Opened 2 months ago

Closed 5 weeks ago

#15640 closed enhancement (fixed)

polkit-0.120

Reported by: Xi Ruoyao Owned by: Douglas R. Reno
Priority: normal Milestone: 11.1
Component: BOOK Version: git
Severity: normal Keywords:
Cc:

Description

Change History (10)

comment:1 by Douglas R. Reno, 6 weeks ago

Owner: changed from blfs-book to Douglas R. Reno
Status: new → assigned

comment:2 by Douglas R. Reno, 5 weeks ago

NOTICE:
This is the LAST version to support AUTOTOOLS build system, as it has been obsoleted
by meson build system.
The next release of polkit will REQUIRE meson build system.
Highlights:
 tarball fix-ups
 re-enabled documentation
 Intltool to gettext migration
 new translations

Build requirements

 glib, gobject, gio    >= 2.32
 mozjs-78
 gobject-introspection >= 0.6.2 (optional)
 pam (optional)
 ConsoleKit OR systemd
 gettext
 meson (optional)
 autotools (DEPRECATED)

Changes since polkit 0.119:

 Inigo Martinez:
    transition from Intltool to gettext

 Simon McVittie:
    several tarball, meson and pipeline fixups

 Hugo Carvalho:
    Portuguese translation

 Sergiu Bivol:
    Romanian translation

As part of this, we need to move to meson. Pierre and I are discussing various problems related to this in IRC at the moment, but there are several bugs in Polkit's meson install procedures, ranging from the subprojects directory not being included, to a hack required to install on SysV systems, to a /usr/share/polkit-1/rules.d issue, and also to a problem with not installing binaries as SUID root.

So far we've dug up:

https://gitlab.freedesktop.org/polkit/polkit/-/issues/144

https://gitlab.freedesktop.org/polkit/polkit/-/issues/158

comment:3 by Douglas R. Reno, 5 weeks ago

We've come to the conclusion that, so far, the following things are needed:

chmod -v 4755 /usr/bin/pkexec

[ on sysv ] rm -v /tmp/*.service (needed because otherwise meson bails due to an error regarding systemd units, even if systemd is explicitly disabled by only enabling the libelogind session manager ... have to use -Dsession_tracking=libelogind and -Dsystemdsystemunitdir=/tmp)

chmod -v 755 /usr/lib/polkit-1/polkit-agent-helper-1

chown polkitd /usr/share/polkit-1/rules.d

[ possibly ] chmod 700 /usr/share/polkit-1/rules.d

This update is becoming rather complex. So far I have the following in my notes:

- Comment out the Note for systemd
- Comment out the --disable-static option
- Comment out the --disable-libsystemd-login option
- Replace --enable-gtk-doc with -Dgtk_doc=true
- Replace --with-authfw=shadow with -Dauthfw=shadow
- Add a command explanation for -Dintrospection=false
- Comment out test suite for now (missing the subprojects directory, so even if -Dtests=true is passed, mocklibc won't be built and meson will bail)
- Promote gobject-introspection to recommended
- Promote libxslt to recommended, remove docbook*

meson line for sysv:

meson --prefix=/usr -Dexamples=true -Dsession_tracking=libelogind \
     -Dsystemdsystemunitdir=/tmp -Dman=true

meson line for systemd:

meson --prefix=/usr -Dexamples=true -Dsession_tracking=libsystemd-login -Dman=true

Regarding manual pages, you have to add -Dman=true or there will be no manual pages generated or installed. I'm going to add a command explanation for disabling them (-Dman=false) and -Dintrospection=false (-Dintrospection=true is set by default, while -Dman=false is set by default. We want manual pages, and we need gobject-introspection stuff for GNOME and possibly other applications. Currently it autodetects, but meson has no capability of handling that). That is my reasoning behind the dependency promotions.

This is without looking at installed files changes (hopefully there are none). By not installing binaries as suid-root, gnome-control-center (and possibly ksystemsettings and many others) will not function because pkexec cannot run/elevate privileges.

I don't feel comfortable staying with autotools because upstream has made it very clear that it will no longer be supported after this release.

In addition, this package has problems with meson-0.60.0... see https://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/99/diffs

Last edited 5 weeks ago by Bruce Dubbs

comment:4 by pierre, 5 weeks ago

For the perms problem, it looks like the order of the calls in meson_post_install.py should be reverted: it has:

    os.chmod(dst, 0o4755)
    os.chown(dst, 0, -1)

but according to chown(2):

When the owner or group of an executable file is changed by an unprivileged user, the S_ISUID and S_ISGID mode bits are cleared. POSIX does not specify whether this also should happen when root does the chown(); the Linux behavior depends on the kernel version, and since Linux 2.2.13, root is treated like other users.

Conclusion: the suid bit is reset by the call to os.chown. I've verified that commenting out the os.chown line effectively allows the suid bit to be set...
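The ordering bug above, reproduced on a scratch file so the effect can be observed without touching the real install. This is an added example, not code from polkit's meson_post_install.py; it chowns to the current user (os.getuid()) instead of the hard-coded 0 so it runs unprivileged, and the chown-first branch is the corrected order.

```python
"""Why chmod-then-chown in meson_post_install.py loses the setuid bit:
chown(2) on a regular file clears S_ISUID on Linux, so the mode must be
applied after ownership is settled.  Added example, not polkit's code."""
import os
import stat
import tempfile


def install_suid(path: str, chown_first: bool) -> bool:
    """Apply the two calls from meson_post_install.py to `path` in the
    requested order and report whether S_ISUID survived."""
    uid = os.getuid()  # assumption: stand-in for upstream's hard-coded 0
    if chown_first:
        os.chown(path, uid, -1)   # corrected order: ownership first ...
        os.chmod(path, 0o4755)    # ... then the mode carrying the suid bit
    else:
        os.chmod(path, 0o4755)    # order from the ticket: suid bit set ...
        os.chown(path, uid, -1)   # ... and immediately cleared by chown(2)
    return bool(os.stat(path).st_mode & stat.S_ISUID)


def compare_orders() -> dict:
    """Run both orders on a constructed stand-in binary; return which kept suid."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for label, first in (("chmod_then_chown", False),
                             ("chown_then_chmod", True)):
            target = os.path.join(tmp, "pkexec")  # constructed, not a real install
            with open(target, "w") as fh:
                fh.write("#!/bin/sh\n")
            results[label] = install_suid(target, chown_first=first)
    return results


if __name__ == "__main__":
    for order, kept in compare_orders().items():
        print(f"{order}: setuid bit {'kept' if kept else 'lost'}")
```

The same check (stat the installed file and test S_ISUID) is a cheap post-install sanity test for any package that is supposed to ship suid helpers.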

comment:5 by pierre, 5 weeks ago

I'm worried that devs of an important security package such as polkit are unable to catch or avoid such basic errors!!! Note that in this case, security is increased by the error, since the package becomes unusable... Will look at upstream issues. This should be somewhere...

comment:6 by pierre, 5 weeks ago

The following sed could allow installing suid:

sed '/0,/s/^/#/' -i meson_post_install.py

in reply to: 3; comment:7 by pierre, 5 weeks ago

Replying to Douglas R. Reno:

chmod -v 755 /usr/lib/polkit-1/polkit-agent-helper-1

chown polkitd /usr/share/polkit-1/rules.d

[ possibly ] chmod 700 /usr/share/polkit-1/rules.d

This part is correctly taken care of by the build system, up to the order of the calls as said above. Only the sed is needed.

comment:8 by Douglas R. Reno, 5 weeks ago

Summary: polkit-0.120 (maybe currency issue) → polkit-0.120

Editing the title because that currency script issue has been taken care of

in reply to: 7; comment:9 by Douglas R. Reno, 5 weeks ago

Replying to pierre:

Replying to Douglas R. Reno:

chmod -v 755 /usr/lib/polkit-1/polkit-agent-helper-1

chown polkitd /usr/share/polkit-1/rules.d

[ possibly ] chmod 700 /usr/share/polkit-1/rules.d

This part is correctly taken care of by the build system, up to the order of the calls as said above. Only the sed is needed.

Thank you again for all of your help on this!

comment:10 by Douglas R. Reno, 5 weeks ago

Resolution: fixed
Status: assigned → closed