authorColin Guthrie <colin@mageia.org>2013-11-21 21:12:37 +0000
committerColin Guthrie <colin@mageia.org>2013-11-21 21:24:53 +0000
commit3b641cb27c28bdf42865ee15f7ccd2b6c9e9d3d1 (patch)
treeefa80eca1b88a28fdb4e52deee5717e934a6f983
parent7828203e308e62a47eac337a193d0fa1680b97d9 (diff)
polkit: Add support to draksec for writing polkit policy override rules.
This allows draksec to override things properly under polkit.
-rw-r--r--perl-install/NEWS3
-rwxr-xr-xperl-install/standalone/draksec52
-rw-r--r--perl-install/standalone/polkit/Makefile5
-rw-r--r--perl-install/standalone/polkit/org.mageia.draksec.rules11
4 files changed, 54 insertions, 17 deletions
diff --git a/perl-install/NEWS b/perl-install/NEWS
index 7a2a447c8..40de8d645 100644
--- a/perl-install/NEWS
+++ b/perl-install/NEWS
@@ -1,5 +1,6 @@
-Version 15.73.1 - 19 November 2013
+- draksec: support polkit rules editing for permissions overrides.
+Version 15.73.1 - 19 November 2013
- add chrony support to drakclock mga#11092
Version 15.73 - 12 November 2013
diff --git a/perl-install/standalone/draksec b/perl-install/standalone/draksec
index b5fd5d5ca..a4716da9b 100755
--- a/perl-install/standalone/draksec
+++ b/perl-install/standalone/draksec
@@ -110,33 +110,54 @@ my %progs;
my $auth_string = N("Configure authentication required to access %s tools", N("Mageia"));
my %auth = (
+ default => N("Default"),
no_passwd => N("No password"),
root_passwd => N("Root password"),
user_passwd => N("User password"),
);
+my $polkit_rules_file = "/etc/polkit-1/rules.d/51-draksec.rules";
+my %overrides = map { if ( /case '([^']+)': return polkit\.Result\.(YES|AUTH_ADMIN_KEEP|AUTH_SELF_KEEP)/ ) { ($1, $2) } } cat_($polkit_rules_file);
+
+
sub default_auth_value {
my ($prog) = @_;
- my $link = readlink("/etc/pam.d/$prog");
- if ($link =~ /mageia-console-auth/) {
- return $auth{no_passwd};
- } elsif ($link =~ /mageia-simple-auth/) {
- my ($user) = cat_("/etc/security/console.apps/$prog") =~ /USER=(.*)/;
- return $auth{root_passwd} if $user eq 'root';
- return $auth{user_passwd} if $user eq '<user>';
- }
+
+ return $auth{no_passwd} if $overrides{$prog} eq 'YES';
+ return $auth{root_passwd} if $overrides{$prog} eq 'AUTH_ADMIN_KEEP';
+ return $auth{user_passwd} if $overrides{$prog} eq 'AUTH_SELF_KEEP';
+ return $auth{default};
}
sub set_auth_value {
my ($prog, $auth) = @_;
if ($auth eq 'no_passwd') {
- symlinkf('../../etc/pam.d/mageia-console-auth', "/etc/pam.d/$prog");
+ $overrides{$prog} = 'YES';
+ } elsif ($auth eq 'root_passwd') {
+ $overrides{$prog} = 'AUTH_ADMIN_KEEP';
+ } elsif ($auth eq 'user_passwd') {
+ $overrides{$prog} = 'AUTH_SELF_KEEP';
+ } else {
+ delete $overrides{$prog};
+ }
+}
+
+sub write_rules() {
+ my $contents = '';
+ keys %overrides;
+ while(my($k, $v) = each %overrides) {
+ $contents .= "case '$k': return polkit.Result.$v;\n" if ($k && $v);
+ }
+
+ if ($contents) {
+ output($polkit_rules_file, <<EOF);
+// This file is written by draksec. Do not edit.
+var drakToolAuth = function(tool){switch (tool){
+$contents
+}return polkit.Result.NOT_HANDLED;};
+EOF
} else {
- symlinkf('../../etc/pam.d/mageia-simple-auth', "/etc/pam.d/$prog");
- my $value = $auth eq 'user_passwd' ? '<user>' : 'root';
- substInFile {
- s/^USER=.*/USER=$value/;
- } "/etc/security/console.apps/$prog";
+ rm_rf($polkit_rules_file);
}
}
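Review bot: The tool names written by `$contents .= "case '$k': return polkit.Result.$v;\n"` are interpolated unescaped into a JavaScript string literal inside a file that polkitd executes, so a key containing a quote, backslash or newline would corrupt the generated rule (and the `case '([^']+)'` regex in the `%overrides` initialiser would then silently drop it on the next run). The keys appear to come from `%progs` outside this hunk and are probably well-formed, but a guard before the append keeps the generator robust, e.g. `next unless $k =~ m{\A[\w-]+\z}xms;` — `$v` is already limited to the three enum values by set_auth_value and by the parse regex. Separately, `$overrides{$prog} eq 'YES'` in default_auth_value compares an undef value for every tool without an override and will emit uninitialized-value warnings if the script runs under `use warnings`; `my $rv = $overrides{$prog} // '';` and comparing `$rv` avoids that. The bare `keys %overrides;` in write_rules is the each()-iterator reset idiom and deserves a comment such as `# reset the each() iterator before looping`.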
@@ -188,7 +209,7 @@ gtkpack_($vbox,
[
gtkshow(gtknew('Label_Left', line_wrap => 1, text => $descr{$_} || $_)),
$progs{$_} = new_nonedit_combo([
- @auth{qw(user_passwd root_passwd no_passwd)}
+ @auth{qw(default user_passwd root_passwd no_passwd)}
],
default_auth_value($_)
#$msec->get_check_value($opt)
@@ -217,6 +238,7 @@ gtkpack_($vbox,
set_auth_value($key, $rev_auth{$value});
}
+ write_rules();
remove_wait_msg($w);
ugtk2->exit(0);
}
diff --git a/perl-install/standalone/polkit/Makefile b/perl-install/standalone/polkit/Makefile
index 070f4211e..6cd42c013 100644
--- a/perl-install/standalone/polkit/Makefile
+++ b/perl-install/standalone/polkit/Makefile
@@ -1,8 +1,10 @@
BINDIR = /usr/bin
LIBEXECDIR = /usr/libexec
BINDEST = $(PREFIX)$(BINDIR)
+POLKITRULESDEST = $(PREFIX)/usr/share/polkit-1/rules.d
POLKITPOLICYDEST = $(PREFIX)/usr/share/polkit-1/actions
+RULES := $(wildcard *.rules)
POLICY_IN := $(wildcard *.policy.in)
POLICY = $(POLICY_IN:.policy.in=.policy)
WRAPPERS = $(patsubst org.mageia.%.policy,%,$(POLICY))
@@ -19,6 +21,7 @@ clean:
intltool-merge --utf8 ../po $< $@ -x -u -c ../po/.intltool-merge-cache
install: all
- install -d $(BINDEST) $(POLKITPOLICYDEST)
+ install -d $(BINDEST) $(POLKITRULESDEST) $(POLKITPOLICYDEST)
install -m755 $(WRAPPERS) $(BINDEST)
install -m644 $(POLICY) $(POLKITPOLICYDEST)
+ install -m644 $(RULES) $(POLKITRULESDEST)
diff --git a/perl-install/standalone/polkit/org.mageia.draksec.rules b/perl-install/standalone/polkit/org.mageia.draksec.rules
new file mode 100644
index 000000000..45a7f0efe
--- /dev/null
+++ b/perl-install/standalone/polkit/org.mageia.draksec.rules
@@ -0,0 +1,11 @@
+polkit.addRule(function(action, subject) {
+ if (typeof drakToolAuth != "function" || action.id.indexOf("org.mageia.") != 0)
+ return polkit.Result.NOT_HANDLED;
+
+ var tool = action.id.split(".")[2];
+ var rv = drakToolAuth(tool);
+ if (rv != polkit.Result.NOT_HANDLED)
+ polkit.log("draksec security policy for '" + tool + "' is overriden to '" + rv + "'");
+ return rv;
+});
+
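Review bot: The rule never inspects `subject`, so a tool set to "No password" in draksec (`polkit.Result.YES`) is granted to any subject requesting the matching `org.mageia.*` action, including non-local and inactive sessions, whereas the pam `mageia-console-auth` setup this replaces appears to have been tied to the console. If that widening is intended it should be stated in a comment at the top of the file; if not, the override should only apply when `subject.local && subject.active` and otherwise return `polkit.Result.NOT_HANDLED`. Minor: the message on the `polkit.log(...)` line spells "overriden"; it should read "overridden".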