From 600cfd932c46f395efd8dcfe48eac2699d1df3df52b0f7511d2849f02c28379f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bj=C3=B8rn=20Lie?=
Date: Wed, 14 Aug 2024 12:50:59 +0000
Subject: [PATCH] - BuildRequire gettext-devel instead of gettext: Allows OBS to shortcut throught gettext-runtime-mini.
OBS-URL: https://build.opensuse.org/package/show/Base:System/polkit?expand=0&rev=195
---
.gitattributes | 23 +
.gitignore | 1 +
50-default.rules | 14 +
baselibs.conf | 4 +
polkit-123.tar.bz2 | 3 +
polkit-actions-in-etc.patch | 227 ++++++++
polkit-adjust-libexec-path.patch | 22 +
polkit-gettext.patch | 57 ++
polkit-keyinit.patch | 9 +
polkit.changes | 880 +++++++++++++++++++++++++++++++
polkit.spec | 301 +++++++++++
system-user-polkitd.conf | 2 +
12 files changed, 1543 insertions(+)
create mode 100644 .gitattributes
create mode 100644 .gitignore
create mode 100644 50-default.rules
create mode 100644 baselibs.conf
create mode 100644 polkit-123.tar.bz2
create mode 100644 polkit-actions-in-etc.patch
create mode 100644 polkit-adjust-libexec-path.patch
create mode 100644 polkit-gettext.patch
create mode 100644 polkit-keyinit.patch
create mode 100644 polkit.changes
create mode 100644 polkit.spec
create mode 100644 system-user-polkitd.conf
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9b03811
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..57affb6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.osc
diff --git a/50-default.rules b/50-default.rules
new file mode 100644
index 0000000..f0db815
--- /dev/null
+++ b/50-default.rules
@@ -0,0 +1,14 @@
+/* make sure that users that are in an admin group always authenticate with
+ * their own password and don't get a choice. Users not in an admin group get
+ * the full choice and may also authenticate as root */
+polkit._suse_admin_groups = [];
+polkit.addAdminRule(function(action, subject) {
+ var rules = ["unix-user:0"];
+ for (var i in polkit._suse_admin_groups) {
+ var g = polkit._suse_admin_groups[i];
+ if (subject.isInGroup(g))
+ return ["unix-user:"+subject.user];
+ rules.push("unix-group:"+g);
+ }
+ return rules;
+});
diff --git a/baselibs.conf b/baselibs.conf
new file mode 100644
index 0000000..2cbef96
--- /dev/null
+++ b/baselibs.conf
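Review bot: In the new 50-default.rules, `for (var i in polkit._suse_admin_groups)` uses for-in on an array, which also visits any enumerable property that another script has added to the array or to `Array.prototype`, so an unintended value could end up in the returned admin identities. An index loop, `for (var i = 0; i < polkit._suse_admin_groups.length; i++) {`, keeps the list limited to the group names that were actually pushed. The file also does not say how `polkit._suse_admin_groups` is meant to be filled; a one-line comment naming the intended extension point would help whoever drops in an additional rules file.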
@@ -0,0 +1,4 @@
+libpolkit-agent-1-0
+ obsoletes "libpolkit0- < "
+libpolkit-gobject-1-0
+ obsoletes "libpolkit0- < "
diff --git a/polkit-123.tar.bz2 b/polkit-123.tar.bz2
new file mode 100644
index 0000000..dc6b6ed
--- /dev/null
+++ b/polkit-123.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:72d9119b0aa35da871fd0660601d812c7a3d6af7e4e53e237840b71bb43d0c63
+size 707480
diff --git a/polkit-actions-in-etc.patch b/polkit-actions-in-etc.patch
new file mode 100644
index 0000000..eee5d3a
--- /dev/null
+++ b/polkit-actions-in-etc.patch
@@ -0,0 +1,227 @@ +diff --git a/docs/man/polkit.xml b/docs/man/polkit.xml +index 90715a5..10dd217 100644 +--- a/docs/man/polkit.xml ++++ b/docs/man/polkit.xml +@@ -104,6 +104,7 @@ System Context | | + +------------------+ | + ^ | + | +--------------------------------------+ ++ | | /etc/polkit-1/actions/*.policy | + | | /usr/share/polkit-1/actions/*.policy | + | +--------------------------------------+ + | +diff --git a/src/polkitbackend/polkitbackendactionpool.c b/src/polkitbackend/polkitbackendactionpool.c +index 3894fe9..17652e6 100644 +--- a/src/polkitbackend/polkitbackendactionpool.c ++++ b/src/polkitbackend/polkitbackendactionpool.c +@@ -91,8 +91,10 @@ typedef struct + { + /* directory with .policy files, e.g. /usr/share/polkit-1/actions */ + GFile *directory; ++ GFile *directory_alt; + + GFileMonitor *dir_monitor; ++ GFileMonitor *dir_monitor_alt; + + /* maps from action_id to a ParsedAction struct */ + GHashTable *parsed_actions; +@@ -109,6 +111,8 @@ enum + { + PROP_0, + PROP_DIRECTORY, ++ /* TODO combine into PROP_DIRECTORIES? 
*/ ++ PROP_DIRECTORY_ALT, + }; + + #define POLKIT_BACKEND_ACTION_POOL_GET_PRIVATE(o) (G_TYPE_INSTANCE_GET_PRIVATE ((o), POLKIT_BACKEND_TYPE_ACTION_POOL, PolkitBackendActionPoolPrivate)) +@@ -153,9 +157,15 @@ polkit_backend_action_pool_finalize (GObject *object) + if (priv->directory != NULL) + g_object_unref (priv->directory); + ++ if (priv->directory_alt != NULL) ++ g_object_unref (priv->directory_alt); ++ + if (priv->dir_monitor != NULL) + g_object_unref (priv->dir_monitor); + ++ if (priv->dir_monitor_alt != NULL) ++ g_object_unref (priv->dir_monitor_alt); ++ + if (priv->parsed_actions != NULL) + g_hash_table_unref (priv->parsed_actions); + +@@ -183,6 +193,10 @@ polkit_backend_action_pool_get_property (GObject *object, + g_value_set_object (value, priv->directory); + break; + ++ case PROP_DIRECTORY_ALT: ++ g_value_set_object (value, priv->directory_alt); ++ break; ++ + default: + G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec); + break; +@@ -274,6 +288,28 @@ polkit_backend_action_pool_set_property (GObject *object, + } + break; + ++ case PROP_DIRECTORY_ALT: ++ priv->directory_alt = g_value_dup_object (value); ++ ++ error = NULL; ++ priv->dir_monitor_alt = g_file_monitor_directory (priv->directory_alt, ++ G_FILE_MONITOR_NONE, ++ NULL, ++ &error); ++ if (priv->dir_monitor_alt == NULL) ++ { ++ g_warning ("Error monitoring actions alt directory: %s", error->message); ++ g_error_free (error); ++ } ++ else ++ { ++ g_signal_connect (priv->dir_monitor_alt, ++ "changed", ++ (GCallback) dir_monitor_changed, ++ pool); ++ } ++ break; ++ + default: + G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec); + break; +@@ -308,6 +344,18 @@ polkit_backend_action_pool_class_init (PolkitBackendActionPoolClass *klass) + G_PARAM_STATIC_NICK | + G_PARAM_STATIC_BLURB)); + ++ g_object_class_install_property (gobject_class, ++ PROP_DIRECTORY_ALT, ++ g_param_spec_object ("directoryalt", ++ "DirectoryAlt", ++ "Alternative directory to load action description files from", ++ 
G_TYPE_FILE, ++ G_PARAM_READWRITE | ++ G_PARAM_CONSTRUCT_ONLY | ++ G_PARAM_STATIC_NAME | ++ G_PARAM_STATIC_NICK | ++ G_PARAM_STATIC_BLURB)); ++ + /** + * PolkitBackendActionPool::changed: + * @action_pool: A #PolkitBackendActionPool. +@@ -334,12 +382,13 @@ polkit_backend_action_pool_class_init (PolkitBackendActionPoolClass *klass) + * Returns: A #PolkitBackendActionPool. Free with g_object_unref(). + **/ + PolkitBackendActionPool * +-polkit_backend_action_pool_new (GFile *directory) ++polkit_backend_action_pool_new (GFile *directory, GFile *directory_alt) + { + PolkitBackendActionPool *pool; + + pool = POLKIT_BACKEND_ACTION_POOL (g_object_new (POLKIT_BACKEND_TYPE_ACTION_POOL, + "directory", directory, ++ "directoryalt", directory_alt, + NULL)); + + return pool; +@@ -505,12 +554,14 @@ ensure_all_files (PolkitBackendActionPool *pool) + { + PolkitBackendActionPoolPrivate *priv; + GFileEnumerator *e; ++ GFileEnumerator *e_alt; + GFileInfo *file_info; + GError *error; + + priv = POLKIT_BACKEND_ACTION_POOL_GET_PRIVATE (pool); + + e = NULL; ++ e_alt = NULL; + + if (priv->has_loaded_all_files) + goto out; +@@ -548,12 +599,48 @@ ensure_all_files (PolkitBackendActionPool *pool) + + } /* for all files */ + ++ /* TODO priority for files in /etc */ ++ ++ e_alt = g_file_enumerate_children (priv->directory_alt, ++ "standard::name", ++ G_FILE_QUERY_INFO_NONE, ++ NULL, ++ &error); ++ if (error != NULL) ++ { ++ g_warning ("Error enumerating files: %s", error->message); ++ goto out; ++ } ++ ++ while ((file_info = g_file_enumerator_next_file (e_alt, NULL, &error)) != NULL) ++ { ++ const gchar *name; ++ ++ name = g_file_info_get_name (file_info); ++ /* only consider files with the right suffix */ ++ if (g_str_has_suffix (name, ".policy")) ++ { ++ GFile *file; ++ ++ file = g_file_get_child (priv->directory_alt, name); ++ ++ ensure_file (pool, file); ++ ++ g_object_unref (file); ++ } ++ ++ g_object_unref (file_info); ++ ++ } /* for all files */ ++ + priv->has_loaded_all_files = TRUE; + + 
out: + + if (e != NULL) + g_object_unref (e); ++ if (e_alt != NULL) ++ g_object_unref (e_alt); + } + + /* ---------------------------------------------------------------------------------------------------- */ +diff --git a/src/polkitbackend/polkitbackendactionpool.h b/src/polkitbackend/polkitbackendactionpool.h +index e992eea..9ccb526 100644 +--- a/src/polkitbackend/polkitbackendactionpool.h ++++ b/src/polkitbackend/polkitbackendactionpool.h +@@ -64,7 +64,7 @@ struct _PolkitBackendActionPoolClass + }; + + GType polkit_backend_action_pool_get_type (void) G_GNUC_CONST; +-PolkitBackendActionPool *polkit_backend_action_pool_new (GFile *directory); ++PolkitBackendActionPool *polkit_backend_action_pool_new (GFile *directory, GFile *directory_alt); + GList *polkit_backend_action_pool_get_all_actions (PolkitBackendActionPool *pool, + const gchar *locale); + +diff --git a/src/polkitbackend/polkitbackendinteractiveauthority.c b/src/polkitbackend/polkitbackendinteractiveauthority.c +index 1cfc88e..a975cac 100644 +--- a/src/polkitbackend/polkitbackendinteractiveauthority.c ++++ b/src/polkitbackend/polkitbackendinteractiveauthority.c +@@ -292,6 +292,7 @@ polkit_backend_interactive_authority_init (PolkitBackendInteractiveAuthority *au + { + PolkitBackendInteractiveAuthorityPrivate *priv; + GFile *directory; ++ GFile *directory_alt; + GError *error; + + /* Force registering error domain */ +@@ -300,8 +301,10 @@ polkit_backend_interactive_authority_init (PolkitBackendInteractiveAuthority *au + priv = POLKIT_BACKEND_INTERACTIVE_AUTHORITY_GET_PRIVATE (authority); + + directory = g_file_new_for_path (PACKAGE_DATA_DIR "/polkit-1/actions"); +- priv->action_pool = polkit_backend_action_pool_new (directory); ++ directory_alt = g_file_new_for_path (PACKAGE_SYSCONF_DIR "/polkit-1/actions"); ++ priv->action_pool = polkit_backend_action_pool_new (directory, directory_alt); + g_object_unref (directory); ++ g_object_unref (directory_alt); + g_signal_connect (priv->action_pool, + "changed", + 
(GCallback) action_pool_changed,
diff --git a/polkit-adjust-libexec-path.patch b/polkit-adjust-libexec-path.patch
new file mode 100644
index 0000000..038432f
--- /dev/null
+++ b/polkit-adjust-libexec-path.patch
@@ -0,0 +1,22 @@
+--- a/src/polkitagent/polkitagentsession.c
++++ b/src/polkitagent/polkitagentsession.c
+@@ -596,7 +596,7 @@ polkit_agent_session_initiate (PolkitAge
+ goto error;
+ }
+
+- helper_argv[0] = PACKAGE_PREFIX "/lib/polkit-1/polkit-agent-helper-1";
++ helper_argv[0] = PACKAGE_PREFIX "/libexec/polkit-1/polkit-agent-helper-1";
+ helper_argv[1] = passwd->pw_name;
+ helper_argv[2] = NULL;
+
+--- a/meson.build
++++ b/meson.build
+@@ -28,7 +28,7 @@ pk_sysconfdir = get_option('sysconfdir')
+ pk_pkgdatadir = pk_datadir / pk_api_name
+ pk_pkgincludedir = pk_includedir / pk_api_name
+ # note that this is always 'lib', not lib64 or lib/x86_64-linux-gnu
+-pk_libprivdir = 'lib' / pk_api_name
++pk_libprivdir = 'libexec' / pk_api_name
+ pk_pkgsysconfdir = pk_sysconfdir / pk_api_name
+
+ pk_actiondir = pk_api_name / 'actions'
diff --git a/polkit-gettext.patch b/polkit-gettext.patch
new file mode 100644
index 0000000..e9d00de
--- /dev/null
+++ b/polkit-gettext.patch
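Review bot: In the block added to `ensure_all_files` by polkit-actions-in-etc.patch, a failed `g_file_enumerate_children (priv->directory_alt, ...)` jumps to `out` without freeing `error` and before `priv->has_loaded_all_files = TRUE` is reached. On a host where the /etc actions directory is absent, each later call would therefore enumerate both directories again and leak a GError. `error` is also not visibly reset before this second enumeration, and the first loop lies outside the visible lines, so a stale error left by it cannot be ruled out. The `/* TODO priority for files in /etc */` leaves open which definition wins when the same action id exists in both directories; since these files carry authorization defaults, that precedence should be decided and documented before admins rely on it. A non-fatal handling of the alt directory could look like the excerpt below.

```c
  /* … unchanged: enumeration of priv->directory … */

  g_clear_error (&error);
  /* … unchanged: e_alt = g_file_enumerate_children (priv->directory_alt, …, &error) … */
  if (e_alt == NULL)
    {
      /* a missing or unreadable alt directory is not fatal: keep what was loaded */
      g_warning ("Error enumerating files: %s", error->message);
      g_clear_error (&error);
    }
  else
    {
      /* … unchanged: loop over e_alt calling ensure_file () for *.policy … */
    }

  priv->has_loaded_all_files = TRUE;
```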
@@ -0,0 +1,57 @@
+From fea7159b7cc50deb7298b2858e125fb623012549 Mon Sep 17 00:00:00 2001
+From: Ludwig Nussel
+Date: Tue, 13 Jun 2017 18:28:28 +0200
+Subject: [PATCH] Use gettext as fallback for translations
+
+Upstream polkit action files do not necessarily contain translations for
+all languages a distribution supports. And even if all translations are
+contained in the head branch, distributions sometimes need to ship older
+versions of packages. In order to allow retrofitting translations and
+shipping language packs for polkit actions without having to patch and
+rebuild packages gettext could be used as fallback. That way only
+additional .mo files have to be installed.
+So this patch makes polkit call into gettext with the domain
+'polkit-action-distro-translations' if an xml doesn't contain
+translations for the requested language.
+---
+ src/polkitbackend/polkitbackendactionpool.c | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/src/polkitbackend/polkitbackendactionpool.c b/src/polkitbackend/polkitbackendactionpool.c
+index 3894fe9..9252788 100644
+--- a/src/polkitbackend/polkitbackendactionpool.c
++++ b/src/polkitbackend/polkitbackendactionpool.c
+@@ -24,6 +24,7 @@
+ #include
+ #include
+ #include
++#include
+
+ #include
+ #include
+@@ -1132,8 +1133,20 @@ _localize (GHashTable *translations,
+ if (result != NULL)
+ goto out;
+
+- /* fall back to untranslated */
+- result = untranslated;
++ /* try distro provided language bundle via gettext */
++
++ /* Set LANG and locale so g_dgettext() + friends work below */
++ if (setlocale (LC_ALL, lang) == NULL)
++ {
++ g_printerr ("Invalid locale '%s'\n", lang);
++ }
++ g_setenv ("LANG", lang, TRUE);
++
++ result = g_dgettext ("polkit-action-distro-translations", untranslated);
++
++ /* Back to C! */
++ setlocale (LC_ALL, "C");
++ g_setenv ("LANG", "C", TRUE);
+
+ out:
+ return result;
+--
+2.12.2
+
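Review bot: The gettext fallback added to `_localize` changes process-wide state on every untranslated lookup: `setlocale (LC_ALL, lang)` and `g_setenv ("LANG", lang, TRUE)` affect every thread of the daemon, and GLib documents `g_setenv` as not thread-safe. When `setlocale` rejects `lang` the code still sets `LANG` and calls `g_dgettext`; returning early in that branch with `result = untranslated; goto out;` avoids touching the environment for a locale that is not installed. The origin of `lang` is outside the hunk; if it is taken from the requesting client it should be validated before it reaches `setlocale` and the `g_printerr` message. The reset hard-codes `"C"` instead of restoring the locale that was active before the call, so a comment such as `/* not thread-safe; assumes polkitd otherwise runs in the C locale */` should state that assumption. The body of `_localize` starts above the hunk.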
diff --git a/polkit-keyinit.patch b/polkit-keyinit.patch
new file mode 100644
index 0000000..db00553
--- /dev/null
+++ b/polkit-keyinit.patch
@@ -0,0 +1,9 @@
+Index: polkit-0.116/data/polkit-1.in
+===================================================================
+--- polkit-0.116.orig/data/polkit-1.in
++++ polkit-0.116/data/polkit-1.in
+@@ -4,3 +4,4 @@ auth include @PAM_FILE_INCLUD
+ account include @PAM_FILE_INCLUDE_ACCOUNT@
+ password include @PAM_FILE_INCLUDE_PASSWORD@
+ session include @PAM_FILE_INCLUDE_SESSION@
++session optional pam_keyinit.so revoke [force]
diff --git a/polkit.changes b/polkit.changes
new file mode 100644
index 0000000..73cfe17
--- /dev/null
+++ b/polkit.changes
@@ -0,0 +1,880 @@ +------------------------------------------------------------------- +Wed Aug 14 12:33:37 UTC 2024 - Dominique Leuenberger + +- BuildRequire gettext-devel instead of gettext: Allows OBS to + shortcut throught gettext-runtime-mini. + +------------------------------------------------------------------- +Fri Jul 12 12:53:13 UTC 2024 - Martin Jambor + +- Add -Wno-error=implicit-function-declaration to %optflags to + work-around an issue in mocklibc (which has been meanwhile removed + by upstream) with exactly this kind of issue. + +------------------------------------------------------------------- +Fri Dec 8 22:20:51 UTC 2023 - Tobias Klausmann + +- Add 'dbus-service' as Requires instead of /usr/bin/dbus-daemon + This allow to use other dbus implementations such as dbus-broker with this + package again. (bsc#1217863) + +------------------------------------------------------------------- +Fri Sep 29 09:56:41 UTC 2023 - Bjørn Lie + +- Update to version 123: + + Highlights: + - better safety with deeper restriction of the configuration + files + - better safety with restricting the daemon's owner under + systemd + - better safety with the systemd unit sandboxing + - less thread races during upload of the configuration +- Changes from version 122: + + Highlights: + - new Georgian translation + - port to mozjs-102 + - daemon-less build (support for e.g. flatpak deps) + - re-enable of (API) documentation build +- See more detailed changes in the included NEWS.md file. +- Change URL and Source to new home, and drop polkit.keyring and + tar.gz.sign tarball signature, no longer available. +- Drop polkit-fix-pam-prefix.patch: Fixed upstream. +- Add /usr/bin/dbus-daemon BuildRequires, needed for tests. Replace + the dbus-1 with /usr/bin/dbus-daemon Requires. + +------------------------------------------------------------------- +Tue Sep 19 12:24:38 UTC 2023 - Ludwig Nussel + +- change /usr/share/polkit-1/rules.d to 555,root:root. 
/usr content + isn't secret anyway so this avoids non-root owned files in /usr + (boo#1215482) +- update 50-default.rules to allow adding more admin rules + (jsc#PED-260, drop polkit-no-wheel-group.patch) + +------------------------------------------------------------------- +Wed Mar 29 13:37:25 UTC 2023 - Johannes Segitz + +- Change permissions for rules folders (bsc#1209282) + +------------------------------------------------------------------- +Wed Nov 09 07:39:53 CET 2022 - aschnell@suse.com + +- read actions also from /etc/polkit-1/actions (jsc#PED-1405) + added polkit-actions-in-etc.patch + +------------------------------------------------------------------- +Thu Sep 15 13:26:34 UTC 2022 - Marcus Meissner + +- obsolete libpolkit0 also from baselibs. + +------------------------------------------------------------------- +Tue Aug 9 06:11:08 UTC 2022 - Luciano Santos + +- Update to version 121: + + Addition of duktape as a JS engine backend. + + Other small fixes and improvements. For more details, visit: + gitlab.freedesktop.org/polkit/polkit/-/blob/121/NEWS.md + + Updated translations. +- Drop merged-upstream patches: + + CVE-2021-4034-pkexec-fix.patch; + + 0001-CVE-2021-4115-GHSL-2021-077-fix.patch; + + duktape-support.patch; + + pkexec.patch. +- Replace Intltool with Gettext as a build requirement following + the migration from last release (0.120). +- Add Meson as a build requirement while dropping Libtool and + replace all Autotools macros with Meson ones. And pass the + following options to Meson: session_tracking=libsystemd-login; + systemdsystemunitdir=%{_unitdir}; os_type=suse; + pam_module_dir=%{_pam_moduledir}; pam_prefix=%{_pam_vendordir}; + examples=true; tests=true; gtk_doc=true; man=true and + js_engine=duktape. +- Drop no longer needed Libtool as a build requirement, following + Autotools replacement. +- Add explicit pkgconfig module build requirements for glib-2.0 and + gobject-2.0 that are searched by the build scripts. 
They were + already being pulled by their siblings [pkgconfig(gio-2.0) and + pkgconfig(gio-unix-2.0)]. +- Drop conditional macro, which was wrapping "BuildArch: noarch" + for the doc subpackage, based on long gone EOLed (open)SUSE + release (11.2). +- Add missing 'Requires(post): permissions' for the pkexec + subpackage. +- Add python3-dbus-python and python3-python-dbusmock as build + requirements in order to run test in the check section. +- Add polkit-fix-pam-prefix.patch to use the value of pam_prefix + Meson option, like it was designed to, rather than hard-coded + path for pam configuration files. +- Remove unneeded executable bit from 50-default.rules file. + +------------------------------------------------------------------- +Mon Aug 8 07:28:25 UTC 2022 - Thorsten Kukuk + +- Use %_pam_vendordir + +------------------------------------------------------------------- +Wed Aug 3 12:03:30 UTC 2022 - Marcus Meissner + +- add split-provides for polkit:/usr/bin/pkexec. (bsc#1202070) + +------------------------------------------------------------------- +Mon Jul 18 09:38:28 UTC 2022 - Marcus Meissner + +- split out pkexec into seperate package to make system hardening + easier (to avoid installing it jsc#PED-132 jsc#PED-148). 
+ +------------------------------------------------------------------- +Tue Feb 22 10:48:15 UTC 2022 - Marcus Meissner + +- Fixed denial of service via file descriptor leak (bsc#1195542 CVE-2021-4115) + 0001-CVE-2021-4115-GHSL-2021-077-fix.patch + +------------------------------------------------------------------- +Wed Jan 26 11:44:35 UTC 2022 - Fabian Vogt + +- Switch from mozjs to duktape: + * Add duktape-support.patch + +------------------------------------------------------------------- +Tue Jan 25 18:15:16 UTC 2022 - Marcus Meissner + +- Fixed pkexec Local Privilege Escalation aka pwnkit (CVE-2021-4034 bsc#1194568) + CVE-2021-4034-pkexec-fix.patch + +------------------------------------------------------------------- +Mon Dec 6 10:27:20 UTC 2021 - Dirk Müller + +- update to 0.120: + * transition from Intltool to gettext + * several tarball, meson and pipeline fixups + * Portuguese translation + * Romanian translation + * meson build system added + * CVE-2021-3560 mitigation + * properties in text listener + * typos fixups + * Update Hungarian translation +- drop CVE-2021-3560.patch (upstream) + +------------------------------------------------------------------- +Wed Oct 20 15:12:07 UTC 2021 - Marcus Meissner + +- fork libpolkit0 package into libpolkit-agent-1-0 and libpolkit-gobject-1-0 + as mandated. bsc#1191781 + +------------------------------------------------------------------- +Sun Jul 18 12:16:13 UTC 2021 - Callum Farmer + +- Change to using systemd-sysusers +- Remove unneeded shadow dependency, no longer required due to + systemd-sysusers +- Fix 50-default.rules file-parent-ownership-mismatch warning +- Remove --with-pic, no effect with --disable-static + +------------------------------------------------------------------- +Wed Jul 7 08:15:04 UTC 2021 - Stefan Schubert + +- Fix verifyscript: the path to the binary was wrongly defined as + %{_libexecdir}/lib. 
+ +------------------------------------------------------------------- +Thu May 27 11:52:44 UTC 2021 - Marcus Meissner + +- CVE-2021-3560: fixed a local privilege escalation using polkit_system_bus_name_get_creds_sync() + (bsc#1186497) + CVE-2021-3560.patch + +------------------------------------------------------------------- +Thu Mar 11 22:21:07 UTC 2021 - Thorsten Kukuk + +- Move /etc/dbus-1/system.d to /usr/share/dbus-1/system.d, the + first location is only for admin changes +- Move pam configuration to /usr/etc/pam.d + +------------------------------------------------------------------- +Mon Jan 4 09:51:04 UTC 2021 - Matthias Gerstner + +move to libexec dir is still not complete: + +- add polkit-adjust-libexec-path.patch: There is another hard coded reference + of lib/ in the code that this patch addresses. +- also adjust invocation of %set_permissions and %verify_permissions to new + libexec dir location. + +------------------------------------------------------------------- +Tue Dec 29 08:39:01 UTC 2020 - Matthias Gerstner + +- also set libprivdir during build, otherwhise systemd and D-Bus service files + contain the wrong path and we'll get runtime errors. + +------------------------------------------------------------------- +Mon Dec 28 12:26:34 UTC 2020 - Matthias Gerstner + +- Install private binaries into libexec instead of into lib. For this an + override of the custom libprivdir variable is necessary, because upstream + explicitly moved away from libexecdir via upstram commit + 6fbcc6cd839680fcefd81c4a43676e7c031c9859. + +------------------------------------------------------------------- +Fri Oct 23 08:19:06 UTC 2020 - Bjørn Lie + +- Update to version 0.118: + + Updated dependency to mozjs78. + + Tarball fixes. +- Replace pkgconfig(mozjs-68) for pkgconfig(mozjs-78) + BuildRequires following upstreams port. 
+ +------------------------------------------------------------------- +Fri Jul 31 11:39:38 UTC 2020 - Bjørn Lie + +- Update to version 0.117: + + Activated Gitlab CI. + + Updated dependency to mozjs68. + + Memory management fixes. + + Updated translations. +- Replace pkgconfig(mozjs-60) for pkgconfig(mozjs-68) + BuildRequires following upstreams port. + +------------------------------------------------------------------- +Fri Nov 29 10:36:53 UTC 2019 - Bjørn Lie + +- Fix usage of libexecdir instead of prefix/lib where applicable. + +------------------------------------------------------------------- +Tue Oct 8 12:41:44 UTC 2019 - Marcus Meissner + +- polkit-keyinit.patch: add pam_keyinit to the polkit configuration (bsc#1144053) + +------------------------------------------------------------------- +Wed May 29 07:57:26 UTC 2019 - Bjørn Lie + +- Update to version 0.116: + + Leaking zombie child processes. + + Possible resource leak found by static analyzer. + + Output messages tuneup. + + Sanity fixes. + + pkttyagent tty echo disabled on SIGINT. + + HACKING: add link to Code of Conduct. + + polkitbackend: comment typos fix. + + configure.ac: fix detection of systemd with cgroups v2. + + CVE-2018-19788 High UIDs overflow fix. + + CVE-2019-6133 Slowfork vulnerability fix. + + Allow unset process-uid. + + Port the JS authority to mozjs-60. + + Use JS_EncodeStringToUTF8. + + Updated translations. +- Replace pkgconfig(mozjs-52) with pkgconfig(mozjs-60) + BuildRequires following upstreams changes. +- Drop patches fixed upstream: + + polkit-fix-possible-resource-leak.patch + + polkit-fix-leaking-zombie-child-processes.patch + + polkit-CVE-2018-19788.patch +- Refresh patches with quilt. + +------------------------------------------------------------------- +Fri May 10 14:44:20 UTC 2019 - Dominique Leuenberger + +- Use systemd_ordering instead of systemd_requires: strictly + speaking, polkit does not require systemd to be present. 
Just + that when we install on a system with systemd (e.g outside + containers) we would want systemd to be present before + installing polkit. Help also reduce a cycle without special hacks + in systemd.spec. + +------------------------------------------------------------------- +Fri Apr 26 11:06:05 UTC 2019 - mvetter@suse.com + +- bsc#1130588: Require shadow instead of old pwdutils +- User proper Requires(pre)/Requires(post) for permissions and + shadow + +------------------------------------------------------------------- +Thu Dec 20 17:29:58 UTC 2018 - meissner@suse.com + +- polkit-CVE-2018-19788.patch: Fixed handling of UIDs over MAX_UINT + (bsc#1118277 CVE-2018-19788) + +------------------------------------------------------------------- +Fri Aug 17 07:56:08 UTC 2018 - bjorn.lie@gmail.com + +- Add polkit-fix-possible-resource-leak.patch: Fix possible + resource leak found by static analyzer. +- Add polkit-fix-leaking-zombie-child-processes.patch: polkitd: fix + zombie not reaped when js spawned process timed out (fdo#106021). + +------------------------------------------------------------------- +Wed Jul 11 10:48:37 UTC 2018 - meissner@suse.com + +- Update to version 0.115: + - Fix CVE-2018-1116: Trusting client-supplied UID (bsc#1099031) + - jsauthority: pass "%s" format string to remaining report function + (obsoletes polkit-jsauthority-pass-format-string.patch) + +------------------------------------------------------------------- +Mon Apr 9 22:38:39 UTC 2018 - bjorn.lie@gmail.com + +- Update to version 0.114: + + Port to mozjs 52, the latest version of the firefox JavaScript + engine. + + Add gettext support for policy files. + + Fixes for various memory leaks. + + Updated translations. +- Update keyring with Ray Strode public key. +- Drop with_systemd define and all conditionals and + polkit-no-systemd.patch and ConsoleKit BuildRequires, we only + support systemd now. +- Drop upstream fixed polkit-itstools.patch. +- Rebase pkexec.patch with quilt. 
+- Add gcc-c++ and pkgconfig(mozjs-52) BuildRequires: New + dependencies. +- Drop conditional pkgconfig(mozjs-17.0) and pkgconfig(mozjs185): + no longer supported. +- Drop autoconf and automake BuildRequires: They are implicit via + libtool BuildRequires. +- Replace glib2-devel and gobject-introspection-devel with their + pkgconfig counterparts: pkgconfig(gio-unix-2.0), + pkgconfig(gmodule-2.0) and pkgconfig(gobject-introspection-1.0). +- Add polkit-jsauthority-pass-format-string.patch: jsauthority: + pass "%s" format string to remaining report function, patch from + upstream git, adding missed commit (bgo#105865). +- Drop polkit-revert-session-magic.patch: Upstream systemd bug is + since a long time fixed (gh#systemd#58) (boo#954139). + +------------------------------------------------------------------- +Thu Mar 1 11:23:00 UTC 2018 - schwab@suse.de + +- pkexec.patch: pkexec: allow --version and --help even if not setuid + +------------------------------------------------------------------- +Wed Feb 28 16:38:33 UTC 2018 - dimstar@opensuse.org + +- Modernize spec-file by calling spec-cleaner + +------------------------------------------------------------------- +Tue Aug 15 12:20:52 UTC 2017 - dimstar@opensuse.org + +- Add polkit-itstools.patch: Add gettext support for .policy files. + +------------------------------------------------------------------- +Tue Jun 13 15:25:58 UTC 2017 - lnussel@suse.de + +- Use gettext as fallback to get potential distro translations for + polkit actions. Similar mechnism as used for desktop file + translations. That way it's possible to use weblate to add + additional translations that are not provided by upstream + (polkit-gettext.patch). + +------------------------------------------------------------------- +Wed Jun 8 11:13:43 UTC 2016 - fbui@suse.com + +- Use pkgconfig() instead of requiring systemd package names directly. 
+ +------------------------------------------------------------------- +Tue Jun 7 15:25:00 UTC 2016 - fbui@suse.com + +- systemd.pc is shipped by systemd main package (bsc#983167) + Strangely polkit wants systemd.pc to detect that the target system + is running systemd even if its configured to build systemd support... + +------------------------------------------------------------------- +Thu Nov 26 16:26:09 UTC 2015 - meissner@suse.com + +- polkit-revert-session-magic.patch: revert a session detection change + that could lead to sessions not being detected as active due to + a systemd bug. bsc#954139 + +------------------------------------------------------------------- +Thu Aug 6 21:26:18 UTC 2015 - antoine.belvire@laposte.net + +- Update to 0.113: + * Fix CVE-2015-4625 + * Fix CVE-2015-3256 + * Fix CVE-2015-3255 + * Fix CVE-2015-3218 + * On systemd-213 and later, the “active” state is shared across + all sessions of an user, instead of being tracked separately + * pkexec: when not given a program to execute, runs the users’ + shell by default +- Remove polkit-no-kded-leak.patch (upstreamed) + +------------------------------------------------------------------- +Mon Jan 12 13:21:20 UTC 2015 - tchvatal@suse.com + +- Try to fix kded leaking due to powerdevil exposing this issue in + polkit: (bsc#912889) + * polkit-no-kded-leak.patch + +------------------------------------------------------------------- +Tue Dec 9 16:23:50 UTC 2014 - meissner@suse.com + +- Added gpg signature and keyring with David Zeuthen and Miloslav Trmac + ids. 
+ +------------------------------------------------------------------- +Fri Sep 27 08:16:34 UTC 2013 - toms@opensuse.org + +- Fixed URL + +------------------------------------------------------------------- +Thu Sep 19 01:13:08 UTC 2013 - hrvoje.senjan@gmail.com + +- Update to 0.112 + + polkitunixprocess: Deprecate racy APIs + + pkcheck: Support --process=pid,start-time,uid syntax too + (CVE-2013-4288) + + Use GOnce for interface type registration + + Add czech translation po file to distribution + + Update the czech once more with newest pot file + +------------------------------------------------------------------- +Fri Jul 5 11:50:44 UTC 2013 - dimstar@opensuse.org + +- On openSUSE 13.1+, switch from mozjs185 to mozjs-17.0 by: + + Conditionally BuildRequire pkgconfig(mozjs-17.0). +- Drop libmozjs185-1_0 Recommends: the library is actually required + and auto-detected as such by rpm (from 0.111 changes: "The + JavaScript interpreter is now mandatory"). + +------------------------------------------------------------------- +Fri Jun 14 20:34:39 UTC 2013 - hrvoje.senjan@gmail.com + +- Update to 0.111 + + Both js185 and mozjs17 versions of SpiderMonkey are supported + + The JavaScript interpreter is now mandatory + + Fixed various memory leaks + + Respect SUID_CFLAGS and SUID_LDFLAGS + + Set process environment from pam_getenvlist() + + Fix the build with automake 1.13 +- Drop polkit-suid_flags.patch and automake-113.patch, those + patches are included in this release + +------------------------------------------------------------------- +Thu Apr 11 01:17:21 UTC 2013 - hrvoje.senjan@gmail.com + +- Add automake-113.patch, fixes build with automake-1.13 + +------------------------------------------------------------------- +Mon Feb 18 19:47:33 UTC 2013 - gber@opensuse.org + +- Recommend libmozjs185-1_0 which is dlopen'ed and required for JS + rules + +------------------------------------------------------------------- +Mon Jan 14 15:51:20 UTC 2013 - 
hrvoje.senjan@gmail.com + +- Update to 0.110 + + Set XAUTHORITY environment variable if is unset + + Use mutex and condition variables properly + + Build fixes. +- Changes from version 0.109: + + Include gmodule-2.0 to avoid linker errors + + Don't require libmozjs185 devel packages for polkit rules + to work +- Drop polkit-link-gmodule.patch and polkit-libmozjs.patch, those + are merged upstream + +------------------------------------------------------------------- +Wed Jan 9 14:08:57 UTC 2013 - saschpe@suse.de + +- Only mark the following files as %config, not %config(noreplace): + + %{_sysconfdir}/dbus-1/system.d/org.freedesktop.PolicyKit1.conf + + %{_sysconfdir}/pam.d/polkit-1 + + %{_sysconfdir}/polkit-1/rules.d/50-default.rules + PolicyKit's own config files should only be changed for good reason + and we want to prefer openSUSE's defaults (you still get an .rpmsafe + file) + +------------------------------------------------------------------- +Mon Dec 10 07:45:47 UTC 2012 - dimstar@opensuse.org + +- Add polkit-libmozjs.patch: dlopen libmozjs185.so.1.0 instead of + libmozjs185.so, which is packaged in the -devel package + (bnc#793562) + +------------------------------------------------------------------- +Thu Nov 15 21:31:19 UTC 2012 - dimstar@opensuse.org + +- Update to version 0.108: + + PolkitAgent: Avoid crashing if initializing the server object + fails + + Fall back to authenticating as uid 0 if the list of admin + identities is empty + + Dynamically load libmozjs185.so and cope with it not being + available + + docs: mention the audience for authorization rules + + build: Fix .gir generation for parallel make +- Only conditionally Require ConsoleKit when with_systemd is 0: + systemd support obsoletes ConsoleKit. +- Add polkit-link-gmodule.patch: Link against gmodule-2.0. +- Change libpolkit0 to require polkit >= %version instead of the + exact version. This will ease upgrade problems should there ever + be a soname bump of libpolkit0. 
+ +------------------------------------------------------------------- +Wed Nov 14 09:26:14 UTC 2012 - dimstar@opensuse.org + +- Enable systemd inetegration (change with_systemd to 1): As an + agreed target for 12.3, systemd integration will be enabled. + +------------------------------------------------------------------- +Thu Nov 8 21:34:15 UTC 2012 - aj@suse.de + +- Add pwdutils to prereq for groupadd and useradd. + +------------------------------------------------------------------- +Thu Sep 27 07:55:23 UTC 2012 - vuntz@opensuse.org + +- Add polkit-no-systemd.patch: this patch, only applied when not + building systemd support, removes the systemd service reference + from the dbus .service file. This is needed as the systemd + .service file does not get installed in that case and dbus gets + confused because it expects it. +- Make %{_datadir}/polkit-1/rules.d and + %{_sysconfdir}/polkit-1/rules.d owned by user polkitd, as those + directories have 0700 as permissions. +- Those two changes should fix polkit so it can start. + Fix bnc#782395. + +------------------------------------------------------------------- +Tue Sep 25 09:05:02 UTC 2012 - vuntz@opensuse.org + +- Use %{_localstatedir}/lib/polkit for $HOME of polkit user, + instead of %{_libexecdir}/polkit-1. The directory is manually + created in %install. 
+ +------------------------------------------------------------------- +Fri Sep 14 18:20:06 UTC 2012 - vuntz@opensuse.org + +- Update to version 0.107: + + Try harder to look up the right localization + + Introduce a polkit.Result enumeration for authorization rules + + pkexec: add support for argv1 annotation and mention + shebang-wrappers + + doc: update guidance on situations where there is no polkit + authority +- Changes from version 0.106: + + Major change: switch from .pkla files (keyfile-format) to + .rules files (JavaScript) + + Nuke polkitbackend library, localauthority backend and + extension system + + Run polkitd as an unprivileged user + + Add a systemd .service file + + Several other code changes. + + Updated documentation. +- Changes from version 0.105: + + Add pkttyagent(1) helper + + Make it possible to influence agent registration with an a{sv} + parameter + + Several other code changes. +- Add pkgconfig(mozjs185) BuildRequires: new dependency for the + authority backend. +- Rebase polkit-no-wheel-group.patch: the admin configuration is + now in a .rules file. +- Rebase polkit-suid_flags.patch. +- Explicitly pass --enable-libsystemd-login or + --disable-libsystemd-login, depending on whether we build systemd + support. +- Add a %pre script to create the polkitd group and user, as + polkitd now run as an unprivileged user. + +------------------------------------------------------------------- +Wed Aug 22 15:52:30 UTC 2012 - meissner@suse.com + +- also use -z now for binary hardening + +------------------------------------------------------------------- +Wed Jun 13 20:54:29 CEST 2012 - vuntz@opensuse.org + +- Package /etc/polkit-1/localauthority and its subdirectories. They + were forgotten because they were empty, but people might need + them to put .pkla files. 
+ +------------------------------------------------------------------- +Fri Feb 24 12:11:04 UTC 2012 - vuntz@opensuse.org + +- Change the way we pass -fpie/-pie: + + Drop polkit-pie.patch: this was not upstreamable. + + Add polkit-suid_flags.patch: respect SUID_CFLAGS/SUID_LDFLAGS + when building the suid binaries (pkexec and + polkit-agent-helper-1). + + Add autoconf, automake and libtool BuildRequires, and call + autoreconf, for the new patch. + + Set SUID_CFLAGS to -fPIE and SUID_LDFLAGS to -pie in %build. + + Pass --with-pic to configure instead of changing CFLAGS to + contain -fPIC. + +------------------------------------------------------------------- +Tue Feb 7 14:39:43 UTC 2012 - dlovasko@suse.com + +- fixed bnc#743145 - added -fpie/-pie flags to compilation and linking of polkit-agent-helper and pkexec + +------------------------------------------------------------------- +Mon Jan 9 09:33:30 UTC 2012 - vuntz@opensuse.org + +- Split typelib file into typelib-1_0-Polkit-1_0 subpackage. +- Add typelib-1_0-Polkit-1_0 Requires to devel subpackage. +- Add explicit libpolkit0 Requires to devel subpackage: it was + missing before. +- Remove explicit glib2-devel Requires from devel subpackage: it + will automatically be added the pkgconfig() way. +- Improve summary of libpolkit0 subpackage. + +------------------------------------------------------------------- +Wed Jan 4 22:03:54 UTC 2012 - crrodriguez@opensuse.org + +- A quick test reveals that the systemd backend does not + integrate very well with packages yet, revert. 
+ +------------------------------------------------------------------- +Wed Jan 4 21:02:38 UTC 2012 - crrodriguez@opensuse.org + +- Previous update missed systemd-devel in buildrequires + without it no systemd support is built + +------------------------------------------------------------------- +Wed Jan 4 13:52:09 UTC 2012 - vuntz@opensuse.org + +- Update to version 0.104: + + Add optional systemd support + + Add netgroup support (fdo#43610) + + Add unit tests (fdo#43608) +- Changes from version 0.103: + + Mistype in DBus object: PoliycKit1 -> PolicyKit1 + + Add support for the org.freedesktop.policykit.imply annotation + + Add --no-debug option and use this for D-Bus activation + + Add org.freedesktop.policykit.owner annotation (fdo#41025) + + Default to AdminIdentities=unix-group:wheel for local authority +- Drop patches that were taken from upstream: + + 0001-Add-support-for-the-org.freedesktop.policykit.imply-a.diff + + 0002-Add-no-debug-option-and-use-this-for-D-Bus-activation.diff + + 0003-Bug-41025-Add-org.freedesktop.policykit.owner-annotat.diff +- Add polkit-no-wheel-group.patch: do not allow the wheel group as + admin identity, and revert to only accept the root user for this. 
+ +------------------------------------------------------------------- +Wed Nov 2 10:30:03 UTC 2011 - lnussel@suse.de + +- pick some patches from git to add support for + org.freedesktop.policykit.imply, disable debug spam and allow + unprivileged users to query authorizations (bnc#698250) + +------------------------------------------------------------------- +Fri Sep 2 10:42:54 UTC 2011 - vuntz@opensuse.org + +- Update to version 0.102: + + pkexec: + - fdo#38769: Support running X11 apps + - Avoid time-of-check-to-time-of-use problems with parent + process + + Fix backend crash if a .policy file does not specify + + Fix multi-line pam prompt handling + + Don't show diagnostic messages intended for the administrator + to the end user + + PolkitUnixProcess: + - Clarify that the real uid is returned, not the effective one + - Record the uid of the process + + Backend: Use polkit_unix_process_get_uid() to get the owner of + a process + + Introspection fixes: + - Add --c-include to the gir files + - Specify exported pkg-config files in GIRs + + Build fix. +- Drop polkit-CVE-2011-1485-1.patch, polkit-CVE-2011-1485-2.patch, + polkit-CVE-2011-1485-3.patch, polkit-CVE-2011-1485-4.patch: fixed + upstream. +- Remove service usage, following the new consensus on Factory + packaging. + +------------------------------------------------------------------- +Wed Aug 10 12:20:39 UTC 2011 - dimstar@opensuse.org + +- BuildIgnore ruby, which is being dragged in via indirect + dependencies by gtk-doc for one of the helpers, which we do not + need during the build of polkit. Not dragging ruby in resolves a + build-cycle. + +------------------------------------------------------------------- +Thu May 5 19:35:05 CEST 2011 - vuntz@opensuse.org + +- Use %set_permissions instead of deprecated %run_permissions in + %post. +- Add permissions PreReq, which was missing before. 
+ +------------------------------------------------------------------- +Tue Apr 26 21:19:32 CEST 2011 - kay.sievers@novell.com + +- use LGPLv2.1+ in spec file + +------------------------------------------------------------------- +Tue Apr 26 18:24:01 CEST 2011 - kay.sievers@novell.com + +- stat race condition (CVE-2011-1485) (bnc#688788) + +------------------------------------------------------------------- +Wed Apr 6 15:40:51 UTC 2011 - fcrozat@novell.com + +- Remove PolkitAgent-1.0.typelib from main package, it is in + library package. + +------------------------------------------------------------------- +Wed Mar 9 13:54:11 UTC 2011 - coolo@novell.com + +- update to 0.101: + * tons of bug fixes, see NEWS + +------------------------------------------------------------------- +Wed Nov 10 15:04:36 UTC 2010 - coolo@novell.com + +- fix file list + +------------------------------------------------------------------- +Thu Sep 16 09:34:50 CEST 2010 - vuntz@opensuse.org + +- Update to version 0.99: + + Remove duplicate definitions of enumeration types + + Fix (correct) GCC warning about possibly-uninitialized variable + + Fix another GCC uninitialized variable warning + + fdo#29816: Install polkitagentenumtypes.h +- Drop polkit-install-missing-header.patch: fixed upstream. 
+ +------------------------------------------------------------------- +Thu Aug 26 10:04:44 CEST 2010 - vuntz@opensuse.org + +- Update to version 0.98: + + Fix scanning of unix-process subjects + + Add textual authentication agent and use it in pkexec(1) + + Fix ConsoleKit interaction bug + + pkexec: add --disable-internal-agent option + + pkcheck: add --enable-internal-agent option + + Fix wording in pkexec(1) man page + + Various doc cleanups +- Changes from version 0.97: + + Port to GDBus + + Add shadow authentication support + + Remove Lock Down functionality + + fdo#26982: pkexec information disclosure vulnerability + + Make polkitd accept --replace and gracefully handle SIGINT + + Implement polkit_temporary_authorization_new_for_gvariant() + + Make NameOwnerChanged a private impl detail of the interactive + authority + + Add a GPermission implementation + + PolkitAuthority: Implement failable initialization + + PolkitAuthority: Add g_return_if_fail() checks + + Add g_return_if_fail() to all public API entry points + + Use polkit_authority_get_sync() instead of deprecated + polkit_authority_get + + PolkitBackend: Don't export unneeded convenience API + + Update GI annotations + + Don't dist org.freedesktop.ConsoleKit.xml. + + Properly reference headers + + fdo#29051: Configuration reload on every query +- Drop pkexec-information-disclosure.patch: fixed upstream. +- Add polkit-install-missing-header.patch to install a header that + should get installed. +- Remove eggdbus-devel BuildRequires. +- Build with introspection support: add gobject-introspection + BuildRequires and pass --enable-introspection to configure. +- Fix groups of all packages to be valid groups. 
+ +------------------------------------------------------------------- +Mon Jun 28 06:38:35 UTC 2010 - jengelh@medozas.de + +- use %_smp_mflags + +------------------------------------------------------------------- +Fri Apr 9 19:14:09 CEST 2010 - kay.sievers@novell.com + +- fix pkexec information disclosure + (fdo#26982, CVE-2010-0750, bnc#593959) + +------------------------------------------------------------------- +Mon Jan 18 14:20:11 CET 2010 - dmueller@suse.de + +- add baselibs.conf + +------------------------------------------------------------------- +Mon Jan 18 12:56:02 CET 2010 - kay.sievers@novell.com + +- new upstream release 0.96 + - Bug 25367 — Also read local authority configuration data from /etc + - Run the open_session part of the PAM stack in pkexec(1) + - Bug 25594 – System logging + - Properly handle return value from getpwnam_r() + - Fix error message when no authentication agent is available + - Make pkexec(1) validate environment variables + - Make pkexec(1) use the syslogging facilities + - Save original cwd in pkexec(1) since it will change during the life-time + - Complain on stderr, not stdout + - Don't log authorization checks + +------------------------------------------------------------------- +Wed Jan 6 18:22:23 CET 2010 - dmueller@suse.de + +- update to 0.95: + The major change this release is that the lockdown feature has + been cleaned up in a way so it isn't specific to the local + authority. See the NEWS files for more details. + +------------------------------------------------------------------- +Wed Dec 16 10:44:34 CET 2009 - jengelh@medozas.de + +- Package documentation as noarch + +------------------------------------------------------------------- +Wed Aug 19 23:22:44 CEST 2009 - vuntz@novell.com + +- Add Requires on polkit to libpolkit0: all applications using + libpolkit0 will really need polkit to be installed to work + properly. 
+ +------------------------------------------------------------------- +Thu Aug 13 04:31:38 CEST 2009 - kay.sievers@novell.com + +- new upstream release 0.94 + - Allow unprivileged callers to check authorizations + - Don't spawn man(1) from a setuid program + - Add polkit.retains_authorization_after_challenge to authz result + - Ensure all fds except stdin/stdout/stderr are closed after exec(2) + - Be more careful when determining process start time + - Remove temporary authorization when the subject it applies to vanishes + - Generate GI gir and typelibs for libpolkit-gobject-1 +- drop patches which are in the release now +- disable introspection + +------------------------------------------------------------------- +Tue Aug 11 21:23:49 CEST 2009 - kay.sievers@novell.com + +- add upstream patches: + polkit-close-stdfds.patch + polkit-no-man-spawn.patch + polkit-proc-stat-parse-fix.patch +- drop rpmlint patch + +------------------------------------------------------------------- +Thu Aug 6 17:36:16 CEST 2009 - meissner@suse.de + +- check for the right binary in verify_permisisons + +------------------------------------------------------------------- +Thu Jul 30 17:32:41 CEST 2009 - coolo@novell.com + +- disable suid bit for now to get software build on top +- split out libraries to follow shared library policy + +------------------------------------------------------------------- +Tue Jul 21 03:20:55 CEST 2009 - kay.sievers@novell.com + +- update to version 0.93 + +------------------------------------------------------------------- +Sun Jul 19 15:31:44 CEST 2009 - kay.sievers@novell.com + +- initial import of polkit 0.92 + diff --git a/polkit.spec b/polkit.spec new file mode 100644 index 0000000..1af27ad --- /dev/null +++ b/polkit.spec 
@@ -0,0 +1,301 @@ +# +# spec file for package polkit +# +# Copyright (c) 2024 SUSE LLC +# +# All modifications and additions to the file contributed by third parties +# remain the property of their copyright owners, unless otherwise agreed +# upon. The license for this file, and modifications and additions to the +# file, is the same license as for the pristine package itself (unless the +# license for the pristine package is not an Open Source License, in which +# case the license is the MIT License). An "Open Source License" is a +# license that conforms to the Open Source Definition (Version 1.9) +# published by the Open Source Initiative. + +# Please submit bugfixes or comments via https://bugs.opensuse.org/ +# + + +%define _polkit_rulesdir %{_datadir}/polkit-1/rules.d +%define glib_br_version 2.30.0 +%define run_tests 1 + +Name: polkit +Version: 123 +Release: 0 +Summary: PolicyKit Authorization Framework +License: LGPL-2.1-or-later +Group: System/Libraries +URL: https://gitlab.freedesktop.org/polkit/polkit/ +Source0: %{url}/-/archive/%{version}/%{name}-%{version}.tar.bz2 +Source3: system-user-polkitd.conf +Source4: 50-default.rules +Source99: baselibs.conf + +# Upstream First - Policy: +# Never add any patches to this package without the upstream commit id +# in the patch. Any patches added here without a very good reason to make +# an exception will be silently removed with the next version update. 
+ +# PATCH-FIX-OPENSUSE polkit-gettext.patch lnussel@suse.de -- allow fallback to gettext for polkit action translations +# polkit-use-gettext-as-fallback.patch +Patch1: polkit-gettext.patch +# PATCH-FIX-OPENSUSE polkit-keyinit.patch meissner@ -- bsc#1144053 Please add "pam_keyinit.so" to the /etc/pam.d/polkit-1 configuration file +Patch3: polkit-keyinit.patch +# PATCH-FIX-OPENSUSE polkit-adjust-libexec-path.patch -- Adjust path to polkit-agent-helper-1 (bsc#1180474) +Patch4: polkit-adjust-libexec-path.patch +# Read actions also from /etc/polkit-1/actions +Patch6: polkit-actions-in-etc.patch + +BuildRequires: gcc-c++ +BuildRequires: gettext-devel +BuildRequires: gtk-doc +BuildRequires: libexpat-devel +BuildRequires: meson >= 0.50 +BuildRequires: pam-devel +BuildRequires: pkgconfig +BuildRequires: systemd-rpm-macros +BuildRequires: sysuser-tools +BuildRequires: pkgconfig(duktape) >= 2.2.0 +BuildRequires: pkgconfig(gio-unix-2.0) >= %{glib_br_version} +BuildRequires: pkgconfig(glib-2.0) >= %{glib_br_version} +BuildRequires: pkgconfig(gmodule-2.0) >= %{glib_br_version} +BuildRequires: pkgconfig(gobject-introspection-1.0) >= 0.6.2 +BuildRequires: pkgconfig(libsystemd) +BuildRequires: pkgconfig(systemd) +%if 0%{?run_tests} +################################################################# +# python3-dbus-python and python3-python-dbusmock are needed for +# test-polkitbackendjsauthority test: +BuildRequires: /usr/bin/dbus-daemon +BuildRequires: python3-dbus-python +BuildRequires: python3-python-dbusmock +################################################################# +%endif +# gtk-doc drags indirectyly ruby in for one of the helpers. This in turn causes a build cycle. 
+#!BuildIgnore: ruby + +Requires: dbus-service +Requires: libpolkit-agent-1-0 = %{version}-%{release} +Requires: libpolkit-gobject-1-0 = %{version}-%{release} +Requires(post): permissions +%sysusers_requires +%systemd_ordering + +%description +PolicyKit is a toolkit for defining and handling authorizations. +It is used for allowing unprivileged processes to speak to privileged +processes. + +%package devel +Summary: Development files for PolicyKit +Group: Development/Libraries/C and C++ +Requires: %{name} = %{version}-%{release} +Requires: libpolkit-agent-1-0 = %{version} +Requires: libpolkit-gobject-1-0 = %{version} +Requires: pkgconfig +Requires: typelib-1_0-Polkit-1_0 = %{version} + +%description devel +Development files for PolicyKit Authorization Framework. + +%package -n pkexec +Summary: Pkexec component of polkit +Group: System/Libraries +Requires: %{name} = %{version}-%{release} +Requires(post): permissions +Provides: polkit:/usr/bin/pkexec + +%description -n pkexec +This package contains the pkexec setuid root binary part of polkit. + +%package doc +Summary: Development documentation for PolicyKit +Group: Development/Libraries/C and C++ +BuildArch: noarch + +%description doc +Development documentation for PolicyKit Authorization Framework. + +%package -n libpolkit-agent-1-0 +Summary: PolicyKit Authorization Framework -- Agent Library +Group: System/Libraries +Requires: %{name} >= %{version} +Obsoletes: libpolkit0 < %{version}-%{release} + +%description -n libpolkit-agent-1-0 +PolicyKit is a toolkit for defining and handling authorizations. +It is used for allowing unprivileged processes to speak to privileged +processes. + +This package contains the agent library only. 
+ +%package -n libpolkit-gobject-1-0 +Summary: PolicyKit Authorization Framework -- GObject Library +Group: System/Libraries +Requires: %{name} >= %{version} +Obsoletes: libpolkit0 < %{version}-%{release} + +%description -n libpolkit-gobject-1-0 +PolicyKit is a toolkit for defining and handling authorizations. +It is used for allowing unprivileged processes to speak to privileged +processes. + +This package contains the gobject library only. + +%package -n typelib-1_0-Polkit-1_0 +Summary: PolicyKit Authorization Framework -- Introspection bindings +Group: System/Libraries + +%description -n typelib-1_0-Polkit-1_0 +PolicyKit is a toolkit for defining and handling authorizations. +It is used for allowing unprivileged processes to speak to privileged +processes. + +This package provides the GObject Introspection bindings for PolicyKit. + +%prep +%autosetup -p1 + +%build +# Disabling of this error can hopefully be removed when syncing with +# upstream which has removed mocklibc: +%global optflags %{optflags} -Wno-error=implicit-function-declaration + +%meson \ + -D session_tracking=libsystemd-login \ + -D systemdsystemunitdir="%{_unitdir}" \ + -D os_type=suse \ + -D pam_module_dir="%{_pam_moduledir}" \ + -D pam_prefix="%{_pam_vendordir}" \ + -D examples=true \ + -D tests=true \ + -D gtk_doc=true \ + -D man=true \ + -D js_engine=duktape \ + %{nil} +%meson_build +%sysusers_generate_pre %{SOURCE3} polkit system-user-polkitd.conf + +%if 0%{?run_tests} +%check +%meson_test +%endif + +%install +# install explicitly into libexec. upstream has some unflexible logic for +# this executable at the moment, but there is a PR# open to fix this: +# https://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/63 +# once this has been resolved upstream and we update to a new release we can +# remove this and also patch4 above. +# +# Additional note: Upstream turned down the MR above, preferring to stick to +# using ${prefix}/lib/polkit-1 and non-distro-configurable. 
+%meson_install +%find_lang polkit-1 + +# create $HOME for polkit user +install -d %{buildroot}%{_localstatedir}/lib/polkit + +rm -v %{buildroot}%{_polkit_rulesdir}/50-default.rules +install -m0644 %{SOURCE4} %{buildroot}%{_polkit_rulesdir}/50-default.rules + +# Install the polkitd user creation file: +mkdir -p %{buildroot}%{_sysusersdir} +install -m0644 %{SOURCE3} %{buildroot}%{_sysusersdir}/ + +# create actions dir in /etc +mkdir %{buildroot}/%{_sysconfdir}/polkit-1/actions + +%pre -f polkit.pre +%service_add_pre polkit.service + +%preun +%service_del_preun polkit.service + +%postun +%service_del_postun polkit.service + +%post -n pkexec +%set_permissions %{_bindir}/pkexec + +%post +%set_permissions %{_libexecdir}/polkit-1/polkit-agent-helper-1 +%service_add_post polkit.service + +%verifyscript -n pkexec +%verify_permissions -e %{_bindir}/pkexec + +%verifyscript +%verify_permissions -e %{_libexecdir}/polkit-1/polkit-agent-helper-1 + +%post -n libpolkit-agent-1-0 -p /sbin/ldconfig +%postun -n libpolkit-agent-1-0 -p /sbin/ldconfig +%post -n libpolkit-gobject-1-0 -p /sbin/ldconfig +%postun -n libpolkit-gobject-1-0 -p /sbin/ldconfig + +%files -n libpolkit-agent-1-0 +%{_libdir}/libpolkit-agent-1.so.* + +%files -n libpolkit-gobject-1-0 +%{_libdir}/libpolkit-gobject-1.so.* + +%files -n typelib-1_0-Polkit-1_0 +%{_libdir}/girepository-1.0/Polkit-1.0.typelib +%{_libdir}/girepository-1.0/PolkitAgent-1.0.typelib + +%files -f polkit-1.lang +%doc NEWS.md README.md +%license COPYING + +%{_mandir}/man1/pkaction.1%{?ext_man} +%{_mandir}/man1/pkcheck.1%{?ext_man} +%{_mandir}/man1/pkttyagent.1%{?ext_man} +%{_mandir}/man8/polkitd.8%{?ext_man} +%{_mandir}/man8/polkit.8%{?ext_man} +%dir %{_datadir}/dbus-1 +%dir %{_datadir}/dbus-1/system-services +%{_datadir}/dbus-1/system-services/org.freedesktop.PolicyKit1.service +%dir %{_datadir}/dbus-1/system.d +%{_datadir}/dbus-1/system.d/org.freedesktop.PolicyKit1.conf +%dir %{_datadir}/polkit-1 +%{_datadir}/polkit-1/policyconfig-1.dtd +%dir 
%{_datadir}/polkit-1/actions +%{_datadir}/polkit-1/actions/org.freedesktop.policykit.policy +%attr(0555,root,root) %dir %{_polkit_rulesdir} + %{_polkit_rulesdir}/50-default.rules +%{_pam_vendordir}/polkit-1 +%dir %{_sysconfdir}/polkit-1 +%attr(0750,root,polkitd) %dir %{_sysconfdir}/polkit-1/rules.d +%dir %{_sysconfdir}/polkit-1/actions +%{_bindir}/pkaction +%{_bindir}/pkcheck +%{_bindir}/pkttyagent +%dir %{_libexecdir}/polkit-1 +%{_libexecdir}/polkit-1/polkitd +%verify(not mode) %attr(4755,root,root) %{_libexecdir}/polkit-1/polkit-agent-helper-1 +# $HOME for polkit user +%dir %{_localstatedir}/lib/polkit +%{_sysusersdir}/system-user-polkitd.conf +%{_unitdir}/polkit.service + +%files devel +%{_libdir}/libpolkit-agent-1.so +%{_libdir}/libpolkit-gobject-1.so +%{_libdir}/pkgconfig/polkit-agent-1.pc +%{_libdir}/pkgconfig/polkit-gobject-1.pc +%{_includedir}/polkit-1/ +%{_bindir}/pk-example-frobnicate +%{_datadir}/gir-1.0/*.gir +%{_datadir}/polkit-1/actions/org.freedesktop.policykit.examples.pkexec.policy +%{_datadir}/gettext/its/polkit.its +%{_datadir}/gettext/its/polkit.loc + +%files -n pkexec +%{_mandir}/man1/pkexec.1%{?ext_man} +%verify(not mode) %attr(4755,root,root) %{_bindir}/pkexec + +%files doc +%doc %{_datadir}/gtk-doc/html/polkit-1/ + +%changelog diff --git a/system-user-polkitd.conf b/system-user-polkitd.conf new file mode 100644 index 0000000..59ba3ba --- /dev/null +++ b/system-user-polkitd.conf @@ -0,0 +1,2 @@ +#Type Name ID GECOS Home directory Shell +u polkitd - "User for polkitd" /var/lib/polkit -
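Review bot: `%dir %{_sysconfdir}/polkit-1/actions` in `%files` carries no `%attr`, so the packaged mode is whatever the bare `mkdir %{buildroot}/%{_sysconfdir}/polkit-1/actions` in `%install` left in the buildroot, while the two rules directories beside it are pinned (`0555,root,root` and `0750,root,polkitd`). Going by the Patch6 comment, polkitd also reads action definitions from this directory, so its owner and mode decide who can add authorization policy. I would state them explicitly with `%attr(0755,root,root) %dir %{_sysconfdir}/polkit-1/actions` and create the directory with `install -d -m0755` instead of `mkdir`. Patch6 is also the only patch without a `PATCH-FIX-*` tag, author or bug reference, although the "Upstream First" comment above the patch list asks for the upstream commit id. A line such as `# PATCH-FIX-OPENSUSE polkit-actions-in-etc.patch <author> -- <bug or commit reference>` would record where the extra search path comes from.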