Bug 239231 - sys-auth/policykit-0.9 must check that /var/lib/PolicyKit has correct permissions
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] GNOME
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Linux Gnome Desktop Team
Reported: 2008-10-01 08:00 UTC by Alexandre Rostovtsev (RETIRED)
Modified: 2008-10-29 10:42 UTC
Description Alexandre Rostovtsev (RETIRED) gentoo-dev 2008-10-01 08:00:45 UTC
/var/lib/PolicyKit must have mode 770 and be owned by root:policykit (this is because normal users must only read and write to it via a specific setgid binary, /usr/libexec/polkit-grant-helper). And indeed, this is how the /var/lib/PolicyKit directory is created on a first install of policykit-0.9.

Unfortunately, earlier versions of policykit installed /var/lib/PolicyKit directory as owned by polkituser:polkituser, mode 755. When upgrading from an earlier version of policykit to 0.9, the ebuild check that the group and mode for the directory are valid, which leads to authorization failure because polkit-grant-helper can no longer save authorization info for users.

At the minimum, the ebuild should check the group and permissions of /var/lib/PolicyKit and print an ewarn if they are incorrect.
Comment 1 Alexandre Rostovtsev (RETIRED) gentoo-dev 2008-10-01 08:03:42 UTC
> /var/lib/PolicyKit must have mode 770 and be owned by root:policykit

Typo, I meant must have mode 770 and be owned by root:polkituser
Comment 2 Alexandre Rostovtsev (RETIRED) gentoo-dev 2008-10-01 08:21:51 UTC
Additionally, the ebuild should check that /var/run/PolicyKit is mode 770, owned by root:polkituser (again, older versions of policykit had /var/run/PolicyKit as mode 755, which leads to authorization failures after upgrading to policykit-0.9).
Comment 3 Gilles Dartiguelongue gentoo-dev 2008-10-02 22:04:19 UTC
OK, I've pushed something to the overlay, without a bump. It should do the right thing if the user had a <0.9 release installed. Please tell me if everything looks OK to you and reopen if it's not.
Comment 4 Andrew D. Keyser (aka Legoguy) 2008-10-29 06:23:25 UTC
Ebuild fails with this new check; it uses braces inside quotes, expecting the shell to expand the braces (when it doesn't.)

chmod 0770 "${ROOT}var/{lib,run}/PolicyKit" || die "chmod failed"
                       ^       ^

chgrp -R polkituser "${ROOT}var/{lib,run}/PolicyKit" || die "chgrp failed"
                                ^       ^

Removing the quotes works fine, though I'm not sure if it's exactly proper...
Comment 5 Nirbheek Chauhan (RETIRED) gentoo-dev 2008-10-29 10:42:28 UTC
(In reply to comment #4)
> Ebuild fails with this new check; it uses braces inside quotes, expecting the
> shell to expand the braces (when it doesn't.)

Fixed in the overlay without a bump (not sure if there _should've_ been a bump :p)
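
Added example, not the ebuild code from the overlay: a POSIX shell sketch of the group and mode check requested in the description and comment 2, written with an explicit loop so it does not depend on the brace expansion that failed in comment 4. The function names are hypothetical, GNU stat is assumed, and ROOT is assumed to end in a slash as in the quoted ebuild lines.

```shell
#!/bin/sh
# Added example, not the Gentoo ebuild. Assumes GNU stat (coreutils) and a
# ROOT argument that ends in "/", as in "${ROOT}var/..." from comment 4.

# audit_polkit_dirs ROOT [GROUP]: print each PolicyKit state directory whose
# mode or group differs from the expected values; return 1 if any did.
audit_polkit_dirs() {
    root=$1
    want_group=${2:-polkituser}   # group named in comment 1
    want_mode=770                 # mode named in the description
    bad=0
    # Explicit loop instead of "${ROOT}var/{lib,run}/PolicyKit": inside
    # double quotes the braces are not expanded, so that string names one
    # literal path that does not exist.
    for sub in lib run; do
        dir="${root}var/${sub}/PolicyKit"
        if [ ! -d "$dir" ]; then
            echo "missing: $dir"
            bad=1
            continue
        fi
        mode=$(stat -c '%a' "$dir")
        group=$(stat -c '%G' "$dir")
        if [ "$mode" != "$want_mode" ] || [ "$group" != "$want_group" ]; then
            echo "wrong: $dir is $mode group $group, want $want_mode group $want_group"
            bad=1
        fi
    done
    return "$bad"
}

# fix_polkit_dirs ROOT [GROUP]: set the expected group and mode, one
# directory per call, stopping at the first failure.
fix_polkit_dirs() {
    root=$1
    want_group=${2:-polkituser}
    for sub in lib run; do
        dir="${root}var/${sub}/PolicyKit"
        chgrp "$want_group" "$dir" || return 1
        chmod 0770 "$dir" || return 1
    done
}
```

Running audit_polkit_dirs / on an upgraded system lists any directory still carrying the old 755 layout without changing anything.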