Re: [gdm-list] Fixes for ConsoleKit and GDM 2.21 for Solaris
- From: Brian Cameron <Brian Cameron Sun COM>
- To: Brian Cameron <Brian Cameron Sun COM>
- Cc: gdm-list gnome org
- Subject: Re: [gdm-list] Fixes for ConsoleKit and GDM 2.21 for Solaris
- Date: Sat, 26 Jan 2008 09:59:11 -0600
Jon:
Here's an updated patch that works just as well as the previous
patch except it uses getuid () to get the current user when
checking against RBAC instead of looking up the "GDM User" via the
configuration. This is needed to avoid showing the Restart and
Shutdown buttons if the user doesn't have RBAC permissions to
perform the operation.
This is slightly different than the way things are done with
PolicyKit, but makes GDM 2.21 work the same as GDM 2.20 does
for shutdown/reboot on Solaris with RBAC.
The main difference with PolicyKit is that PolicyKit will ask
you for the root password and grant you the authority on the fly.
With RBAC you need to first configure RBAC for the shutdown/reboot
features to work. This is more in-line with the way the Solaris
security team wants things to work. They prefer to avoid asking
for passwords in GUI's, for example.
This avoids needing to make the simple-greeter know about the
settings, so the patch is less intrusive and looks better.
Otherwise same information as before.
Brian
gdm-rbac.diff:
Very similar to the ConsoleKit-02-RBAC.diff patch. It basically
fixes GDM so that polkit-gnome is an optional dependency and
instead you can specify the --enable-rbac-shutdown=<key> value
and it has the same meaning as for ConsoleKit.
Also some cleanup in configure.ac to remove the way we used
to check for RBAC in the 2.20 branch.
I have tested the code and it works really well. If I define
the "gdm" user to have solaris.system.shutdown RBAC key, then
the buttons show up in the greeter and I have the ability to
shutdown/reboot the system. If the "gdm" user doesn' thave the
RBAC key defined, the buttons don't show up and ConsoleKit
does not allow me to shut down or reboot the system.
Index: gui/simple-greeter/gdm-greeter-login-window.c
===================================================================
--- gui/simple-greeter/gdm-greeter-login-window.c (revision 5635)
+++ gui/simple-greeter/gdm-greeter-login-window.c (working copy)
@@ -33,6 +33,11 @@
#include <errno.h>
#include <pwd.h>
+#ifdef ENABLE_RBAC_SHUTDOWN
+#include <auth_attr.h>
+#include <secdb.h>
+#endif
+
#include <glib.h>
#include <glib/gi18n.h>
#include <glib/gstdio.h>
@@ -49,7 +54,9 @@
#include <dbus/dbus-glib.h>
#include <dbus/dbus-glib-lowlevel.h>
+#if HAVE_POLKIT_GNOME
#include <polkit-gnome/polkit-gnome.h>
+#endif
#include "gdm-greeter-login-window.h"
#include "gdm-user-chooser-widget.h"
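Review bot: `#if HAVE_POLKIT_GNOME` on the polkit-gnome include is inconsistent with the `#ifdef HAVE_POLKIT_GNOME` guards used further down in this file, and it will likely fail to preprocess when polkit is found. The configure.ac part of this patch defines the macro with an empty value (`AC_DEFINE(HAVE_POLKIT_GNOME, [], ...)`), which leaves `#if` with no expression to evaluate. Use `#ifdef HAVE_POLKIT_GNOME` here so all guards agree.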
@@ -196,6 +203,25 @@
}
}
+#ifdef ENABLE_RBAC_SHUTDOWN
+static char *
+get_user_name (uid_t uid)
+{
+ struct passwd *pwent;
+ char *name;
+
+ name = NULL;
+
+ pwent = getpwuid (uid);
+
+ if (pwent != NULL) {
+ name = g_strdup (pwent->pw_name);
+ }
+
+ return name;
+}
+#endif
+
static void
switch_mode (GdmGreeterLoginWindow *login_window,
int number)
@@ -203,16 +229,35 @@
const char *default_name;
GtkWidget *user_chooser;
GtkWidget *box;
+ gchar *username;
+ gboolean show_restart_shutdown = TRUE;
+ uid_t uid;
/* FIXME: do animation */
default_name = NULL;
+#ifdef ENABLE_RBAC_SHUTDOWN
+ uid = getuid ();
+ username = get_user_name (uid);
+
+ if (username == NULL || !chkauthattr (RBAC_SHUTDOWN_KEY, username)) {
+ show_restart_shutdown = FALSE;
+ g_debug ("Not showing stop/restart buttons for user %s due to RBAC key %s",
+ username, RBAC_SHUTDOWN_KEY);
+ } else {
+ g_debug ("Showing stop/restart buttons for user %s due to RBAC key %s",
+ username, RBAC_SHUTDOWN_KEY);
+ }
+#endif
+
switch (number) {
case MODE_SELECTION:
show_widget (login_window, "log-in-button", FALSE);
show_widget (login_window, "cancel-button", FALSE);
- show_widget (login_window, "shutdown-button", login_window->priv->display_is_local);
- show_widget (login_window, "restart-button", login_window->priv->display_is_local);
+ show_widget (login_window, "shutdown-button",
+ login_window->priv->display_is_local && show_restart_shutdown);
+ show_widget (login_window, "restart-button",
+ login_window->priv->display_is_local && show_restart_shutdown);
show_widget (login_window, "suspend-button", login_window->priv->display_is_local);
show_widget (login_window, "disconnect-button", ! login_window->priv->display_is_local);
show_widget (login_window, "auth-input-box", FALSE);
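Review bot: In the RBAC block of switch_mode, the `username == NULL` case still passes `username` to a `%s` conversion in `g_debug`, which is undefined behaviour and may crash in the platform's printf; log `username != NULL ? username : "(unknown)"` instead. The string returned by get_user_name comes from `g_strdup` and is not freed anywhere in the visible lines, so each mode switch appears to leak it; add `g_free (username);` before the `#endif`. `username` and `uid` are also declared outside the `#ifdef`, so non-RBAC builds get unused variables. A short comment would help the next reader: this check only decides button visibility for the greeter's own uid, and per the patch description ConsoleKit is what actually refuses the operation. switch_mode continues past the end of this hunk.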
@@ -525,6 +570,7 @@
return res;
}
+#ifdef HAVE_POLKIT_GNOME
static void
system_restart_auth_cb (PolKitAction *action,
gboolean gained_privilege,
@@ -613,6 +659,7 @@
return action;
}
+#endif
static void
do_system_restart (GdmGreeterLoginWindow *login_window)
@@ -630,6 +677,7 @@
}
res = try_system_restart (connection, &error);
+#ifdef HAVE_POLKIT_GNOME
if (! res) {
g_debug ("GdmGreeterLoginWindow: unable to restart system: %s: %s",
dbus_g_error_get_name (error),
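Review bot: With HAVE_POLKIT_GNOME undefined, do_system_restart ignores the result of `try_system_restart`: the `if (! res)` block, including its `g_debug` of the D-Bus error, is compiled out, so on an RBAC-only build a refused restart is silent and `error` is presumably never freed. Keep the failure logging outside the guard and put only the PolicyKit retry inside it, with `g_error_free (error);` on the non-PolicyKit path. The same applies to the `try_system_stop` hunk in do_system_stop. Both function bodies extend beyond the hunks shown.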
@@ -662,7 +710,7 @@
}
}
-
+#endif
}
static void
@@ -681,6 +729,7 @@
}
res = try_system_stop (connection, &error);
+#ifdef HAVE_POLKIT_GNOME
if (! res) {
g_debug ("GdmGreeterLoginWindow: unable to stop system: %s: %s",
dbus_g_error_get_name (error),
@@ -713,7 +762,7 @@
}
}
-
+#endif
}
static void
Index: gui/simple-greeter/Makefile.am
===================================================================
--- gui/simple-greeter/Makefile.am (revision 5635)
+++ gui/simple-greeter/Makefile.am (working copy)
@@ -19,6 +19,7 @@
-DAT_SPI_REGISTRYD_DIR="\"$(AT_SPI_REGISTRYD_DIR)\"" \
$(GTK_CFLAGS) \
$(SIMPLE_GREETER_CFLAGS) \
+ $(POLKIT_GNOME_CFLAGS) \
$(NULL)
@INTLTOOL_SCHEMAS_RULE@
@@ -58,6 +59,9 @@
test_greeter_login_window_LDADD = \
$(SIMPLE_GREETER_LIBS) \
+ $(POLKIT_GNOME_LIBS) \
+ $(RBAC_LIBS) \
+ $(top_builddir)/common/libgdmcommon.la \
$(NULL)
test_greeter_panel_SOURCES = \
@@ -125,6 +129,7 @@
test_user_chooser_LDADD = \
$(SIMPLE_GREETER_LIBS) \
+ $(POLKIT_GNOME_LIBS) \
$(NULL)
test_user_manager_SOURCES = \
@@ -138,6 +143,7 @@
test_user_manager_LDADD = \
$(SIMPLE_GREETER_LIBS) \
+ $(POLKIT_GNOME_LIBS) \
$(NULL)
libexec_PROGRAMS = \
@@ -177,6 +183,9 @@
$(top_builddir)/common/libgdmcommon.la \
$(top_builddir)/gui/simple-greeter/libnotificationarea/libnotificationarea.la \
$(SIMPLE_GREETER_LIBS) \
+ $(POLKIT_GNOME_LIBS) \
+ $(RBAC_LIBS) \
+ $(top_builddir)/common/libgdmcommon.la \
$(NULL)
gladedir = $(pkgdatadir)
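Review bot: `$(top_builddir)/common/libgdmcommon.la` is added to this LDADD list although the same entry already appears in the hunk's context a few lines above, so the library ends up listed twice. Drop the added line and keep `$(POLKIT_GNOME_LIBS)` and `$(RBAC_LIBS)`. The start of the list is outside the hunk, so which target it belongs to is not visible here.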
Index: acconfig.h
===================================================================
--- acconfig.h (revision 5635)
+++ acconfig.h (working copy)
@@ -9,7 +9,6 @@
#undef ENABLE_NLS
#undef ALWAYS_RESTART_SERVER
#undef GDM_USER_PATH
-#undef GDM_RBAC_SYSCMD_KEYS
#undef HAVE_ADT
#undef HAVE_CATGETS
#undef HAVE_CHKAUTHATTR
Index: configure.ac
===================================================================
--- configure.ac (revision 5635)
+++ configure.ac (working copy)
@@ -87,11 +87,20 @@
gtk+-2.0 >= $GTK_REQUIRED_VERSION
libglade-2.0 >= $LIBGLADE_REQUIRED_VERSION
gnome-vfs-2.0 >= $GNOME_VFS_REQUIRED_VERSION
- polkit-gnome >= $POLICYKIT_REQUIRED_VERSION
)
AC_SUBST(SIMPLE_GREETER_CFLAGS)
AC_SUBST(SIMPLE_GREETER_LIBS)
+PKG_CHECK_MODULES(POLKIT_GNOME,
+ polkit >= $POLICYKIT_REQUIRED_VERSION,
+ have_polkit=yes,
+ have_polkit=no)
+if test "x$have_polkit" = "xyes" ; then
+ AC_DEFINE(HAVE_POLKIT_GNOME, [], [Define if we have polkit])
+fi
+AM_CONDITIONAL(HAVE_POLKIT_GNOME, test x$have_polkit = xyes)
+AC_SUBST(HAVE_POLKIT_GNOME)
+
PKG_CHECK_MODULES(SIMPLE_CHOOSER,
dbus-glib-1 >= $DBUS_GLIB_REQUIRED_VERSION
gtk+-2.0 >= $GTK_REQUIRED_VERSION
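Review bot: The new `PKG_CHECK_MODULES(POLKIT_GNOME, ...)` tests for the `polkit` module, while the line it replaces required `polkit-gnome` and the greeter still includes `<polkit-gnome/polkit-gnome.h>`. A system with polkit but without polkit-gnome would pass this check and then fail to build, and POLKIT_GNOME_CFLAGS/LIBS may lack the polkit-gnome flags. Check `polkit-gnome >= $POLICYKIT_REQUIRED_VERSION` instead. `AC_SUBST(HAVE_POLKIT_GNOME)` substitutes a shell variable that is never set and can be dropped, and defining the macro as `1` rather than empty would make it safe in `#if` tests.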
@@ -862,6 +871,24 @@
dnl ---------------------------------------------------------------------------
+dnl check for RBAC
+dnl ---------------------------------------------------------------------------
+
+msg_rbac_shutdown=no
+AC_ARG_ENABLE(rbac-shutdown,
+ [AC_HELP_STRING([--enable-rbac-shutdown=<key>],
+ [Build with RBAC support specifying shutdown/reboot RBAC authentication key])],
+ enable_rbac_shutdown=$enableval,enable_rbac_shutdown=no)
+if test "x$enable_rbac_shutdown" != "xno"; then
+ RBAC_LIBS="-lsecdb -lsocket -lnsl"
+ AC_DEFINE(ENABLE_RBAC_SHUTDOWN, [], [Set if we build with RBAC support])
+ AC_DEFINE_UNQUOTED(RBAC_SHUTDOWN_KEY, "$enable_rbac_shutdown", [Set if we build with RBAC support])
+ msg_rbac_shutdown="yes, using key $enable_rbac_shutdown"
+fi
+AC_SUBST(RBAC_LIBS)
+
+
+dnl ---------------------------------------------------------------------------
dnl - Define some variables to represent the directories we use.
dnl ---------------------------------------------------------------------------
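Review bot: A bare `--enable-rbac-shutdown` sets `$enableval` to `yes`, so RBAC_SHUTDOWN_KEY becomes the literal string "yes" and the `chkauthattr` check against it will in practice always fail, with no hint at configure time. Reject that case, e.g. `if test "x$enable_rbac_shutdown" = "xyes"; then AC_MSG_ERROR([--enable-rbac-shutdown needs an RBAC key]); fi`, or fall back to a documented default key. The block also adds `-lsecdb` without probing for it, whereas the `AC_CHECK_LIB(secdb, chkauthattr, ...)` removed later in this patch did. Keeping that probe inside the enabled branch would turn a link failure into a clear configure error.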
@@ -977,15 +1004,6 @@
AC_DEFINE(HAVE_LOGINDEVPERM)
EXTRA_DAEMON_LIBS="$EXTRA_DAEMON_LIBS -ldevinfo" ])
-# Check for RBAC support (chkauthattr
-#
-AC_MSG_CHECKING(for RBAC support - chkauthattr)
-AC_CHECK_LIB(secdb, chkauthattr, [
- AC_DEFINE(HAVE_CHKAUTHATTR)
- EXTRA_DAEMON_LIBS="$EXTRA_DAEMON_LIBS -lsecdb"
- EXTRA_GREETER_LIBS="$EXTRA_GREETER_LIBS -lsecdb"])
-
-
dnl ---------------------------------------------------------------------------
dnl - Check for Halt, and Reboot commands
dnl ---------------------------------------------------------------------------
@@ -995,7 +1013,6 @@
# On Solaris/bin is a symlink to /usr/bin, so don't include it in
# GDM_USER_PATH.
GDM_USER_PATH=""
-GDM_RBAC_SYSCMD_KEYS=""
case "$host" in
*solaris*)
@@ -1006,7 +1023,6 @@
SUSPEND_COMMAND="/usr/openwin/bin/sys-suspend -n"
XSESSION_SHELL=/bin/ksh
SOUND_PROGRAM=/usr/bin/audioplay
- GDM_RBAC_SYSCMD_KEYS="HALT:solaris.system.shutdown;REBOOT:solaris.system.shutdown"
;;
*freebsd*)
GDM_USER_PATH="/bin:/usr/bin"
@@ -1201,16 +1217,6 @@
AC_SUBST(GDM_WORKING_DIR)
dnl ---------------------------------------------------------------------------
-dnl - Allow configure to specify RBAC keys.
-dnl ---------------------------------------------------------------------------
-
-AC_ARG_WITH(rbac-system-command-keys, [ --with-rbac-system-command-keys=<keys> RBAC system command keys])
-
-if ! test -z "$with_system_command_keys"; then
- GDM_RBAC_SYSCMD_KEYS=$with_system_command_keys
-fi
-
-dnl ---------------------------------------------------------------------------
dnl - Finish
dnl ---------------------------------------------------------------------------
@@ -1288,8 +1294,6 @@
AC_DEFINE_UNQUOTED(GDM_USER_PATH,"$GDM_USER_PATH")
AC_SUBST(SOUND_PROGRAM)
AC_DEFINE_UNQUOTED(SOUND_PROGRAM,"$SOUND_PROGRAM")
-AC_SUBST(GDM_RBAC_SYSCMD_KEYS)
-AC_DEFINE_UNQUOTED(GDM_RBAC_SYSCMD_KEYS,"$GDM_RBAC_SYSCMD_KEYS")
AC_SUBST(X_PATH)
AC_SUBST(X_SERVER)
@@ -1371,6 +1375,7 @@
echo \
" TCP Wrappers support: no"
else
+ echo \
" TCP Wrappers support: yes"
fi
@@ -1379,4 +1384,5 @@
XDMCP support: ${XDMCP_SUPPORT}
SELinux support: ${with_selinux}
ConsoleKit support: ${use_console_kit}
+ Build with RBAC: ${msg_rbac_shutdown}
"