I previously added support for calling polkit-auth and/or polkit-grant to get PolicyKit credentials. It turns out that polkit-grant is fundamentally flawed & unusable, so this patch removes use of polkit-grant. This is not a big issue, since polkit-auth is more functional and present in 0.7 or later. Second, it removes use of virRun() and does a direct execve(), since we need to keep stdin & stdout open in all circumstances so that polkit-auth can prompt for & accept passwords, depending on config.
Dan.
Index: configure.in
===================================================================
RCS file: /data/cvs/libvirt/configure.in,v
retrieving revision 1.133
diff -u -p -r1.133 configure.in
--- configure.in 3 Mar 2008 14:42:37 -0000 1.133
+++ configure.in 9 Mar 2008 21:00:21 -0000
@@ -450,10 +450,6 @@ if test "x$with_polkit" = "xyes" -o "x$w
 CFLAGS="$old_CFLAGS"
 LDFLAGS="$old_LDFLAGS"
- AC_PATH_PROG(POLKIT_GRANT, polkit-grant)
- if test "x$POLKIT_GRANT" != "x"; then
- AC_DEFINE_UNQUOTED([POLKIT_GRANT],["$POLKIT_GRANT"],[Location of polkit-grant program])
- fi
 AC_PATH_PROG(POLKIT_AUTH, polkit-auth)
 if test "x$POLKIT_AUTH" != "x"; then
 AC_DEFINE_UNQUOTED([POLKIT_AUTH],["$POLKIT_AUTH"],[Location of polkit-auth program])
Index: src/libvirt.c
===================================================================
RCS file: /data/cvs/libvirt/src/libvirt.c,v
retrieving revision 1.125
diff -u -p -r1.125 libvirt.c
--- src/libvirt.c 26 Feb 2008 07:06:48 -0000 1.125
+++ src/libvirt.c 9 Mar 2008 21:00:24 -0000
@@ -19,6 +19,7 @@
 #include <sys/stat.h>
 #include <unistd.h>
 #include <assert.h>
+#include <sys/wait.h>
 #include <libxml/parser.h>
 #include <libxml/xpath.h>
@@ -66,6 +67,39 @@ static int initialized = 0;
 int debugFlag = 0;
 #endif
+#if defined(POLKIT_AUTH)
+static int virConnectAuthGainPolkit(const char *privilege) {
+ const char *const args[] = {
+ POLKIT_AUTH, "--obtain", privilege, NULL
+ };
+ int childpid, status, ret;
+
+ /* Root has all rights */
+ if (getuid() == 0)
+ return 0;
+
+ if ((childpid = fork()) < 0)
+ return -1;
+
+ if (!childpid) {
+ execvp(args[0], (char **)args);
+ _exit(-1);
+ }
+
+ while ((ret = waitpid(childpid, &status, 0) == -1) && errno == EINTR);
+ if (ret == -1) {
+ return -1;
+ }
+
+ if (!WIFEXITED(status) ||
+ (WEXITSTATUS(status) != 0 && WEXITSTATUS(status) != 1)) {
+ return -1;
+ }
+
+ return 0;
+}
+#endif
+
 static int virConnectAuthCallbackDefault(virConnectCredentialPtr cred, unsigned int ncred, void *cbdata ATTRIBUTE_UNUSED) {
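Review bot: In virConnectAuthGainPolkit the wait loop `while ((ret = waitpid(childpid, &status, 0) == -1) && errno == EINTR);` has a parenthesis in the wrong place, so `ret` receives the result of the comparison (0 or 1) rather than waitpid()'s return value. The following `if (ret == -1)` can therefore never fire, and when waitpid() fails with anything other than EINTR the code goes on to test `status`, which was never written and could by chance look like a successful exit, so the PolicyKit request would be reported as granted. The loop should read `while ((ret = waitpid(childpid, &status, 0)) == -1 && errno == EINTR);`. The hunk adds only `<sys/wait.h>`, so it is worth confirming that `<errno.h>` is already included in the part of libvirt.c outside this diff.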
@@ -77,25 +111,15 @@ static int virConnectAuthCallbackDefault
 size_t len;
 switch (cred[i].type) {
-#if defined(POLKIT_GRANT) || defined(POLKIT_AUTH)
+#if defined(POLKIT_AUTH)
 case VIR_CRED_EXTERNAL: {
 int ret;
- const char *const args[] = {
-#if defined(POLKIT_GRANT)
- POLKIT_GRANT, "--gain", cred[i].prompt, NULL
-#else
- POLKIT_AUTH, "--obtain", cred[i].prompt, NULL
-#endif
- };
-
 if (STRNEQ(cred[i].challenge, "PolicyKit"))
 return -1;
- if (virRun(NULL, (char **) args, &ret) < 0)
- return -1;
- if (!WIFEXITED(ret) ||
- (WEXITSTATUS(ret) != 0 && WEXITSTATUS(ret) != 1))
+ if (virConnectAuthGainPolkit(cred[i].prompt) < 0)
 return -1;
+ break;
 }
 #endif
@@ -158,7 +182,7 @@ static int virConnectCredTypeDefault[] =
 VIR_CRED_REALM,
 VIR_CRED_PASSPHRASE,
 VIR_CRED_NOECHOPROMPT,
-#if defined(POLKIT_AUTH) || defined(POLKIT_GRANT)
+#if defined(POLKIT_AUTH)
 VIR_CRED_EXTERNAL,
 #endif
 };
--
|: Red Hat, Engineering, Boston -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
--
Libvir-list mailing list
Libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
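Review bot: `int ret;` at the top of the VIR_CRED_EXTERNAL case is left over from the removed virRun() call and is no longer used now that the exit-status check lives in virConnectAuthGainPolkit; it should be dropped to avoid an unused-variable warning. The call also hands `cred[i].prompt` to the helper without a NULL check, and because the helper places that pointer in the argv for polkit-auth, a NULL would end the argument list early and run `--obtain` with no action name; a guard such as `if (!cred[i].prompt) return -1;` before the call would make the failure explicit. A short comment noting that the prompt field carries the PolicyKit privilege name for this credential type would help readers. The enclosing function starts and ends outside this hunk.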