diff options
author | Colin Guthrie <colin@mageia.org> | 2013-11-21 21:12:37 +0000 |
---|---|---|
committer | Colin Guthrie <colin@mageia.org> | 2013-11-21 21:24:53 +0000 |
commit | 3b641cb27c28bdf42865ee15f7ccd2b6c9e9d3d1 (patch) | |
tree | efa80eca1b88a28fdb4e52deee5717e934a6f983 | |
parent | 7828203e308e62a47eac337a193d0fa1680b97d9 (diff) | |
download | drakx-3b641cb27c28bdf42865ee15f7ccd2b6c9e9d3d1.tar drakx-3b641cb27c28bdf42865ee15f7ccd2b6c9e9d3d1.tar.gz drakx-3b641cb27c28bdf42865ee15f7ccd2b6c9e9d3d1.tar.bz2 drakx-3b641cb27c28bdf42865ee15f7ccd2b6c9e9d3d1.tar.xz drakx-3b641cb27c28bdf42865ee15f7ccd2b6c9e9d3d1.zip |
polkit: Add support to draksec for writing polkit policy override rules.
This allows draksec to override things properly under polkit.
-rw-r--r-- | perl-install/NEWS | 3 | ||||
-rwxr-xr-x | perl-install/standalone/draksec | 52 | ||||
-rw-r--r-- | perl-install/standalone/polkit/Makefile | 5 | ||||
-rw-r--r-- | perl-install/standalone/polkit/org.mageia.draksec.rules | 11 |
4 files changed, 54 insertions, 17 deletions
diff --git a/perl-install/NEWS b/perl-install/NEWS index 7a2a447c8..40de8d645 100644 --- a/perl-install/NEWS +++ b/perl-install/NEWS @@ -1,5 +1,6 @@ -Version 15.73.1 - 19 November 2013 +- draksec: support polkit rules editing for permissions overrides. +Version 15.73.1 - 19 November 2013 - add chrony support to drakclock mga#11092 Version 15.73 - 12 November 2013 diff --git a/perl-install/standalone/draksec b/perl-install/standalone/draksec index b5fd5d5ca..a4716da9b 100755 --- a/perl-install/standalone/draksec +++ b/perl-install/standalone/draksec @@ -110,33 +110,54 @@ my %progs; my $auth_string = N("Configure authentication required to access %s tools", N("Mageia")); my %auth = ( + default => N("Default"), no_passwd => N("No password"), root_passwd => N("Root password"), user_passwd => N("User password"), ); +my $polkit_rules_file = "/etc/polkit-1/rules.d/51-draksec.rules"; +my %overrides = map { if ( /case '([^']+)': return polkit\.Result\.(YES|AUTH_ADMIN_KEEP|AUTH_SELF_KEEP)/ ) { ($1, $2) } } cat_($polkit_rules_file); + + sub default_auth_value { my ($prog) = @_; - my $link = readlink("/etc/pam.d/$prog"); - if ($link =~ /mageia-console-auth/) { - return $auth{no_passwd}; - } elsif ($link =~ /mageia-simple-auth/) { - my ($user) = cat_("/etc/security/console.apps/$prog") =~ /USER=(.*)/; - return $auth{root_passwd} if $user eq 'root'; - return $auth{user_passwd} if $user eq '<user>'; - } + + return $auth{no_passwd} if $overrides{$prog} eq 'YES'; + return $auth{root_passwd} if $overrides{$prog} eq 'AUTH_ADMIN_KEEP'; + return $auth{user_passwd} if $overrides{$prog} eq 'AUTH_SELF_KEEP'; + return $auth{default}; } sub set_auth_value { my ($prog, $auth) = @_; if ($auth eq 'no_passwd') { - symlinkf('../../etc/pam.d/mageia-console-auth', "/etc/pam.d/$prog"); + $overrides{$prog} = 'YES'; + } elsif ($auth eq 'root_passwd') { + $overrides{$prog} = 'AUTH_ADMIN_KEEP'; + } elsif ($auth eq 'user_passwd') { + $overrides{$prog} = 'AUTH_SELF_KEEP'; + } else { + delete $overrides{$prog}; + } +} + +sub write_rules() { + my $contents = ''; + keys %overrides; + while(my($k, $v) = each %overrides) { + $contents .= "case '$k': return polkit.Result.$v;\n" if ($k && $v); + } + + if ($contents) { + output($polkit_rules_file, <<EOF); +// This file is written by draksec. Do not edit. +var drakToolAuth = function(tool){switch (tool){ +$contents +}return polkit.Result.NOT_HANDLED;}; +EOF } else { - symlinkf('../../etc/pam.d/mageia-simple-auth', "/etc/pam.d/$prog"); - my $value = $auth eq 'user_passwd' ? '<user>' : 'root'; - substInFile { - s/^USER=.*/USER=$value/; - } "/etc/security/console.apps/$prog"; + rm_rf($polkit_rules_file); } } @@ -188,7 +209,7 @@ gtkpack_($vbox, [ gtkshow(gtknew('Label_Left', line_wrap => 1, text => $descr{$_} || $_)), $progs{$_} = new_nonedit_combo([ - @auth{qw(user_passwd root_passwd no_passwd)} + @auth{qw(default user_passwd root_passwd no_passwd)} ], default_auth_value($_) #$msec->get_check_value($opt) @@ -217,6 +238,7 @@ gtkpack_($vbox, set_auth_value($key, $rev_auth{$value}); } + write_rules(); remove_wait_msg($w); ugtk2->exit(0); } diff --git a/perl-install/standalone/polkit/Makefile b/perl-install/standalone/polkit/Makefile index 070f4211e..6cd42c013 100644 --- a/perl-install/standalone/polkit/Makefile +++ b/perl-install/standalone/polkit/Makefile @@ -1,8 +1,10 @@ BINDIR = /usr/bin LIBEXECDIR = /usr/libexec BINDEST = $(PREFIX)$(BINDIR) +POLKITRULESDEST = $(PREFIX)/usr/share/polkit-1/rules.d POLKITPOLICYDEST = $(PREFIX)/usr/share/polkit-1/actions +RULES := $(wildcard *.rules) POLICY_IN := $(wildcard *.policy.in) POLICY = $(POLICY_IN:.policy.in=.policy) WRAPPERS = $(patsubst org.mageia.%.policy,%,$(POLICY)) @@ -19,6 +21,7 @@ clean: intltool-merge --utf8 ../po $< $@ -x -u -c ../po/.intltool-merge-cache install: all - install -d $(BINDEST) $(POLKITPOLICYDEST) + install -d $(BINDEST) $(POLKITRULESDEST) $(POLKITPOLICYDEST) install -m755 $(WRAPPERS) $(BINDEST) install -m644 $(POLICY) $(POLKITPOLICYDEST) + install -m644 $(RULES) $(POLKITRULESDEST) diff --git a/perl-install/standalone/polkit/org.mageia.draksec.rules b/perl-install/standalone/polkit/org.mageia.draksec.rules new file mode 100644 index 000000000..45a7f0efe --- /dev/null +++ b/perl-install/standalone/polkit/org.mageia.draksec.rules @@ -0,0 +1,11 @@ +polkit.addRule(function(action, subject) { + if (typeof drakToolAuth != "function" || action.id.indexOf("org.mageia.") != 0) + return polkit.Result.NOT_HANDLED; + + var tool = action.id.split(".")[2]; + var rv = drakToolAuth(tool); + if (rv != polkit.Result.NOT_HANDLED) + polkit.log("draksec security policy for '" + tool + "' is overriden to '" + rv + "'"); + return rv; +}); + |