| Members: 353 | Topics: 767 | Posts: 3211We welcome our newest member: ClintBarton
Polkit Wrong defaults
Polkit Wrong defaults | |
|
|
Senior Mitglied Posts: 216 Registered: 2008-07-04 | Polkit has problem in the defaults configurations.
In the default configuration from the paldo livecd installer... users don't have possibility through polkit to be asked for the root password to do some tasks like making a network configuration as a system configuration instead of local, or changing system clock
These actions should prompt the user for a root password ask dialog by default and then if they want they can use polkit-gnome-authorization to change that
Now the biggest problem is... if you use the polkit-gnome-authorization to authorize your user for doing these actions... your problem is solved... but because you have no permissions... the polkit wont let you change the configuration as it should... prompting for root password and than changing it...
I have no idea what is the right configuration for that on /etc/polkit-1/ but the ones that are there are not the best ones... .............................. OSs: Paldo-testing x86_64 :: HP Pavilion dv9680ez |
|
|
|
|
|
Re: Polkit Authorizations Proble | |
|
|
Senior Mitglied Posts: 216 Registered: 2008-07-04 | UPDATE : This was a wrong information... forget this gnome-keyring fix... it is not correct assumption see post below for the right solution
######################################################
Hi everyone,
I Realized that there were a problem with PolicyKit... but couldn't understand why it were fixed if a user were actually manually authorized to do something.
So here is the problem... for polkit to work correctly on a user desktop, gnome-keyring needs to be called whenever a user not authorized requests for an action.
The whole problem relies on the fact that even though gnome-keyring is installed on the system, and it installs pam_module correctly, the /etc/pam.d/* files don't request for gnome_keyring.so, this means that pam actually don't have any specific line to send a gtk window for requesting the root password when the user tries, for example, to add a system connection with NetworkManager.
So live.gnome.org has a topic about gnome-keyring : http://live.gnome.org/GnomeKeyring/Pam
But I'm still testing options for seeing the best implementation of the line auth optional pam_gnome_keyring.so where the whole problem should get fixed. .............................. OSs: Paldo-testing x86_64 :: HP Pavilion dv9680ez |
|
|
|
|
|
HUGE BUG with PolicyKit and Dbus [SOLUTION] | |
|
|
Senior Mitglied Posts: 216 Registered: 2008-07-04 | This is a really important post...
I've been for a long time trying to figure out why a user couldn't, for example, click on the nm-settings editor and edit a system connection or create a connection.
It's been more then a month since I've been tracking this bug
Now I got the solution
Please, I request the devels to apply the solution here listed as this problem is a coding problem from PolicyKit and form dbus-glib, and fedora, ubuntu, opensuse, gentoo, archlinux and my other distros have done this patching for making it work.
SOLUTION:
First it seems that the new dbus-glib, version 0.82, has dropped support for older introspection. But PolicyKit still uses the old introspection to write its .policy, .action and etc. The dbus devels later found better to release patches to add the compability with these older instrospection.
So the 1) step for this problem is patching dbus-glib-1. There are 3 patches
Copy-object-registration-list-when-unregistering
Post Scriptum | | From 90e2199ac99f5b8ab0cd5f45dcb398ecf9af03d9 Mon Sep 17 00:00:00 2001
From: Will Thompson <will.thompson@collabora.co.uk>
Date: Sat, 12 Sep 2009 11:58:22 +0100
Subject: [PATCH] Copy object registration list when unregistering.
Since the list of registrations on the object is modified when each path
is removed, iterating it directly is wrong: after the first pass of the
loop, 'iter' would point to a link which has been freed.
---
dbus/dbus-gobject.c | 8 +++++++-
1 files changed, 7 insertions(+), 1 deletions(-)
diff --git a/dbus/dbus-gobject.c b/dbus/dbus-gobject.c
index 85574c7..816194c 100644
--- a/dbus/dbus-gobject.c
+++ b/dbus/dbus-gobject.c
@@ -2117,7 +2117,10 @@ dbus_g_connection_unregister_g_object (DBusGConnection *connection,
{
GList *registrations, *iter;
- registrations = g_object_get_data (object, "dbus_glib_object_registrations");
+ /* Copy the list before iterating it: it will be modified in
+ * object_registration_free() each time an object path is unregistered.
+ */
+ registrations = g_list_copy (g_object_get_data (object, "dbus_glib_object_registrations"));
g_return_if_fail (registrations != NULL);
@@ -2127,6 +2130,9 @@ dbus_g_connection_unregister_g_object (DBusGConnection *connection,
dbus_connection_unregister_object_path (DBUS_CONNECTION_FROM_G_CONNECTION (o->connection),
o->object_path);
}
+
+ g_list_free (registrations);
+ g_assert (g_object_get_data (object, "dbus_glib_object_registrations") == NULL);
}
/**
--
1.6.3.3 |
Only-re-set-registration-list-if-its-non-empty
Post Scriptum | | From 39e2642e41b2293de7556fa15c57872f78ffcdc8 Mon Sep 17 00:00:00 2001
From: Will Thompson <will.thompson@collabora.co.uk>
Date: Sat, 12 Sep 2009 11:28:25 +0100
Subject: [PATCH] Only re-set registration list if it's non-empty
---
dbus/dbus-gobject.c | 4 +++-
1 files changed, 3 insertions(+), 1 deletions(-)
diff --git a/dbus/dbus-gobject.c b/dbus/dbus-gobject.c
index fb41168..85574c7 100644
--- a/dbus/dbus-gobject.c
+++ b/dbus/dbus-gobject.c
@@ -414,7 +414,9 @@ object_registration_free (ObjectRegistration *o)
*/
registrations = g_object_steal_data (o->object, "dbus_glib_object_registrations");
registrations = g_slist_remove (registrations, o);
- g_object_set_data (o->object, "dbus_glib_object_registrations", registrations);
+
+ if (registrations != NULL)
+ g_object_set_data (o->object, "dbus_glib_object_registrations", registrations);
g_object_weak_unref (o->object, object_registration_object_died, o);
}
--
1.6.3.3 |
Support-duplicate-object-registrations
Post Scriptum | | From 0263b72669de710e0adda419a520ae9f123a1be9 Mon Sep 17 00:00:00 2001
From: Colin Walters <walters@verbum.org>
Date: Wed, 19 Aug 2009 13:27:53 -0400
Subject: [PATCH] Support duplicate object registrations
Before commit e869fda4, we semi-supported registering the
same object multiple times. We'd accept messages for both paths,
however when signals were emitted, they'd both use the first object
path.
That commit simply disallowed multiple registrations, which broke
backwards compatibility with some projects like PolicyKit which
had the same object registered with different paths.
With this commit, explicitly allow and support multiple registrations.
The primary change is that signals are now emitted once for each
registration path of an object, using the correct path.
---
dbus/dbus-gobject.c | 159 ++++++++++++++++++++++++++++-------------
test/core/test-dbus-glib.c | 41 +++++++++++
test/core/test-service-glib.c | 4 +
3 files changed, 154 insertions(+), 50 deletions(-)
diff --git a/dbus/dbus-gobject.c b/dbus/dbus-gobject.c
index f0c4df8..fb41168 100644
--- a/dbus/dbus-gobject.c
+++ b/dbus/dbus-gobject.c
@@ -407,9 +407,16 @@ object_registration_free (ObjectRegistration *o)
{
if (o->object != NULL)
{
+ GSList *registrations;
+
+ /* Ok, the object is still around; clear out this particular registration
+ * from the registrations list.
+ */
+ registrations = g_object_steal_data (o->object, "dbus_glib_object_registrations");
+ registrations = g_slist_remove (registrations, o);
+ g_object_set_data (o->object, "dbus_glib_object_registrations", registrations);
+
g_object_weak_unref (o->object, object_registration_object_died, o);
- g_object_steal_data (o->object, "dbus_glib_object_registration");
- o->object = NULL;
}
g_free (o->object_path);
@@ -1741,30 +1748,19 @@ dbus_g_signal_closure_finalize (gpointer data,
}
static void
-signal_emitter_marshaller (GClosure *closure,
- GValue *retval,
- guint n_param_values,
- const GValue *param_values,
- gpointer invocation_hint,
- gpointer marshal_data)
+emit_signal_for_registration (ObjectRegistration *o,
+ DBusGSignalClosure *sigclosure,
+ GValue *retval,
+ guint n_param_values,
+ const GValue *param_values)
{
- DBusGSignalClosure *sigclosure;
DBusMessage *signal;
DBusMessageIter iter;
guint i;
- const char *path;
-
- sigclosure = (DBusGSignalClosure *) closure;
-
- g_assert (retval == NULL);
-
- path = _dbus_gobject_get_path (sigclosure->object);
- g_assert (path != NULL);
-
- signal = dbus_message_new_signal (path,
- sigclosure->sigiface,
- sigclosure->signame);
+ signal = dbus_message_new_signal (o->object_path,
+ sigclosure->sigiface,
+ sigclosure->signame);
if (!signal)
{
g_error ("out of memory");
@@ -1777,20 +1773,45 @@ signal_emitter_marshaller (GClosure *closure,
for (i = 1; i < n_param_values; i++)
{
if (!_dbus_gvalue_marshal (&iter,
- (GValue *) (&(param_values))))
- {
- g_warning ("failed to marshal parameter %d for signal %s",
- i, sigclosure->signame);
- goto out;
- }
+ (GValue *) (&(param_values))))
+ {
+ g_warning ("failed to marshal parameter %d for signal %s",
+ i, sigclosure->signame);
+ goto out;
+ }
}
dbus_connection_send (DBUS_CONNECTION_FROM_G_CONNECTION (sigclosure->connection),
- signal, NULL);
- out:
+ signal, NULL);
+out:
dbus_message_unref (signal);
}
static void
+signal_emitter_marshaller (GClosure *closure,
+ GValue *retval,
+ guint n_param_values,
+ const GValue *param_values,
+ gpointer invocation_hint,
+ gpointer marshal_data)
+{
+ DBusGSignalClosure *sigclosure;
+ GSList *registrations, *iter;
+
+ sigclosure = (DBusGSignalClosure *) closure;
+
+ g_assert (retval == NULL);
+
+ registrations = g_object_get_data (sigclosure->object, "dbus_glib_object_registrations");
+
+ for (iter = registrations; iter; iter = iter->next)
+ {
+ ObjectRegistration *o = iter->data;
+
+ emit_signal_for_registration (o, sigclosure, retval, n_param_values, param_values);
+ }
+}
+
+static void
export_signals (DBusGConnection *connection, const GList *info_list, GObject *object)
{
GType gtype;
@@ -2092,14 +2113,18 @@ void
dbus_g_connection_unregister_g_object (DBusGConnection *connection,
GObject *object)
{
- ObjectRegistration *o;
+ GList *registrations, *iter;
- o = g_object_get_data (object, "dbus_glib_object_registration");
+ registrations = g_object_get_data (object, "dbus_glib_object_registrations");
- g_return_if_fail (o != NULL);
+ g_return_if_fail (registrations != NULL);
- dbus_connection_unregister_object_path (DBUS_CONNECTION_FROM_G_CONNECTION (o->connection),
- o->object_path);
+ for (iter = registrations; iter; iter = iter->next)
+ {
+ ObjectRegistration *o = iter->data;
+ dbus_connection_unregister_object_path (DBUS_CONNECTION_FROM_G_CONNECTION (o->connection),
+ o->object_path);
+ }
}
/**
@@ -2116,6 +2141,9 @@ dbus_g_connection_unregister_g_object (DBusGConnection *connection,
* The registration will be cancelled if either the #DBusConnection or
* the #GObject gets finalized, or if dbus_g_connection_unregister_g_object()
* is used.
+ *
+ * Note: If an object is registered multiple times, the first registration
+ * takes priority for cases such as turning an object into an object path.
*/
void
dbus_g_connection_register_g_object (DBusGConnection *connection,
@@ -2123,28 +2151,44 @@ dbus_g_connection_register_g_object (DBusGConnection *connection,
GObject *object)
{
GList *info_list;
+ GSList *registrations, *iter;
ObjectRegistration *o;
+ gboolean is_first_registration;
g_return_if_fail (connection != NULL);
g_return_if_fail (at_path != NULL);
g_return_if_fail (G_IS_OBJECT (object));
- info_list = lookup_object_info (object);
- if (info_list == NULL)
+ /* This is a GSList of ObjectRegistration* */
+ registrations = g_object_steal_data (object, "dbus_glib_object_registrations");
+
+ for (iter = registrations; iter; iter = iter->next)
{
- g_warning ("No introspection data registered for object class \"%s\"",
- g_type_name (G_TYPE_FROM_INSTANCE (object)));
- return;
+ o = iter->data;
+
+ /* Silently ignore duplicate registrations */
+ if (strcmp (o->object_path, at_path) == 0)
+ return;
}
- o = g_object_get_data (object, "dbus_glib_object_registration");
+ is_first_registration = registrations == NULL;
- if (o != NULL)
+ /* This is used to hook up signals below, but we do this check
+ * before trying to register the object to make sure we have
+ * introspection data for it.
+ */
+ if (is_first_registration)
{
- g_warning ("Object already registered at %s, can't re-register at %s",
- o->object_path, at_path);
- return;
+ info_list = lookup_object_info (object);
+ if (info_list == NULL)
+ {
+ g_warning ("No introspection data registered for object class \"%s\"",
+ g_type_name (G_TYPE_FROM_INSTANCE (object)));
+ return;
+ }
}
+ else
+ info_list = NULL;
o = object_registration_new (connection, at_path, object);
@@ -2155,12 +2199,22 @@ dbus_g_connection_register_g_object (DBusGConnection *connection,
{
g_error ("Failed to register GObject with DBusConnection");
object_registration_free (o);
+ g_list_free (info_list);
return;
}
- export_signals (connection, info_list, object);
- g_list_free (info_list);
- g_object_set_data (object, "dbus_glib_object_registration", o);
+ if (is_first_registration)
+ {
+ /* This adds a hook into every signal for the object. Only do this
+ * on the first registration, because inside the signal marshaller
+ * we emit a signal for each registration.
+ */
+ export_signals (connection, info_list, object);
+ g_list_free (info_list);
+ }
+
+ registrations = g_slist_append (registrations, o);
+ g_object_set_data (object, "dbus_glib_object_registrations", registrations);
}
/**
@@ -2539,15 +2593,20 @@ dbus_g_method_return_error (DBusGMethodInvocation *context, const GError *error)
g_free (context);
}
-const char * _dbus_gobject_get_path (GObject *obj)
+const char *
+_dbus_gobject_get_path (GObject *obj)
{
+ GSList *registrations;
ObjectRegistration *o;
- o = g_object_get_data (obj, "dbus_glib_object_registration");
+ registrations = g_object_get_data (obj, "dbus_glib_object_registrations");
- if (o == NULL)
+ if (registrations == NULL)
return NULL;
+ /* First one to have been registered wins */
+ o = registrations->data;
+
return o->object_path;
}
diff --git a/test/core/test-dbus-glib.c b/test/core/test-dbus-glib.c
index c6071a7..288606f 100644
--- a/test/core/test-dbus-glib.c
+++ b/test/core/test-dbus-glib.c
@@ -15,6 +15,7 @@ static const char *await_terminating_service = NULL;
static int n_times_foo_received = 0;
static int n_times_frobnicate_received = 0;
static int n_times_frobnicate_received_2 = 0;
+static int n_times_compat_frobnicate_received = 0;
static int n_times_sig0_received = 0;
static int n_times_sig1_received = 0;
static int n_times_sig2_received = 0;
@@ -139,6 +140,20 @@ frobnicate_signal_handler_2 (DBusGProxy *proxy,
}
static void
+frobnicate_signal_handler_compat (DBusGProxy *proxy,
+ int val,
+ void *user_data)
+{
+ n_times_compat_frobnicate_received += 1;
+
+ g_assert (val == 42);
+ g_print ("Got Frobnicate signal (compat)\n");
+
+ g_main_loop_quit (loop);
+ g_source_remove (exit_timeout);
+}
+
+static void
sig0_signal_handler (DBusGProxy *proxy,
const char *str0,
int val,
@@ -1886,6 +1901,32 @@ main (int argc, char **argv)
run_mainloop ();
+ /* Tests for a "compatibilty" object path. This is the same object as above, just
+ * at a different path.
+ */
+ proxy = dbus_g_proxy_new_for_name_owner (connection,
+ "org.freedesktop.DBus.GLib.TestService",
+ "/org/freedesktop/DBus/GLib/Tests/Compat/MyTestObjectCompat",
+ "org.freedesktop.DBus.GLib.Tests.MyObject",
+ &error);
+ dbus_g_proxy_add_signal (proxy, "Frobnicate", G_TYPE_INT, G_TYPE_INVALID);
+
+ dbus_g_proxy_connect_signal (proxy, "Frobnicate",
+ G_CALLBACK (frobnicate_signal_handler_compat),
+ NULL, NULL);
+
+ g_print ("Calling EmitFrobnicate (compat)\n");
+ if (!dbus_g_proxy_call (proxy, "EmitFrobnicate", &error,
+ G_TYPE_INVALID, G_TYPE_INVALID))
+ lose_gerror ("Failed to complete EmitFrobnicate call on compat proxy", error);
+
+ g_main_loop_run (loop);
+
+ if (n_times_compat_frobnicate_received != 1)
+ lose ("Frobnicate signal received %d times for compat proxy, should have been 1", n_times_compat_frobnicate_received);
+
+ g_object_unref (proxy);
+
/* Test introspection */
proxy = dbus_g_proxy_new_for_name_owner (connection,
"org.freedesktop.DBus.GLib.TestService",
diff --git a/test/core/test-service-glib.c b/test/core/test-service-glib.c
index 1cdb0ac..fad2473 100644
--- a/test/core/test-service-glib.c
+++ b/test/core/test-service-glib.c
@@ -66,6 +66,10 @@ main (int argc, char **argv)
dbus_g_connection_register_g_object (connection,
"/org/freedesktop/DBus/GLib/Tests/MyTestObject",
obj);
+ /* Register a second time; we want the object to also be reachable through this interface */
+ dbus_g_connection_register_g_object (connection,
+ "/org/freedesktop/DBus/GLib/Tests/Compat/MyTestObjectCompat",
+ obj);
dbus_g_connection_register_g_object (connection,
"/org/freedesktop/DBus/GLib/Tests/MyTestObject2",
obj2);
--
1.6.3.3 |
The new spec for dbus-glib-1
Post Scriptum | |
<?xml version="1.0"?>
<package name="dbus-glib-1">
<description>GLib Bindings for D-Bus</description>
<releases>
<release version="0.82" revision="3" branch="stable">
<!-- as-needed breaks build -->
<deps>
<dep name="dbus-1"/>
<dep name="glib-2.0"/>
<dep name="libxml2"/>
<dep name="expat"/><!-- doesn't build with only libxml2 -->
</deps>
<build>
<script>
<archive name="dbus-glib-$VERSION">
<!-- Patches from https://bugs.freedesktop.org/show_bug.cgi?id=23297 -->
<patch name="Support-duplicate-object-registrations"/>
<patch name="Copy-object-registration-list-when-unregistering"/>
<patch name="Only-re-set-registration-list-if-its-non-empty"/>
<!-- add introspect file to avoid the need to have d-bus running when building -->
<!--install name="dbus-bus-introspect-20060726.xml" dest="./tools/dbus-bus-introspect.xml"/-->
<cmd>./configure --prefix=/usr --libexecdir=/usr/lib --sysconfdir=/etc --localstatedir=/var --disable-static</cmd>
<cmd>make -j 2</cmd>
<cmd>make install</cmd>
</archive>
</script>
</build>
</release>
</releases>
</package>
|
So the 2) step is that there is a problem with PolicyKit-gnome that when you click on a gtk button to call for policykit auth it actually doesn't send signals so it needs a patch to fix these action buttons. Got this patch actually from ArchLinux Bugs http://bugs.archlinux.org/task/14610, even though this patch is actually originally from Ubuntu
Post Scriptum | | # Ubuntu: https://bugs.launchpad.net/ubuntu/+source/policykit-gnome/+bug/332343
# Upstream: http://bugzilla.gnome.org/show_bug.cgi?id=572878
# Patch: http://bugzilla.gnome.org/attachment.cgi?id=129353&action=view
# Description: When "clicked" is blocked as the user is not authorized
# it should emit "auth-start" so that the user can authenticate. Makes
# it work with widgets that don't emit "activate", e.g. buttons.
--- ./polkit-gnome/polkit-gnome-action.c.old 2009-02-06 17:31:46.000000000 +0000
+++ ./polkit-gnome/polkit-gnome-action.c 2009-02-06 17:32:03.000000000 +0000
@@ -2062,6 +2062,8 @@ _button_clicked (GtkButton *button, PolK
case POLKIT_RESULT_ONLY_VIA_SELF_AUTH_KEEP_ALWAYS:
/* g_debug ("blocking clicked"); */
g_signal_stop_emission_by_name (button, "clicked");
+ if (action->priv->polkit_action != NULL)
+ g_signal_emit (action, signals [AUTH_START_SIGNAL], 0);
break;
default: |
The new spec for PolicyKit-gnome
Post Scriptum | | <?xml version="1.0"?>
<package name="PolicyKit-gnome">
<description>PolicyKit add-on library for GNOME</description>
<releases>
<release version="0.9" revision="3" branch="stable">
<deps>
<dep name="dbus-1"/>
<dep name="dbus-glib-1"/>
<dep name="gconf-2.0"/>
<dep name="gnome-vfs-2.0"/>
<dep name="gtk+-2.0"/>
<dep name="libsexy"/>
<dep name="PolicyKit"/>
</deps>
<build>
<script>
<archive name="PolicyKit-gnome-$VERSION">
<patch name="05-fix-actions"/>
<cmd>./configure --prefix=/usr --libexecdir=/usr/lib --sysconfdir=/etc --disable-static</cmd>
<cmd>make -j 2</cmd>
<cmd>make install</cmd>
</archive>
</script>
</build>
</release>
</releases>
</package> |
Now the system is correctly set and you will be able even if not granted from policykit to enter the root password for doing system networks, and for granting or revoke users on polkit-gnome-authorization, and others from the GUI
One advise... It will be a good practice if after the modifications the packages directly related get rebuild against these new lib. I mean the packages: PolicyKit , polkit-1 and polkit-gnome
I said it was a HUGE BUG, which meant a HUGE TEXT, and a HUGE TIME to find out how to fix it without degrading the system
Enjoy PolicyKit correctly !!!
UPDATE: this solution fixes another bug pointed out by frafra, after doing this patchings, when you click on the suspend button of the keyboard, it actually suspends, aparently, policykit wasn't granting the user to suspend through the FN-Keys .............................. OSs: Paldo-testing x86_64 :: HP Pavilion dv9680ez |
|
|
|
|
|
Re: Polkit Wrong defaults | |
|
|
Mitglied Posts: 73 Registered: 2009-07-15 | Well done. !!!
It's very good to see that there's always someone who cares about Paldo and their users, as that's a guaranty that it's alive and healthy.
The quality of this project deserves that it survives to serve us for many years.
|
|
|
|
|
|
Re: Polkit Wrong defaults | |
|
|
Administrator Posts: 426 Registered: 2004-09-09 | Thanks a lot for your work. This has been added to testing now. |
|
|
|
|
|
Re: Polkit Wrong defaults | |
|
|
Senior Mitglied Posts: 216 Registered: 2008-07-04 | hi everyone,
I'm here to announce that these patches may be removed from dbus-glib once we upgrade to version 0.84 or 0.86
Please consider the upgrade and remove the patches as they fix lots of other bugs.
.............................. OSs: Paldo-testing x86_64 :: HP Pavilion dv9680ez |
|
|
|
|
|
| |