polkit.spec
Summary: PolicyKit Authorization Framework
Name: polkit
Version: 0.96
Release: 11.1%{?dist}
License: LGPLv2+
URL: http://www.freedesktop.org/wiki/Software/PolicyKit
Source0: http://hal.freedesktop.org/releases/%{name}-%{version}.tar.gz
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
Group: System Environment/Libraries
BuildRequires: glib2-devel
BuildRequires: expat-devel
BuildRequires: pam-devel
BuildRequires: eggdbus-devel
BuildRequires: gtk-doc
BuildRequires: intltool
Requires: ConsoleKit
Requires: dbus
Requires(preun,postun): dbus, gawk
Obsoletes: PolicyKit <= 0.10
Provides: PolicyKit = 0.11
# Backport of patches that fix CVE-2011-1485
# See https://bugzilla.redhat.com/show_bug.cgi?id=692922
#
# Also see the polkit-0-96 branch in the upstream git repo.
#
Patch10: 0001-PolkitUnixProcess-Clarify-that-the-real-uid-is-retur.patch
Patch11: 0002-Make-PolkitUnixProcess-also-record-the-uid-of-the-pr.patch
Patch12: 0003-Use-polkit_unix_process_get_uid-to-get-the-owner-of-.patch
Patch13: 0004-pkexec-Avoid-TOCTTOU-problems-with-parent-process.patch
Patch14: 0005-Bug-26982-pkexec-information-disclosure-vulnerabilit.patch
Patch15: 0006-Bug-29051-Configuration-reload-on-every-query.patch
# Backported 52c927893a2ab135462b616c2e00fec377da9885 by Colin Walters
# <[email protected]>, yet to be committed upstream.
Patch16: polkit-0.96-CVE-2013-4288.patch
# Parts of http://bugs.freedesktop.org/show_bug.cgi?id=29936
Patch17: polkit-0.96-help.patch
# polkit-pkla-compat commits 158b21ecd4e0997ae01d0f7b528737dd7c39f470 ,
# 6dc94f276aee05b163b5f8da51431dcc0877b874 and parts of
# 4f65eb2df62cbc0c8eed68f402e14eab65cd1523 .
Patch18: polkit-0.96-default.patch
# polkit-pkla-compat commits e88fb4b733e0fd6b8cb22cdbd387e132b87ffdde
# and a54bff567936c4bb21b728d8f85239e30ccb81ef .
Patch19: polkit-0.96-order.patch
# Part of b031cf007ff8ac08055a737d69e5d83a13e8ef7c
Patch20: polkit-0.96-cmdline-crash.patch
#by liudehong @ 20220129
Patch21: polkit-0.96-CVE-2021-4034.patch
%description
PolicyKit is a toolkit for defining and handling authorizations.
It is used for allowing unprivileged processes to speak to privileged
processes.
%package devel
Summary: Development files for PolicyKit
Group: Development/Libraries
Requires: %name = %{version}-%{release}
Requires: %name-docs = %{version}-%{release}
Requires: pkgconfig
Requires: glib2-devel
Obsoletes: PolicyKit-devel <= 0.10
Provides: PolicyKit-devel = 0.11
%description devel
Development files for PolicyKit.
%package docs
Summary: Development documentation for PolicyKit
Group: Development/Libraries
Requires: %name-devel = %{version}-%{release}
Requires: gtk-doc
Obsoletes: PolicyKit-docs <= 0.10
Provides: PolicyKit-docs = 0.11
%description docs
Development documentation for PolicyKit.
%package desktop-policy
Summary: Roles and default policy for desktop usage
Group: Development/Libraries
#Requires: %name = %{version}-%{release}
Requires(pre): /usr/sbin/groupadd
Requires(preun): /usr/sbin/groupdel
BuildArch: noarch
%description desktop-policy
Roles and default policy for desktop usage.
%prep
%setup -q
%patch10 -p1
%patch11 -p1
%patch12 -p1
%patch13 -p1
%patch14 -p1
%patch15 -p1
%patch16 -p1
%patch17 -p1 -b .help
%patch18 -p1 -b .default
%patch19 -p1 -b .order
%patch20 -p1 -b .cmdline-crash
%patch21 -p1
%build
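# Hardened build: position-independent code linked as PIE with full RELRO
# (-z relro plus -z now). See the 0.96-6 changelog entry, #927406.
export CFLAGS='-fPIC %optflags'
export LDFLAGS='-pie -Wl,-z,now -Wl,-z,relro'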
%configure --enable-gtk-doc --disable-static --libexecdir=%{_libexecdir}/polkit-1 --enable-examples --disable-introspection
make
%install
rm -rf $RPM_BUILD_ROOT
make install DESTDIR=$RPM_BUILD_ROOT
rm -f $RPM_BUILD_ROOT%{_libdir}/*.la
rm -f $RPM_BUILD_ROOT%{_libdir}/polkit-1/extensions/*.la
# fix up multilib problems in the docs
sed -i -e "s#/usr/lib/polkit-1/extensions#\${libdir}/polkit-1/extensions#" \
       -e "s#/usr/lib64/polkit-1/extensions#\${libdir}/polkit-1/extensions#" \
    $RPM_BUILD_ROOT%{_datadir}/gtk-doc/html/polkit-1/polkit-extending.html
sed -i -e "s#/usr/lib/polkit-1/extensions#\${libdir}/polkit-1/extensions#" \
       -e "s#/usr/lib64/polkit-1/extensions#\${libdir}/polkit-1/extensions#" \
    $RPM_BUILD_ROOT%{_datadir}/gtk-doc/html/polkit-1/polkit-1-polkitunixprocess.html
%find_lang polkit-1
###
### BEGIN DESKTOP POLICY CONFIGURATION ###
###
cat > $RPM_BUILD_ROOT%{_sysconfdir}/polkit-1/localauthority.conf.d/60-desktop-policy.conf << EOF
# This allows users in the desktop_admin_r group to authenticate as
# the administrator.
#
# DO NOT EDIT THIS FILE, it will be overwritten on update.
[Configuration]
AdminIdentities=unix-group:desktop_admin_r
EOF
cat > $RPM_BUILD_ROOT%{_localstatedir}/lib/polkit-1/localauthority/10-vendor.d/10-desktop-policy.pkla << EOF
# Authorizations/policy for the desktop_admin_r and desktop_user_r groups.
#
# DO NOT EDIT THIS FILE, it will be overwritten on update.
# Allow "standard users" to do some things without being interrupted by
# password dialogs (TODO: not complete)
#
[Desktop User Permissions]
Identity=unix-group:desktop_user_r
Action=org.gnome.clockapplet.mechanism.settimezone
ResultAny=no
ResultInactive=no
ResultActive=yes
# Allow "administrative users" to do a lot of things without being interrupted by
# password dialogs (TODO: not complete)
#
[Desktop Administrator Permissions]
Identity=unix-group:desktop_admin_r
Action=org.gnome.clockapplet.mechanism.*;org.freedesktop.udisks.*;org.freedesktop.RealtimeKit1.*
ResultAny=no
ResultInactive=no
ResultActive=yes
EOF
###
### END DESKTOP POLICY CONFIGURATION
###
%clean
rm -rf $RPM_BUILD_ROOT
%preun
# $1 is the number of installed instances left after this operation;
# 0 means final removal, so stop the running polkitd.
if [ "$1" -eq 0 ] ; then
    pid=$(dbus-send --system --dest=org.freedesktop.DBus --print-reply \
        /org/freedesktop/DBus org.freedesktop.DBus.GetConnectionUnixProcessID \
        string:org.freedesktop.PolicyKit1 2>/dev/null \
        | awk '$1 == "uint32" { print $2 }')
    if [ -n "$pid" ]; then
        kill "$pid" 2>/dev/null || :
    fi
fi
%post -p /sbin/ldconfig
%postun
/sbin/ldconfig
# $1 >= 1 means an upgrade: stop the old polkitd so that D-Bus activation
# starts the updated binary on the next request.
if [ "$1" -ge 1 ] ; then
    pid=$(dbus-send --system --dest=org.freedesktop.DBus --print-reply \
        /org/freedesktop/DBus org.freedesktop.DBus.GetConnectionUnixProcessID \
        string:org.freedesktop.PolicyKit1 2>/dev/null \
        | awk '$1 == "uint32" { print $2 }')
    if [ -n "$pid" ]; then
        kill "$pid" 2>/dev/null || :
    fi
fi
%pre desktop-policy
/usr/sbin/groupadd -r desktop_admin_r 2> /dev/null || :
/usr/sbin/groupadd -r desktop_user_r 2> /dev/null || :
%files desktop-policy
%{_sysconfdir}/polkit-1/localauthority.conf.d/60-desktop-policy.conf
%{_localstatedir}/lib/polkit-1/localauthority/10-vendor.d/10-desktop-policy.pkla
%files -f polkit-1.lang
%defattr(-,root,root,-)
%doc COPYING
%{_libdir}/lib*.so.*
%dir %{_libdir}/polkit-1
%dir %{_libdir}/polkit-1/extensions
%{_libdir}/polkit-1/extensions/*.so
%{_datadir}/man/man1/*
%{_datadir}/man/man8/*
%{_datadir}/dbus-1/system-services/*
%dir %{_datadir}/polkit-1/
%dir %{_datadir}/polkit-1/actions
%{_datadir}/polkit-1/actions/org.freedesktop.policykit.policy
%{_sysconfdir}/dbus-1/system.d/org.freedesktop.PolicyKit1.conf
%{_sysconfdir}/pam.d/polkit-1
%{_sysconfdir}/polkit-1
%{_bindir}/pkaction
%{_bindir}/pkcheck
%{_libexecdir}/polkit-1/polkitd
# pkexec and polkit-agent-helper-1 are installed setuid root (mode 4755);
# see upstream docs for why these permissions are necessary
%attr(4755,root,root) %{_bindir}/pkexec
%attr(4755,root,root) %{_libexecdir}/polkit-1/polkit-agent-helper-1
%attr(0700,root,root) %dir %{_localstatedir}/lib/polkit-1/
%dir %{_localstatedir}/lib/polkit-1/localauthority
%dir %{_localstatedir}/lib/polkit-1/localauthority/10-vendor.d
%dir %{_localstatedir}/lib/polkit-1/localauthority/20-org.d
%dir %{_localstatedir}/lib/polkit-1/localauthority/30-site.d
%dir %{_localstatedir}/lib/polkit-1/localauthority/50-local.d
%dir %{_localstatedir}/lib/polkit-1/localauthority/90-mandatory.d
%files devel
%defattr(-,root,root,-)
%{_libdir}/lib*.so
%{_libdir}/pkgconfig/*.pc
%{_includedir}/*
%{_bindir}/pk-example-frobnicate
%{_datadir}/polkit-1/actions/org.freedesktop.policykit.examples.pkexec.policy
%files docs
%defattr(-,root,root,-)
%{_datadir}/gtk-doc/html/*
%changelog
* Fri Dec 17 2021 Jan Rybar <[email protected]> - 0.96-11.1
- Modified and packaged with reference to material found online, by liudehong
- Fri Dec 17 2021 Jan Rybar <[email protected]> - 0.112-26.1
- pkexec: argv overflow results in local privilege esc.
- Resolves: CVE-2021-4034
* Sat Mar 7 2015 Miloslav Trmač <[email protected]> - 0.96-11
- Gracefully handle race conditions and other failures to kill polkitd
  Related: #1115649
* Wed Mar 4 2015 Miloslav Trmač <[email protected]> - 0.96-10
- Fix scriptlet failure when polkitd is not running
  Related: #1115649
* Tue Mar 3 2015 Miloslav Trmač <[email protected]> - 0.96-9
- Restart polkitd on package upgrade or uninstallation
  Resolves: #1115649
* Fri Feb 20 2015 Miloslav Trmač <[email protected]> - 0.96-8
- Fix text in (pkcheck --help)
  Resolves: #1130156
* Wed Aug 27 2014 Miloslav Trmač <[email protected]> - 0.96-7
- Fix a crash on failure to read a command line of a process
  Resolves: #1132830
* Tue Jun 10 2014 Miloslav Trmač <[email protected]> - 0.96-6
- Use real --help text and error messages instead of showing a man page in
  pkaction and pkcheck. Fix description of (pkaction --action-id) in the man
  page.
  Resolves: #628862
- Add support for Identity=default in .pkla files
  Resolves: #812684
- Use a consistent order for .pkla files within a directory. Based on a patch
  by Jared Jennings <[email protected]>.
  Resolves: #864613
- Build using PIE and relro
  Resolves: #927406
* Tue Sep 17 2013 Miloslav Trmač <[email protected]> - 0.96-5
- Actually apply the patch, and modify it to apply to 0.96
- Resolves: #1006264
* Fri Sep 13 2013 Jan Lieskovsky <[email protected]> - 0.96-4%{?dist}
- Include fix for CVE-2013-4288
- Resolves: #1006264
* Mon Apr 11 2011 David Zeuthen <[email protected]> - 0.96-3%{?dist}
- Include fixes for CVE-2011-1485
- Resolves: #692942
* Mon Jun 21 2010 Matthias Clasen <[email protected]> - 0.96-2
- Fix a multilib problem
Resolves: #605099
* Fri Jan 15 2010 David Zeuthen <[email protected]> - 0.96-1
- Update to 0.96
- Related: rhbz#543948
* Wed Jan 13 2010 David Zeuthen <[email protected]> - 0.95-4
- Rebuild
- Related: rhbz#543948
* Wed Jan 13 2010 David Zeuthen <[email protected]> - 0.95-3
- Disable GObject Introspection
- Related: rhbz#543948
* Fri Nov 13 2009 David Zeuthen <[email protected]> - 0.95-2
- Rebuild
* Fri Nov 13 2009 David Zeuthen <[email protected]> - 0.95-1
- Update to 0.95
- Drop upstreamed patches
* Tue Oct 20 2009 Matthias Clasen <[email protected]> - 0.95-0.git20090913.3
- Fix a typo in pklocalauthority(8)
* Mon Sep 14 2009 David Zeuthen <[email protected]> - 0.95-0.git20090913.2
- Refine how Obsolete: is used and also add Provides: (thanks Jesse
  Keating and nim-nim)
* Mon Sep 14 2009 David Zeuthen <[email protected]> - 0.95-0.git20090913.1
- Add bugfix for polkit_unix_process_new_full() (thanks Bastien Nocera)
- Obsolete old PolicyKit packages
* Sun Sep 13 2009 David Zeuthen <[email protected]> - 0.95-0.git20090913
- Update to git snapshot
- Drop upstreamed patches
- Turn on GObject introspection
- Don't delete desktop_admin_r and desktop_user_r groups when
  uninstalling polkit-desktop-policy
* Fri Sep 11 2009 David Zeuthen <[email protected]> - 0.94-4
- Add some patches from git master
- Sort pkaction(1) output
- Bug 23867 – UnixProcess vs. SystemBusName aliasing
* Thu Aug 13 2009 David Zeuthen <[email protected]> - 0.94-3
- Add desktop_admin_r and desktop_user_r groups along with a first cut
  of default authorizations for users in these groups.
* Wed Aug 12 2009 David Zeuthen <[email protected]> - 0.94-2
- Disable GObject Introspection for now as it breaks the build
* Wed Aug 12 2009 David Zeuthen <[email protected]> - 0.94-1
- Update to upstream release 0.94
* Sun Jul 26 2009 Fedora Release Engineering <[email protected]> - 0.93-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
* Mon Jul 20 2009 David Zeuthen <[email protected]> - 0.93-2
- Rebuild
* Mon Jul 20 2009 David Zeuthen <[email protected]> - 0.93-1
- Update to 0.93
* Tue Jun 09 2009 David Zeuthen <[email protected]> - 0.92-3
- Don't make docs noarch (I *heart* multilib)
- Change license to LGPLv2+
* Mon Jun 08 2009 David Zeuthen <[email protected]> - 0.92-2
- Rebuild
* Mon Jun 08 2009 David Zeuthen <[email protected]> - 0.92-1
- Update to 0.92 release
* Wed May 27 2009 David Zeuthen <[email protected]> - 0.92-0.git20090527
- Update to 0.92 snapshot
* Mon Feb 9 2009 David Zeuthen <[email protected]> - 0.91-1
- Initial spec file.