Mercurial > vanilla
changeset 490:dbffca6c243e
security/polkit: initial import, closes #1578
author | David Demelier <markand@malikania.fr> |
---|---|
date | Sun, 07 Apr 2019 14:36:39 +0200 |
parents | ba543d44b357 |
children | 9deb4fcc5475 |
files | UIDS_GIDS.md mate/mate-settings-daemon/mate-settings-daemon.sh security/polkit/CVE-2018-19788.patch security/polkit/make-innetgr-optional.patch security/polkit/polkit.sh xfce/xfce4-session/xfce4-session.sh |
diffstat | 6 files changed, 297 insertions(+), 5 deletions(-) [+] |
line wrap: on
line diff
--- a/UIDS_GIDS.md Sun Apr 07 14:37:20 2019 +0200 +++ b/UIDS_GIDS.md Sun Apr 07 14:36:39 2019 +0200 @@ -8,6 +8,7 @@ The following UID/GID are defined: -| uid | gid | package(s) | -|----------- |------------|------------| -| sshd (100) | sshd (100) | openssh | +| uid | gid | package(s) | +|---------------|---------------|------------| +| sshd (100) | sshd (100) | openssh | +| polkitd (101) | polkitd (101) | polkit |
--- a/mate/mate-settings-daemon/mate-settings-daemon.sh Sun Apr 07 14:37:20 2019 +0200 +++ b/mate/mate-settings-daemon/mate-settings-daemon.sh Sun Apr 07 14:36:39 2019 +0200 @@ -50,7 +50,7 @@ fi if [ "$POLICYKIT" = "yes" ]; then - PKGDEPENDS="security/policykit $PKGDEPENDS" + PKGDEPENDS="security/polkit $PKGDEPENDS" with_policykit="--enable-polkit" else with_policykit="--disable-polkit"
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/security/polkit/CVE-2018-19788.patch Sun Apr 07 14:36:39 2019 +0200 @@ -0,0 +1,150 @@ +--- src/polkit/polkitunixgroup.c ++++ src/polkit/polkitunixgroup.c +@@ -71,6 +71,7 @@ G_DEFINE_TYPE_WITH_CODE (PolkitUnixGroup, polkit_unix_group, G_TYPE_OBJECT, + static void + polkit_unix_group_init (PolkitUnixGroup *unix_group) + { ++ unix_group->gid = -1; /* (git_t) -1 is not a valid GID under Linux */ + } + + static void +@@ -100,11 +101,14 @@ polkit_unix_group_set_property (GObject *object, + GParamSpec *pspec) + { + PolkitUnixGroup *unix_group = POLKIT_UNIX_GROUP (object); ++ gint val; + + switch (prop_id) + { + case PROP_GID: +- unix_group->gid = g_value_get_int (value); ++ val = g_value_get_int (value); ++ g_return_if_fail (val != -1); ++ unix_group->gid = val; + break; + + default: +@@ -131,9 +135,9 @@ polkit_unix_group_class_init (PolkitUnixGroupClass *klass) + g_param_spec_int ("gid", + "Group ID", + "The UNIX group ID", +- 0, ++ G_MININT, + G_MAXINT, +- 0, ++ -1, + G_PARAM_CONSTRUCT | + G_PARAM_READWRITE | + G_PARAM_STATIC_NAME | +@@ -166,9 +170,10 @@ polkit_unix_group_get_gid (PolkitUnixGroup *group) + */ + void + polkit_unix_group_set_gid (PolkitUnixGroup *group, +- gint gid) ++ gint gid) + { + g_return_if_fail (POLKIT_IS_UNIX_GROUP (group)); ++ g_return_if_fail (gid != -1); + group->gid = gid; + } + +@@ -183,6 +188,8 @@ polkit_unix_group_set_gid (PolkitUnixGroup *group, + PolkitIdentity * + polkit_unix_group_new (gint gid) + { ++ g_return_val_if_fail (gid != -1, NULL); ++ + return POLKIT_IDENTITY (g_object_new (POLKIT_TYPE_UNIX_GROUP, + "gid", gid, + NULL)); +--- src/polkit/polkitunixprocess.c ++++ src/polkit/polkitunixprocess.c +@@ -159,9 +159,14 @@ polkit_unix_process_set_property (GObject *object, + polkit_unix_process_set_pid (unix_process, g_value_get_int (value)); + break; + +- case PROP_UID: +- polkit_unix_process_set_uid (unix_process, g_value_get_int (value)); ++ case PROP_UID: { ++ gint val; ++ ++ val = g_value_get_int (value); ++ g_return_if_fail (val != -1); ++ polkit_unix_process_set_uid (unix_process, val); + break; ++ } + + case PROP_START_TIME: + polkit_unix_process_set_start_time (unix_process, g_value_get_uint64 (value)); +@@ -239,7 +244,7 @@ polkit_unix_process_class_init (PolkitUnixProcessClass *klass) + g_param_spec_int ("uid", + "User ID", + "The UNIX user ID", +- -1, ++ G_MININT, + G_MAXINT, + -1, + G_PARAM_CONSTRUCT | +@@ -303,7 +308,6 @@ polkit_unix_process_set_uid (PolkitUnixProcess *process, + gint uid) + { + g_return_if_fail (POLKIT_IS_UNIX_PROCESS (process)); +- g_return_if_fail (uid >= -1); + process->uid = uid; + } + +--- src/polkit/polkitunixuser.c ++++ src/polkit/polkitunixuser.c +@@ -72,6 +72,7 @@ G_DEFINE_TYPE_WITH_CODE (PolkitUnixUser, polkit_unix_user, G_TYPE_OBJECT, + static void + polkit_unix_user_init (PolkitUnixUser *unix_user) + { ++ unix_user->uid = -1; /* (uid_t) -1 is not a valid UID under Linux */ + unix_user->name = NULL; + } + +@@ -112,11 +113,14 @@ polkit_unix_user_set_property (GObject *object, + GParamSpec *pspec) + { + PolkitUnixUser *unix_user = POLKIT_UNIX_USER (object); ++ gint val; + + switch (prop_id) + { + case PROP_UID: +- unix_user->uid = g_value_get_int (value); ++ val = g_value_get_int (value); ++ g_return_if_fail (val != -1); ++ unix_user->uid = val; + break; + + default: +@@ -144,9 +148,9 @@ polkit_unix_user_class_init (PolkitUnixUserClass *klass) + g_param_spec_int ("uid", + "User ID", + "The UNIX user ID", +- 0, ++ G_MININT, + G_MAXINT, +- 0, ++ -1, + G_PARAM_CONSTRUCT | + G_PARAM_READWRITE | + G_PARAM_STATIC_NAME | +@@ -182,6 +186,7 @@ polkit_unix_user_set_uid (PolkitUnixUser *user, + gint uid) + { + g_return_if_fail (POLKIT_IS_UNIX_USER (user)); ++ g_return_if_fail (uid != -1); + user->uid = uid; + } + +@@ -196,6 +201,8 @@ polkit_unix_user_set_uid (PolkitUnixUser *user, + PolkitIdentity * + polkit_unix_user_new (gint uid) + { ++ g_return_val_if_fail (uid != -1, NULL); ++ + return POLKIT_IDENTITY (g_object_new (POLKIT_TYPE_UNIX_USER, + "uid", uid, + NULL));
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/security/polkit/make-innetgr-optional.patch Sun Apr 07 14:36:39 2019 +0200 @@ -0,0 +1,68 @@ +--- configure.ac ++++ configure.ac +@@ -99,7 +99,7 @@ AC_CHECK_LIB(expat,XML_ParserCreate,[EXPAT_LIBS="-lexpat"], + [AC_MSG_ERROR([Can't find expat library. Please install expat.])]) + AC_SUBST(EXPAT_LIBS) + +-AC_CHECK_FUNCS(clearenv fdatasync) ++AC_CHECK_FUNCS(clearenv fdatasync getnetgrent) + + if test "x$GCC" = "xyes"; then + LDFLAGS="-Wl,--as-needed $LDFLAGS" +--- src/polkitbackend/polkitbackendinteractiveauthority.c ++++ src/polkitbackend/polkitbackendinteractiveauthority.c +@@ -2228,6 +2228,7 @@ get_users_in_net_group (PolkitIdentity *group, + ret = NULL; + name = polkit_unix_netgroup_get_name (POLKIT_UNIX_NETGROUP (group)); + ++#if defined HAVE_GETNETGRENT + #ifdef HAVE_SETNETGRENT_RETURN + if (setnetgrent (name) == 0) + { +@@ -2236,6 +2237,7 @@ get_users_in_net_group (PolkitIdentity *group, + } + #else + setnetgrent (name); ++#endif + #endif + + for (;;) +@@ -2248,8 +2250,10 @@ get_users_in_net_group (PolkitIdentity *group, + PolkitIdentity *user; + GError *error = NULL; + ++#if defined HAVE_GETNETGRENT + if (getnetgrent (&hostname, &username, &domainname) == 0) + break; ++#endif + + /* Skip NULL entries since we never want to make everyone an admin + * Skip "-" entries which mean "no match ever" in netgroup land */ +@@ -2274,7 +2278,9 @@ get_users_in_net_group (PolkitIdentity *group, + ret = g_list_reverse (ret); + + out: ++#if defined HAVE_GETNETGRENT + endnetgrent (); ++#endif + return ret; + } + +--- src/polkitbackend/polkitbackendjsauthority.cpp ++++ src/polkitbackend/polkitbackendjsauthority.cpp +@@ -1499,6 +1499,7 @@ js_polkit_user_is_in_netgroup (JSContext *cx, + + JS::CallArgs args = JS::CallArgsFromVp (argc, vp); + ++#if defined HAVE_GETNETGRENT + user = JS_EncodeString (cx, args[0].toString()); + netgroup = JS_EncodeString (cx, args[1].toString()); + +@@ -1514,6 +1515,7 @@ js_polkit_user_is_in_netgroup (JSContext *cx, + JS_free (cx, user); + + ret = true; ++#endif + + args.rval ().setBoolean (is_in_netgroup); +
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/security/polkit/polkit.sh Sun Apr 07 14:36:39 2019 +0200 @@ -0,0 +1,73 @@ +#!/bin/sh +# +# Copyright (c) 2019 David Demelier <markand@malikania.fr> +# +# Permission to use, copy, modify, and/or distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +# + +PKGNAME=polkit +PKGVERSION=0.115 +PKGREVISION=1 +PKGLICENSE="toolkit for handling authorizations" +PKGSUMMARY="short summary" +PKGDOWNLOAD="https://www.freedesktop.org/software/$PKGNAME/releases/$PKGNAME-$PKGVERSION.tar.gz" +PKGDEPENDS="lib/expat" +PKGOPTIONS="PAM" +PKGUIDS="polkitd:101" +PKGGIDS="polkitd:101" + +: ${CHOST:=$(uname -m)-linux-musl} +: ${CBUILD:=$(uname -m)-linux-musl} +: ${CC:=clang} +: ${CFLAGS:=-O2} +: ${LDFLAGS:=} +: ${LIBS:=} +: ${PAM:=yes} + +if [ "$PAM" = "yes" ]; then + PKGDEPENDS="security/linux-pam $PKGDEPENDS" + with_pam="--with-authfw=pam" +else + PKGDEPENDS="core/shadow $PKGDEPENDS" + with_pam="--with-authfw=shadow" +fi + +build() +{ + rm -rf $PKGNAME-$PKGVERSION + tar xvaf $PKGNAME-$PKGVERSION.tar.gz + pushd $PKGNAME-$PKGVERSION + + # credits to void-linux. + patch -p0 < ../CVE-2018-19788.patch + patch -p0 < ../make-innetgr-optional.patch + CC="$CC" \ + CFLAGS="$CFLAGS" \ + LDFLAGS="$LDFLAGS" \ + LIBS="$LIBS" \ + ./configure \ + --build=$CBUILD \ + --host=$CHOST \ + --prefix=/usr \ + --localstatedir=/var \ + --sysconfdir=/etc \ + --disable-libsystemd-login \ + --disable-libelogind \ + --enable-introspection=yes \ + $with_pam + make + make install DESTDIR=$DESTDIR + + popd + rm -rf $PKGNAME-$PKGVERSION +}
--- a/xfce/xfce4-session/xfce4-session.sh Sun Apr 07 14:37:20 2019 +0200 +++ b/xfce/xfce4-session/xfce4-session.sh Sun Apr 07 14:36:39 2019 +0200 @@ -43,7 +43,7 @@ : ${UPOWER:=yes} if [ "$POLICYKIT" = "yes" ]; then - PKGDEPENDS="security/policykit $PKGDEPENDS" + PKGDEPENDS="security/polkit $PKGDEPENDS" with_policykit="--enable-polkit" else with_policykit="--disable-polkit"