Hello community,
here is the log from the commit of package hal for openSUSE:Factory
checked in at Thu Mar 11 19:15:17 CET 2010.
--------
--- hal/hal-doc.changes 2009-12-21 14:12:18.000000000 +0100
+++ /mounts/work_src_done/STABLE/hal/hal-doc.changes 2010-03-11 19:14:57.643101000 +0100
@@ -1,0 +2,11 @@
+Wed Mar 10 10:13:44 CET 2010 - kay.sievers@novell.com
+
+- allow only root to mount fixed storage devices.
+
+-------------------------------------------------------------------
+Wed Feb 17 19:59:21 CET 2010 - kay.sievers@novell.com
+
+- disable PolicyKit and ConsoleKit support
+- lock down access to "at_console" users
+
+-------------------------------------------------------------------
hal.changes: same change
calling whatdependson for head-i586
New:
----
hal-nonpolkit-mount-policy.patch
hal-use-at-console.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ hal-doc.spec ++++++
--- /var/tmp/diff_new_pack.tXK7k7/_old 2010-03-11 19:15:02.000000000 +0100
+++ /var/tmp/diff_new_pack.tXK7k7/_new 2010-03-11 19:15:02.000000000 +0100
@@ -1,7 +1,7 @@
#
# spec file for package hal-doc (Version 0.5.14)
#
-# Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -28,13 +28,13 @@
%define dbus_release 1
%define hal_info_version 20091130
Version: 0.5.14
-Release: 2
+Release: 3
Url: http://freedesktop.org/Software/hal
License: GPLv2+ ; AFL2.0 or GPLv2.0
Group: System/Daemons
AutoReqProv: on
BuildRequires: fdupes pkg-config
-BuildRequires: ConsoleKit-devel PolicyKit-devel dbus-1-glib-devel glib2-devel gperf intltool
+BuildRequires: dbus-1-glib-devel glib2-devel gperf intltool
BuildRequires: libblkid-devel libexpat-devel libusb-devel pciutils-devel
BuildRequires: libselinux-devel perl-XML-Parser popt-devel update-desktop-files
#
@@ -44,7 +44,7 @@
PreReq: /usr/sbin/groupadd /usr/sbin/useradd /etc/init.d/boot.localfs
PreReq: %insserv_prereq
Requires: dbus-1 >= %{dbus_version}-%{dbus_release}, dbus-1-glib >= %{dbus_version}-%{dbus_release}
-Requires: PolicyKit, ConsoleKit, pm-utils
+Requires: pm-utils
Requires: udev >= 143
Requires: util-linux >= 2.16
%ifarch %ix86 x86_64
@@ -63,6 +63,8 @@
Patch0: hal-fix537452.diff
Patch1: hal-computeudi.diff
Patch2: hal-path_max.diff
+Patch3: hal-use-at-console.patch
+Patch4: hal-nonpolkit-mount-policy.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
#
@@ -109,6 +111,8 @@
%patch0 -p1
%patch1
%patch2
+%patch3 -p1
+%patch4 -p1
chmod 644 tools/hal-functions
pushd hal-info-%{hal_info_version}
popd
@@ -118,7 +122,7 @@
autoreconf -fi
%configure \
--libexecdir=%{_prefix}/lib/hal \
- --with-init-scripts=suse \
+ --with-os-type=suse \
--with-hwdata=/usr/share \
--with-pid-file=/var/run/hald/haldaemon.pid \
--with-dbus-sys=/etc/dbus-1/system.d \
@@ -127,11 +131,13 @@
--with-udev-prefix=/lib \
--docdir=%{_datadir}/doc/packages/hal \
--with-eject=/bin/eject \
- --enable-policy-kit \
- --enable-console-kit \
--disable-pmu \
--without-keymaps \
--disable-acpi-proc \
+ --disable-console-kit \
+ --disable-policy-kit \
+ --disable-acl-management \
+ --disable-smbios \
--disable-static \
--with-pic \
%ifarch ppc ppc64 %sparc
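Review bot: `--disable-acl-management` and `--disable-smbios` are added here next to the PolicyKit/ConsoleKit switches, but the changelog entry in this commit only mentions disabling PolicyKit and ConsoleKit, so the reason for the other two is undocumented. With PolicyKit off, authorization for HAL methods presumably rests on the D-Bus `at_console` policy (Patch3) and the uid check in hal-storage-mount (Patch4), and anyone later re-enabling one flag needs to know these pieces belong together. I would add a comment before the `%configure` call (which starts outside this hunk), such as `# PolicyKit/ConsoleKit/ACL management disabled together: access control is done by hal-use-at-console.patch and hal-nonpolkit-mount-policy.patch`, and name the extra flags in the changelog. The comment has to go above `%configure`, because a `#` line inside the backslash-continued argument list would end the command.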
@@ -181,7 +187,6 @@
rm -rf $RPM_BUILD_ROOT/%{_includedir}
rm -rf $RPM_BUILD_ROOT/%{_datadir}/hal
rm -rf $RPM_BUILD_ROOT/%{_datadir}/locale
-rm -rf $RPM_BUILD_ROOT/%{_datadir}/PolicyKit
rm -rf $RPM_BUILD_ROOT/%{_localstatedir}
rm -rf $RPM_BUILD_ROOT/%{_prefix}/lib/hal
rm -rf $RPM_BUILD_ROOT/lib/udev/rules.d/90-hal.rules
@@ -265,7 +270,6 @@
%{_sysconfdir}/hal/*
%{_bindir}/*
%{_datadir}/hal/fdi/*
-%{_datadir}/PolicyKit/policy/*
%{_libdir}/*hal*.so.*
%{_prefix}/lib/hal/*
%{_mandir}/man1/*
hal.spec: same change
++++++ hal-nonpolkit-mount-policy.patch ++++++
--- hal-0.5.13.orig/tools/hal-storage-mount.c 2009-05-27 15:26:03.000000000 -0500
+++ hal-0.5.13/tools/hal-storage-mount.c 2009-11-19 10:52:30.979682802 -0600
@@ -92,6 +92,14 @@
}
static void
+permission_denied_uid (const char *device, const char *uid)
+{
+ fprintf (stderr, "org.freedesktop.Hal.Device.Volume.PermissionDenied\n");
+ fprintf (stderr, "Refusing to mount device %s for uid=%s.\n", device, uid);
+ exit (1);
+}
+
+static void
already_mounted (const char *device)
{
fprintf (stderr, "org.freedesktop.Hal.Device.Volume.AlreadyMounted\n");
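Review bot: `permission_denied_uid` prints `uid` with `%s`, yet the call site added in the second hunk of this patch reaches it exactly when `invoked_by_uid` is NULL (`!invoked_by_uid || strcmp(...)`), and passing a null pointer for `%s` is undefined behaviour. glibc happens to print "(null)", but the refusal path of an authorization check should not depend on that. Change the second `fprintf` to `fprintf (stderr, "Refusing to mount device %s for uid=%s.\n", device, uid != NULL ? uid : "(unknown)");`. A short comment such as `/* Report PermissionDenied on stderr and exit; does not return. */` above the function would also make clear to readers of the caller that nothing after the call runs.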
@@ -856,6 +864,13 @@
}
libhal_free_string (polkit_result);
}
+#else
+ /* root can do everything; only allow handling removable devices
+ * without uid change to non-root users */
+ if (!invoked_by_uid || strcmp(invoked_by_uid, "0"))
+ if (!action || strcmp (action, "org.freedesktop.hal.storage.mount-removable"))
+ permission_denied_uid (device, invoked_by_uid);
+
#endif
#ifdef DEBUG
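Review bot: The new `#else` branch is the only authorization gate when PolicyKit is compiled out, and it is written as two stacked braceless `if`s that use the raw `strcmp` result as a truth value; a later edit that adds an `else` or a second statement would silently change who is refused. I would fold it into one braced condition with explicit comparisons: `if ((!invoked_by_uid || strcmp (invoked_by_uid, "0") != 0) && (!action || strcmp (action, "org.freedesktop.hal.storage.mount-removable") != 0)) {` followed by `permission_denied_uid (device, invoked_by_uid);` and `}`. The comment promises "without uid change", but the visible check only compares the `action` string, so that guarantee depends on how `action` is chosen earlier in the function, which is outside this hunk; the comment should say so. The deny-by-default behaviour for a missing `invoked_by_uid` or `action` is right and should be kept.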
++++++ hal-use-at-console.patch ++++++
diff -up hal-0.5.13/hal.conf.in.drop-polkit hal-0.5.13/hal.conf.in
--- hal-0.5.13/hal.conf.in.drop-polkit 2009-02-04 17:07:23.000000000 -0500
+++ hal-0.5.13/hal.conf.in 2009-07-29 23:15:16.866766074 -0400
@@ -25,7 +25,41 @@
send_interface="org.freedesktop.Hal.Device"/>
<allow send_destination="org.freedesktop.Hal"
send_interface="org.freedesktop.Hal.Manager"/>
+ </policy>
+
+ <!-- Only allow users at the local console to manipulate devices -->
+ <policy at_console="true">
+