source: postlfs/security/polkit.xml@ 60caf48

Last change on this file since 60caf48 was 60caf48, checked in by Xi Ruoyao <xry111@…>, 3 years ago

polkit: use archive tarball and enable tests

Normally we prefer release tarballs to archives. But for polkit, we
are using meson so the generated configure script is not needed. And,
the release tarball lacks test support files and prevents us from
running tests.

For such a "security related" package, skipping tests seems not good...
(That being said, we'd been busy fixing CVEs not found by the tests. :( )

  • Property mode set to 100644
File size: 15.4 KB
1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4 <!ENTITY % general-entities SYSTEM "../../general.ent">
5 %general-entities;
6
7 <!ENTITY polkit-download-http "https://gitlab.freedesktop.org/polkit/polkit/-/archive/&polkit-version;/polkit-&polkit-version;.tar.gz">
8 <!ENTITY polkit-download-ftp " ">
9 <!ENTITY polkit-md5sum "5687b19e9ca9a0225957b8967d8f4458">
10 <!ENTITY polkit-size "740 KB">
11 <!ENTITY polkit-buildsize "8.9 MB (with tests)">
12 <!ENTITY polkit-time "0.2 SBU (with tests, using parallelism=4)">
13]>
14
15<sect1 id="polkit" xreflabel="Polkit-&polkit-version;">
16 <?dbhtml filename="polkit.html"?>
17
18 <sect1info>
19 <date>$Date$</date>
20 </sect1info>
21
22 <title>Polkit-&polkit-version;</title>
23
24 <indexterm zone="polkit">
25 <primary sortas="a-Polkit">Polkit</primary>
26 </indexterm>
27
28 <sect2 role="package">
29 <title>Introduction to Polkit</title>
30
31 <para>
32 <application>Polkit</application> is a toolkit for defining and handling
33 authorizations. It is used for allowing unprivileged processes to
34 communicate with privileged processes.
35 </para>
36
37 &lfs111_checked;
38
39 <bridgehead renderas="sect3">Package Information</bridgehead>
40 <itemizedlist spacing="compact">
41 <listitem>
42 <para>
43 Download (HTTP): <ulink url="&polkit-download-http;"/>
44 </para>
45 </listitem>
46 <listitem>
47 <para>
48 Download (FTP): <ulink url="&polkit-download-ftp;"/>
49 </para>
50 </listitem>
51 <listitem>
52 <para>
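53 Download MD5 sum: &polkit-md5sum; (a check against download corruption; MD5 is not collision-resistant and does not authenticate the source)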
54 </para>
55 </listitem>
56 <listitem>
57 <para>
58 Download size: &polkit-size;
59 </para>
60 </listitem>
61 <listitem>
62 <para>
63 Estimated disk space required: &polkit-buildsize;
64 </para>
65 </listitem>
66 <listitem>
67 <para>
68 Estimated build time: &polkit-time;
69 </para>
70 </listitem>
71 </itemizedlist>
72
73 <bridgehead renderas="sect3">Additional Downloads</bridgehead>
74 <itemizedlist spacing="compact">
75 <listitem>
76 <para>
77 Required patch:
78 <ulink url="&patch-root;/polkit-&polkit-version;-security_fixes-1.patch"/>
79 </para>
80 </listitem>
81 <listitem>
82 <para>
83 Required patch:
84 <ulink url="&patch-root;/polkit-&polkit-version;-js91-1.patch"/>
85 </para>
86 </listitem>
87 </itemizedlist>
88
89 <bridgehead renderas="sect3">Polkit Dependencies</bridgehead>
90
91 <bridgehead renderas="sect4">Required</bridgehead>
92 <para role="required">
93 <xref linkend="glib2"/> and
94 <xref linkend="js91"/>
95 </para>
96
97 <bridgehead renderas="sect4">Recommended</bridgehead>
98 <para role="recommended">
99 <xref linkend="gobject-introspection"/>,
100 <xref linkend="libxslt"/>,
101 <xref linkend="linux-pam"/>
102 <phrase revision="sysv">
103 and <xref role="first" linkend="elogind"/>
104 </phrase>
105 </para>
106
107 <note>
108 <para>
109 Since <phrase revision="sysv"><command>elogind</command></phrase>
110 <phrase revision="systemd"><command>systemd-logind</command></phrase>
111 uses PAM to register user sessions, it is a good idea to build
112 <application>Polkit</application> with PAM support so
113 <phrase revision="sysv"><command>elogind</command></phrase>
114 <phrase revision="systemd"><command>systemd-logind</command></phrase>
115 can track <application>Polkit</application> sessions.
116 </para>
117 </note>
118
119
120 <!-- Due to the fact that meson will not autodetect g-i and
121 has it set to required unless you pass an option, and the likelihood
122 of users ignoring a command explanation and then sending in mails
123 regarding KDE or GNOME not working after installing polkit, let's move
124 it to recommended. See #15640 for logic
125 <bridgehead renderas="sect4">Optional (Required if building GNOME)</bridgehead>
126 <para role="optional">
127 <xref linkend="gobject-introspection"/>
128 </para>
129 -->
130
131 <bridgehead renderas="sect4">Optional</bridgehead>
132 <para role="optional">
133 <!--<xref linkend="dbus-python"/> and
134 <xref linkend="python-dbusmock"/> (for tests), and - no more tests -->
135 <!--<xref linkend="DocBook"/>, (Part of libxslt's chain)
136 <xref linkend="docbook-xsl"/>,-->
137 <xref linkend="gtk-doc"/>
138 </para>
139
140 <bridgehead renderas="sect4" revision="systemd">Required Runtime Dependencies</bridgehead>
141 <para role="required" revision="systemd">
142 <xref role="runtime" linkend="systemd"/>
143 </para>
144
145 <bridgehead renderas="sect4" id="polkit-agent" xreflabel="Polkit Authentication Agent">
146 Optional Runtime Dependencies
147 </bridgehead>
148 <para role="optional">
149 One polkit authentication agent for using polkit in the graphical
150 environment:
151 <application>polkit-kde-agent</application> in
152 <xref role="runtime" linkend="plasma5-build"/> for KDE,
153 the agent built in
154 <xref role="runtime" linkend="gnome-shell"/> for GNOME3,
155 <xref role="runtime" linkend="polkit-gnome"/> for XFCE, and
156 <application>lxpolkit</application> in
157 <xref role="runtime" linkend="lxsession"/> for LXDE.
158 </para>
159
160 <note>
161 <para>
162 If <xref linkend="libxslt"/> is installed,
163 then <xref linkend="DocBook"/> and <xref linkend="docbook-xsl"/> are
164 required. If you have installed <xref linkend="libxslt"/>, but you do
165 not want to install any of the DocBook packages mentioned, you will
166 need to use <option>-Dman=false</option> in the instructions
167 below.
168 </para>
169 </note>
170
171 <para condition="html" role="usernotes">User Notes:
172 <ulink url="&blfs-wiki;/polkit"/>
173 </para>
174 </sect2>
175
176 <sect2 role="installation">
177 <title>Installation of Polkit</title>
178
179 <para>
180 The <command>polkitd</command> daemon should run as a dedicated,
181 non-root user and group after it is
182 started. To create them, issue the following commands as the
183 <systemitem class="username">root</systemitem> user:
184 </para>
185
186<screen role="root"><userinput>groupadd -fg 27 polkitd &amp;&amp;
187useradd -c "PolicyKit Daemon Owner" -d /etc/polkit-1 -u 27 \
188 -g polkitd -s /bin/false polkitd</userinput></screen>
189
190 <para>
191 First, fix problems with setting permissions during installation and with
192 meson-0.60.0:
193 </para>
194
195<screen><userinput remap="pre">sed '/0,/s/^/#/' -i meson_post_install.py &amp;&amp;
196sed '/policy,/d' -i actions/meson.build \
197 -i src/examples/meson.build</userinput></screen>
198
199 <para>
200 Apply a patch to fix two security issues:
201 </para>
202
203<screen><userinput remap="pre">patch -Np1 -i ../polkit-&polkit-version;-security_fixes-1.patch</userinput></screen>
204
205 <para>
206 Port this package to use JS-91:
207 </para>
208
209<screen><userinput remap="pre">patch -Np1 -i ../polkit-&polkit-version;-js91-1.patch</userinput></screen>
210
211 <para>
212 Install <application>Polkit</application> by running the following
213 commands:
214 </para>
215
216<screen revision="systemd"><userinput>mkdir build &amp;&amp;
217cd build &amp;&amp;
218
219meson --prefix=/usr \
220 --buildtype=release \
221 -Dman=true \
222 -Dsession_tracking=libsystemd-login \
223 -Dtests=true \
224 .. &amp;&amp;
225ninja</userinput></screen>
226
227<screen revision="sysv"><userinput>mkdir build &amp;&amp;
228cd build &amp;&amp;
229
230meson --prefix=/usr \
231 --buildtype=release \
232 -Dman=true \
233 -Dsession_tracking=libelogind \
234 -Dsystemdsystemunitdir=/tmp \
235 -Dtests=true \
236 .. &amp;&amp;
237ninja</userinput></screen>
238
239 <!--
240 "-t3" for raising the timeout to 90s, i. e. 3x the default:
241 https://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/107
242 -->
243 <para>
244 To test the results, first ensure that the system
245 <application>D-Bus</application> daemon is running.
246 Then run <command>meson test -t3</command> (<option>-t3</option> triples the default test timeout).
247 </para>
248
249 <para>
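250 Now, as the <systemitem class="username">root</systemitem> user<phrase revision="sysv"> (the <command>rm</command> deletes the systemd unit files that <option>-Dsystemdsystemunitdir=/tmp</option> sent to <filename class="directory">/tmp</filename>; its wildcard also matches any other <filename>.service</filename> file already in that directory)</phrase>: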
251 </para>
252
253<screen role="root" revision="systemd"><userinput>ninja install</userinput></screen>
254
255<screen role="root" revision="sysv"><userinput>ninja install &amp;&amp;
256rm -v /tmp/*.service</userinput></screen>
257
258 </sect2>
259
260 <sect2 role="commands">
261 <title>Command Explanations</title>
262
263 <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
264 href="../../xincludes/meson-buildtype-release.xml"/>
265
266 <!--
267 <para revision="sysv">
268 <parameter>- -disable-libsystemd-login</parameter>: This switch forces
269 polkit to build with elogind support (if available) rather than
270 systemd-logind.
271 </para>
272
273
274 <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
275 href="../../xincludes/static-libraries.xml"/>
276 -->
277
278 <para>
279 <option>-Dauthfw=shadow</option>: This switch makes the
280 package use the <application>Shadow</application> authentication
281 framework rather than <application>Linux PAM</application>. Use it
282 if you have not installed <application>Linux PAM</application>.
283 </para>
284
285 <!--
286 <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
287 href="../../xincludes/gtk-doc-rebuild.xml"/>
288 -->
289
290 <para>
291 <option>-Dintrospection=false</option>: Use this option if you are certain
292 that you do not need gobject-introspection files for polkit, or do not have
293 gobject-introspection installed.
294 </para>
295
296 <para>
297 <option>-Dman=false</option>: Use this option to disable generating and
298 installing manual pages. This is useful if libxslt is not installed.
299 </para>
300
301 <para>
302 <option>-Dexamples=true</option>: Use this option to build the example
303 programs.
304 </para>
305
306 <para>
307 <option>-Dgtk_doc=true</option>: Use this option to enable building and
308 installing the API documentation.
309 </para>
310
311 </sect2>
312
313 <sect2 role="configuration">
314 <title>Configuring Polkit</title>
315
316 <sect3>
317 <title>PAM Configuration</title>
318
319 <note>
320 <para>
321 If you did not build <application>Polkit</application> with
322 <application>Linux PAM</application> support, you can skip this
323 section.
324 </para>
325 </note>
326
327 <para>
328 If you have built <application>Polkit</application> with
329 <application>Linux PAM</application> support, you need to replace
330 the PAM configuration file which was installed by default to get
331 <application>Polkit</application> to work correctly with BLFS. Issue the
332 following commands as the <systemitem class="username">root</systemitem>
333 user to create the configuration file for <application>Linux PAM</application>:
334 </para>
335
336<screen role="root"><userinput>cat &gt; /etc/pam.d/polkit-1 &lt;&lt; "EOF"
337<literal># Begin /etc/pam.d/polkit-1
338
339auth include system-auth
340account include system-account
341password include system-password
342session include system-session
343
344# End /etc/pam.d/polkit-1</literal>
345EOF</userinput></screen>
346
347 </sect3>
348
349 </sect2>
350
351 <sect2 role="content">
352 <title>Contents</title>
353
354 <segmentedlist>
355 <segtitle>Installed Programs</segtitle>
356 <segtitle>Installed Libraries</segtitle>
357 <segtitle>Installed Directories</segtitle>
358
359 <seglistitem>
360 <seg>
361 pkaction, pkcheck, <!--pk-example-frobnicate,--> pkexec,
362 pkttyagent and polkitd
363 </seg>
364 <seg>
365 libpolkit-agent-1.so and
366 libpolkit-gobject-1.so
367 </seg>
368 <seg>
369 /etc/polkit-1,
370 /usr/include/polkit-1,
371 /usr/lib/polkit-1,
372 /usr/share/gtk-doc/html/polkit-1 and
373 /usr/share/polkit-1
374 </seg>
375 </seglistitem>
376 </segmentedlist>
377
378 <variablelist>
379 <bridgehead renderas="sect3">Short Descriptions</bridgehead>
380 <?dbfo list-presentation="list"?>
381 <?dbhtml list-presentation="table"?>
382
383 <varlistentry id="pkaction">
384 <term><command>pkaction</command></term>
385 <listitem>
386 <para>
387 is used to obtain information about registered PolicyKit actions
388 </para>
389 <indexterm zone="polkit pkaction">
390 <primary sortas="b-pkaction">pkaction</primary>
391 </indexterm>
392 </listitem>
393 </varlistentry>
394
395 <varlistentry id="pkcheck">
396 <term><command>pkcheck</command></term>
397 <listitem>
398 <para>
399 is used to check whether a process is authorized for an action
400 </para>
401 <indexterm zone="polkit pkcheck">
402 <primary sortas="b-pkcheck">pkcheck</primary>
403 </indexterm>
404 </listitem>
405 </varlistentry>
406
407<!--
408 <varlistentry id="pk-example-frobnicate">
409 <term><command>pk-example-frobnicate</command></term>
410 <listitem>
411 <para>
412 is an example program to test the <command>pkexec</command>
413 command
414 </para>
415 <indexterm zone="polkit pk-example-frobnicate">
416 <primary sortas="b-pk-example-frobnicate">pk-example-frobnicate</primary>
417 </indexterm>
418 </listitem>
419 </varlistentry>
420-->
421
422 <varlistentry id="pkexec">
423 <term><command>pkexec</command></term>
424 <listitem>
425 <para>
426 allows an authorized user to execute a command as another user
427 </para>
428 <indexterm zone="polkit pkexec">
429 <primary sortas="b-pkexec">pkexec</primary>
430 </indexterm>
431 </listitem>
432 </varlistentry>
433
434 <varlistentry id="pkttyagent">
435 <term><command>pkttyagent</command></term>
436 <listitem>
437 <para>
438 is used to start a textual authentication agent for the subject
439 </para>
440 <indexterm zone="polkit pkttyagent">
441 <primary sortas="b-pkttyagent">pkttyagent</primary>
442 </indexterm>
443 </listitem>
444 </varlistentry>
445
446 <varlistentry id="polkitd">
447 <term><command>polkitd</command></term>
448 <listitem>
449 <para>
450 provides the org.freedesktop.PolicyKit1 <application>D-Bus</application>
451 service on the system message bus
452 </para>
453 <indexterm zone="polkit polkitd">
454 <primary sortas="b-polkitd">polkitd</primary>
455 </indexterm>
456 </listitem>
457 </varlistentry>
458
459 <varlistentry id="libpolkit-agent-1">
460 <term><filename class="libraryfile">libpolkit-agent-1.so</filename></term>
461 <listitem>
462 <para>
463 contains the <application>Polkit</application> authentication
464 agent API functions
465 </para>
466 <indexterm zone="polkit libpolkit-agent-1">
467 <primary sortas="c-libpolkit-agent-1">libpolkit-agent-1.so</primary>
468 </indexterm>
469 </listitem>
470 </varlistentry>
471
472 <varlistentry id="libpolkit-gobject-1">
473 <term><filename class="libraryfile">libpolkit-gobject-1.so</filename></term>
474 <listitem>
475 <para>
476 contains the <application>Polkit</application> authorization API functions
477 </para>
478 <indexterm zone="polkit libpolkit-gobject-1">
479 <primary sortas="c-libpolkit-gobject-1">libpolkit-gobject-1.so</primary>
480 </indexterm>
481 </listitem>
482 </varlistentry>
483
484 </variablelist>
485
486 </sect2>
487
488</sect1>