From c1967a3fdd7aef928ca827fda9be92f95f9e02a1 Mon Sep 17 00:00:00 2001 From: Matthias Clasen Date: Aug 18 2010 18:38:44 +0000 Subject: fix a CK interaction bug --- diff --git a/0001-Fix-ConsoleKit-interaction-bug.patch b/0001-Fix-ConsoleKit-interaction-bug.patch new file mode 100644 index 0000000..ab54b49 --- /dev/null +++ b/0001-Fix-ConsoleKit-interaction-bug.patch @@ -0,0 +1,132 @@ +From 22363658629553e04277259ccac8dbf4e33839ea Mon Sep 17 00:00:00 2001 +From: David Zeuthen +Date: Wed, 18 Aug 2010 12:24:04 -0400 +Subject: [PATCH] Fix ConsoleKit interaction bug + +First of all, there was a glaring bug where we forgot to load the +GKeyFile for /var/run/ConsoleKit/database resulting in criticals like +this: + + (lt-polkitd:17984): GLib-CRITICAL **: g_key_file_get_boolean: assertion `key_file != NULL' failed + (lt-polkitd:17984): GLib-CRITICAL **: g_key_file_get_boolean: assertion `key_file != NULL' failed + +Furthermore, this resulted in the Authority returning "not authorized" +for subjects that should have been authorized. For an example, see + + https://bugzilla.redhat.com/show_bug.cgi?id=624125 + +Fix this bug by calling ensure_database() to make sure the GKeyFile +contains information from /var/run/ConsoleKit/database. Also, since +there is a race (theoretical at least, but see +https://bugzilla.gnome.org/show_bug.cgi?id=627285 ) with file +monitoring, also ensure that we are using the latest and greatest +version of /var/run/ConsoleKit/database. + +Signed-off-by: David Zeuthen +--- + src/polkitbackend/polkitbackendsessionmonitor.c | 52 ++++++++++++++++++++-- + 1 files changed, 47 insertions(+), 5 deletions(-) + +diff --git a/src/polkitbackend/polkitbackendsessionmonitor.c b/src/polkitbackend/polkitbackendsessionmonitor.c +index 2b63f3c..877d69e 100644 +--- a/src/polkitbackend/polkitbackendsessionmonitor.c ++++ b/src/polkitbackend/polkitbackendsessionmonitor.c +@@ -47,6 +47,7 @@ struct _PolkitBackendSessionMonitor + + GKeyFile *database; + GFileMonitor *database_monitor; ++ time_t database_mtime; + }; + + struct _PolkitBackendSessionMonitorClass +@@ -74,17 +75,34 @@ reload_database (PolkitBackendSessionMonitor *monitor, + GError **error) + { + gboolean ret; ++ struct stat statbuf; + + ret = FALSE; + ++ if (monitor->database != NULL) ++ { ++ g_key_file_free (monitor->database); ++ monitor->database = NULL; ++ } ++ ++ if (stat (CKDB_PATH, &statbuf) != 0) ++ { ++ g_set_error (error, ++ G_IO_ERROR, ++ g_io_error_from_errno (errno), ++ "Error statting file " CKDB_PATH ": %s", ++ strerror (errno)); ++ goto out; ++ } ++ ++ monitor->database_mtime = statbuf.st_mtime; ++ + monitor->database = g_key_file_new (); + if (!g_key_file_load_from_file (monitor->database, + CKDB_PATH, + G_KEY_FILE_NONE, + error)) + { +- g_key_file_free (monitor->database); +- monitor->database = NULL; + goto out; + } + +@@ -102,8 +120,22 @@ ensure_database (PolkitBackendSessionMonitor *monitor, + + if (monitor->database != NULL) + { +- ret = TRUE; +- goto out; ++ struct stat statbuf; ++ ++ if (stat (CKDB_PATH, &statbuf) != 0) ++ { ++ g_set_error (error, ++ G_IO_ERROR, ++ g_io_error_from_errno (errno), ++ "Error statting file " CKDB_PATH " to check timestamp: %s", ++ strerror (errno)); ++ goto out; ++ } ++ if (statbuf.st_mtime == monitor->database_mtime) ++ { ++ ret = TRUE; ++ goto out; ++ } + } + + ret = reload_database (monitor, error); +@@ -266,7 +298,6 @@ polkit_backend_session_monitor_get_user_for_subject (PolkitBackendSessionMonitor + if (local_error != NULL) + { + g_propagate_prefixed_error (error, local_error, "Error getting user for process: "); +- g_error_free (local_error); + goto out; + } + +@@ -427,6 +458,17 @@ get_boolean (PolkitBackendSessionMonitor *monitor, + group = g_strdup_printf ("Session %s", polkit_unix_session_get_session_id (POLKIT_UNIX_SESSION (session))); + + error = NULL; ++ if (!ensure_database (monitor, &error)) ++ { ++ g_printerr ("Error getting boolean `%s' in group `%s': Error ensuring CK database at " CKDB_PATH ": %s", ++ key_name, ++ group, ++ error->message); ++ g_error_free (error); ++ goto out; ++ } ++ ++ error = NULL; + ret = g_key_file_get_boolean (monitor->database, group, key_name, &error); + if (error != NULL) + { +-- +1.7.2.1 + diff --git a/polkit.spec b/polkit.spec index a772426..0e83cf4 100644 --- a/polkit.spec +++ b/polkit.spec @@ -1,11 +1,10 @@ Summary: PolicyKit Authorization Framework Name: polkit Version: 0.97 -Release: 3%{?dist} +Release: 4%{?dist} License: LGPLv2+ URL: http://www.freedesktop.org/wiki/Software/PolicyKit Source0: http://hal.freedesktop.org/releases/%{name}-%{version}.tar.gz -BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root Group: System Environment/Libraries BuildRequires: glib2-devel >= 2.25.12 BuildRequires: expat-devel @@ -27,6 +26,10 @@ Conflicts: polkit-gnome < 0.97 # upstream Patch0: polkit-0.97-subject-scanning.patch +# Upstream fix +Patch1: 0001-Fix-ConsoleKit-interaction-bug.patch + + %description PolicyKit is a toolkit for defining and handling authorizations. It is used for allowing unprivileged processes to speak to privileged @@ -70,13 +73,13 @@ Roles and default policy for desktop usage. %prep %setup -q %patch0 -p1 -b .subject-scanning +%patch1 -p1 -b .ck-interaction %build %configure --enable-gtk-doc --disable-static --libexecdir=%{_libexecdir}/polkit-1 --disable-introspection --enable-examples make %install -rm -rf $RPM_BUILD_ROOT make install DESTDIR=$RPM_BUILD_ROOT rm -f $RPM_BUILD_ROOT%{_libdir}/*.la @@ -129,9 +132,6 @@ EOF ### END DESKTOP POLICY CONFIGURATION ### -%clean -rm -rf $RPM_BUILD_ROOT - %post -p /sbin/ldconfig %postun -p /sbin/ldconfig @@ -191,6 +191,9 @@ rm -rf $RPM_BUILD_ROOT %{_datadir}/gtk-doc/html/* %changelog +* Wed Aug 18 2010 Matthias Clasen - 0.97-4 +- Fix a ConsoleKit interaction bug + * Fri Aug 13 2010 David Zeuthen - 0.97-3 - Add a patch to make pkcheck(1) work the way libvirtd uses it (#623257) - Require GLib >= 2.25.12 instead of 2.25.11