source: postlfs/security/polkit.xml@ faa948c

Last change on this file since faa948c was b317cda, checked in by Xi Ruoyao <xry111@…>, 10 months ago

polkit: Expand and fix the command explanation for js102 sed

and demote duktape to recommended (but still keep it required internally
for jhalfs).

[9d3d8a8]1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4 <!ENTITY % general-entities SYSTEM "../../general.ent">
5 %general-entities;
6
[60caf48]7 <!ENTITY polkit-download-http "https://gitlab.freedesktop.org/polkit/polkit/-/archive/&polkit-version;/polkit-&polkit-version;.tar.gz">
[f47c6a6b]8 <!ENTITY polkit-download-ftp " ">
[6be3fe3]9 <!ENTITY polkit-md5sum "36540b837c588e1e77145523bb39f511">
10 <!ENTITY polkit-size "736 KB">
11 <!ENTITY polkit-buildsize "6.8 MB (with tests)">
[7d5d3d4]12 <!ENTITY polkit-time "0.3 SBU (with tests, using parallelism=4)">
[9d3d8a8]13]>
14
[01996ebb]15<sect1 id="polkit" xreflabel="Polkit-&polkit-version;">
[9d3d8a8]16 <?dbhtml filename="polkit.html"?>
17
18
[01996ebb]19 <title>Polkit-&polkit-version;</title>
[9d3d8a8]20
21 <indexterm zone="polkit">
[01996ebb]22 <primary sortas="a-Polkit">Polkit</primary>
[9d3d8a8]23 </indexterm>
24
25 <sect2 role="package">
[01996ebb]26 <title>Introduction to Polkit</title>
[9d3d8a8]27
[b84342d6]28 <para>
[01996ebb]29 <application>Polkit</application> is a toolkit for defining and handling
[9ca304a]30 authorizations. It is used for allowing unprivileged processes to
[30f82900]31 communicate with privileged processes.
[b84342d6]32 </para>
[9d3d8a8]33
[479979e]34 &lfs120_checked;
[27e62762]35
[9d3d8a8]36 <bridgehead renderas="sect3">Package Information</bridgehead>
37 <itemizedlist spacing="compact">
38 <listitem>
[b84342d6]39 <para>
40 Download (HTTP): <ulink url="&polkit-download-http;"/>
41 </para>
[9d3d8a8]42 </listitem>
43 <listitem>
[b84342d6]44 <para>
45 Download (FTP): <ulink url="&polkit-download-ftp;"/>
46 </para>
[9d3d8a8]47 </listitem>
48 <listitem>
[b84342d6]49 <para>
50 Download MD5 sum: &polkit-md5sum;
51 </para>
[9d3d8a8]52 </listitem>
53 <listitem>
[b84342d6]54 <para>
55 Download size: &polkit-size;
56 </para>
[9d3d8a8]57 </listitem>
58 <listitem>
[b84342d6]59 <para>
60 Estimated disk space required: &polkit-buildsize;
61 </para>
[9d3d8a8]62 </listitem>
63 <listitem>
[b84342d6]64 <para>
65 Estimated build time: &polkit-time;
66 </para>
[9d3d8a8]67 </listitem>
68 </itemizedlist>
[ad539dbe]69
[7d5d3d4]70<!--
[7e280b45]71 <bridgehead renderas="sect3">Additional Downloads</bridgehead>
72 <itemizedlist spacing="compact">
[ad539dbe]73 <listitem>
[4a0b346]74 <para>
[7e280b45]75 Required patch:
[4483a9a]76 <ulink url="&patch-root;/polkit-&polkit-version;-security_fixes-1.patch"/>
[4a0b346]77 </para>
78 </listitem>
[b5b1af68]79 <listitem>
80 <para>
81 Required patch:
82 <ulink url="&patch-root;/polkit-&polkit-version;-js91-1.patch"/>
83 </para>
84 </listitem>
[3b40dbb3]85 </itemizedlist>
[7d5d3d4]86-->
[ad539dbe]87
[01996ebb]88 <bridgehead renderas="sect3">Polkit Dependencies</bridgehead>
[9d3d8a8]89
90 <bridgehead renderas="sect4">Required</bridgehead>
[bb947c32]91 <para role="required">
[b317cda]92 <xref linkend="glib2"/>
[4c2be438]93 </para>
94
[51dfb3e]95 <bridgehead renderas="sect4">Recommended</bridgehead>
96 <para role="recommended">
[b317cda]97 <!-- For jhalfs just make it required to avoid over-complexity. -->
98 <xref role="required" linkend="duktape"/>,
[59f6a1f]99 <xref linkend="gobject-introspection"/>,
[3345cfea]100 <xref linkend="libxslt"/>,<phrase revision="systemd"> and</phrase>
101 <xref linkend="linux-pam"/><phrase revision="sysv">, and
102 <xref linkend="elogind"/>
[7cb4635]103 </phrase>
[f586237]104 </para>
105
[51dfb3e]106 <note>
[f586237]107 <para>
[51dfb3e]108 Since <phrase revision="sysv"><command>elogind</command></phrase>
109 <phrase revision="systemd"><command>systemd-logind</command></phrase>
110 uses PAM to register user sessions, it is a good idea to build
111 <application>Polkit</application> with PAM support so
112 <phrase revision="sysv"><command>elogind</command></phrase>
113 <phrase revision="systemd"><command>systemd-logind</command></phrase>
114 can track <application>Polkit</application> sessions.
[f586237]115 </para>
116 </note>
117
118
[59f6a1f]119 <!-- Due to the fact that meson will not autodetect g-i and
120 has it set to required unless you pass an option, and the likelihood
121 of users ignoring a command explanation and then sending in mails
122 regarding KDE or GNOME not working after installing polkit, let's move
123 it to recommended. See #15640 for logic
[4c2be438]124 <bridgehead renderas="sect4">Optional (Required if building GNOME)</bridgehead>
125 <para role="optional">
126 <xref linkend="gobject-introspection"/>
127 </para>
[59f6a1f]128 -->
[9d3d8a8]129
130 <bridgehead renderas="sect4">Optional</bridgehead>
[bb947c32]131 <para role="optional">
[a428935]132 <xref linkend="gtk-doc"/>,
[14bd41d]133 <xref linkend="js102"/> (can be used in place of duktape), and
[a428935]134 <xref linkend="python-dbusmock"/> (for tests)
[f586237]135 </para>
136
137 <bridgehead renderas="sect4" revision="systemd">Required Runtime Dependencies</bridgehead>
138 <para role="required" revision="systemd">
[96e9478]139 <xref role="runtime" linkend="systemd"/>
[4c2be438]140 </para>
[875b4070]141
[f13e9026]142 <bridgehead renderas="sect4" id="polkit-agent" xreflabel="Polkit Authentication Agent">
143 Optional Runtime Dependencies
144 </bridgehead>
[fee64868]145 <para role="optional">
146 One polkit authentication agent for using polkit in the graphical
147 environment:
148 <application>polkit-kde-agent</application> in
149 <xref role="runtime" linkend="plasma5-build"/> for KDE,
150 the agent built in
151 <xref role="runtime" linkend="gnome-shell"/> for GNOME3,
152 <xref role="runtime" linkend="polkit-gnome"/> for XFCE, and
153 <application>lxpolkit</application> in
[a428935]154 <xref role="runtime" linkend="lxsession"/> for LXDE
[fee64868]155 </para>
156
[875b4070]157 <note>
[b84342d6]158 <para>
[f586237]159 If <xref linkend="libxslt"/> is installed,
160 then <xref linkend="DocBook"/> and <xref linkend="docbook-xsl"/> are
161 required. If you have installed <xref linkend="libxslt"/>, but you do
162 not want to install any of the DocBook packages mentioned, you will
[59f6a1f]163 need to use <option>-Dman=false</option> in the instructions
[f586237]164 below.
[b84342d6]165 </para>
[875b4070]166 </note>
[9d3d8a8]167
168 </sect2>
169
170 <sect2 role="installation">
[01996ebb]171 <title>Installation of Polkit</title>
[9d3d8a8]172
[b84342d6]173 <para>
[01996ebb]174 There should be a dedicated user and group to take control
175 of the <command>polkitd</command> daemon after it is
176 started. Issue the following commands as the
177 <systemitem class="username">root</systemitem> user:
178 </para>
179
180<screen role="root"><userinput>groupadd -fg 27 polkitd &amp;&amp;
181useradd -c "PolicyKit Daemon Owner" -d /etc/polkit-1 -u 27 \
182 -g polkitd -s /bin/false polkitd</userinput></screen>
183
[59f6a1f]184 <para>
[6be3fe3]185 If using <xref linkend="js102"/>, make the following change (see Command
186 Explanations below for more information):
[59f6a1f]187 </para>
188
[b317cda]189<screen><userinput remap="nodump">sed -e 's/JS_Init/JS::DisableJitBackend(); &amp;/' \
[6be3fe3]190 -i src/polkitbackend/polkitbackendjsauthority.cpp</userinput></screen>
[7e280b45]191
[6be3fe3]192<!--
[7e280b45]193 <para>
[4483a9a]194 Apply a patch to fix two security issues:
[7e280b45]195 </para>
196
[4483a9a]197<screen><userinput remap="pre">patch -Np1 -i ../polkit-&polkit-version;-security_fixes-1.patch</userinput></screen>
[7e280b45]198
[b5b1af68]199 <para>
200 Port this package to use JS-91:
201 </para>
202
203<screen><userinput remap="pre">patch -Np1 -i ../polkit-&polkit-version;-js91-1.patch</userinput></screen>
[7d5d3d4]204-->
[b5b1af68]205
[01996ebb]206 <para>
207 Install <application>Polkit</application> by running the following
[37aba7f]208 commands:
[b84342d6]209 </para>
[9d3d8a8]210
[59f6a1f]211<screen revision="systemd"><userinput>mkdir build &amp;&amp;
212cd build &amp;&amp;
213
[91318eb]214meson setup .. \
215 --prefix=/usr \
[60caf48]216 --buildtype=release \
[59f6a1f]217 -Dman=true \
218 -Dsession_tracking=libsystemd-login \
[91318eb]219 -Dtests=true &amp;&amp;
[59f6a1f]220ninja</userinput></screen>
[51dfb3e]221
[59f6a1f]222<screen revision="sysv"><userinput>mkdir build &amp;&amp;
223cd build &amp;&amp;
224
[91318eb]225meson setup .. \
226 --prefix=/usr \
[60caf48]227 --buildtype=release \
[59f6a1f]228 -Dman=true \
229 -Dsession_tracking=libelogind \
[91318eb]230 -Dtests=true &amp;&amp;
[59f6a1f]231ninja</userinput></screen>
232
[b84342d6]233 <para>
[8558044]234 To test the results, first ensure that the system
[bf654b1]235 <application>D-Bus</application> daemon is running,
236 and both <xref linkend='dbus-python'/> and
237 <xref linkend='python-dbusmock'/> are installed.
[8de6bb81]238 Then run <command>ninja test</command>.
[59f6a1f]239 </para>
[9d3d8a8]240
[b84342d6]241 <para>
242 Now, as the <systemitem class="username">root</systemitem> user:
243 </para>
[9d3d8a8]244
[6be3fe3]245<screen role="root"><userinput>ninja install</userinput></screen>
[9d3d8a8]246
247 </sect2>
248
249 <sect2 role="commands">
250 <title>Command Explanations</title>
251
[215c3ea5]252 <para>
[b317cda]253 <command>sed -e 's/JS_Init/JS::DisableJitBackend(); &amp;/' ...
254 </command>: The JIT compiler of JS102 needs memory mappings that are
255 both writable and executable (W+X), which is dangerous and is not permitted by the
256 <application>systemd</application> unit file shipped within the polkit
257 package. This command is not strictly needed on systems based on
258 sysvinit, but it still improves security by keeping the JIT backend disabled. It has no effect if building
259 polkit with the recommended <xref linkend='duktape'/> JavaScript
260 engine.
[215c3ea5]261 </para>
262
[7e280b45]263 <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
264 href="../../xincludes/meson-buildtype-release.xml"/>
265
[492cca2c]266 <para>
267 <parameter>-Dtests=true</parameter>: This switch allows running the
268 test suite of this package. As <application>Polkit</application> is
269 used for authorizations, its integrity can affect system security.
270 So it is recommended to run the test suite when building this package.
271 </para>
272
[7d5d3d4]273 <para>
[0c72a8b]274 <option>-Djs_engine=mozjs</option>: This switch allows using the
275 <xref linkend="js102"/> JavaScript engine instead of the
276 <xref linkend='duktape'/> JavaScript engine.
[7d5d3d4]277 </para>
278
[59f6a1f]279 <!--
[4a0b346]280 <para revision="sysv">
[59f6a1f]281 <parameter>- -disable-libsystemd-login</parameter>: This switch forces
[4a0b346]282 polkit to build with elogind support (if available) rather than
283 systemd-logind.
284 </para>
285
[7a9a7b26]286
[ad539dbe]287 <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
288 href="../../xincludes/static-libraries.xml"/>
[59f6a1f]289 -->
[7a9a7b26]290
[1121404]291 <para>
292 <option>-Dos_type=lfs</option>: Use this switch if you did not create
293 the <filename>/etc/lfs-release</filename> file. Without the switch, distribution
294 auto-detection will fail and you will be unable to use
295 <application>Polkit</application>.
296 </para>
297
[51dfb3e]298 <para>
[59f6a1f]299 <option>-Dauthfw=shadow</option>: This switch enables the
[f586237]300 package to use the <application>Shadow</application> authentication
301 framework rather than <application>Linux PAM</application>. Use it
302 if you have not installed <application>Linux PAM</application>.
[b84342d6]303 </para>
304
[59f6a1f]305 <!--
[e05cd03f]306 <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
[51dfb3e]307 href="../../xincludes/gtk-doc-rebuild.xml"/>
[59f6a1f]308 -->
309
310 <para>
311 <option>-Dintrospection=false</option>: Use this option if you are certain
312 that you do not need gobject-introspection files for polkit, or do not have
313 gobject-introspection installed.
314 </para>
315
316 <para>
317 <option>-Dman=false</option>: Use this option to disable generating and
318 installing manual pages. This is useful if libxslt is not installed.
319 </para>
320
321 <para>
322 <option>-Dexamples=true</option>: Use this option to build the example
323 programs.
324 </para>
325
326 <para>
327 <option>-Dgtk_doc=true</option>: Use this option to enable building and
328 installing the API documentation.
329 </para>
[51dfb3e]330
[9d3d8a8]331 </sect2>
332
333 <sect2 role="content">
334 <title>Contents</title>
335
336 <segmentedlist>
337 <segtitle>Installed Programs</segtitle>
338 <segtitle>Installed Libraries</segtitle>
339 <segtitle>Installed Directories</segtitle>
340
341 <seglistitem>
[b84342d6]342 <seg>
[59f6a1f]343 pkaction, pkcheck, <!--pk-example-frobnicate,--> pkexec,
[a428935]344 pkttyagent, and polkitd
[b84342d6]345 </seg>
346 <seg>
[0d7900a]347 libpolkit-agent-1.so and
[b84342d6]348 libpolkit-gobject-1.so
349 </seg>
[028759b]350 <seg>
[01996ebb]351 /etc/polkit-1,
352 /usr/include/polkit-1,
353 /usr/lib/polkit-1,
[a428935]354 /usr/share/gtk-doc/html/polkit-1, and
[028759b]355 /usr/share/polkit-1
[b84342d6]356 </seg>
[9d3d8a8]357 </seglistitem>
358 </segmentedlist>
359
360 <variablelist>
361 <bridgehead renderas="sect3">Short Descriptions</bridgehead>
362 <?dbfo list-presentation="list"?>
363 <?dbhtml list-presentation="table"?>
364
365 <varlistentry id="pkaction">
366 <term><command>pkaction</command></term>
367 <listitem>
[b84342d6]368 <para>
[4c24eb0a]369 is used to obtain information about registered PolicyKit actions
[b84342d6]370 </para>
[9d3d8a8]371 <indexterm zone="polkit pkaction">
372 <primary sortas="b-pkaction">pkaction</primary>
373 </indexterm>
374 </listitem>
375 </varlistentry>
376
377 <varlistentry id="pkcheck">
378 <term><command>pkcheck</command></term>
379 <listitem>
[b84342d6]380 <para>
[4c24eb0a]381 is used to check whether a process is authorized for an action
[b84342d6]382 </para>
[9d3d8a8]383 <indexterm zone="polkit pkcheck">
384 <primary sortas="b-pkcheck">pkcheck</primary>
385 </indexterm>
386 </listitem>
387 </varlistentry>
388
[59f6a1f]389<!--
[72d90b67]390 <varlistentry id="pk-example-frobnicate">
391 <term><command>pk-example-frobnicate</command></term>
392 <listitem>
393 <para>
394 is an example program to test the <command>pkexec</command>
[4c24eb0a]395 command
[72d90b67]396 </para>
397 <indexterm zone="polkit pk-example-frobnicate">
398 <primary sortas="b-pk-example-frobnicate">pk-example-frobnicate</primary>
399 </indexterm>
400 </listitem>
401 </varlistentry>
[59f6a1f]402-->
[7a9a7b26]403
[9d3d8a8]404 <varlistentry id="pkexec">
405 <term><command>pkexec</command></term>
406 <listitem>
[b84342d6]407 <para>
[4c24eb0a]408 allows an authorized user to execute a command as another user
[b84342d6]409 </para>
[9d3d8a8]410 <indexterm zone="polkit pkexec">
411 <primary sortas="b-pkexec">pkexec</primary>
412 </indexterm>
413 </listitem>
414 </varlistentry>
415
[b84342d6]416 <varlistentry id="pkttyagent">
417 <term><command>pkttyagent</command></term>
[9d3d8a8]418 <listitem>
[b84342d6]419 <para>
[4c24eb0a]420 is used to start a textual authentication agent for the subject
[b84342d6]421 </para>
422 <indexterm zone="polkit pkttyagent">
423 <primary sortas="b-pkttyagent">pkttyagent</primary>
[9d3d8a8]424 </indexterm>
425 </listitem>
[b84342d6]426 </varlistentry>
[9d3d8a8]427
[875b4070]428 <varlistentry id="polkitd">
[9d3d8a8]429 <term><command>polkitd</command></term>
430 <listitem>
[b84342d6]431 <para>
[0d7900a]432 provides the org.freedesktop.PolicyKit1 <application>D-Bus</application>
[4c24eb0a]433 service on the system message bus
[b84342d6]434 </para>
[875b4070]435 <indexterm zone="polkit polkitd">
[9d3d8a8]436 <primary sortas="b-polkitd">polkitd</primary>
437 </indexterm>
438 </listitem>
439 </varlistentry>
440
441 <varlistentry id="libpolkit-agent-1">
[4c24eb0a]442 <term><filename class="libraryfile">libpolkit-agent-1.so</filename></term>
[9d3d8a8]443 <listitem>
[b84342d6]444 <para>
[01996ebb]445 contains the <application>Polkit</application> authentication
[4c24eb0a]446 agent API functions
[b84342d6]447 </para>
[9d3d8a8]448 <indexterm zone="polkit libpolkit-agent-1">
[b84342d6]449 <primary sortas="c-libpolkit-agent-1">libpolkit-agent-1.so</primary>
[9d3d8a8]450 </indexterm>
451 </listitem>
452 </varlistentry>
453
454 <varlistentry id="libpolkit-gobject-1">
[4c24eb0a]455 <term><filename class="libraryfile">libpolkit-gobject-1.so</filename></term>
[9d3d8a8]456 <listitem>
[b84342d6]457 <para>
[4c24eb0a]458 contains the <application>Polkit</application> authorization API functions
[b84342d6]459 </para>
[9d3d8a8]460 <indexterm zone="polkit libpolkit-gobject-1">
[b84342d6]461 <primary sortas="c-libpolkit-gobject-1">libpolkit-gobject-1.so</primary>
[9d3d8a8]462 </indexterm>
463 </listitem>
464 </varlistentry>
465
466 </variablelist>
467
468 </sect2>
469
470</sect1>