
Re: [PATCHES] Whip polkit into shape


From: Andy Wingo
Subject: Re: [PATCHES] Whip polkit into shape
Date: Tue, 01 Sep 2015 13:57:14 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux)

On Tue 01 Sep 2015 13:53, Andy Wingo <address@hidden> writes:

> Attached are three patches to polkit.  The first makes polkit use
> elogind for seat management.  The second is based on a WIP patch from
> Mark, and arranges for polkit to look in the system profile for rules
> and actions.  The third adds a polkit service.  I've tested these by
> running "pkaction" and "pkcheck", both with an embedded authentication
> agent and with an external agent.  Kinda cool to see these work.
> Unfortunately I haven't gotten user-mode "loginctl reboot" to work --
> for some reason it doesn't end up spawning the authentication agent
> correctly.  Oh well, future work.  Usually people will be running with an
> authentication agent linked to their graphical session anyway.
>
> BTW, for XFCE there appears to be this thing: 
>
>   https://github.com/ncopa/xfce-polkit
>
> See also:
>
>   https://wiki.archlinux.org/index.php/Polkit#Authentication_agents
>
> Cheers,

aaaaaaand here they are

>From e409449f493da3a42b9f989c819d3290fe9a523a Mon Sep 17 00:00:00 2001
From: Andy Wingo <address@hidden>
Date: Tue, 18 Aug 2015 11:39:22 +0200
Subject: [PATCH 3/7] gnu: polkit: Use elogind for seat management.

* gnu/packages/polkit.scm (polkit): Depend on elogind.
---
 gnu/packages/polkit.scm | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/gnu/packages/polkit.scm b/gnu/packages/polkit.scm
index 172b0e1..acbc03d 100644
--- a/gnu/packages/polkit.scm
+++ b/gnu/packages/polkit.scm
@@ -23,6 +23,7 @@
   #:use-module (guix build-system cmake)
   #:use-module (guix build-system gnu)
   #:use-module (gnu packages)
+  #:use-module (gnu packages freedesktop)
   #:use-module (gnu packages glib)
   #:use-module (gnu packages gnuzilla)
   #:use-module (gnu packages linux)
@@ -44,11 +45,28 @@
              (sha256
               (base32
                "109w86kfqrgz83g9ivggplmgc77rz8kx8646izvm2jb57h4rbh71"))
-             (patches (list (search-patch "polkit-drop-test.patch")))))
+             (patches (list (search-patch "polkit-drop-test.patch")))
+             (modules '((guix build utils)))
+             (snippet
+              '(begin
+                 (use-modules (guix build utils))
+                 (substitute* "configure"
+                   ;; Replace libsystemd-login with libelogind.
+                   (("libsystemd-login") "libelogind")
+                   ;; Skip the sanity check that the current system runs
+                   ;; systemd.
+                   (("test ! -d /sys/fs/cgroup/systemd/") "false"))
+                 (substitute* "src/polkit/polkitunixsession-systemd.c"
+                   (("systemd") "elogind"))
+                 (substitute* "src/polkitbackend/polkitbackendsessionmonitor-systemd.c"
+                   (("systemd") "elogind"))
+                 (substitute* "src/polkitbackend/polkitbackendjsauthority.c"
+                   (("systemd") "elogind"))))))
     (build-system gnu-build-system)
     (inputs
       `(("expat" ,expat)
         ("glib:bin" ,glib "bin") ; for glib-mkenums
+        ("elogind" ,elogind)
         ("intltool" ,intltool)
         ("linux-pam" ,linux-pam)
         ("mozjs" ,mozjs)
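Review bot: The three `(("systemd") "elogind")` substitutions rewrite every occurrence of the word in those polkit source files, not just the header include they presumably target, so comments, log strings and any identifier containing "systemd" change too. In an authorization daemon it is worth keeping the patched surface small and auditable; consider anchoring the pattern to the include, e.g. `(("<systemd/sd-login\\.h>") "<elogind/sd-login.h>")`, after confirming that is the only occurrence that has to change. `substitute*` does not fail when a pattern stops matching, so a comment naming the polkit version the patterns were checked against would help the next upgrade. The package definition starts and ends outside this hunk.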
-- 
2.4.3

>From 11e1301553117f093642142bf50bb4462c87ba47 Mon Sep 17 00:00:00 2001
From: Andy Wingo <address@hidden>
Date: Tue, 1 Sep 2015 13:30:31 +0200
Subject: [PATCH 4/7] gnu: polkit: Look for rules in
 /run/current-system/profile.

* gnu/packages/polkit.scm (polkit): Configure to look for actions and
  rules in the system profile.  Arrange to look for the setuid helper in
  /run/setuid-programs.  Fix introspection installation.

Based on a patch by Mark H Weaver <address@hidden>.
---
 gnu/packages/polkit.scm | 62 +++++++++++++++++++++++++++++++++++++++++--------
 1 file changed, 52 insertions(+), 10 deletions(-)

diff --git a/gnu/packages/polkit.scm b/gnu/packages/polkit.scm
index acbc03d..010d47a 100644
--- a/gnu/packages/polkit.scm
+++ b/gnu/packages/polkit.scm
@@ -1,5 +1,6 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2014 Andreas Enge <address@hidden>
+;;; Copyright © 2015 Mark H Weaver <address@hidden>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -61,20 +62,61 @@
                  (substitute* "src/polkitbackend/polkitbackendsessionmonitor-systemd.c"
                    (("systemd") "elogind"))
                  (substitute* "src/polkitbackend/polkitbackendjsauthority.c"
-                   (("systemd") "elogind"))))))
+                   (("systemd") "elogind"))
+
+                 (substitute* "src/polkitagent/polkitagentsession.c"
+                   (("PACKAGE_PREFIX \"/lib/polkit-1/polkit-agent-helper-1\"")
+                    "\"/run/setuid-programs/polkit-agent-helper-1\""))
+                 (substitute* "src/polkitbackend/polkitbackendinteractiveauthority.c"
+                   (("PACKAGE_DATA_DIR \"/polkit-1/actions\"")
+                    "\"/run/current-system/profile/share/polkit-1/actions\""))
+                 (substitute* "src/polkitbackend/polkitbackendjsauthority.c"
+                   (("PACKAGE_SYSCONF_DIR \"/polkit-1/rules.d\"")
+                    "\"/run/current-system/profile/etc/polkit-1/rules.d\""))
+                 (substitute* "src/polkitbackend/polkitbackendjsauthority.c"
+                   (("PACKAGE_DATA_DIR \"/polkit-1/rules.d\"")
+                    "\"/run/current-system/profile/share/polkit-1/rules.d\""))))))
     (build-system gnu-build-system)
     (inputs
-      `(("expat" ,expat)
-        ("glib:bin" ,glib "bin") ; for glib-mkenums
-        ("elogind" ,elogind)
-        ("intltool" ,intltool)
-        ("linux-pam" ,linux-pam)
-        ("mozjs" ,mozjs)
-        ("nspr" ,nspr)))
+     `(("expat" ,expat)
+       ("linux-pam" ,linux-pam)
+       ("elogind" ,elogind)
+       ("mozjs" ,mozjs)
+       ("nspr" ,nspr)))
     (propagated-inputs
-      `(("glib" ,glib))) ; required by polkit-gobject-1.pc
+     `(("glib" ,glib))) ; required by polkit-gobject-1.pc
     (native-inputs
-      `(("pkg-config", pkg-config)))
+     `(("pkg-config" ,pkg-config)
+       ("glib:bin" ,glib "bin") ; for glib-mkenums
+       ("intltool" ,intltool)
+       ("gobject-introspection" ,gobject-introspection)))
+    (arguments
+     `(#:configure-flags '("--sysconfdir=/etc"
+                           "--enable-man-pages")
+       #:phases
+       (modify-phases %standard-phases
+         (add-after
+          'unpack 'fix-introspection-install-dir
+          (lambda* (#:key outputs #:allow-other-keys)
+            (let ((out (assoc-ref outputs "out")))
+              (substitute* (find-files "." "Makefile.in")
+                (("@INTROSPECTION_GIRDIR@")
+                 (string-append out "/share/gir-1.0/"))
+                (("@INTROSPECTION_TYPELIBDIR@")
+                 (string-append out "/lib/girepository-1.0/"))))))
+         (replace
+          'install
+          (lambda* (#:key outputs (make-flags '()) #:allow-other-keys)
+            ;; Override sysconfdir during "make install", to avoid attempting
+            ;; to install in /etc, and to instead install the skeletons in the
+            ;; output directory.
+            (let ((out (assoc-ref outputs "out")))
+             (zero? (apply system*
+                           "make" "install"
+                           (string-append "sysconfdir=" out "/etc")
+                           (string-append "polkit_actiondir="
+                                          out "/share/polkit-1/actions")
+                           make-flags))))))))
     (home-page "http://www.freedesktop.org/wiki/Software/polkit/";)
     (synopsis "Authorization API for privilege management")
     (description "Polkit is an application-level toolkit for defining and
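Review bot: The rewrite of the agent helper path to `/run/setuid-programs/polkit-agent-helper-1` makes authentication depend on the system configuration installing that helper setuid-root, and nothing in the visible patches adds it to the setuid programs, so the dependency should be stated next to the substitution. I would add a comment such as `;; polkit-agent-helper-1 must be setuid root, which a store file cannot be; the operating system has to list it among its setuid programs.` The rules.d and actions substitutions deserve a similar comment: rule files are authorization logic evaluated by polkitd, so anything a package places in the system profile's `polkit-1/rules.d` becomes trusted policy. Because `substitute*` does nothing when a pattern no longer matches, a polkit upgrade that changes these string literals would silently fall back to the store paths; the package definition continues outside the hunk.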
-- 
2.4.3

>From ec20ffc9bdad2d467ec0f7e76f1b7f7a92580eff Mon Sep 17 00:00:00 2001
From: Andy Wingo <address@hidden>
Date: Tue, 18 Aug 2015 11:57:15 +0200
Subject: [PATCH 5/7] gnu: Add polkit service.

* gnu/services/desktop.scm (polkit-service): New function.
  (%desktop-services): Add polkit service.
---
 gnu/services/desktop.scm | 51 +++++++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 46 insertions(+), 5 deletions(-)

diff --git a/gnu/services/desktop.scm b/gnu/services/desktop.scm
index 764954c..500933c 100644
--- a/gnu/services/desktop.scm
+++ b/gnu/services/desktop.scm
@@ -24,12 +24,14 @@
   #:use-module (gnu services xorg)
   #:use-module (gnu services networking)
   #:use-module (gnu system shadow)
+  #:use-module (gnu system linux) ; unix-pam-service
   #:use-module (gnu packages glib)
   #:use-module (gnu packages admin)
   #:use-module (gnu packages freedesktop)
   #:use-module (gnu packages gnome)
   #:use-module (gnu packages avahi)
   #:use-module (gnu packages wicd)
+  #:use-module (gnu packages polkit)
   #:use-module (guix monads)
   #:use-module (guix store)
   #:use-module (guix gexp)
@@ -40,6 +42,7 @@
             geoclue-application
             %standard-geoclue-applications
             geoclue-service
+            polkit-service
             elogind-service
             %desktop-services))
 
@@ -376,6 +379,42 @@ site} for more information."
 
 
 ;;;
+;;; Polkit privilege management service.
+;;;
+
+(define* (polkit-service #:key (polkit polkit))
+  "Return a service that runs the @command{polkit} privilege management
+service.  By querying the @command{polkit} service, a privileged system
+component can know when it should grant additional capabilities to ordinary
+users.  For example, an ordinary user can be granted the capability to suspend
+the system if the user is logged in locally."
+  (with-monad %store-monad
+    (return
+     (service
+      (documentation "Run the polkit privilege management service.")
+      (provision '(polkit-daemon))
+      (requirement '(dbus-system))
+
+      (start #~(make-forkexec-constructor
+                (list (string-append #$polkit "/lib/polkit-1/polkitd"))))
+      (stop #~(make-kill-destructor))
+
+      (user-groups (list (user-group
+                          (name "polkitd")
+                          (system? #t))))
+      (user-accounts (list (user-account
+                            (name "polkitd")
+                            (group "polkitd")
+                            (system? #t)
+                            (comment "Polkit daemon user")
+                            (home-directory "/var/empty")
+                            (shell
+                             "/run/current-system/profile/sbin/nologin"))))
+
+      (pam-services (list (unix-pam-service "polkit-1")))))))
+
+
+;;;
 ;;; Elogind login and seat management service.
 ;;;
 
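Review bot: The `start` field passes only the polkitd path to `make-forkexec-constructor`, so the daemon is launched as root and the `polkitd` account created below is used only if polkitd switches to it on its own; that assumption deserves a comment, since this process evaluates the authorization rules. Something like `;; polkitd starts as root and is expected to drop to the "polkitd" user itself.` above `start` would do, once confirmed against the polkit build. Upstream's service file also passes `--no-debug`; without it the daemon's debug output goes to wherever the service's stdout is connected, which may be worth deciding explicitly.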
@@ -552,14 +591,16 @@ when they log out."
          (avahi-service)
          (wicd-service)
          (upower-service)
-         ;; FIXME: The colord and geoclue services could all be bus-activated
-         ;; by default, so they don't run at program startup.  However, user
-         ;; creation and /var/lib.colord creation happen at service activation
-         ;; time, so we currently add them to the set of default services.
+         ;; FIXME: The colord, geoclue, and polkit services could all be
+         ;; bus-activated by default, so they don't run at program startup.
+         ;; However, user creation and /var/lib/colord creation happen at
+         ;; service activation time, so we currently add them to the set of
+         ;; default services.
          (colord-service)
          (geoclue-service)
+         (polkit-service)
          (elogind-service)
-         (dbus-service (list avahi wicd upower colord geoclue elogind))
+         (dbus-service (list avahi wicd upower colord geoclue polkit elogind))
 
          (ntp-service)
 
-- 
2.4.3

