post): permissions
Provides: polkit:/usr/bin/pkexec
%description -n pkexec
This package contains the pkexec setuid root binary part of polkit.
%package doc
Summary: Development documentation for PolicyKit
Group: Development/Libraries/C and C++
BuildArch: noarch
%description doc
Development documentation for PolicyKit Authorization Framework.
%package -n libpolkit-agent-1-0
Summary: PolicyKit Authorization Framework -- Agent Library
Group: System/Libraries
Requires: %{name} >= %{version}
Obsoletes: libpolkit0 < %{version}-%{release}
%description -n libpolkit-agent-1-0
PolicyKit is a toolkit for defining and handling authorizations.
It is used for allowing unprivileged processes to speak to privileged
processes.
This package contains the agent library only.
%package -n libpolkit-gobject-1-0
Summary: PolicyKit Authorization Framework -- GObject Library
Group: System/Libraries
Requires: %{name} >= %{version}
Obsoletes: libpolkit0 < %{version}-%{release}
%description -n libpolkit-gobject-1-0
PolicyKit is a toolkit for defining and handling authorizations.
It is used for allowing unprivileged processes to speak to privileged
processes.
This package contains the gobject library only.
%package -n typelib-1_0-Polkit-1_0
Summary: PolicyKit Authorization Framework -- Introspection bindings
Group: System/Libraries
%description -n typelib-1_0-Polkit-1_0
PolicyKit is a toolkit for defining and handling authorizations.
It is used for allowing unprivileged processes to speak to privileged
processes.
This package provides the GObject Introspection bindings for PolicyKit.
%prep
%autosetup -p1
%build
# Disabling of this error can hopefully be removed when syncing with
# upstream which has removed mocklibc:
%global optflags %{optflags} -Wno-error=implicit-function-declaration
%meson \
-D session_tracking=libsystemd-login \
-D systemdsystemunitdir="%{_unitdir}" \
-D os_type=suse \
-D pam_module_dir="%{_pam_moduledir}" \
-D pam_prefix="%{_pam_vendordir}" \
-D examples=true \
-D tests=true \
-D gtk_doc=true \
-D man=true \
-D js_engine=duktape \
%{nil}
%meson_build
%sysusers_generate_pre %{SOURCE3} polkit system-user-polkitd.conf
%if 0%{?run_tests}
%check
%meson_test
%endif
%install
# install explicitly into libexec. upstream has some unflexible logic for
# this executable at the moment, but there is a PR# open to fix this:
# https://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/63
# once this has been resolved upstream and we update to a new release we can
# remove this and also patch4 above.
#
# Additional note: Upstream turned down the MR above, preferring to stick to
# using ${prefix}/lib/polkit-1 and non-distro-configurable.
%meson_install
%find_lang polkit-1
# create $HOME for polkit user
install -d %{buildroot}%{_localstatedir}/lib/polkit
rm -v %{buildroot}%{_polkit_rulesdir}/50-default.rules
install -m0644 %{SOURCE4} %{buildroot}%{_polkit_rulesdir}/50-default.rules
# Install the polkitd user creation file:
mkdir -p %{buildroot}%{_sysusersdir}
install -m0644 %{SOURCE3} %{buildroot}%{_sysusersdir}/
# create actions dir in /etc
mkdir %{buildroot}/%{_sysconfdir}/polkit-1/actions
%pre -f polkit.pre
%service_add_pre polkit.service
%preun
%service_del_preun polkit.service
%postun
%service_del_postun polkit.service
%post -n pkexec
%set_permissions %{_bindir}/pkexec
%post
%set_permissions %{_libexecdir}/polkit-1/polkit-agent-helper-1
%service_add_post polkit.service
%verifyscript -n pkexec
%verify_permissions -e %{_bindir}/pkexec
%verifyscript
%verify_permissions -e %{_libexecdir}/polkit-1/polkit-agent-helper-1
%post -n libpolkit-agent-1-0 -p /sbin/ldconfig
%postun -n libpolkit-agent-1-0 -p /sbin/ldconfig
%post -n libpolkit-gobject-1-0 -p /sbin/ldconfig
%postun -n libpolkit-gobject-1-0 -p /sbin/ldconfig
%files -n libpolkit-agent-1-0
%{_libdir}/libpolkit-agent-1.so.*
%files -n libpolkit-gobject-1-0
%{_libdir}/libpolkit-gobject-1.so.*
%files -n typelib-1_0-Polkit-1_0
%{_libdir}/girepository-1.0/Polkit-1.0.typelib
%{_libdir}/girepository-1.0/PolkitAgent-1.0.typelib
%files -f polkit-1.lang
%doc NEWS.md README.md
%license COPYING
%{_mandir}/man1/pkaction.1%{?ext_man}
%{_mandir}/man1/pkcheck.1%{?ext_man}
%{_mandir}/man1/pkttyagent.1%{?ext_man}
%{_mandir}/man8/polkitd.8%{?ext_man}
%{_mandir}/man8/polkit.8%{?ext_man}
%dir %{_datadir}/dbus-1
%dir %{_datadir}/dbus-1/system-services
%{_datadir}/dbus-1/system-services/org.freedesktop.PolicyKit1.service
%dir %{_datadir}/dbus-1/system.d
%{_datadir}/dbus-1/system.d/org.freedesktop.PolicyKit1.conf
%dir %{_datadir}/polkit-1
%{_datadir}/polkit-1/policyconfig-1.dtd
%dir %{_datadir}/polkit-1/actions
%{_datadir}/polkit-1/actions/org.freedesktop.policykit.policy
%attr(0555,root,root) %dir %{_polkit_rulesdir}
%{_polkit_rulesdir}/50-default.rules
%{_pam_vendordir}/polkit-1
%dir %{_sysconfdir}/polkit-1
%attr(0750,root,polkitd) %dir %{_sysconfdir}/polkit-1/rules.d
%dir %{_sysconfdir}/polkit-1/actions
%{_bindir}/pkaction
%{_bindir}/pkcheck
%{_bindir}/pkttyagent
%dir %{_libexecdir}/polkit-1
%{_libexecdir}/polkit-1/polkitd
%verify(not mode) %attr(4755,root,root) %{_libexecdir}/polkit-1/polkit-agent-helper-1
# $HOME for polkit user
%dir %{_localstatedir}/lib/polkit
%{_sysusersdir}/system-user-polkitd.conf
%{_unitdir}/polkit.service
%files devel
%{_libdir}/libpolkit-agent-1.so
%{_libdir}/libpolkit-gobject-1.so
%{_libdir}/pkgconfig/polkit-agent-1.pc
%{_libdir}/pkgconfig/polkit-gobject-1.pc
%{_includedir}/polkit-1/
%{_bindir}/pk-example-frobnicate
%{_datadir}/gir-1.0/*.gir
%{_datadir}/polkit-1/actions/org.freedesktop.policykit.examples.pkexec.policy
%{_datadir}/gettext/its/polkit.its
%{_datadir}/gettext/its/polkit.loc
%files -n pkexec
%{_mandir}/man1/pkexec.1%{?ext_man}
%verify(not mode) %attr(4755,root,root) %{_bindir}/pkexec
%files doc
%doc %{_datadir}/gtk-doc/html/polkit-1/
%changelog

2
system-user-polkitd.conf Normal file
View File

@ -0,0 +1,2 @@
#Type Name ID GECOS Home directory Shell
u polkitd - "User for polkitd" /var/lib/polkit -