linux-from-scratch/glfs
1
0
Fork 0
mirror of https://github.com/Zeckmathederg/glfs.git synced 2025-02-09 19:57:18 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity
60caf48d89
glfs/postlfs/security/polkit.xml
Xi Ruoyao 60caf48d89
polkit: use archive tarball and enable tests 
Normally we perfer release tarballs than archives.  But for polkit, we
are using meson so the generated configure script is not needed.  And,
the release tarball lacks test support files and prevents us from
running tests.

For such a "security related" package, skipping test seems not good...
(That being said, we'd been busying fix CVEs not found by the test. :( )
2022-03-06 16:45:02 +08:00

489 lines
15 KiB
XML
Raw Blame History

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY % general-entities SYSTEM "../../general.ent">
%general-entities;
<!ENTITY polkit-download-http "https://gitlab.freedesktop.org/polkit/polkit/-/archive/&polkit-version;/polkit-&polkit-version;.tar.gz">
<!ENTITY polkit-download-ftp " ">
<!ENTITY polkit-md5sum "5687b19e9ca9a0225957b8967d8f4458">
<!ENTITY polkit-size "740 KB">
<!ENTITY polkit-buildsize "8.9 MB (with tests)">
<!ENTITY polkit-time "0.2 SBU (with tests, using parallelism=4)">
]>
<sect1 id="polkit" xreflabel="Polkit-&polkit-version;">
<?dbhtml filename="polkit.html"?>
<sect1info>
<date>$Date$</date>
</sect1info>
<title>Polkit-&polkit-version;</title>
<indexterm zone="polkit">
<primary sortas="a-Polkit">Polkit</primary>
</indexterm>
<sect2 role="package">
<title>Introduction to Polkit</title>
<para>
<application>Polkit</application> is a toolkit for defining and handling
authorizations. It is used for allowing unprivileged processes to
communicate with privileged processes.
</para>
&lfs111_checked;
<bridgehead renderas="sect3">Package Information</bridgehead>
<itemizedlist spacing="compact">
<listitem>
<para>
Download (HTTP): <ulink url="&polkit-download-http;"/>
</para>
</listitem>
<listitem>
<para>
Download (FTP): <ulink url="&polkit-download-ftp;"/>
</para>
</listitem>
<listitem>
<para>
Download MD5 sum: &polkit-md5sum;
</para>
</listitem>
<listitem>
<para>
Download size: &polkit-size;
</para>
</listitem>
<listitem>
<para>
Estimated disk space required: &polkit-buildsize;
</para>
</listitem>
<listitem>
<para>
Estimated build time: &polkit-time;
</para>
</listitem>
</itemizedlist>
<bridgehead renderas="sect3">Additional Downloads</bridgehead>
<itemizedlist spacing="compact">
<listitem>
<para>
Required patch:
<ulink url="&patch-root;/polkit-&polkit-version;-security_fixes-1.patch"/>
</para>
</listitem>
<listitem>
<para>
Required patch:
<ulink url="&patch-root;/polkit-&polkit-version;-js91-1.patch"/>
</para>
</listitem>
</itemizedlist>
<bridgehead renderas="sect3">Polkit Dependencies</bridgehead>
<bridgehead renderas="sect4">Required</bridgehead>
<para role="required">
<xref linkend="glib2"/> and
<xref linkend="js91"/>
</para>
<bridgehead renderas="sect4">Recommended</bridgehead>
<para role="recommended">
<xref linkend="gobject-introspection"/>,
<xref linkend="libxslt"/>,
<xref linkend="linux-pam"/>
<phrase revision="sysv">
and <xref role="first" linkend="elogind"/>
</phrase>
</para>
<note>
<para>
Since <phrase revision="sysv"><command>elogind</command></phrase>
<phrase revision="systemd"><command>systemd-logind</command></phrase>
uses PAM to register user sessions, it is a good idea to build
<application>Polkit</application> with PAM support so
<phrase revision="sysv"><command>elogind</command></phrase>
<phrase revision="systemd"><command>systemd-logind</command></phrase>
can track <application>Polkit</application> sessions.
</para>
</note>
<!-- Due to the fact that meson will not autodetect g-i and
has it set to required unless you pass an option, and the likelihood
of users ignoring a command explanation and then sending in mails
regarding KDE or GNOME not working after installing polkit, let's move
it to recommended. See #15640 for logic
<bridgehead renderas="sect4">Optional (Required if building GNOME)</bridgehead>
<para role="optional">
<xref linkend="gobject-introspection"/>
</para>
-->
<bridgehead renderas="sect4">Optional</bridgehead>
<para role="optional">
<!--<xref linkend="dbus-python"/> and
<xref linkend="python-dbusmock"/> (for tests), and - no more tests -->
<!--<xref linkend="DocBook"/>, (Part of libxslt's chain)
<xref linkend="docbook-xsl"/>,-->
<xref linkend="gtk-doc"/>
</para>
<bridgehead renderas="sect4" revision="systemd">Required Runtime Dependencies</bridgehead>
<para role="required" revision="systemd">
<xref role="runtime" linkend="systemd"/>
</para>
<bridgehead renderas="sect4" id="polkit-agent" xreflabel="Polkit Authentication Agent">
Optional Runtime Dependencies
</bridgehead>
<para role="optional">
One polkit authentication agent for using polkit in the graphical
environment:
<application>polkit-kde-agent</application> in
<xref role="runtime" linkend="plasma5-build"/> for KDE,
the agent built in
<xref role="runtime" linkend="gnome-shell"/> for GNOME3,
<xref role="runtime" linkend="polkit-gnome"/> for XFCE, and
<application>lxpolkit</application> in
<xref role="runtime" linkend="lxsession"/> for LXDE.
</para>
<note>
<para>
If <xref linkend="libxslt"/> is installed,
then <xref linkend="DocBook"/> and <xref linkend="docbook-xsl"/> are
required. If you have installed <xref linkend="libxslt"/>, but you do
not want to install any of the DocBook packages mentioned, you will
need to use <option>-Dman=false</option> in the instructions
below.
</para>
</note>
<para condition="html" role="usernotes">User Notes:
<ulink url="&blfs-wiki;/polkit"/>
</para>
</sect2>
<sect2 role="installation">
<title>Installation of Polkit</title>
<para>
There should be a dedicated user and group to take control
of the <command>polkitd</command> daemon after it is
started. Issue the following commands as the
<systemitem class="username">root</systemitem> user:
</para>
<screen role="root"><userinput>groupadd -fg 27 polkitd &amp;&amp;
useradd -c "PolicyKit Daemon Owner" -d /etc/polkit-1 -u 27 \
-g polkitd -s /bin/false polkitd</userinput></screen>
<para>
First, fix problems with setting permissions during installation and with
meson-0.60.0:
</para>
<screen><userinput remap="pre">sed '/0,/s/^/#/' -i meson_post_install.py &amp;&amp;
sed '/policy,/d' -i actions/meson.build \
-i src/examples/meson.build</userinput></screen>
<para>
Apply a patch to fix two security issues:
</para>
<screen><userinput remap="pre">patch -Np1 -i ../polkit-&polkit-version;-security_fixes-1.patch</userinput></screen>
<para>
Port this package to use JS-91:
</para>
<screen><userinput remap="pre">patch -Np1 -i ../polkit-&polkit-version;-js91-1.patch</userinput></screen>
<para>
Install <application>Polkit</application> by running the following
commands:
</para>
<screen revision="systemd"><userinput>mkdir build &amp;&amp;
cd build &amp;&amp;
meson --prefix=/usr \
--buildtype=release \
-Dman=true \
-Dsession_tracking=libsystemd-login \
-Dtests=true \
.. &amp;&amp;
ninja</userinput></screen>
<screen revision="sysv"><userinput>mkdir build &amp;&amp;
cd build &amp;&amp;
meson --prefix=/usr \
--buildtype=release \
-Dman=true \
-Dsession_tracking=libelogind \
-Dsystemdsystemunitdir=/tmp \
-Dtests=true \
.. &amp;&amp;
ninja</userinput></screen>
<!--
"-t3" for raising the timeout to 90s, i. e. 3x the default:
https://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/107
-->
<para>
To test the results, first ensure that the system
<application>D-Bus</application> daemon is running.
Then run <command>meson test -t3</command>.
</para>
<para>
Now, as the <systemitem class="username">root</systemitem> user:
</para>
<screen role="root" revision="systemd"><userinput>ninja install</userinput></screen>
<screen role="root" revision="sysv"><userinput>ninja install &amp;&amp;
rm -v /tmp/*.service</userinput></screen>
</sect2>
<sect2 role="commands">
<title>Command Explanations</title>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
href="../../xincludes/meson-buildtype-release.xml"/>
<!--
<para revision="sysv">
<parameter>- -disable-libsystemd-login</parameter>: This switch forces
polkit to build with elogind support (if available) rather than
systemd-logind.
</para>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
href="../../xincludes/static-libraries.xml"/>
-->
<para>
<option>-Dauthfw=shadow</option>: This switch enables the
package to use the <application>Shadow</application> rather than the
<application>Linux PAM</application> Authentication framework. Use it
if you have not installed <application>Linux PAM</application>.
</para>
<!--
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
href="../../xincludes/gtk-doc-rebuild.xml"/>
-->
<para>
<option>-Dintrospection=false</option>: Use this option if you are certain
that you do not need gobject-introspection files for polkit, or do not have
gobject-introspection installed.
</para>
<para>
<option>-Dman=false</option>: Use this option to disable generating and
installing manual pages. This is useful if libxslt is not installed.
</para>
<para>
<option>-Dexamples=true</option>: Use this option to build the example
programs.
</para>
<para>
<option>-Dgtk_doc=true</option>: Use this option to enable building and
installing the API documentation.
</para>
</sect2>
<sect2 role="configuration">
<title>Configuring Polkit</title>
<sect3>
<title>PAM Configuration</title>
<note>
<para>
If you did not build <application>Polkit</application> with
<application>Linux PAM</application> support, you can skip this
section.
</para>
</note>
<para>
If you have built <application>Polkit</application> with
<application>Linux PAM</application> support, you need to modify
the default PAM configuration file which was installed by default to get
<application>Polkit</application> to work correctly with BLFS. Issue the
following commands as the <systemitem class="username">root</systemitem>
user to create the configuration file for <application>Linux PAM</application>:
</para>
<screen role="root"><userinput>cat &gt; /etc/pam.d/polkit-1 &lt;&lt; "EOF"
<literal># Begin /etc/pam.d/polkit-1
auth include system-auth
account include system-account
password include system-password
session include system-session
# End /etc/pam.d/polkit-1</literal>
EOF</userinput></screen>
</sect3>
</sect2>
<sect2 role="content">
<title>Contents</title>
<segmentedlist>
<segtitle>Installed Programs</segtitle>
<segtitle>Installed Libraries</segtitle>
<segtitle>Installed Directories</segtitle>
<seglistitem>
<seg>
pkaction, pkcheck, <!--pk-example-frobnicate,--> pkexec,
pkttyagent and polkitd
</seg>
<seg>
libpolkit-agent-1.so and
libpolkit-gobject-1.so
</seg>
<seg>
/etc/polkit-1,
/usr/include/polkit-1,
/usr/lib/polkit-1,
/usr/share/gtk-doc/html/polkit-1 and
/usr/share/polkit-1
</seg>
</seglistitem>
</segmentedlist>
<variablelist>
<bridgehead renderas="sect3">Short Descriptions</bridgehead>
<?dbfo list-presentation="list"?>
<?dbhtml list-presentation="table"?>
<varlistentry id="pkaction">
<term><command>pkaction</command></term>
<listitem>
<para>
is used to obtain information about registered PolicyKit actions
</para>
<indexterm zone="polkit pkaction">
<primary sortas="b-pkaction">pkaction</primary>
</indexterm>
</listitem>
</varlistentry>
<varlistentry id="pkcheck">
<term><command>pkcheck</command></term>
<listitem>
<para>
is used to check whether a process is authorized for action
</para>
<indexterm zone="polkit pkcheck">
<primary sortas="b-pkcheck">pkcheck</primary>
</indexterm>
</listitem>
</varlistentry>
<!--
<varlistentry id="pk-example-frobnicate">
<term><command>pk-example-frobnicate</command></term>
<listitem>
<para>
is an example program to test the <command>pkexec</command>
command
</para>
<indexterm zone="polkit pk-example-frobnicate">
<primary sortas="b-pk-example-frobnicate">pk-example-frobnicate</primary>
</indexterm>
</listitem>
</varlistentry>
-->
<varlistentry id="pkexec">
<term><command>pkexec</command></term>
<listitem>
<para>
allows an authorized user to execute a command as another user
</para>
<indexterm zone="polkit pkexec">
<primary sortas="b-pkexec">pkexec</primary>
</indexterm>
</listitem>
</varlistentry>
<varlistentry id="pkttyagent">
<term><command>pkttyagent</command></term>
<listitem>
<para>
is used to start a textual authentication agent for the subject
</para>
<indexterm zone="polkit pkttyagent">
<primary sortas="b-pkttyagent">pkttyagent</primary>
</indexterm>
</listitem>
</varlistentry>
<varlistentry id="polkitd">
<term><command>polkitd</command></term>
<listitem>
<para>
provides the org.freedesktop.PolicyKit1 <application>D-Bus</application>
service on the system message bus
</para>
<indexterm zone="polkit polkitd">
<primary sortas="b-polkitd">polkitd</primary>
</indexterm>
</listitem>
</varlistentry>
<varlistentry id="libpolkit-agent-1">
<term><filename class="libraryfile">libpolkit-agent-1.so</filename></term>
<listitem>
<para>
contains the <application>Polkit</application> authentication
agent API functions
</para>
<indexterm zone="polkit libpolkit-agent-1">
<primary sortas="c-libpolkit-agent-1">libpolkit-agent-1.so</primary>
</indexterm>
</listitem>
</varlistentry>
<varlistentry id="libpolkit-gobject-1">
<term><filename class="libraryfile">libpolkit-gobject-1.so</filename></term>
<listitem>
<para>
contains the <application>Polkit</application> authorization API functions
</para>
<indexterm zone="polkit libpolkit-gobject-1">
<primary sortas="c-libpolkit-gobject-1">libpolkit-gobject-1.so</primary>
</indexterm>
</listitem>
</varlistentry>
</variablelist>
</sect2>
</sect1>
Reference in New Issue View Git Blame Copy Permalink