From 8404e7816a045c215cdfa185aebb35d555646f3a2423db775956eb039921ff3f Mon Sep 17 00:00:00 2001 From: Marcus Meissner Date: Thu, 26 Nov 2015 16:31:33 +0000 Subject: [PATCH 1/3] Accepting request 346395 from home:msmeissn:branches:Base:System - revert a session detection change that could lead to sessions not being detected as active due to a systemd bug. bsc#954139 OBS-URL: https://build.opensuse.org/request/show/346395 OBS-URL: https://build.opensuse.org/package/show/Base:System/polkit?expand=0&rev=107 --- polkit-revert-session-magic.patch | 66 +++++++++++++++++++++++++++++++ polkit.changes | 7 ++++ polkit.spec | 3 ++ 3 files changed, 76 insertions(+) create mode 100644 polkit-revert-session-magic.patch diff --git a/polkit-revert-session-magic.patch b/polkit-revert-session-magic.patch new file mode 100644 index 0000000..2a2e051 --- /dev/null +++ b/polkit-revert-session-magic.patch @@ -0,0 +1,66 @@ +commit a29653ffa99e0809e15aa34afcd7b2df8593871c +Author: Philip Withnall +Date: Tue Jun 2 16:19:51 2015 +0100 + + sessionmonitor-systemd: Use sd_uid_get_state() to check session activity + + Instead of using sd_pid_get_session() then sd_session_is_active() to + determine whether the user is active, use sd_uid_get_state() directly. + This gets the maximum of the states of all the user’s sessions, rather + than the state of the session containing the subject process. Since the + user is the security boundary, this is fine. + + This change is necessary for `systemd --user` sessions, where most user + code will be forked off user@.service, rather than running inside the + logind session (whether that be a foreground/active or background/online + session). + + Policy-wise, the change is from checking whether the subject process is + in an active session; to checking whether the subject process is owned + by a user with at least one active session. + + https://bugs.freedesktop.org/show_bug.cgi?id=76358 + +diff --git a/src/polkitbackend/polkitbackendsessionmonitor-systemd.c b/src/polkitbackend/polkitbackendsessionmonitor-systemd.c +index 9995f87..2a6c739 100644 +--- a/src/polkitbackend/polkitbackendsessionmonitor-systemd.c ++++ b/src/polkitbackend/polkitbackendsessionmonitor-systemd.c +@@ -389,6 +389,37 @@ gboolean + polkit_backend_session_monitor_is_session_active (PolkitBackendSessionMonitor *monitor, + PolkitSubject *session) + { +- return sd_session_is_active (polkit_unix_session_get_session_id (POLKIT_UNIX_SESSION (session))); ++ const char *session_id; ++ char *state; ++ uid_t uid; ++ gboolean is_active = FALSE; ++ ++ session_id = polkit_unix_session_get_session_id (POLKIT_UNIX_SESSION (session)); ++ ++ g_debug ("Checking whether session %s is active.", session_id); ++ ++ /* Check whether *any* of the user's current sessions are active. */ ++ if (sd_session_get_uid (session_id, &uid) < 0) ++ goto fallback; ++ ++ g_debug ("Session %s has UID %u.", session_id, uid); ++ ++ if (sd_uid_get_state (uid, &state) < 0) ++ goto fallback; ++ ++ g_debug ("UID %u has state %s.", uid, state); ++ ++ is_active = (g_strcmp0 (state, "active") == 0); ++ free (state); ++ ++ return is_active; ++ ++fallback: ++ /* Fall back to checking the session. This is not ideal, since the user ++ * might have multiple sessions, and we cannot guarantee to have chosen ++ * the active one. ++ * ++ * See: https://bugs.freedesktop.org/show_bug.cgi?id=76358. */ ++ return sd_session_is_active (session_id); + } + diff --git a/polkit.changes b/polkit.changes index aeed5a8..9111073 100644 --- a/polkit.changes +++ b/polkit.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Thu Nov 26 16:26:09 UTC 2015 - meissner@suse.com + +- revert a session detection change that could lead + to sessions not being detected as active due to + a systemd bug. bsc#954139 + ------------------------------------------------------------------- Thu Aug 6 21:26:18 UTC 2015 - antoine.belvire@laposte.net diff --git a/polkit.spec b/polkit.spec index c764ccf..3a979af 100644 --- a/polkit.spec +++ b/polkit.spec @@ -37,6 +37,8 @@ Source99: baselibs.conf Patch0: polkit-no-wheel-group.patch # PATCH-FIX-UPSTREAM polkit-no-systemd.patch bnc#782395 fdo#55377 vuntz@opensuse.org -- Do not reference non-existing polkit.service file for systemd (only applied if not built with systemd support) Patch1: polkit-no-systemd.patch +# PATCH-REVERT-UPSTREAM polkit-revert-session-magic.patch various bugs meissner -- systemd session magic was not updating the user seats correctly +Patch2: polkit-revert-session-magic.patch # needed for patch1 BuildRequires: autoconf # needed for patch1 @@ -129,6 +131,7 @@ This package provides the GObject Introspection bindings for PolicyKit. %if !(0%{?with_systemd}) %patch1 -p1 %endif +%patch2 -p1 %build export V=1 From 59a096cb91e7ff99bf2d4f476c550c4e69979c0179ca5187164163904431cd56 Mon Sep 17 00:00:00 2001 From: Marcus Meissner Date: Thu, 26 Nov 2015 16:49:11 +0000 Subject: [PATCH 2/3] - polkit-revert-session-magic.patch: revert a session detection change that could lead to sessions not being detected as active due to OBS-URL: https://build.opensuse.org/package/show/Base:System/polkit?expand=0&rev=108 --- polkit.changes | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/polkit.changes b/polkit.changes index 9111073..8c37a90 100644 --- a/polkit.changes +++ b/polkit.changes @@ -1,8 +1,8 @@ ------------------------------------------------------------------- Thu Nov 26 16:26:09 UTC 2015 - meissner@suse.com -- revert a session detection change that could lead - to sessions not being detected as active due to +- polkit-revert-session-magic.patch: revert a session detection change + that could lead to sessions not being detected as active due to a systemd bug. bsc#954139 ------------------------------------------------------------------- From 0740074701a1e221097333c08b609f0738ecccf38c0eae7bcafd56d062c83d7e Mon Sep 17 00:00:00 2001 From: Marcus Meissner Date: Mon, 30 Nov 2015 08:39:43 +0000 Subject: [PATCH 3/3] OBS-URL: https://build.opensuse.org/package/show/Base:System/polkit?expand=0&rev=109 --- polkit.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/polkit.spec b/polkit.spec index 3a979af..7ad8332 100644 --- a/polkit.spec +++ b/polkit.spec @@ -131,7 +131,7 @@ This package provides the GObject Introspection bindings for PolicyKit. %if !(0%{?with_systemd}) %patch1 -p1 %endif -%patch2 -p1 +%patch2 -p1 -R %build export V=1