--- policykit-0.9.orig/debian/control +++ policykit-0.9/debian/control 
@@ -0,0 +1,100 @@ +Source: policykit +Section: admin +Priority: optional +Maintainer: Ubuntu Core Developers +XSBC-Original-Maintainer: Utopia Maintenance Team +Uploaders: Michael Biebl +Build-Depends: cdbs, debhelper (>= 5), autotools-dev, pkg-config, libglib2.0-dev (>= 2.6.0), libdbus-1-dev (>= 1.0), libdbus-glib-1-dev (>= 0.73), libexpat1-dev, libpam0g-dev, libselinux1-dev [!hurd-i386 !kfreebsd-i386 !kfreebsd-amd64], gtk-doc-tools, xsltproc +Standards-Version: 3.8.0 +Vcs-Svn: svn://svn.debian.org/svn/pkg-utopia/packages/unstable/policykit +Vcs-Browser: http://svn.debian.org/wsvn/pkg-utopia/packages/unstable/policykit +Homepage: http://hal.freedesktop.org/docs/PolicyKit/ + +Package: policykit +Architecture: any +Depends: ${shlibs:Depends}, ${misc:Depends}, adduser, consolekit, dbus +Suggests: policykit-gnome +Description: framework for managing administrative policies and privileges + PolicyKit is an application-level toolkit for defining and handling the policy + that allows unprivileged processes to speak to privileged processes. + . + It is a framework for centralizing the decision making process with respect to + granting access to privileged operations (like calling the HAL Mount() method) + for unprivileged (desktop) applications. + +Package: policykit-doc +Architecture: all +Section: doc +Depends: ${misc:Depends} +Suggests: devhelp +Description: documentation for PolicyKit + PolicyKit is a toolkit for defining and handling the policy that + allows unprivileged processes to speak to privileged processes. + . + This package contains the API documentation of PolicyKit. + +Package: libpolkit2 +Architecture: any +Section: libs +Depends: ${shlibs:Depends}, ${misc:Depends} +Description: library for accessing PolicyKit + PolicyKit is a toolkit for defining and handling the policy that + allows unprivileged processes to speak to privileged processes. + . + This package contains a library for querying system-wide policy. 
+ +Package: libpolkit-dev +Architecture: any +Section: libdevel +Depends: libpolkit2 (= ${binary:Version}), ${misc:Depends}, libglib2.0-dev +Description: library for accessing PolicyKit - development files + PolicyKit is a toolkit for defining and handling the policy that + allows unprivileged processes to speak to privileged processes. + . + This package contains the development files for the library found in + libpolkit2. + +Package: libpolkit-dbus2 +Architecture: any +Section: libs +Depends: ${shlibs:Depends}, ${misc:Depends} +Description: library for accessing PolicyKit via D-Bus + PolicyKit is a toolkit for defining and handling the policy that + allows unprivileged processes to speak to privileged processes. + . + This package contains a helper library for obtaining seat, session + and caller information via D-Bus and ConsoleKit. + +Package: libpolkit-dbus-dev +Architecture: any +Section: libdevel +Depends: libpolkit-dbus2 (= ${binary:Version}), ${misc:Depends}, libpolkit-dev, libdbus-1-dev +Description: library for accessing PolicyKit via D-Bus - development files + PolicyKit is a toolkit for defining and handling the policy that + allows unprivileged processes to speak to privileged processes. + Helper library for obtaining seat, session and caller information via D-Bus + and ConsoleKit. + . + This package contains the development files for the library found in + libpolkit-dbus2. + +Package: libpolkit-grant2 +Architecture: any +Section: libs +Depends: ${shlibs:Depends}, ${misc:Depends} +Description: library for obtaining privileges via PolicyKit + PolicyKit is a toolkit for defining and handling the policy that + allows unprivileged processes to speak to privileged processes. + . + This package contains a library for obtaining privileges via PolicyKit. 
+ +Package: libpolkit-grant-dev +Architecture: any +Section: libdevel +Depends: libpolkit-grant2 (= ${binary:Version}), ${misc:Depends}, libpolkit-dev, libglib2.0-dev +Description: library for obtaining privileges via PolicyKit - development files + PolicyKit is a toolkit for defining and handling the policy that + allows unprivileged processes to speak to privileged processes. + . + This package contains the development files for the library found in + libpolkit-grant2. --- policykit-0.9.orig/debian/changelog +++ policykit-0.9/debian/changelog 
@@ -0,0 +1,297 @@ +policykit (0.9-2ubuntu1) jaunty; urgency=low + + * Merge from debian unstable, remaining changes: LP: #314985 + - debian/patches/ubuntu-admin-group.patch: Change PolicyKit.conf to use + 'admin' as administrator group, instead of the 'root' user. Also + grant all permissions to root, since root is not in the admin group and + is already almighty anyway. This unbreaks running tools like g-s-t as + root. + - debian/policykit.init: Create /var/run/PolicyKit if it does not exist. + This happens if /var/run is on a tmpfs. Install it in debian/rules. + - debian/control: Drop policykit-gnome from Recommends: to Suggests: to + match the Suggests semantics and to avoid pulling in -gnome in + non-GNOMEish installations. + - 02_noptrace.patch.disabled: Disable ptrace() and core dumping for + programs using libpolkit for security reasons; not enabled during + development. + - Add debian/patches/03_consolekit0.3-api.patch: Try both the ConsoleKit 0.3 + and the older 0.2 API, to work with either. + - Don't chown /var/run/PolicyKit in the postinst, as /var/run is on a tmpfs, + and it should be the job of the init script to do this. + - Use root:polkituser for /var/run/PolicyKit in the init script, as this + is what the postinst uses. Thanks to Chris Coulson for spotting this. + - Don't ship /var/run/PolicyKit in the package either, since the init + script should always handle it per the above. + + -- Bhavani Shankar Thu, 08 Jan 2009 12:48:00 +0530 + +policykit (0.9-2) unstable; urgency=high + + [ Simon McVittie ] + * Add patch committed in Fedora (although not upstream) by the upstream + maintainer, to allow PolicyKit to be used when CVE-2008-4311 has + been fixed in dbus-daemon. (Closes: #510646) + + [ Michael Biebl ] + * debian/control + - Add ${misc:Depends} to all binary packages. 
+ + -- Michael Biebl Wed, 07 Jan 2009 18:18:56 +0100 + +policykit (0.9-1ubuntu3) intrepid; urgency=low + + [ James Westby ] + * Don't chown /var/run/PolicyKit in the postinst, as /var/run is on a tmpfs, + and it should be the job of the init script to do this. (LP: #275355) + * Use root:polkituser for /var/run/PolicyKit in the init script, as this + is what the postinst uses. Thanks to Chris Coulson for spotting this. + + [ Steve Langasek ] + * Don't ship /var/run/PolicyKit in the package either, since the init + script should always handle it per the above. + + -- Steve Langasek Wed, 08 Oct 2008 06:42:17 +0000 + +policykit (0.9-1ubuntu2) intrepid; urgency=low + + * Add debian/patches/03_consolekit0.3-api.patch: Try both the ConsoleKit 0.3 + and the older 0.2 API, to work with either. (LP: #273711) + + -- Martin Pitt Wed, 24 Sep 2008 13:41:28 +0200 + +policykit (0.9-1ubuntu1) intrepid; urgency=low + + * Merge from debian unstable. Remaining Ubuntu changes: + - debian/patches/ubuntu-admin-group.patch: Change PolicyKit.conf to use + 'admin' as administrator group, instead of the 'root' user. Also + grant all permissions to root, since root is not in the admin group and + is already almighty anyway. This unbreaks running tools like g-s-t as + root. + - debian/policykit.init: Create /var/run/PolicyKit if it does not exist. + This happens if /var/run is on a tmpfs. Install it in debian/rules. + - debian/control: Drop policykit-gnome from Recommends: to Suggests: to + match the Suggests semantics and to avoid pulling in -gnome in + non-GNOMEish installations. + - 02_noptrace.patch.disabled: Disable ptrace() and core dumping for + programs using libpolkit for security reasons; not enabled during + development. + + -- Martin Pitt Wed, 06 Aug 2008 09:59:16 +0200 + +policykit (0.9-1) unstable; urgency=low + + * New upstream release. + * debian/control + - Bump Standards-Version to 3.8.0. No further changes. 
+ + -- Michael Biebl Sun, 03 Aug 2008 10:53:11 +0200 + +policykit (0.8-2) unstable; urgency=low + + * Add symbols files for libpolkit2, libpolkit-grant2 and libpolkit-dbus2. + * debian/policykit.postinst + - Set correct permissions for all files. (Closes: #482064) + - Define a small helper function to apply the permissions. This makes it + more concise and readable. + + -- Michael Biebl Fri, 23 May 2008 04:33:48 +0200 + +policykit (0.8-1ubuntu2) intrepid; urgency=low + + * Changed policykit Recommends policykit-gnome to a Suggests to + which causes packages like landscape-client to install a lot of + unneeded packages (LP: #250619) + + -- Michael Casadevall Tue, 22 Jul 2008 05:34:34 +0000 + +policykit (0.8-1ubuntu1) intrepid; urgency=low + + * Merge from debian unstable (LP: #232227), remaining changes: + - debian/patches/ubuntu-admin-group.patch: Change PolicyKit.conf to use + 'admin' as administrator group, instead of the 'root' user. Also + grant all permissions to root, since root is not in the admin group and + is already almighty anyway. This unbreaks running tools like g-s-t as + root. + - debian/policykit.init: Create /var/run/PolicyKit if it does not exist. + This happens if /var/run is on a tmpfs. Install it in debian/rules. + - Add Breaks: policykit (<< 0.7) to libpolkit2. + - debian/policykit.postinst: Drop the dpkg-statoverride and chown + operations for /var/run/PolicyKit. /var/run is a tmpfs and thus + volatile, stat overrides do not make sense on it, and it's the init + script's job to properly set up the directory. + * Disable debian/patches/02_noptrace.patch for now, since it prevents us + from collecting crash reports for gnome-panel and other PK-using + applications. This will be re-enabled again just before the intrepid + release. + * Drop debian/patches/03_readdir_filetype_unknown.patch as it is + now fixed upstream. + * Drop debian/patches/10_format-string-security.patch as it is now + fixed upstream. 
+ * debian/policykit.postinst: change the permissions applied to some + files to match what is now required upstream: + - /var/lib/PolicyKit - Now owned by polkituser:polkituser and mode 770 + - /var/lib/PolicyKit-public - Now owned by polkituser and mode 755 + - /var/lib/misc/PolicyKit.reload - Now owned by polkituser and mode 755 + - /usr/lib/policykit/polkit-set-default-helper - Now owned by polkituser + and mode 4755. + - /usr/lib/policykit/polkit-resolve-exe-helper - Now in group polkituser + and mode 4755 + + -- James Westby Tue, 13 May 2008 10:29:24 +0100 + +policykit (0.8-1) unstable; urgency=medium + + * New upstream release. + - SECURITY - CVE-2008-1658: + Fixes format string vulnerability in the grant helper. (Closes: #476615) + * debian/control + - Add Build-Depends on pkg-config. + + -- Michael Biebl Fri, 18 Apr 2008 01:39:08 +0200 + +policykit (0.7-2ubuntu7) hardy; urgency=low + + * Re-enable 02_noptrace.patch again for the final release, where security + matters more than getting core dumps (apport is disabled by default in the + final release anyway). (LP: #207151) + + -- Martin Pitt Wed, 16 Apr 2008 12:48:03 +0200 + +policykit (0.7-2ubuntu6) hardy; urgency=low + + * Add 10_format-string-security.patch: fix format strings (LP: #205037). + + -- Kees Cook Mon, 31 Mar 2008 16:06:38 -0700 + +policykit (0.7-2ubuntu5) hardy; urgency=low + + * debian/policykit.postinst: Drop the dpkg-statoverride and chown operations + for /var/run/PolicyKit. /var/run is a tmpfs and thus volatile, stat + overrides do not make sense on it, and it's the init script's job to + properly set up the directory. (LP: #193533) + * debian/policykit.init: Make setup of /var/run/PolicyKit more robust. + * Disable debian/patches/02_noptrace.patch for now, since it prevents us + from collecting crash reports for gnome-panel and other PK-using + applications. This will be re-enabled again just before the hardy release. 
+ (LP: #202314) + + -- Martin Pitt Wed, 26 Mar 2008 16:05:58 +0100 + +policykit (0.7-2ubuntu4) hardy; urgency=low + + * debian/patches/ubuntu-admin-group.patch: Grant all permissions to root, + since root is not in the admin group and is already almighty anyway. This + unbreaks running tools like g-s-t as root. Thanks to Colin Watson for this + idea. (LP: #188650) + + -- Martin Pitt Mon, 04 Feb 2008 09:17:59 +0100 + +policykit (0.7-2ubuntu3) hardy; urgency=low + + * Add Breaks: policykit (<< 0.7) to libpolkit2. + + -- Martin Pitt Mon, 28 Jan 2008 14:56:45 +0100 + +policykit (0.7-2ubuntu2) hardy; urgency=low + + * Add Breaks: policykit-gnome (<< 0.7). (LP: #183673) + + -- Martin Pitt Thu, 17 Jan 2008 23:13:29 +0100 + +policykit (0.7-2ubuntu1) hardy; urgency=low + + * Merge with Debian unstable. Remaining Ubuntu changes: + - debian/patches/ubuntu-admin-group.patch: Change PolicyKit.conf to use + 'admin' as administrator group, instead of the 'root' user. + - debian/policykit.init: Create /var/run/PolicyKit if it does not exist. + This happens if /var/run is on a tmpfs. Install it in debian/rules. + - debian/patches/02_noptrace.patch: Disable ptrace() for + polkit-gnome-manager, to make it harder to silently abuse gained PK + privileges. (See policykit-integration spec). Forwarded to FD#13742. + * Add debian/patches/03_readdir_filetype_unknown.patch: + - Fall back to stat() if readdir() cannot determine the type of an entry + (this happens for some file systems). + - Forwarded to FD #14082 + + -- Martin Pitt Tue, 15 Jan 2008 23:29:43 +0100 + +policykit (0.7-2) unstable; urgency=low + + * Upload to unstable. + + -- Michael Biebl Fri, 11 Jan 2008 01:02:59 +0100 + +policykit (0.7-1) experimental; urgency=low + + * New upstream release. (Closes: #455874) + * debian/control + - Bump Standards-Version to 3.7.3. No further changes required. + - Add Build-Depends on libdbus-glib-1-dev (>= 0.73). + - Change Homepage URL to http://hal.freedesktop.org/docs/PolicyKit/. 
+ (Closes: #446504) + - Improve package description. (Closes: #446554) + * debian/copyright + - All code is now licensed under the MIT/X11 license. Update the copyright + notice accordingly. + * debian/policykit.dirs + - Add the directory /var/lib/PolicyKit-public. + * debian/policykit.install + - Install the D-Bus config and service files for the PolicyKit system + service. + - Install /var/lib/misc/PolicyKit.reload. + * debian/rules + - Fix the permissions of /var/lib/misc/PolicyKit.reload. + * debian/policykit.postinst + - Use dpkg-statoverride to check for local modifications before setting + the SUID/SGID bits. + + -- Michael Biebl Thu, 20 Dec 2007 18:01:38 +0100 + +policykit (0.6-1ubuntu3) hardy; urgency=low + + * Add debian/patches/02_noptrace.patch: Disable ptrace() for + polkit-gnome-manager, to make it harder to silently abuse gained PK + privileges. + (See https://wiki.ubuntu.com/DesktopTeam/Specs/PolicyKitIntegration) + Forwarded to FD #13742. + + -- Martin Pitt Thu, 20 Dec 2007 01:16:47 +0100 + +policykit (0.6-1ubuntu2) hardy; urgency=low + + * Add debian/policykit.init: Create /var/run/PolicyKit if it does not exist. + This happens if /var/run is on a tmpfs. + * debian/rules: Install init script. + + -- Martin Pitt Tue, 20 Nov 2007 21:42:46 +0100 + +policykit (0.6-1ubuntu1) hardy; urgency=low + + * Add debian/patches/ubuntu-admin-group.patch: + - Change PolicyKit.conf to use 'admin' as administrator group, instead of + the 'root' user. + * Modify Maintainer value to match the DebianMaintainerField + specification. + + -- Martin Pitt Tue, 20 Nov 2007 15:18:39 +0100 + +policykit (0.6-1) experimental; urgency=low + + * New upstream release. + * debian/control + - Use new "Homepage:" field to specify the upstream URL. + - The Vcs-* fields are now officially supported, so remove the XS- prefix. + - Add a Recommends: policykit-gnome to the policykit package. 
+ - Enable SELinux support by adding a Build-Depends on libselinux1-dev for + all supported platforms. + * debian/policykit.postinst + - Install polkit-grant-helper-pam with the correct permissions. + + -- Michael Biebl Sat, 03 Nov 2007 00:02:33 +0100 + +policykit (0.5-1) experimental; urgency=low + + * Initial release. (Closes: #397087) + + -- Michael Biebl Tue, 02 Oct 2007 22:38:04 +0200 + --- policykit-0.9.orig/debian/policykit.postinst +++ policykit-0.9/debian/policykit.postinst 
@@ -0,0 +1,71 @@ +#!/bin/sh +# postinst script for policykit +# +# see: dh_installdeb(1) + +set -e + +# summary of how this script can be called: +# * `configure' +# * `abort-upgrade' +# * `abort-remove' `in-favour' +# +# * `abort-remove' +# * `abort-deconfigure' `in-favour' +# `removing' +# +# for details, see http://www.debian.org/doc/debian-policy/ or +# the debian-policy package + +set_perms() { + USER=$1 + GROUP=$2 + MODE=$3 + FILE=$4 + if ! dpkg-statoverride --list $FILE > /dev/null 2>&1; then + chown $USER:$GROUP $FILE + chmod $MODE $FILE + fi +} + +case "$1" in + configure) + adduser --system \ + --quiet \ + --disabled-password \ + --home /var/run/PolicyKit \ + --no-create-home \ + --gecos "PolicyKit" \ + --group polkituser + + libexec=/usr/lib/policykit + set_perms root polkituser 770 /var/lib/PolicyKit + set_perms polkituser root 755 /var/lib/PolicyKit-public + set_perms polkituser polkituser 664 /var/lib/misc/PolicyKit.reload + set_perms root polkituser 2755 $libexec/polkit-read-auth-helper + set_perms root polkituser 2755 $libexec/polkit-revoke-helper + set_perms root polkituser 2755 $libexec/polkit-grant-helper + set_perms root polkituser 2755 $libexec/polkit-explicit-grant-helper + set_perms polkituser root 4755 $libexec/polkit-set-default-helper + set_perms root root 4755 $libexec/polkit-resolve-exe-helper + set_perms root polkituser 4754 $libexec/polkit-grant-helper-pam + + ;; + + abort-upgrade|abort-remove|abort-deconfigure) + ;; + + *) + echo "postinst called with unknown argument \`$1'" >&2 + exit 1 + ;; +esac + +# dh_installdeb will replace this with shell code automatically +# generated by other debhelper scripts. + +#DEBHELPER# + +exit 0 + + --- policykit-0.9.orig/debian/libpolkit-grant2.symbols +++ policykit-0.9/debian/libpolkit-grant2.symbols 
@@ -0,0 +1,16 @@ +libpolkit-grant.so.2 libpolkit-grant2 #MINVER# + _polkit_authorization_db_auth_file_add@Base 0.7 + polkit_authorization_db_add_entry_always@Base 0.7 + polkit_authorization_db_add_entry_process@Base 0.7 + polkit_authorization_db_add_entry_process_one_shot@Base 0.7 + polkit_authorization_db_add_entry_session@Base 0.7 + polkit_authorization_db_grant_negative_to_uid@Base 0.7 + polkit_authorization_db_grant_to_uid@Base 0.7 + polkit_grant_cancel_auth@Base 0.7 + polkit_grant_child_func@Base 0.7 + polkit_grant_initiate_auth@Base 0.7 + polkit_grant_io_func@Base 0.7 + polkit_grant_new@Base 0.7 + polkit_grant_ref@Base 0.7 + polkit_grant_set_functions@Base 0.7 + polkit_grant_unref@Base 0.7 --- policykit-0.9.orig/debian/rules +++ policykit-0.9/debian/rules @@ -0,0 +1,14 @@ +#!/usr/bin/make -f +# -*- makefile -*- + +include /usr/share/cdbs/1/class/autotools.mk +include /usr/share/cdbs/1/rules/debhelper.mk +include /usr/share/cdbs/1/rules/simple-patchsys.mk +include /usr/share/cdbs/1/rules/utils.mk + +DEB_CONFIGURE_EXTRA_FLAGS := --enable-gtk-doc \ + --enable-man-pages + +DEB_DH_INSTALLINIT_ARGS := -r -- start 01 2 3 4 5 . stop 99 1 . +binary-install/policykit:: + chmod -x debian/policykit/var/lib/misc/PolicyKit.reload --- policykit-0.9.orig/debian/libpolkit-dbus-dev.install +++ policykit-0.9/debian/libpolkit-dbus-dev.install @@ -0,0 +1,3 @@ +debian/tmp/usr/lib/libpolkit-dbus.{so,a} +debian/tmp/usr/lib/pkgconfig/polkit-dbus.pc +debian/tmp/usr/include/PolicyKit/polkit-dbus/ --- policykit-0.9.orig/debian/libpolkit-grant-dev.install +++ policykit-0.9/debian/libpolkit-grant-dev.install @@ -0,0 +1,3 @@ +debian/tmp/usr/lib/libpolkit-grant.{so,a} +debian/tmp/usr/lib/pkgconfig/polkit-grant.pc +debian/tmp/usr/include/PolicyKit/polkit-grant/ --- policykit-0.9.orig/debian/libpolkit-dbus2.symbols +++ policykit-0.9/debian/libpolkit-dbus2.symbols 
@@ -0,0 +1,21 @@ +libpolkit-dbus.so.2 libpolkit-dbus2 #MINVER# + polkit_auth_obtain@Base 0.7 + polkit_caller_new_from_dbus_name@Base 0.7 + polkit_caller_new_from_pid@Base 0.7 + polkit_check_auth@Base 0.7 + polkit_check_authv@Base 0.7 + polkit_dbus_error_generate@Base 0.8 + polkit_dbus_error_parse@Base 0.8 + polkit_dbus_error_parse_from_strings@Base 0.8 + polkit_is_authorization_relevant@Base 0.7 + polkit_session_new_from_cookie@Base 0.7 + polkit_session_new_from_objpath@Base 0.7 + polkit_tracker_dbus_func@Base 0.7 + polkit_tracker_get_caller_from_dbus_name@Base 0.7 + polkit_tracker_get_caller_from_pid@Base 0.7 + polkit_tracker_init@Base 0.7 + polkit_tracker_is_authorization_relevant@Base 0.7 + polkit_tracker_new@Base 0.7 + polkit_tracker_ref@Base 0.7 + polkit_tracker_set_system_bus_connection@Base 0.7 + polkit_tracker_unref@Base 0.7 --- policykit-0.9.orig/debian/watch +++ policykit-0.9/debian/watch @@ -0,0 +1,3 @@ +version=3 + +http://hal.freedesktop.org/releases/PolicyKit-(.*)\.tar\.gz --- policykit-0.9.orig/debian/policykit.install +++ policykit-0.9/debian/policykit.install @@ -0,0 +1,9 @@ +debian/tmp/etc/pam.d/ +debian/tmp/etc/dbus-1/ +debian/tmp/etc/PolicyKit/ +debian/tmp/usr/bin/* +debian/tmp/usr/lib/policykit/* +debian/tmp/usr/share/man/ +debian/tmp/usr/share/PolicyKit/ +debian/tmp/usr/share/dbus-1/ +debian/tmp/var/lib/misc/PolicyKit.reload --- policykit-0.9.orig/debian/libpolkit-dev.install +++ policykit-0.9/debian/libpolkit-dev.install @@ -0,0 +1,3 @@ +debian/tmp/usr/lib/libpolkit.{so,a} +debian/tmp/usr/lib/pkgconfig/polkit.pc +debian/tmp/usr/include/PolicyKit/polkit/ --- policykit-0.9.orig/debian/copyright +++ policykit-0.9/debian/copyright 
@@ -0,0 +1,66 @@ +This package was debianized by Michael Biebl on +Sun, 02 Sep 2007 06:04:06 +0200. + +It was downloaded from http://hal.freedesktop.org/releases/ + +Upstream Author: + + David Zeuthen + +Copyright: + + Copyright (C) 2007 David Zeuthen + +License: + +The PolicyKit source code is licensed under the MIT/X11 license. The +license is included below. + + -- BEGIN MIT/X11 License --- + + Permission is hereby granted, free of charge, to any person + obtaining a copy of this software and associated + documentation files (the "Software"), to deal in the + Software without restriction, including without limitation + the rights to use, copy, modify, merge, publish, distribute, + sublicense, and/or sell copies of the Software, and to + permit persons to whom the Software is furnished to do so, + subject to the following conditions: + + The above copyright notice and this permission notice shall + be included in all copies or substantial portions of the + Software. + + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY + KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE + WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR + PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS + BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR + OTHER DEALINGS IN THE SOFTWARE. + + -- END MIT/X11 License --- + +=============================================================================== + +The API documentation in the doc/ subdirectory is licensed under the GFDL. + + Permission is granted to copy, distribute and/or modify this document under + the terms of the GNU Free Documentation License, Version 1.1 or any later + version published by the Free Software Foundation with no Invariant Sections, + no Front-Cover Texts, and no Back-Cover Texts. 
You may obtain a copy of the + GNU Free Documentation License from the Free Software Foundation by visiting + their Web site or by writing to: + + Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, + MA 02110-1301, USA. + +On Debian systems, the complete text of the GNU Free Documentation +License can be found in `/usr/share/common-licenses/GFDL'. + +=============================================================================== + +The Debian packaging is (C) 2007, Michael Biebl and +is licensed under the GPL, see `/usr/share/common-licenses/GPL'. + --- policykit-0.9.orig/debian/policykit-doc.install +++ policykit-0.9/debian/policykit-doc.install @@ -0,0 +1,2 @@ +debian/tmp/usr/share/gtk-doc/html/polkit/* /usr/share/doc/policykit-doc/html/ + --- policykit-0.9.orig/debian/policykit.init +++ policykit-0.9/debian/policykit.init @@ -0,0 +1,29 @@ +#! /bin/sh +### BEGIN INIT INFO +# Provides: policykit +# Required-Start: $local_fs +# Required-Stop: $local_fs +# Default-Start: 2 3 4 5 +# Default-Stop: +# Short-Description: Create PolicyKit runtime directories +# Description: Create directories which PolicyKit needs at runtime, +# such as /var/run/PolicyKit +### END INIT INFO + +# Author: Martin Pitt + +case "$1" in + start) + mkdir -p /var/run/PolicyKit + chown root:polkituser /var/run/PolicyKit + chmod 770 /var/run/PolicyKit + ;; + stop|restart|force-reload) + ;; + *) + echo "Usage: $SCRIPTNAME {start|stop|restart|force-reload}" >&2 + exit 3 + ;; +esac + +: --- policykit-0.9.orig/debian/libpolkit2.symbols +++ policykit-0.9/debian/libpolkit2.symbols 
@@ -0,0 +1,169 @@ +libpolkit.so.2 libpolkit2 #MINVER# + _pk_validate_unique_bus_name@Base 0.7 + polkit_action_debug@Base 0.7 + polkit_action_equal@Base 0.8 + polkit_action_get_action_id@Base 0.7 + polkit_action_new@Base 0.7 + polkit_action_new_from_string_representation@Base 0.8 + polkit_action_ref@Base 0.7 + polkit_action_set_action_id@Base 0.7 + polkit_action_to_string_representation@Base 0.8 + polkit_action_unref@Base 0.7 + polkit_action_validate@Base 0.7 + polkit_action_validate_id@Base 0.7 + polkit_authorization_constraint_check_caller@Base 0.7 + polkit_authorization_constraint_check_session@Base 0.7 + polkit_authorization_constraint_debug@Base 0.7 + polkit_authorization_constraint_equal@Base 0.7 + polkit_authorization_constraint_from_string@Base 0.7 + polkit_authorization_constraint_get_exe@Base 0.8 + polkit_authorization_constraint_get_from_caller@Base 0.7 + polkit_authorization_constraint_get_require_active@Base 0.7 + polkit_authorization_constraint_get_require_exe@Base 0.8 + polkit_authorization_constraint_get_require_local@Base 0.7 + polkit_authorization_constraint_get_require_selinux_context@Base 0.8 + polkit_authorization_constraint_get_selinux_context@Base 0.8 + polkit_authorization_constraint_ref@Base 0.7 + polkit_authorization_constraint_to_string@Base 0.7 + polkit_authorization_constraint_type@Base 0.7 + polkit_authorization_constraint_unref@Base 0.7 + polkit_authorization_constraint_validate@Base 0.7 + polkit_authorization_constraints_foreach@Base 0.7 + polkit_authorization_db_debug@Base 0.7 + polkit_authorization_db_foreach@Base 0.7 + polkit_authorization_db_foreach_for_action@Base 0.7 + polkit_authorization_db_foreach_for_action_for_uid@Base 0.7 + polkit_authorization_db_foreach_for_uid@Base 0.7 + polkit_authorization_db_get_capabilities@Base 0.7 + polkit_authorization_db_is_caller_authorized@Base 0.7 + polkit_authorization_db_is_session_authorized@Base 0.7 + polkit_authorization_db_is_uid_blocked_by_self@Base 0.7 + 
polkit_authorization_db_ref@Base 0.7 + polkit_authorization_db_revoke_entry@Base 0.7 + polkit_authorization_db_unref@Base 0.7 + polkit_authorization_db_validate@Base 0.7 + polkit_authorization_debug@Base 0.7 + polkit_authorization_get_action_id@Base 0.7 + polkit_authorization_get_scope@Base 0.7 + polkit_authorization_get_time_of_grant@Base 0.7 + polkit_authorization_get_uid@Base 0.7 + polkit_authorization_ref@Base 0.7 + polkit_authorization_scope_process_get_pid@Base 0.7 + polkit_authorization_scope_session_get_ck_objref@Base 0.7 + polkit_authorization_type@Base 0.7 + polkit_authorization_unref@Base 0.7 + polkit_authorization_validate@Base 0.7 + polkit_authorization_was_granted_explicitly@Base 0.7 + polkit_authorization_was_granted_via_defaults@Base 0.7 + polkit_caller_debug@Base 0.7 + polkit_caller_get_ck_session@Base 0.7 + polkit_caller_get_dbus_name@Base 0.7 + polkit_caller_get_pid@Base 0.7 + polkit_caller_get_selinux_context@Base 0.7 + polkit_caller_get_uid@Base 0.7 + polkit_caller_new@Base 0.7 + polkit_caller_ref@Base 0.7 + polkit_caller_set_ck_session@Base 0.7 + polkit_caller_set_dbus_name@Base 0.7 + polkit_caller_set_pid@Base 0.7 + polkit_caller_set_selinux_context@Base 0.7 + polkit_caller_set_uid@Base 0.7 + polkit_caller_unref@Base 0.7 + polkit_caller_validate@Base 0.7 + polkit_config_can_caller_do_action@Base 0.7 + polkit_config_can_session_do_action@Base 0.7 + polkit_config_determine_admin_auth_type@Base 0.7 + polkit_config_new@Base 0.7 + polkit_config_ref@Base 0.7 + polkit_config_unref@Base 0.7 + polkit_context_can_caller_do_action@Base 0.7 + polkit_context_can_session_do_action@Base 0.7 + polkit_context_force_reload@Base 0.7 + polkit_context_get_authorization_db@Base 0.7 + polkit_context_get_config@Base 0.7 + polkit_context_get_policy_cache@Base 0.7 + polkit_context_init@Base 0.7 + polkit_context_io_func@Base 0.7 + polkit_context_is_caller_authorized@Base 0.7 + polkit_context_is_session_authorized@Base 0.7 + polkit_context_new@Base 0.7 + 
polkit_context_ref@Base 0.7 + polkit_context_set_config_changed@Base 0.7 + polkit_context_set_io_watch_functions@Base 0.7 + polkit_context_set_load_descriptions@Base 0.7 + polkit_context_unref@Base 0.7 + polkit_debug@Base 0.8 + polkit_error_free@Base 0.7 + polkit_error_get_error_code@Base 0.7 + polkit_error_get_error_message@Base 0.7 + polkit_error_get_error_name@Base 0.7 + polkit_error_is_set@Base 0.7 + polkit_error_set_error@Base 0.7 + polkit_policy_cache_debug@Base 0.7 + polkit_policy_cache_foreach@Base 0.7 + polkit_policy_cache_get_entry@Base 0.7 + polkit_policy_cache_get_entry_by_annotation@Base 0.7 + polkit_policy_cache_get_entry_by_id@Base 0.7 + polkit_policy_cache_ref@Base 0.7 + polkit_policy_cache_unref@Base 0.7 + polkit_policy_default_can_caller_do_action@Base 0.7 + polkit_policy_default_can_session_do_action@Base 0.7 + polkit_policy_default_clone@Base 0.7 + polkit_policy_default_debug@Base 0.7 + polkit_policy_default_equals@Base 0.7 + polkit_policy_default_get_allow_active@Base 0.7 + polkit_policy_default_get_allow_any@Base 0.7 + polkit_policy_default_get_allow_inactive@Base 0.7 + polkit_policy_default_new@Base 0.7 + polkit_policy_default_ref@Base 0.7 + polkit_policy_default_set_allow_active@Base 0.7 + polkit_policy_default_set_allow_any@Base 0.7 + polkit_policy_default_set_allow_inactive@Base 0.7 + polkit_policy_default_unref@Base 0.7 + polkit_policy_file_entry_annotations_foreach@Base 0.7 + polkit_policy_file_entry_debug@Base 0.7 + polkit_policy_file_entry_foreach@Base 0.7 + polkit_policy_file_entry_get_action_description@Base 0.7 + polkit_policy_file_entry_get_action_icon_name@Base 0.7 + polkit_policy_file_entry_get_action_message@Base 0.7 + polkit_policy_file_entry_get_action_vendor@Base 0.7 + polkit_policy_file_entry_get_action_vendor_url@Base 0.7 + polkit_policy_file_entry_get_annotation@Base 0.7 + polkit_policy_file_entry_get_default@Base 0.7 + polkit_policy_file_entry_get_default_factory@Base 0.7 + polkit_policy_file_entry_get_id@Base 0.7 + 
polkit_policy_file_entry_ref@Base 0.7 + polkit_policy_file_entry_set_default@Base 0.7 + polkit_policy_file_entry_unref@Base 0.7 + polkit_policy_file_new@Base 0.7 + polkit_policy_file_ref@Base 0.7 + polkit_policy_file_unref@Base 0.7 + polkit_result_from_string_representation@Base 0.7 + polkit_result_to_string_representation@Base 0.7 + polkit_seat_debug@Base 0.7 + polkit_seat_get_ck_objref@Base 0.7 + polkit_seat_new@Base 0.7 + polkit_seat_ref@Base 0.7 + polkit_seat_set_ck_objref@Base 0.7 + polkit_seat_unref@Base 0.7 + polkit_seat_validate@Base 0.7 + polkit_session_debug@Base 0.7 + polkit_session_get_ck_is_active@Base 0.7 + polkit_session_get_ck_is_local@Base 0.7 + polkit_session_get_ck_objref@Base 0.7 + polkit_session_get_ck_remote_host@Base 0.7 + polkit_session_get_seat@Base 0.7 + polkit_session_get_uid@Base 0.7 + polkit_session_new@Base 0.7 + polkit_session_ref@Base 0.7 + polkit_session_set_ck_is_active@Base 0.7 + polkit_session_set_ck_is_local@Base 0.7 + polkit_session_set_ck_objref@Base 0.7 + polkit_session_set_ck_remote_host@Base 0.7 + polkit_session_set_seat@Base 0.7 + polkit_session_set_uid@Base 0.7 + polkit_session_unref@Base 0.7 + polkit_session_validate@Base 0.7 + polkit_sysdeps_get_exe_for_pid@Base 0.7 + polkit_sysdeps_get_exe_for_pid_with_helper@Base 0.8 + polkit_sysdeps_get_start_time_for_pid@Base 0.7 --- policykit-0.9.orig/debian/policykit-doc.links +++ policykit-0.9/debian/policykit-doc.links @@ -0,0 +1 @@ +usr/share/doc/policykit-doc/html/ usr/share/gtk-doc/html/polkit --- policykit-0.9.orig/debian/compat +++ policykit-0.9/debian/compat @@ -0,0 +1 @@ +5 --- policykit-0.9.orig/debian/libpolkit-dbus2.install +++ policykit-0.9/debian/libpolkit-dbus2.install @@ -0,0 +1 @@ +debian/tmp/usr/lib/libpolkit-dbus.so.* --- policykit-0.9.orig/debian/libpolkit2.install +++ policykit-0.9/debian/libpolkit2.install @@ -0,0 +1 @@ +debian/tmp/usr/lib/libpolkit.so.* --- policykit-0.9.orig/debian/libpolkit-grant2.install +++ policykit-0.9/debian/libpolkit-grant2.install 
@@ -0,0 +1 @@ +debian/tmp/usr/lib/libpolkit-grant.so.* --- policykit-0.9.orig/debian/policykit.dirs +++ policykit-0.9/debian/policykit.dirs @@ -0,0 +1,2 @@ +var/lib/PolicyKit +var/lib/PolicyKit-public --- policykit-0.9.orig/debian/patches/02_dbus_policy.patch +++ policykit-0.9/debian/patches/02_dbus_policy.patch @@ -0,0 +1,12 @@ +--- PolicyKit-0.8.orig/polkitd/org.freedesktop.PolicyKit.conf.in 2008-12-08 10:55:12.000000000 -0500 ++++ PolicyKit-0.8/polkitd/org.freedesktop.PolicyKit.conf.in 2008-12-08 12:05:33.000000000 -0500 +@@ -8,4 +8,9 @@ + + + ++ ++ ++ ++ ++ + --- policykit-0.9.orig/debian/patches/03_consolekit0.3-api.patch +++ policykit-0.9/debian/patches/03_consolekit0.3-api.patch 
@@ -0,0 +1,86 @@ +# Description: Make PolicyKit work with ConsoleKit 0.3 API as well +# Ubuntu: https://bugs.launchpad.net/273711 +# Upstream: http://cvs.fedoraproject.org/viewvc/rpms/PolicyKit/devel/pk-ck-api-change.patch?view=markup +--- policykit-0.9/src/polkit-dbus/polkit-dbus.c 2008-05-30 23:24:44.000000000 +0200 ++++ policykit-0.9.new/src/polkit-dbus/polkit-dbus.c 2008-09-24 13:40:37.000000000 +0200 +@@ -214,11 +214,17 @@ + dbus_message_unref (reply); + goto out; + } ++ /* GetUnixUser API Changed in CK 0.3.0 */ + if (!dbus_message_get_args (reply, NULL, +- DBUS_TYPE_INT32, &uid, ++ DBUS_TYPE_UINT32, &uid, + DBUS_TYPE_INVALID)) { +- kit_warning ("Invalid GetUnixUser reply from CK"); +- goto out; ++ /* try the older API */ ++ if (!dbus_message_get_args (reply, NULL, ++ DBUS_TYPE_INT32, &uid, ++ DBUS_TYPE_INVALID)) { ++ kit_warning ("Invalid GetUnixUser reply from CK"); ++ goto out; ++ } + } + dbus_message_unref (message); + dbus_message_unref (reply); +@@ -1326,16 +1332,21 @@ + + dbus_error_init (&error); + seat_objpath = dbus_message_get_path (message); +- if (!dbus_message_get_args (message, &error, +- DBUS_TYPE_STRING, &session_objpath, ++ /* API fixed in CK 0.3 to match spec */ ++ if (!dbus_message_get_args (message, &error, ++ DBUS_TYPE_OBJECT_PATH, &session_objpath, + DBUS_TYPE_INVALID)) { ++ if (!dbus_message_get_args (message, &error, ++ DBUS_TYPE_STRING, &session_objpath, ++ DBUS_TYPE_INVALID)) { ++ ++ /* TODO: should be _pk_critical */ ++ kit_warning ("The SessionAdded signal on the org.freedesktop.ConsoleKit.Seat " ++ "interface for object %s has the wrong signature! " ++ "Your system is misconfigured.", seat_objpath); + +- /* TODO: should be _pk_critical */ +- kit_warning ("The SessionAdded signal on the org.freedesktop.ConsoleKit.Seat " +- "interface for object %s has the wrong signature! 
" +- "Your system is misconfigured.", seat_objpath); +- +- goto out; ++ goto out; ++ } + } + + /* TODO: add to sessions - see polkit_tracker_is_authorization_relevant() */ +@@ -1353,16 +1364,21 @@ + + dbus_error_init (&error); + seat_objpath = dbus_message_get_path (message); +- if (!dbus_message_get_args (message, &error, +- DBUS_TYPE_STRING, &session_objpath, ++ /* API fixed in CK 0.3 to match spec */ ++ if (!dbus_message_get_args (message, &error, ++ DBUS_TYPE_OBJECT_PATH, &session_objpath, + DBUS_TYPE_INVALID)) { ++ if (!dbus_message_get_args (message, &error, ++ DBUS_TYPE_STRING, &session_objpath, ++ DBUS_TYPE_INVALID)) { ++ ++ /* TODO: should be _pk_critical */ ++ kit_warning ("The SessionRemoved signal on the org.freedesktop.ConsoleKit.Seat " ++ "interface for object %s has the wrong signature! " ++ "Your system is misconfigured.", seat_objpath); + +- /* TODO: should be _pk_critical */ +- kit_warning ("The SessionRemoved signal on the org.freedesktop.ConsoleKit.Seat " +- "interface for object %s has the wrong signature! " +- "Your system is misconfigured.", seat_objpath); +- +- goto out; ++ goto out; ++ } + } + + _remove_caller_by_session (pk_tracker, session_objpath); --- policykit-0.9.orig/debian/patches/ubuntu-admin-group.patch +++ policykit-0.9/debian/patches/ubuntu-admin-group.patch @@ -0,0 +1,12 @@ +diff -Nur -x '*.orig' -x '*~' policykit-0.7/data/PolicyKit.conf.in policykit-0.7.new/data/PolicyKit.conf.in +--- policykit-0.7/data/PolicyKit.conf.in 2007-07-27 23:07:25.000000000 +0200 ++++ policykit-0.7.new/data/PolicyKit.conf.in 2008-02-04 09:17:39.000000000 +0100 +@@ -6,4 +6,8 @@ + + + ++ ++ ++ ++ + --- policykit-0.9.orig/debian/patches/02_noptrace.patch.disabled +++ policykit-0.9/debian/patches/02_noptrace.patch.disabled 
@@ -0,0 +1,29 @@ +# Description: Disable ptrace() and core dumping for programs using libpolkit +# Ubuntu: https://wiki.ubuntu.com/DesktopTeam/Specs/PolicyKitIntegration +# Upstream: https://bugs.freedesktop.org/show_bug.cgi?id=13742 + +--- policykit-0.7/src/polkit/polkit-policy-default.c 2007-11-28 22:22:52.000000000 +0100 ++++ policykit-0.7.new/src/polkit/polkit-policy-default.c 2007-12-31 18:14:45.000000000 +0100 +@@ -39,6 +39,7 @@ + #include + #include + #include ++#include + + #include "polkit-debug.h" + #include "polkit-error.h" +@@ -570,3 +571,14 @@ + }; + + #endif /* POLKIT_BUILD_TESTS */ ++ ++/** ++ * Library constructor: Disable ptrace() and core dumping for applications ++ * which use this library, so that local trojans cannot silently abuse PK ++ * privileges. (This is a just a bandaid, not a robust solution). ++ */ ++__attribute__ ((constructor)) ++void init() ++{ ++ /* prctl(PR_SET_DUMPABLE, 0); */ ++} --- policykit-0.9.orig/debian/patches/01_pam_polkit.patch +++ policykit-0.9/debian/patches/01_pam_polkit.patch @@ -0,0 +1,15 @@ +diff --git a/data/polkit.in b/data/polkit.in +index 142dadd..f923207 100644 +--- a/data/polkit.in ++++ b/data/polkit.in +@@ -1,6 +1,6 @@ + #%PAM-1.0 + +-auth include @PAM_FILE_INCLUDE_AUTH@ +-account include @PAM_FILE_INCLUDE_ACCOUNT@ +-password include @PAM_FILE_INCLUDE_PASSWORD@ +-session include @PAM_FILE_INCLUDE_SESSION@ ++@include common-auth ++@include common-account ++@include common-password ++@include common-session
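Review bot: in 03_consolekit0.3-api.patch, hunk @@ -214,11 +214,17 @@ of polkit-dbus.c, the DBUS_TYPE_INT32 fallback stores into the same uid that the DBUS_TYPE_UINT32 attempt uses, and nothing after it rejects a negative value from an older ConsoleKit's GetUnixUser reply. I would read the fallback into a separate dbus_int32_t, fail with the existing kit_warning if it is negative, and only then assign it to uid. Also check what out: releases: the inner failure path reaches goto out without the dbus_message_unref (message) / dbus_message_unref (reply) pair that the success path runs just below, while the failure path at the top of the hunk unrefs reply before its goto out.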
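Review bot: in 03_consolekit0.3-api.patch, SessionAdded hunk (@@ -1326,16 +1332,21 @@), the fallback dbus_message_get_args call passes the same &error that the failed DBUS_TYPE_OBJECT_PATH attempt has just set. libdbus expects a DBusError to be unset when it is passed in, and dbus_message_get_args returns FALSE on an already-set error when its argument checks are compiled in, so the DBUS_TYPE_STRING path would not succeed against an older ConsoleKit. Call dbus_error_free (&error) between the two attempts (it leaves the error reinitialised), or pass NULL to the first attempt as the GetUnixUser hunk does.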
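Review bot: in 03_consolekit0.3-api.patch, SessionRemoved hunk (@@ -1353,16 +1364,21 @@), a signal that matches neither signature takes goto out and skips _remove_caller_by_session (pk_tracker, session_objpath), so the tracker keeps callers for a session that has ended and the only trace is a kit_warning. The second dbus_message_get_args call here also reuses the already-set &error from the first, which makes that outcome more likely than intended; free the error between attempts. The block is a copy of the SessionAdded one apart from the signal name, so a small helper that takes the message and returns the session path would keep the two fallbacks from diverging.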
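Review bot: in 02_noptrace.patch.disabled, hunk @@ -570,3 +571,14 @@, the constructor is declared as a non-static void init(), which gives every program that links the library a global symbol with a very generic name; make it static and give it a polkit-specific name. Its only statement, prctl(PR_SET_DUMPABLE, 0), is commented out, so the doc comment describes protection the function does not provide: either enable the call and check its return value, or drop the constructor. The comment text "This is a just a bandaid" has a stray "a".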
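Review bot: 01_pam_polkit.patch carries no Description/Ubuntu/Upstream header, unlike 03_consolekit0.3-api.patch and 02_noptrace.patch.disabled, and its only hunk (@@ -1,6 +1,6 @@) replaces the @PAM_FILE_INCLUDE_*@ placeholders with fixed common-auth, common-account, common-password and common-session names. Please add a header that says why the names are hardcoded in data/polkit.in rather than supplied through those build-time substitutions, and whether the password and session stacks are needed for this service.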