scripts: update set-policykit-rules.sh

Check for the moonraker-admin Supplementary group
in the moonraker service file and add it if necessary.

For PolKit versions > 0.106 make sure that the process
is launched with the moonraker-admin group before
granting any polkit permissions.

Signed-off-by:  Eric Callahan <arksine.code@gmail.com>
This commit is contained in:
Eric Callahan 2022-01-27 12:49:38 -05:00 committed by Eric Callahan
parent 468ea36bba
commit 7c8c0e715f
1 changed files with 32 additions and 3 deletions


@ -4,6 +4,22 @@
POLKIT_LEGACY_DIR="/etc/polkit-1/localauthority/50-local.d" POLKIT_LEGACY_DIR="/etc/polkit-1/localauthority/50-local.d"
POLKIT_DIR="/etc/polkit-1/rules.d" POLKIT_DIR="/etc/polkit-1/rules.d"
POLKIT_USR_DIR="/usr/share/polkit-1/rules.d" POLKIT_USR_DIR="/usr/share/polkit-1/rules.d"
MOONRAKER_UNIT="/etc/systemd/system/moonraker.service"
MOONRAKER_GID="-1"
check_moonraker_service()
{
# Force Add the moonraker-admin group
sudo groupadd -f moonraker-admin
[ ! -f $MOONRAKER_UNIT ] && return
# Make sure the unit file contains supplementary group
HAS_SUPP="$( grep -cm1 "SupplementaryGroups=moonraker-admin" $MOONRAKER_UNIT || true )"
[ "$HAS_SUPP" -eq 1 ] && return
report_status "Adding moonraker-admin supplementary group to $MOONRAKER_UNIT"
sudo sed -i "/^Type=simple$/a SupplementaryGroups=moonraker-admin" $MOONRAKER_UNIT
sudo systemctl daemon-reload
}
add_polkit_legacy_rules() add_polkit_legacy_rules()
{ {
@ -31,7 +47,7 @@ add_polkit_rules()
fi fi
POLKIT_VERSION="$( pkaction --version | grep -Po "(\d?\.\d+)" )" POLKIT_VERSION="$( pkaction --version | grep -Po "(\d?\.\d+)" )"
report_status "PolicyKit Version ${POLKIT_VERSION} Detected" report_status "PolicyKit Version ${POLKIT_VERSION} Detected"
if [ $POLKIT_VERSION = "0.105" ]; then if [ "$POLKIT_VERSION" = "0.105" ]; then
# install legacy pkla file # install legacy pkla file
add_polkit_legacy_rules add_polkit_legacy_rules
return return
@ -46,6 +62,7 @@ add_polkit_rules()
exit 1 exit 1
fi fi
report_status "Installing PolicyKit Rules to ${RULE_FILE}..." report_status "Installing PolicyKit Rules to ${RULE_FILE}..."
MOONRAKER_GID=$( getent group moonraker-admin | awk -F: '{printf "%d", $3}' )
sudo /bin/sh -c "cat > ${RULE_FILE}" << EOF sudo /bin/sh -c "cat > ${RULE_FILE}" << EOF
// Allow Moonraker User to manage systemd units, reboot and shutdown // Allow Moonraker User to manage systemd units, reboot and shutdown
// the system // the system
@ -57,7 +74,16 @@ polkit.addRule(function(action, subject) {
action.id == "org.freedesktop.login1.reboot-multiple-sessions" || action.id == "org.freedesktop.login1.reboot-multiple-sessions" ||
action.id.startsWith("org.freedesktop.packagekit.")) && action.id.startsWith("org.freedesktop.packagekit.")) &&
subject.user == "$USER") { subject.user == "$USER") {
return polkit.Result.YES; // Only allow processes with the "moonraker-admin" supplementary group
// access
var regex = "^Groups:.+?\\\s$MOONRAKER_GID[\\\s\\\0]";
var cmdpath = "/proc/" + subject.pid.toString() + "/status";
try {
polkit.spawn(["grep", "-Po", regex, cmdpath]);
return polkit.Result.YES;
} catch (error) {
return polkit.Result.NOT_HANDLED;
}
} }
}); });
EOF EOF
@ -87,9 +113,12 @@ verify_ready()
CLEAR="$1" CLEAR="$1"
if [ $CLEAR = "--clear" ] || [ $CLEAR = "-c" ]; then if [ "$CLEAR" = "--clear" ] || [ "$CLEAR" = "-c" ]; then
clear_polkit_rules clear_polkit_rules
else else
set -e set -e
check_moonraker_service
add_polkit_rules add_polkit_rules
report_status "Restarting Moonraker..."
sudo systemctl restart moonraker
fi fi
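Review bot: The `MOONRAKER_GID=$( getent group moonraker-admin | awk ... )` line added in the third hunk is never checked for an empty result, and the awk stage prints nothing when getent returns nothing, so a lookup failure leaves `MOONRAKER_GID` empty rather than stopping the script. The regex written into the rule file in the fourth hunk would then degenerate to `^Groups:.+?\s[\s\0]`, which matches the Groups line of almost any process, so the supplementary-group check that this commit introduces would grant `polkit.Result.YES` without actually restricting anything. A guard immediately after the assignment, such as `[ -n "$MOONRAKER_GID" ] || { echo "Unable to determine moonraker-admin GID" >&2; exit 1; }`, keeps the rule file from being installed with an unconstrained pattern. A related point in the first hunk: the `sed -i "/^Type=simple$/a SupplementaryGroups=moonraker-admin"` edit silently adds nothing when the unit has no `Type=simple` line, which would leave Moonraker without the group and make every rule evaluation fall through to `NOT_HANDLED`; checking `HAS_SUPP` again after the edit (or anchoring on the `[Service]` section) would surface that case. The enclosing `add_polkit_rules` function starts and ends outside the visible hunks.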