Package Search
 
Members: 353 | Topics: 767 | Posts: 3211
We welcome our newest member: ClintBarton
Info
» You aren't logged in, login or registerOnline: No members and 20 guests | Time: 21:23
Polkit Wrong defaults
paldo Support Forum    paldo    General Support
Reply Reply   Subscribe Topic Subscribe Topic
6 posts found.
 Polkit Wrong defaults
Senior Mitglied
 
 
 
Posts: 216
Registered: 2008-07-04
Polkit has problem in the defaults configurations.

In the default configuration from the paldo livecd installer... users don't have possibility through polkit to be asked for the root password to do some tasks like making a network configuration as a system configuration instead of local, or changing system clock

These actions should prompt the user for a root password ask dialog by default and then if they want they can use polkit-gnome-authorization to change that

Now the biggest problem is... if you use the polkit-gnome-authorization to authorize your user for doing these actions... your problem is solved... but because you have no permissions... the polkit wont let you change the configuration as it should... prompting for root password and than changing it...

I have no idea what is the right configuration for that on /etc/polkit-1/ but the ones that are there are not the best ones...
 
..............................
OSs: Paldo-testing x86_64 :: HP Pavilion dv9680ez
Profile   Private Message   E-Mail
Created: 2009-10-24 00:44
Highlight selected Text   Edit   Delete   Quote Reply
 Re: Polkit Authorizations Proble
Senior Mitglied
 
 
 
Posts: 216
Registered: 2008-07-04
UPDATE : This was a wrong information... forget this gnome-keyring fix... it is not correct assumption see post below for the right solution

######################################################
Hi everyone,

I Realized that there were a problem with PolicyKit... but couldn't understand why it were fixed if a user were actually manually authorized to do something.

So here is the problem... for polkit to work correctly on a user desktop, gnome-keyring needs to be called whenever a user not authorized requests for an action.

The whole problem relies on the fact that even though gnome-keyring is installed on the system, and it installs pam_module correctly, the /etc/pam.d/* files don't request for gnome_keyring.so, this means that pam actually don't have any specific line to send a gtk window for requesting the root password when the user tries, for example, to add a system connection with NetworkManager.

So live.gnome.org has a topic about gnome-keyring : http://live.gnome.org/GnomeKeyring/Pam

But I'm still testing options for seeing the best implementation of the line auth optional pam_gnome_keyring.so where the whole problem should get fixed.
 
..............................
OSs: Paldo-testing x86_64 :: HP Pavilion dv9680ez
Profile   Private Message   E-Mail
Created: 2009-11-17 10:05 | Modified: 2009-11-23 03:10 by diogo
Highlight selected Text   Edit   Delete   Quote Reply
 HUGE BUG with PolicyKit and Dbus [SOLUTION]
Senior Mitglied
 
 
 
Posts: 216
Registered: 2008-07-04
This is a really important post...

I've been for a long time trying to figure out why a user couldn't, for example, click on the nm-settings editor and edit a system connection or create a connection.

It's been more then a month since I've been tracking this bug

Now I got the solution

Please, I request the devels to apply the solution here listed as this problem is a coding problem from PolicyKit and form dbus-glib, and fedora, ubuntu, opensuse, gentoo, archlinux and my other distros have done this patching for making it work.

SOLUTION:

First it seems that the new dbus-glib, version 0.82, has dropped support for older introspection. But PolicyKit still uses the old introspection to write its .policy, .action and etc. The dbus devels later found better to release patches to add the compability with these older instrospection.

So the 1) step for this problem is patching dbus-glib-1. There are 3 patches

    Copy-object-registration-list-when-unregistering

Post Scriptum
From 90e2199ac99f5b8ab0cd5f45dcb398ecf9af03d9 Mon Sep 17 00:00:00 2001
From: Will Thompson <will.thompson@collabora.co.uk>
Date: Sat, 12 Sep 2009 11:58:22 +0100
Subject: [PATCH] Copy object registration list when unregistering.

Since the list of registrations on the object is modified when each path
is removed, iterating it directly is wrong: after the first pass of the
loop, 'iter' would point to a link which has been freed.
---
dbus/dbus-gobject.c | 8 +++++++-
1 files changed, 7 insertions(+), 1 deletions(-)

diff --git a/dbus/dbus-gobject.c b/dbus/dbus-gobject.c
index 85574c7..816194c 100644
--- a/dbus/dbus-gobject.c
+++ b/dbus/dbus-gobject.c
@@ -2117,7 +2117,10 @@ dbus_g_connection_unregister_g_object (DBusGConnection *connection,
{
GList *registrations, *iter;

- registrations = g_object_get_data (object, "dbus_glib_object_registrations");
+ /* Copy the list before iterating it: it will be modified in
+ * object_registration_free() each time an object path is unregistered.
+ */
+ registrations = g_list_copy (g_object_get_data (object, "dbus_glib_object_registrations"));

g_return_if_fail (registrations != NULL);

@@ -2127,6 +2130,9 @@ dbus_g_connection_unregister_g_object (DBusGConnection *connection,
dbus_connection_unregister_object_path (DBUS_CONNECTION_FROM_G_CONNECTION (o->connection),
o->object_path);
}
+
+ g_list_free (registrations);
+ g_assert (g_object_get_data (object, "dbus_glib_object_registrations") == NULL);
}

/**
--
1.6.3.3


    Only-re-set-registration-list-if-its-non-empty

Post Scriptum
From 39e2642e41b2293de7556fa15c57872f78ffcdc8 Mon Sep 17 00:00:00 2001
From: Will Thompson <will.thompson@collabora.co.uk>
Date: Sat, 12 Sep 2009 11:28:25 +0100
Subject: [PATCH] Only re-set registration list if it's non-empty

---
dbus/dbus-gobject.c | 4 +++-
1 files changed, 3 insertions(+), 1 deletions(-)

diff --git a/dbus/dbus-gobject.c b/dbus/dbus-gobject.c
index fb41168..85574c7 100644
--- a/dbus/dbus-gobject.c
+++ b/dbus/dbus-gobject.c
@@ -414,7 +414,9 @@ object_registration_free (ObjectRegistration *o)
*/
registrations = g_object_steal_data (o->object, "dbus_glib_object_registrations");
registrations = g_slist_remove (registrations, o);
- g_object_set_data (o->object, "dbus_glib_object_registrations", registrations);
+
+ if (registrations != NULL)
+ g_object_set_data (o->object, "dbus_glib_object_registrations", registrations);

g_object_weak_unref (o->object, object_registration_object_died, o);
}
--
1.6.3.3


    Support-duplicate-object-registrations

Post Scriptum
From 0263b72669de710e0adda419a520ae9f123a1be9 Mon Sep 17 00:00:00 2001
From: Colin Walters <walters@verbum.org>
Date: Wed, 19 Aug 2009 13:27:53 -0400
Subject: [PATCH] Support duplicate object registrations

Before commit e869fda4, we semi-supported registering the
same object multiple times. We'd accept messages for both paths,
however when signals were emitted, they'd both use the first object
path.

That commit simply disallowed multiple registrations, which broke
backwards compatibility with some projects like PolicyKit which
had the same object registered with different paths.

With this commit, explicitly allow and support multiple registrations.
The primary change is that signals are now emitted once for each
registration path of an object, using the correct path.
---
dbus/dbus-gobject.c | 159 ++++++++++++++++++++++++++++-------------
test/core/test-dbus-glib.c | 41 +++++++++++
test/core/test-service-glib.c | 4 +
3 files changed, 154 insertions(+), 50 deletions(-)

diff --git a/dbus/dbus-gobject.c b/dbus/dbus-gobject.c
index f0c4df8..fb41168 100644
--- a/dbus/dbus-gobject.c
+++ b/dbus/dbus-gobject.c
@@ -407,9 +407,16 @@ object_registration_free (ObjectRegistration *o)
{
if (o->object != NULL)
{
+ GSList *registrations;
+
+ /* Ok, the object is still around; clear out this particular registration
+ * from the registrations list.
+ */
+ registrations = g_object_steal_data (o->object, "dbus_glib_object_registrations");
+ registrations = g_slist_remove (registrations, o);
+ g_object_set_data (o->object, "dbus_glib_object_registrations", registrations);
+
g_object_weak_unref (o->object, object_registration_object_died, o);
- g_object_steal_data (o->object, "dbus_glib_object_registration");
- o->object = NULL;
}

g_free (o->object_path);
@@ -1741,30 +1748,19 @@ dbus_g_signal_closure_finalize (gpointer data,
}

static void
-signal_emitter_marshaller (GClosure *closure,
- GValue *retval,
- guint n_param_values,
- const GValue *param_values,
- gpointer invocation_hint,
- gpointer marshal_data)
+emit_signal_for_registration (ObjectRegistration *o,
+ DBusGSignalClosure *sigclosure,
+ GValue *retval,
+ guint n_param_values,
+ const GValue *param_values)
{
- DBusGSignalClosure *sigclosure;
DBusMessage *signal;
DBusMessageIter iter;
guint i;
- const char *path;
-
- sigclosure = (DBusGSignalClosure *) closure;
-
- g_assert (retval == NULL);
-
- path = _dbus_gobject_get_path (sigclosure->object);

- g_assert (path != NULL);
-
- signal = dbus_message_new_signal (path,
- sigclosure->sigiface,
- sigclosure->signame);
+ signal = dbus_message_new_signal (o->object_path,
+ sigclosure->sigiface,
+ sigclosure->signame);
if (!signal)
{
g_error ("out of memory");
@@ -1777,20 +1773,45 @@ signal_emitter_marshaller (GClosure *closure,
for (i = 1; i < n_param_values; i++)
{
if (!_dbus_gvalue_marshal (&iter,
- (GValue *) (&(param_values))))
- {
- g_warning ("failed to marshal parameter %d for signal %s",
- i, sigclosure->signame);
- goto out;
- }
+ (GValue *) (&(param_values))))
+ {
+ g_warning ("failed to marshal parameter %d for signal %s",
+ i, sigclosure->signame);
+ goto out;
+ }
}
dbus_connection_send (DBUS_CONNECTION_FROM_G_CONNECTION (sigclosure->connection),
- signal, NULL);
- out:
+ signal, NULL);
+out:
dbus_message_unref (signal);
}

static void
+signal_emitter_marshaller (GClosure *closure,
+ GValue *retval,
+ guint n_param_values,
+ const GValue *param_values,
+ gpointer invocation_hint,
+ gpointer marshal_data)
+{
+ DBusGSignalClosure *sigclosure;
+ GSList *registrations, *iter;
+
+ sigclosure = (DBusGSignalClosure *) closure;
+
+ g_assert (retval == NULL);
+
+ registrations = g_object_get_data (sigclosure->object, "dbus_glib_object_registrations");
+
+ for (iter = registrations; iter; iter = iter->next)
+ {
+ ObjectRegistration *o = iter->data;
+
+ emit_signal_for_registration (o, sigclosure, retval, n_param_values, param_values);
+ }
+}
+
+static void
export_signals (DBusGConnection *connection, const GList *info_list, GObject *object)
{
GType gtype;
@@ -2092,14 +2113,18 @@ void
dbus_g_connection_unregister_g_object (DBusGConnection *connection,
GObject *object)
{
- ObjectRegistration *o;
+ GList *registrations, *iter;

- o = g_object_get_data (object, "dbus_glib_object_registration");
+ registrations = g_object_get_data (object, "dbus_glib_object_registrations");

- g_return_if_fail (o != NULL);
+ g_return_if_fail (registrations != NULL);

- dbus_connection_unregister_object_path (DBUS_CONNECTION_FROM_G_CONNECTION (o->connection),
- o->object_path);
+ for (iter = registrations; iter; iter = iter->next)
+ {
+ ObjectRegistration *o = iter->data;
+ dbus_connection_unregister_object_path (DBUS_CONNECTION_FROM_G_CONNECTION (o->connection),
+ o->object_path);
+ }
}

/**
@@ -2116,6 +2141,9 @@ dbus_g_connection_unregister_g_object (DBusGConnection *connection,
* The registration will be cancelled if either the #DBusConnection or
* the #GObject gets finalized, or if dbus_g_connection_unregister_g_object()
* is used.
+ *
+ * Note: If an object is registered multiple times, the first registration
+ * takes priority for cases such as turning an object into an object path.
*/
void
dbus_g_connection_register_g_object (DBusGConnection *connection,
@@ -2123,28 +2151,44 @@ dbus_g_connection_register_g_object (DBusGConnection *connection,
GObject *object)
{
GList *info_list;
+ GSList *registrations, *iter;
ObjectRegistration *o;
+ gboolean is_first_registration;

g_return_if_fail (connection != NULL);
g_return_if_fail (at_path != NULL);
g_return_if_fail (G_IS_OBJECT (object));

- info_list = lookup_object_info (object);
- if (info_list == NULL)
+ /* This is a GSList of ObjectRegistration* */
+ registrations = g_object_steal_data (object, "dbus_glib_object_registrations");
+
+ for (iter = registrations; iter; iter = iter->next)
{
- g_warning ("No introspection data registered for object class \"%s\"",
- g_type_name (G_TYPE_FROM_INSTANCE (object)));
- return;
+ o = iter->data;
+
+ /* Silently ignore duplicate registrations */
+ if (strcmp (o->object_path, at_path) == 0)
+ return;
}

- o = g_object_get_data (object, "dbus_glib_object_registration");
+ is_first_registration = registrations == NULL;

- if (o != NULL)
+ /* This is used to hook up signals below, but we do this check
+ * before trying to register the object to make sure we have
+ * introspection data for it.
+ */
+ if (is_first_registration)
{
- g_warning ("Object already registered at %s, can't re-register at %s",
- o->object_path, at_path);
- return;
+ info_list = lookup_object_info (object);
+ if (info_list == NULL)
+ {
+ g_warning ("No introspection data registered for object class \"%s\"",
+ g_type_name (G_TYPE_FROM_INSTANCE (object)));
+ return;
+ }
}
+ else
+ info_list = NULL;

o = object_registration_new (connection, at_path, object);

@@ -2155,12 +2199,22 @@ dbus_g_connection_register_g_object (DBusGConnection *connection,
{
g_error ("Failed to register GObject with DBusConnection");
object_registration_free (o);
+ g_list_free (info_list);
return;
}

- export_signals (connection, info_list, object);
- g_list_free (info_list);
- g_object_set_data (object, "dbus_glib_object_registration", o);
+ if (is_first_registration)
+ {
+ /* This adds a hook into every signal for the object. Only do this
+ * on the first registration, because inside the signal marshaller
+ * we emit a signal for each registration.
+ */
+ export_signals (connection, info_list, object);
+ g_list_free (info_list);
+ }
+
+ registrations = g_slist_append (registrations, o);
+ g_object_set_data (object, "dbus_glib_object_registrations", registrations);
}

/**
@@ -2539,15 +2593,20 @@ dbus_g_method_return_error (DBusGMethodInvocation *context, const GError *error)
g_free (context);
}

-const char * _dbus_gobject_get_path (GObject *obj)
+const char *
+_dbus_gobject_get_path (GObject *obj)
{
+ GSList *registrations;
ObjectRegistration *o;

- o = g_object_get_data (obj, "dbus_glib_object_registration");
+ registrations = g_object_get_data (obj, "dbus_glib_object_registrations");

- if (o == NULL)
+ if (registrations == NULL)
return NULL;

+ /* First one to have been registered wins */
+ o = registrations->data;
+
return o->object_path;
}

diff --git a/test/core/test-dbus-glib.c b/test/core/test-dbus-glib.c
index c6071a7..288606f 100644
--- a/test/core/test-dbus-glib.c
+++ b/test/core/test-dbus-glib.c
@@ -15,6 +15,7 @@ static const char *await_terminating_service = NULL;
static int n_times_foo_received = 0;
static int n_times_frobnicate_received = 0;
static int n_times_frobnicate_received_2 = 0;
+static int n_times_compat_frobnicate_received = 0;
static int n_times_sig0_received = 0;
static int n_times_sig1_received = 0;
static int n_times_sig2_received = 0;
@@ -139,6 +140,20 @@ frobnicate_signal_handler_2 (DBusGProxy *proxy,
}

static void
+frobnicate_signal_handler_compat (DBusGProxy *proxy,
+ int val,
+ void *user_data)
+{
+ n_times_compat_frobnicate_received += 1;
+
+ g_assert (val == 42);
+ g_print ("Got Frobnicate signal (compat)\n");
+
+ g_main_loop_quit (loop);
+ g_source_remove (exit_timeout);
+}
+
+static void
sig0_signal_handler (DBusGProxy *proxy,
const char *str0,
int val,
@@ -1886,6 +1901,32 @@ main (int argc, char **argv)

run_mainloop ();

+ /* Tests for a "compatibilty" object path. This is the same object as above, just
+ * at a different path.
+ */
+ proxy = dbus_g_proxy_new_for_name_owner (connection,
+ "org.freedesktop.DBus.GLib.TestService",
+ "/org/freedesktop/DBus/GLib/Tests/Compat/MyTestObjectCompat",
+ "org.freedesktop.DBus.GLib.Tests.MyObject",
+ &error);
+ dbus_g_proxy_add_signal (proxy, "Frobnicate", G_TYPE_INT, G_TYPE_INVALID);
+
+ dbus_g_proxy_connect_signal (proxy, "Frobnicate",
+ G_CALLBACK (frobnicate_signal_handler_compat),
+ NULL, NULL);
+
+ g_print ("Calling EmitFrobnicate (compat)\n");
+ if (!dbus_g_proxy_call (proxy, "EmitFrobnicate", &error,
+ G_TYPE_INVALID, G_TYPE_INVALID))
+ lose_gerror ("Failed to complete EmitFrobnicate call on compat proxy", error);
+
+ g_main_loop_run (loop);
+
+ if (n_times_compat_frobnicate_received != 1)
+ lose ("Frobnicate signal received %d times for compat proxy, should have been 1", n_times_compat_frobnicate_received);
+
+ g_object_unref (proxy);
+
/* Test introspection */
proxy = dbus_g_proxy_new_for_name_owner (connection,
"org.freedesktop.DBus.GLib.TestService",
diff --git a/test/core/test-service-glib.c b/test/core/test-service-glib.c
index 1cdb0ac..fad2473 100644
--- a/test/core/test-service-glib.c
+++ b/test/core/test-service-glib.c
@@ -66,6 +66,10 @@ main (int argc, char **argv)
dbus_g_connection_register_g_object (connection,
"/org/freedesktop/DBus/GLib/Tests/MyTestObject",
obj);
+ /* Register a second time; we want the object to also be reachable through this interface */
+ dbus_g_connection_register_g_object (connection,
+ "/org/freedesktop/DBus/GLib/Tests/Compat/MyTestObjectCompat",
+ obj);
dbus_g_connection_register_g_object (connection,
"/org/freedesktop/DBus/GLib/Tests/MyTestObject2",
obj2);
--
1.6.3.3


    The new spec for dbus-glib-1

Post Scriptum

<?xml version="1.0"?>
<package name="dbus-glib-1">
<description>GLib Bindings for D-Bus</description>
<releases>
<release version="0.82" revision="3" branch="stable">
<!-- as-needed breaks build -->
<deps>
<dep name="dbus-1"/>
<dep name="glib-2.0"/>
<dep name="libxml2"/>
<dep name="expat"/><!-- doesn't build with only libxml2 -->
</deps>
<build>
<script>
<archive name="dbus-glib-$VERSION">
<!-- Patches from https://bugs.freedesktop.org/show_bug.cgi?id=23297 -->
<patch name="Support-duplicate-object-registrations"/>
<patch name="Copy-object-registration-list-when-unregistering"/>
<patch name="Only-re-set-registration-list-if-its-non-empty"/>
<!-- add introspect file to avoid the need to have d-bus running when building -->
<!--install name="dbus-bus-introspect-20060726.xml" dest="./tools/dbus-bus-introspect.xml"/-->
<cmd>./configure --prefix=/usr --libexecdir=/usr/lib --sysconfdir=/etc --localstatedir=/var --disable-static</cmd>
<cmd>make -j 2</cmd>
<cmd>make install</cmd>
</archive>
</script>
</build>
</release>
</releases>
</package>


So the 2) step is that there is a problem with PolicyKit-gnome that when you click on a gtk button to call for policykit auth it actually doesn't send signals so it needs a patch to fix these action buttons. Got this patch actually from ArchLinux Bugs http://bugs.archlinux.org/task/14610, even though this patch is actually originally from Ubuntu

    05-fix-actions

Post Scriptum
# Ubuntu: https://bugs.launchpad.net/ubuntu/+source/policykit-gnome/+bug/332343
# Upstream: http://bugzilla.gnome.org/show_bug.cgi?id=572878
# Patch: http://bugzilla.gnome.org/attachment.cgi?id=129353&action=view
# Description: When "clicked" is blocked as the user is not authorized
# it should emit "auth-start" so that the user can authenticate. Makes
# it work with widgets that don't emit "activate", e.g. buttons.
--- ./polkit-gnome/polkit-gnome-action.c.old 2009-02-06 17:31:46.000000000 +0000
+++ ./polkit-gnome/polkit-gnome-action.c 2009-02-06 17:32:03.000000000 +0000
@@ -2062,6 +2062,8 @@ _button_clicked (GtkButton *button, PolK
case POLKIT_RESULT_ONLY_VIA_SELF_AUTH_KEEP_ALWAYS:
/* g_debug ("blocking clicked"); */
g_signal_stop_emission_by_name (button, "clicked");
+ if (action->priv->polkit_action != NULL)
+ g_signal_emit (action, signals [AUTH_START_SIGNAL], 0);
break;

default:


    The new spec for PolicyKit-gnome

Post Scriptum
<?xml version="1.0"?>
<package name="PolicyKit-gnome">
<description>PolicyKit add-on library for GNOME</description>
<releases>
<release version="0.9" revision="3" branch="stable">
<deps>
<dep name="dbus-1"/>
<dep name="dbus-glib-1"/>
<dep name="gconf-2.0"/>
<dep name="gnome-vfs-2.0"/>
<dep name="gtk+-2.0"/>
<dep name="libsexy"/>
<dep name="PolicyKit"/>
</deps>
<build>
<script>
<archive name="PolicyKit-gnome-$VERSION">
<patch name="05-fix-actions"/>
<cmd>./configure --prefix=/usr --libexecdir=/usr/lib --sysconfdir=/etc --disable-static</cmd>
<cmd>make -j 2</cmd>
<cmd>make install</cmd>
</archive>
</script>
</build>
</release>
</releases>
</package>


Now the system is correctly set and you will be able even if not granted from policykit to enter the root password for doing system networks, and for granting or revoke users on polkit-gnome-authorization, and others from the GUI



One advise... It will be a good practice if after the modifications the packages directly related get rebuild against these new lib. I mean the packages: PolicyKit , polkit-1 and polkit-gnome

I said it was a HUGE BUG, which meant a HUGE TEXT, and a HUGE TIME to find out how to fix it without degrading the system

Enjoy PolicyKit correctly !!!

UPDATE: this solution fixes another bug pointed out by frafra, after doing this patchings, when you click on the suspend button of the keyboard, it actually suspends, aparently, policykit wasn't granting the user to suspend through the FN-Keys
 
..............................
OSs: Paldo-testing x86_64 :: HP Pavilion dv9680ez
Profile   Private Message   E-Mail
Created: 2009-11-23 02:35 | Modified: 2009-11-23 09:47 by diogo
Highlight selected Text   Edit   Delete   Quote Reply
 Re: Polkit Wrong defaults
Mitglied
 
 
 
Posts: 73
Registered: 2009-07-15
Well done. !!!

It's very good to see that there's always someone who cares about Paldo and their users, as that's a guaranty that it's alive and healthy.

The quality of this project deserves that it survives to serve us for many years.
Profile   Private Message
Created: 2009-11-23 19:43
Highlight selected Text   Edit   Delete   Quote Reply
 Re: Polkit Wrong defaults
Administrator
 
 
 
Posts: 426
Registered: 2004-09-09
Thanks a lot for your work. This has been added to testing now.
Profile   Private Message   Web
Created: 2009-11-26 00:36
Highlight selected Text   Edit   Delete   Quote Reply
 Re: Polkit Wrong defaults
Senior Mitglied
 
 
 
Posts: 216
Registered: 2008-07-04
hi everyone,

I'm here to announce that these patches may be removed from dbus-glib once we upgrade to version 0.84 or 0.86

Please consider the upgrade and remove the patches as they fix lots of other bugs.


 
..............................
OSs: Paldo-testing x86_64 :: HP Pavilion dv9680ez
Profile   Private Message   E-Mail
Created: 2010-05-11 00:29
Highlight selected Text   Edit   Delete   Quote Reply
Subscribe Topic Subscribe Topic
powered by bitron board 1.23a