From 7ef2621ab7adcedc099ed39acfb73c6fa835cbc3 Mon Sep 17 00:00:00 2001 From: "A. Wilcox" Date: Sun, 15 May 2022 05:04:10 +0000 Subject: [PATCH] Make netgroup support optional On at least Linux/musl and Linux/uclibc, netgroup support is not available. PolKit fails to compile on these systems for that reason. This change makes netgroup support conditional on the presence of the setnetgrent(3) function which is required for the support to work. If that function is not available on the system, an error will be returned to the administrator if unix-netgroup: is specified in configuration. (sam: rebased for Meson and Duktape.) Closes: https://gitlab.freedesktop.org/polkit/polkit/-/issues/14 Closes: https://gitlab.freedesktop.org/polkit/polkit/-/issues/163 Closes: https://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/52 Signed-off-by: A. Wilcox Ported back the change in configure.ac (upstream removed autotools support). Upstream-Status: Backport [https://gitlab.freedesktop.org/polkit/polkit/-/commit/b57deee8178190a7ecc75290fa13cf7daabc2c66] Signed-off-by: Marta Rybczynska --- configure.ac | 2 +- meson.build | 1 + src/polkit/polkitidentity.c | 17 +++++++++++++++++ src/polkit/polkitunixnetgroup.c | 3 +++ .../polkitbackendinteractiveauthority.c | 14 ++++++++------ src/polkitbackend/polkitbackendjsauthority.cpp | 2 ++ test/polkit/polkitidentitytest.c | 8 +++++++- test/polkit/polkitunixnetgrouptest.c | 2 ++ .../test-polkitbackendjsauthority.c | 2 ++ 9 files changed, 43 insertions(+), 8 deletions(-) diff --git a/configure.ac b/configure.ac index 59858df..5a7fc11 100644 --- a/configure.ac +++ b/configure.ac @@ -100,7 +100,7 @@ AC_CHECK_LIB(expat,XML_ParserCreate,[EXPAT_LIBS="-lexpat"], [AC_MSG_ERROR([Can't find expat library. Please install expat.])]) AC_SUBST(EXPAT_LIBS) -AC_CHECK_FUNCS(clearenv fdatasync) +AC_CHECK_FUNCS(clearenv fdatasync setnetgrent) if test "x$GCC" = "xyes"; then LDFLAGS="-Wl,--as-needed $LDFLAGS" diff --git a/meson.build b/meson.build index 733bbff..d840926 100644 --- a/meson.build +++ b/meson.build @@ -82,6 +82,7 @@ config_h.set('_GNU_SOURCE', true) check_functions = [ 'clearenv', 'fdatasync', + 'setnetgrent', ] foreach func: check_functions diff --git a/src/polkit/polkitidentity.c b/src/polkit/polkitidentity.c index 3aa1f7f..793f17d 100644 --- a/src/polkit/polkitidentity.c +++ b/src/polkit/polkitidentity.c @@ -182,7 +182,15 @@ polkit_identity_from_string (const gchar *str, } else if (g_str_has_prefix (str, "unix-netgroup:")) { +#ifndef HAVE_SETNETGRENT + g_set_error (error, + POLKIT_ERROR, + POLKIT_ERROR_FAILED, + "Netgroups are not available on this machine ('%s')", + str); +#else identity = polkit_unix_netgroup_new (str + sizeof "unix-netgroup:" - 1); +#endif } if (identity == NULL && (error != NULL && *error == NULL)) @@ -344,6 +352,14 @@ polkit_identity_new_for_gvariant (GVariant *variant, GVariant *v; const char *name; +#ifndef HAVE_SETNETGRENT + g_set_error (error, + POLKIT_ERROR, + POLKIT_ERROR_FAILED, + "Netgroups are not available on this machine"); + goto out; +#else + v = lookup_asv (details_gvariant, "name", G_VARIANT_TYPE_STRING, error); if (v == NULL) { @@ -353,6 +369,7 @@ polkit_identity_new_for_gvariant (GVariant *variant, name = g_variant_get_string (v, NULL); ret = polkit_unix_netgroup_new (name); g_variant_unref (v); +#endif } else { diff --git a/src/polkit/polkitunixnetgroup.c b/src/polkit/polkitunixnetgroup.c index 8a2b369..83f8d4a 100644 --- a/src/polkit/polkitunixnetgroup.c +++ b/src/polkit/polkitunixnetgroup.c @@ -194,6 +194,9 @@ polkit_unix_netgroup_set_name (PolkitUnixNetgroup *group, PolkitIdentity * polkit_unix_netgroup_new (const gchar *name) { +#ifndef HAVE_SETNETGRENT + g_assert_not_reached(); +#endif g_return_val_if_fail (name != NULL, NULL); return POLKIT_IDENTITY (g_object_new (POLKIT_TYPE_UNIX_NETGROUP, "name", name, diff --git a/src/polkitbackend/polkitbackendinteractiveauthority.c b/src/polkitbackend/polkitbackendinteractiveauthority.c index 056d9a8..36c2f3d 100644 --- a/src/polkitbackend/polkitbackendinteractiveauthority.c +++ b/src/polkitbackend/polkitbackendinteractiveauthority.c @@ -2233,25 +2233,26 @@ get_users_in_net_group (PolkitIdentity *group, GList *ret; ret = NULL; +#ifdef HAVE_SETNETGRENT name = polkit_unix_netgroup_get_name (POLKIT_UNIX_NETGROUP (group)); -#ifdef HAVE_SETNETGRENT_RETURN +# ifdef HAVE_SETNETGRENT_RETURN if (setnetgrent (name) == 0) { g_warning ("Error looking up net group with name %s: %s", name, g_strerror (errno)); goto out; } -#else +# else setnetgrent (name); -#endif +# endif /* HAVE_SETNETGRENT_RETURN */ for (;;) { -#if defined(HAVE_NETBSD) || defined(HAVE_OPENBSD) +# if defined(HAVE_NETBSD) || defined(HAVE_OPENBSD) const char *hostname, *username, *domainname; -#else +# else char *hostname, *username, *domainname; -#endif +# endif /* defined(HAVE_NETBSD) || defined(HAVE_OPENBSD) */ PolkitIdentity *user; GError *error = NULL; @@ -2282,6 +2283,7 @@ get_users_in_net_group (PolkitIdentity *group, out: endnetgrent (); +#endif /* HAVE_SETNETGRENT */ return ret; } diff --git a/src/polkitbackend/polkitbackendjsauthority.cpp b/src/polkitbackend/polkitbackendjsauthority.cpp index 5027815..bcb040c 100644 --- a/src/polkitbackend/polkitbackendjsauthority.cpp +++ b/src/polkitbackend/polkitbackendjsauthority.cpp @@ -1524,6 +1524,7 @@ js_polkit_user_is_in_netgroup (JSContext *cx, JS::CallArgs args = JS::CallArgsFromVp (argc, vp); +#ifdef HAVE_SETNETGRENT JS::RootedString usrstr (authority->priv->cx); usrstr = args[0].toString(); user = JS_EncodeStringToUTF8 (cx, usrstr); @@ -1538,6 +1539,7 @@ js_polkit_user_is_in_netgroup (JSContext *cx, { is_in_netgroup = true; } +#endif ret = true; diff --git a/test/polkit/polkitidentitytest.c b/test/polkit/polkitidentitytest.c index e91967b..2635c4c 100644 --- a/test/polkit/polkitidentitytest.c +++ b/test/polkit/polkitidentitytest.c @@ -145,11 +145,15 @@ struct ComparisonTestData comparison_test_data [] = { {"unix-group:root", "unix-group:jane", FALSE}, {"unix-group:jane", "unix-group:jane", TRUE}, +#ifdef HAVE_SETNETGRENT {"unix-netgroup:foo", "unix-netgroup:foo", TRUE}, {"unix-netgroup:foo", "unix-netgroup:bar", FALSE}, +#endif {"unix-user:root", "unix-group:root", FALSE}, +#ifdef HAVE_SETNETGRENT {"unix-user:jane", "unix-netgroup:foo", FALSE}, +#endif {NULL}, }; @@ -181,11 +185,13 @@ main (int argc, char *argv[]) g_test_add_data_func ("/PolkitIdentity/group_string_2", "unix-group:jane", test_string); g_test_add_data_func ("/PolkitIdentity/group_string_3", "unix-group:users", test_string); +#ifdef HAVE_SETNETGRENT g_test_add_data_func ("/PolkitIdentity/netgroup_string", "unix-netgroup:foo", test_string); + g_test_add_data_func ("/PolkitIdentity/netgroup_gvariant", "unix-netgroup:foo", test_gvariant); +#endif g_test_add_data_func ("/PolkitIdentity/user_gvariant", "unix-user:root", test_gvariant); g_test_add_data_func ("/PolkitIdentity/group_gvariant", "unix-group:root", test_gvariant); - g_test_add_data_func ("/PolkitIdentity/netgroup_gvariant", "unix-netgroup:foo", test_gvariant); add_comparison_tests (); diff --git a/test/polkit/polkitunixnetgrouptest.c b/test/polkit/polkitunixnetgrouptest.c index 3701ba1..e1d211e 100644 --- a/test/polkit/polkitunixnetgrouptest.c +++ b/test/polkit/polkitunixnetgrouptest.c @@ -69,7 +69,9 @@ int main (int argc, char *argv[]) { g_test_init (&argc, &argv, NULL); +#ifdef HAVE_SETNETGRENT g_test_add_func ("/PolkitUnixNetgroup/new", test_new); g_test_add_func ("/PolkitUnixNetgroup/set_name", test_set_name); +#endif return g_test_run (); } diff --git a/test/polkitbackend/test-polkitbackendjsauthority.c b/test/polkitbackend/test-polkitbackendjsauthority.c index f97e0e0..fc52149 100644 --- a/test/polkitbackend/test-polkitbackendjsauthority.c +++ b/test/polkitbackend/test-polkitbackendjsauthority.c @@ -137,12 +137,14 @@ test_get_admin_identities (void) "unix-group:users" } }, +#ifdef HAVE_SETNETGRENT { "net.company.action3", { "unix-netgroup:foo" } }, +#endif }; guint n;