e78bcf27d4
https://gitlab.freedesktop.org/polkit/polkit/-/blob/121/NEWS.md Highlights: - new versioning - duktape added as backend JS engine - autotools build system removed - new translations Signed-off-by: Daniel Lang <d.lang@abatec.at> [Peter: drop CVE-2021-4034 reference] Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
261 lines
8.7 KiB
Diff
261 lines
8.7 KiB
Diff
From b57deee8178190a7ecc75290fa13cf7daabc2c66 Mon Sep 17 00:00:00 2001
|
|
From: "A. Wilcox" <AWilcox@Wilcox-Tech.com>
|
|
Date: Sun, 15 May 2022 05:04:10 +0000
|
|
Subject: [PATCH] Make netgroup support optional
|
|
|
|
On at least Linux/musl and Linux/uclibc, netgroup support is not
|
|
available. PolKit fails to compile on these systems for that reason.
|
|
|
|
This change makes netgroup support conditional on the presence of the
|
|
setnetgrent(3) function which is required for the support to work. If
|
|
that function is not available on the system, an error will be returned
|
|
to the administrator if unix-netgroup: is specified in configuration.
|
|
|
|
(sam: rebased for Meson and Duktape.)
|
|
|
|
Closes: https://gitlab.freedesktop.org/polkit/polkit/-/issues/14
|
|
Closes: https://gitlab.freedesktop.org/polkit/polkit/-/issues/163
|
|
Closes: https://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/52
|
|
Signed-off-by: A. Wilcox <AWilcox@Wilcox-Tech.com>
|
|
Signed-off-by: Daniel Lang <d.lang@abatec.at>
|
|
|
|
---
|
|
meson.build | 1 +
|
|
src/polkit/polkitidentity.c | 17 +++++++++++++++++
|
|
src/polkit/polkitunixnetgroup.c | 3 +++
|
|
.../polkitbackendduktapeauthority.c | 4 ++--
|
|
.../polkitbackendinteractiveauthority.c | 14 ++++++++------
|
|
src/polkitbackend/polkitbackendjsauthority.cpp | 2 ++
|
|
test/polkit/polkitidentitytest.c | 8 +++++++-
|
|
test/polkit/polkitunixnetgrouptest.c | 2 ++
|
|
.../test-polkitbackendjsauthority.c | 2 ++
|
|
9 files changed, 44 insertions(+), 9 deletions(-)
|
|
|
|
diff --git a/meson.build b/meson.build
|
|
index 908f0aa..66c4e9b 100644
|
|
--- a/meson.build
|
|
+++ b/meson.build
|
|
@@ -89,6 +89,7 @@ config_h.set('_GNU_SOURCE', true)
|
|
check_functions = [
|
|
'clearenv',
|
|
'fdatasync',
|
|
+ 'setnetgrent',
|
|
]
|
|
|
|
foreach func: check_functions
|
|
diff --git a/src/polkit/polkitidentity.c b/src/polkit/polkitidentity.c
|
|
index 3aa1f7f..793f17d 100644
|
|
--- a/src/polkit/polkitidentity.c
|
|
+++ b/src/polkit/polkitidentity.c
|
|
@@ -182,7 +182,15 @@ polkit_identity_from_string (const gchar *str,
|
|
}
|
|
else if (g_str_has_prefix (str, "unix-netgroup:"))
|
|
{
|
|
+#ifndef HAVE_SETNETGRENT
|
|
+ g_set_error (error,
|
|
+ POLKIT_ERROR,
|
|
+ POLKIT_ERROR_FAILED,
|
|
+ "Netgroups are not available on this machine ('%s')",
|
|
+ str);
|
|
+#else
|
|
identity = polkit_unix_netgroup_new (str + sizeof "unix-netgroup:" - 1);
|
|
+#endif
|
|
}
|
|
|
|
if (identity == NULL && (error != NULL && *error == NULL))
|
|
@@ -344,6 +352,14 @@ polkit_identity_new_for_gvariant (GVariant *variant,
|
|
GVariant *v;
|
|
const char *name;
|
|
|
|
+#ifndef HAVE_SETNETGRENT
|
|
+ g_set_error (error,
|
|
+ POLKIT_ERROR,
|
|
+ POLKIT_ERROR_FAILED,
|
|
+ "Netgroups are not available on this machine");
|
|
+ goto out;
|
|
+#else
|
|
+
|
|
v = lookup_asv (details_gvariant, "name", G_VARIANT_TYPE_STRING, error);
|
|
if (v == NULL)
|
|
{
|
|
@@ -353,6 +369,7 @@ polkit_identity_new_for_gvariant (GVariant *variant,
|
|
name = g_variant_get_string (v, NULL);
|
|
ret = polkit_unix_netgroup_new (name);
|
|
g_variant_unref (v);
|
|
+#endif
|
|
}
|
|
else
|
|
{
|
|
diff --git a/src/polkit/polkitunixnetgroup.c b/src/polkit/polkitunixnetgroup.c
|
|
index 8a2b369..83f8d4a 100644
|
|
--- a/src/polkit/polkitunixnetgroup.c
|
|
+++ b/src/polkit/polkitunixnetgroup.c
|
|
@@ -194,6 +194,9 @@ polkit_unix_netgroup_set_name (PolkitUnixNetgroup *group,
|
|
PolkitIdentity *
|
|
polkit_unix_netgroup_new (const gchar *name)
|
|
{
|
|
+#ifndef HAVE_SETNETGRENT
|
|
+ g_assert_not_reached();
|
|
+#endif
|
|
g_return_val_if_fail (name != NULL, NULL);
|
|
return POLKIT_IDENTITY (g_object_new (POLKIT_TYPE_UNIX_NETGROUP,
|
|
"name", name,
|
|
diff --git a/src/polkitbackend/polkitbackendduktapeauthority.c b/src/polkitbackend/polkitbackendduktapeauthority.c
|
|
index c89dbcf..f4b4304 100644
|
|
--- a/src/polkitbackend/polkitbackendduktapeauthority.c
|
|
+++ b/src/polkitbackend/polkitbackendduktapeauthority.c
|
|
@@ -1035,7 +1035,7 @@ js_polkit_user_is_in_netgroup (duk_context *cx)
|
|
|
|
user = duk_require_string (cx, 0);
|
|
netgroup = duk_require_string (cx, 1);
|
|
-
|
|
+#ifdef HAVE_SETNETGRENT
|
|
if (innetgr (netgroup,
|
|
NULL, /* host */
|
|
user,
|
|
@@ -1043,7 +1043,7 @@ js_polkit_user_is_in_netgroup (duk_context *cx)
|
|
{
|
|
is_in_netgroup = TRUE;
|
|
}
|
|
-
|
|
+#endif
|
|
duk_push_boolean (cx, is_in_netgroup);
|
|
return 1;
|
|
}
|
|
diff --git a/src/polkitbackend/polkitbackendinteractiveauthority.c b/src/polkitbackend/polkitbackendinteractiveauthority.c
|
|
index d935a7a..1cfc88e 100644
|
|
--- a/src/polkitbackend/polkitbackendinteractiveauthority.c
|
|
+++ b/src/polkitbackend/polkitbackendinteractiveauthority.c
|
|
@@ -2248,25 +2248,26 @@ get_users_in_net_group (PolkitIdentity *group,
|
|
GList *ret;
|
|
|
|
ret = NULL;
|
|
+#ifdef HAVE_SETNETGRENT
|
|
name = polkit_unix_netgroup_get_name (POLKIT_UNIX_NETGROUP (group));
|
|
|
|
-#ifdef HAVE_SETNETGRENT_RETURN
|
|
+# ifdef HAVE_SETNETGRENT_RETURN
|
|
if (setnetgrent (name) == 0)
|
|
{
|
|
g_warning ("Error looking up net group with name %s: %s", name, g_strerror (errno));
|
|
goto out;
|
|
}
|
|
-#else
|
|
+# else
|
|
setnetgrent (name);
|
|
-#endif
|
|
+# endif /* HAVE_SETNETGRENT_RETURN */
|
|
|
|
for (;;)
|
|
{
|
|
-#if defined(HAVE_NETBSD) || defined(HAVE_OPENBSD)
|
|
+# if defined(HAVE_NETBSD) || defined(HAVE_OPENBSD)
|
|
const char *hostname, *username, *domainname;
|
|
-#else
|
|
+# else
|
|
char *hostname, *username, *domainname;
|
|
-#endif
|
|
+# endif /* defined(HAVE_NETBSD) || defined(HAVE_OPENBSD) */
|
|
PolkitIdentity *user;
|
|
GError *error = NULL;
|
|
|
|
@@ -2297,6 +2298,7 @@ get_users_in_net_group (PolkitIdentity *group,
|
|
|
|
out:
|
|
endnetgrent ();
|
|
+#endif /* HAVE_SETNETGRENT */
|
|
return ret;
|
|
}
|
|
|
|
diff --git a/src/polkitbackend/polkitbackendjsauthority.cpp b/src/polkitbackend/polkitbackendjsauthority.cpp
|
|
index 2568e8e..999269b 100644
|
|
--- a/src/polkitbackend/polkitbackendjsauthority.cpp
|
|
+++ b/src/polkitbackend/polkitbackendjsauthority.cpp
|
|
@@ -1271,6 +1271,7 @@ js_polkit_user_is_in_netgroup (JSContext *cx,
|
|
|
|
JS::CallArgs args = JS::CallArgsFromVp (argc, vp);
|
|
|
|
+#ifdef HAVE_SETNETGRENT
|
|
JS::RootedString usrstr (authority->priv->cx);
|
|
usrstr = args[0].toString();
|
|
user = JS_EncodeStringToUTF8 (cx, usrstr);
|
|
@@ -1285,6 +1286,7 @@ js_polkit_user_is_in_netgroup (JSContext *cx,
|
|
{
|
|
is_in_netgroup = true;
|
|
}
|
|
+#endif
|
|
|
|
ret = true;
|
|
|
|
diff --git a/test/polkit/polkitidentitytest.c b/test/polkit/polkitidentitytest.c
|
|
index e91967b..2635c4c 100644
|
|
--- a/test/polkit/polkitidentitytest.c
|
|
+++ b/test/polkit/polkitidentitytest.c
|
|
@@ -145,11 +145,15 @@ struct ComparisonTestData comparison_test_data [] = {
|
|
{"unix-group:root", "unix-group:jane", FALSE},
|
|
{"unix-group:jane", "unix-group:jane", TRUE},
|
|
|
|
+#ifdef HAVE_SETNETGRENT
|
|
{"unix-netgroup:foo", "unix-netgroup:foo", TRUE},
|
|
{"unix-netgroup:foo", "unix-netgroup:bar", FALSE},
|
|
+#endif
|
|
|
|
{"unix-user:root", "unix-group:root", FALSE},
|
|
+#ifdef HAVE_SETNETGRENT
|
|
{"unix-user:jane", "unix-netgroup:foo", FALSE},
|
|
+#endif
|
|
|
|
{NULL},
|
|
};
|
|
@@ -181,11 +185,13 @@ main (int argc, char *argv[])
|
|
g_test_add_data_func ("/PolkitIdentity/group_string_2", "unix-group:jane", test_string);
|
|
g_test_add_data_func ("/PolkitIdentity/group_string_3", "unix-group:users", test_string);
|
|
|
|
+#ifdef HAVE_SETNETGRENT
|
|
g_test_add_data_func ("/PolkitIdentity/netgroup_string", "unix-netgroup:foo", test_string);
|
|
+ g_test_add_data_func ("/PolkitIdentity/netgroup_gvariant", "unix-netgroup:foo", test_gvariant);
|
|
+#endif
|
|
|
|
g_test_add_data_func ("/PolkitIdentity/user_gvariant", "unix-user:root", test_gvariant);
|
|
g_test_add_data_func ("/PolkitIdentity/group_gvariant", "unix-group:root", test_gvariant);
|
|
- g_test_add_data_func ("/PolkitIdentity/netgroup_gvariant", "unix-netgroup:foo", test_gvariant);
|
|
|
|
add_comparison_tests ();
|
|
|
|
diff --git a/test/polkit/polkitunixnetgrouptest.c b/test/polkit/polkitunixnetgrouptest.c
|
|
index 3701ba1..e1d211e 100644
|
|
--- a/test/polkit/polkitunixnetgrouptest.c
|
|
+++ b/test/polkit/polkitunixnetgrouptest.c
|
|
@@ -69,7 +69,9 @@ int
|
|
main (int argc, char *argv[])
|
|
{
|
|
g_test_init (&argc, &argv, NULL);
|
|
+#ifdef HAVE_SETNETGRENT
|
|
g_test_add_func ("/PolkitUnixNetgroup/new", test_new);
|
|
g_test_add_func ("/PolkitUnixNetgroup/set_name", test_set_name);
|
|
+#endif
|
|
return g_test_run ();
|
|
}
|
|
diff --git a/test/polkitbackend/test-polkitbackendjsauthority.c b/test/polkitbackend/test-polkitbackendjsauthority.c
|
|
index 2103b17..b187a2f 100644
|
|
--- a/test/polkitbackend/test-polkitbackendjsauthority.c
|
|
+++ b/test/polkitbackend/test-polkitbackendjsauthority.c
|
|
@@ -137,12 +137,14 @@ test_get_admin_identities (void)
|
|
"unix-group:users"
|
|
}
|
|
},
|
|
+#ifdef HAVE_SETNETGRENT
|
|
{
|
|
"net.company.action3",
|
|
{
|
|
"unix-netgroup:foo"
|
|
}
|
|
},
|
|
+#endif
|
|
};
|
|
guint n;
|
|
|
|
--
|
|
GitLab
|
|
|