diff options
Diffstat (limited to 'user/polkit')
-rw-r--r-- | user/polkit/0001-make-netgroup-support-optional.patch | 278 | ||||
-rw-r--r-- | user/polkit/APKBUILD | 10 | ||||
-rw-r--r-- | user/polkit/CVE-2018-19788.patch | 183 |
3 files changed, 28 insertions, 443 deletions
diff --git a/user/polkit/0001-make-netgroup-support-optional.patch b/user/polkit/0001-make-netgroup-support-optional.patch index 1a7716c45..6387974be 100644 --- a/user/polkit/0001-make-netgroup-support-optional.patch +++ b/user/polkit/0001-make-netgroup-support-optional.patch @@ -1,4 +1,4 @@ -From aafb9fd0e79775146186ee1d7ffef1f76cdbc1bb Mon Sep 17 00:00:00 2001 +From 778bb45e0e0cbabe2b04adf67a500af1dab09768 Mon Sep 17 00:00:00 2001 From: "A. Wilcox" <AWilcox@Wilcox-Tech.com> Date: Wed, 11 Jul 2018 04:54:26 -0500 Subject: [PATCH] make netgroup support optional @@ -12,253 +12,23 @@ that function is not available on the system, an error will be returned to the administrator if unix-netgroup: is specified in configuration. Fixes bug 50145. + +Closes polkit/polkit#14. + +Signed-off-by: A. Wilcox <AWilcox@Wilcox-Tech.com> --- - 0001-make-netgroup-support-optional.patch | 226 ++++++++++++++++++ - configure.ac | 2 +- - src/polkit/polkitidentity.c | 16 ++ - src/polkit/polkitunixnetgroup.c | 3 + - .../polkitbackendinteractiveauthority.c | 14 +- - .../polkitbackendjsauthority.cpp | 2 + - test/polkit/polkitidentitytest.c | 9 +- - test/polkit/polkitunixnetgrouptest.c | 3 + - .../test-polkitbackendjsauthority.c | 2 + - 9 files changed, 269 insertions(+), 8 deletions(-) - create mode 100644 0001-make-netgroup-support-optional.patch + configure.ac | 2 +- + src/polkit/polkitidentity.c | 16 ++++++++++++++++ + src/polkit/polkitunixnetgroup.c | 3 +++ + .../polkitbackendinteractiveauthority.c | 14 ++++++++------ + src/polkitbackend/polkitbackendjsauthority.cpp | 2 ++ + test/polkit/polkitidentitytest.c | 9 ++++++++- + test/polkit/polkitunixnetgrouptest.c | 3 +++ + .../test-polkitbackendjsauthority.c | 2 ++ + 8 files changed, 43 insertions(+), 8 deletions(-) -diff --git a/0001-make-netgroup-support-optional.patch b/0001-make-netgroup-support-optional.patch -new file mode 100644 -index 0000000..dedc5f7 ---- /dev/null -+++ b/0001-make-netgroup-support-optional.patch -@@ -0,0 +1,226 @@ -+From 73eada88dd344333cc1d1f9c5c35413fcee1dd67 Mon Sep 17 00:00:00 2001 -+From: "A. Wilcox" <AWilcox@Wilcox-Tech.com> -+Date: Wed, 11 Jul 2018 04:54:26 -0500 -+Subject: [PATCH] make netgroup support optional -+ -+On at least Linux/musl and Linux/uclibc, netgroup support is not -+available. PolKit fails to compile on these systems for that reason. -+ -+This change makes netgroup support conditional on the presence of the -+setnetgrent(3) function which is required for the support to work. If -+that function is not available on the system, an error will be returned -+to the administrator if unix-netgroup: is specified in configuration. -+ -+Fixes bug 50145. -+--- -+ configure.ac | 2 +- -+ src/polkit/polkitidentity.c | 16 ++++++++++++++++ -+ src/polkit/polkitunixnetgroup.c | 3 +++ -+ .../polkitbackendinteractiveauthority.c | 14 ++++++++------ -+ src/polkitbackend/polkitbackendjsauthority.cpp | 2 ++ -+ test/polkit/polkitidentitytest.c | 9 ++++++++- -+ test/polkit/polkitunixnetgrouptest.c | 3 +++ -+ 7 files changed, 41 insertions(+), 8 deletions(-) -+ -+diff --git a/configure.ac b/configure.ac -+index bfa87dd..cb86ac7 100644 -+--- a/configure.ac -++++ b/configure.ac -+@@ -99,7 +99,7 @@ AC_CHECK_LIB(expat,XML_ParserCreate,[EXPAT_LIBS="-lexpat"], -+ [AC_MSG_ERROR([Can't find expat library. Please install expat.])]) -+ AC_SUBST(EXPAT_LIBS) -+ -+-AC_CHECK_FUNCS(clearenv fdatasync) -++AC_CHECK_FUNCS(clearenv fdatasync setnetgrent) -+ -+ if test "x$GCC" = "xyes"; then -+ LDFLAGS="-Wl,--as-needed $LDFLAGS" -+diff --git a/src/polkit/polkitidentity.c b/src/polkit/polkitidentity.c -+index 3aa1f7f..10e9c17 100644 -+--- a/src/polkit/polkitidentity.c -++++ b/src/polkit/polkitidentity.c -+@@ -182,7 +182,15 @@ polkit_identity_from_string (const gchar *str, -+ } -+ else if (g_str_has_prefix (str, "unix-netgroup:")) -+ { -++#ifndef HAVE_SETNETGRENT -++ g_set_error (error, -++ POLKIT_ERROR, -++ POLKIT_ERROR_FAILED, -++ "Netgroups are not available on this machine ('%s')", -++ str); -++#else -+ identity = polkit_unix_netgroup_new (str + sizeof "unix-netgroup:" - 1); -++#endif -+ } -+ -+ if (identity == NULL && (error != NULL && *error == NULL)) -+@@ -344,6 +352,13 @@ polkit_identity_new_for_gvariant (GVariant *variant, -+ GVariant *v; -+ const char *name; -+ -++#ifndef HAVE_SETNETGRENT -++ g_set_error (error, -++ POLKIT_ERROR, -++ POLKIT_ERROR_FAILED, -++ "Netgroups are not available on this machine"); -++ goto out; -++#else -+ v = lookup_asv (details_gvariant, "name", G_VARIANT_TYPE_STRING, error); -+ if (v == NULL) -+ { -+@@ -353,6 +368,7 @@ polkit_identity_new_for_gvariant (GVariant *variant, -+ name = g_variant_get_string (v, NULL); -+ ret = polkit_unix_netgroup_new (name); -+ g_variant_unref (v); -++#endif -+ } -+ else -+ { -+diff --git a/src/polkit/polkitunixnetgroup.c b/src/polkit/polkitunixnetgroup.c -+index 8a2b369..83f8d4a 100644 -+--- a/src/polkit/polkitunixnetgroup.c -++++ b/src/polkit/polkitunixnetgroup.c -+@@ -194,6 +194,9 @@ polkit_unix_netgroup_set_name (PolkitUnixNetgroup *group, -+ PolkitIdentity * -+ polkit_unix_netgroup_new (const gchar *name) -+ { -++#ifndef HAVE_SETNETGRENT -++ g_assert_not_reached(); -++#endif -+ g_return_val_if_fail (name != NULL, NULL); -+ return POLKIT_IDENTITY (g_object_new (POLKIT_TYPE_UNIX_NETGROUP, -+ "name", name, -+diff --git a/src/polkitbackend/polkitbackendinteractiveauthority.c b/src/polkitbackend/polkitbackendinteractiveauthority.c -+index cb6fdab..ab47a98 100644 -+--- a/src/polkitbackend/polkitbackendinteractiveauthority.c -++++ b/src/polkitbackend/polkitbackendinteractiveauthority.c -+@@ -2233,25 +2233,26 @@ get_users_in_net_group (PolkitIdentity *group, -+ GList *ret; -+ -+ ret = NULL; -++#ifdef HAVE_SETNETGRENT -+ name = polkit_unix_netgroup_get_name (POLKIT_UNIX_NETGROUP (group)); -+ -+-#ifdef HAVE_SETNETGRENT_RETURN -++# ifdef HAVE_SETNETGRENT_RETURN -+ if (setnetgrent (name) == 0) -+ { -+ g_warning ("Error looking up net group with name %s: %s", name, g_strerror (errno)); -+ goto out; -+ } -+-#else -++# else -+ setnetgrent (name); -+-#endif -++# endif /* HAVE_SETNETGRENT_RETURN */ -+ -+ for (;;) -+ { -+-#if defined(HAVE_NETBSD) || defined(HAVE_OPENBSD) -++# if defined(HAVE_NETBSD) || defined(HAVE_OPENBSD) -+ const char *hostname, *username, *domainname; -+-#else -++# else -+ char *hostname, *username, *domainname; -+-#endif -++# endif /* defined(HAVE_NETBSD) || defined(HAVE_OPENBSD) */ -+ PolkitIdentity *user; -+ GError *error = NULL; -+ -+@@ -2282,6 +2283,7 @@ get_users_in_net_group (PolkitIdentity *group, -+ -+ out: -+ endnetgrent (); -++#endif /* HAVE_SETNETGRENT */ -+ return ret; -+ } -+ -+diff --git a/src/polkitbackend/polkitbackendjsauthority.cpp b/src/polkitbackend/polkitbackendjsauthority.cpp -+index 517f3c6..45b0378 100644 -+--- a/src/polkitbackend/polkitbackendjsauthority.cpp -++++ b/src/polkitbackend/polkitbackendjsauthority.cpp -+@@ -1499,6 +1499,7 @@ js_polkit_user_is_in_netgroup (JSContext *cx, -+ -+ JS::CallArgs args = JS::CallArgsFromVp (argc, vp); -+ -++#ifdef HAVE_SETNETGRENT -+ user = JS_EncodeString (cx, args[0].toString()); -+ netgroup = JS_EncodeString (cx, args[1].toString()); -+ -+@@ -1512,6 +1513,7 @@ js_polkit_user_is_in_netgroup (JSContext *cx, -+ -+ JS_free (cx, netgroup); -+ JS_free (cx, user); -++#endif -+ -+ ret = true; -+ -+diff --git a/test/polkit/polkitidentitytest.c b/test/polkit/polkitidentitytest.c -+index e91967b..e829aaa 100644 -+--- a/test/polkit/polkitidentitytest.c -++++ b/test/polkit/polkitidentitytest.c -+@@ -19,6 +19,7 @@ -+ * Author: Nikki VonHollen <vonhollen@google.com> -+ */ -+ -++#include "config.h" -+ #include "glib.h" -+ #include <polkit/polkit.h> -+ #include <polkit/polkitprivate.h> -+@@ -145,11 +146,15 @@ struct ComparisonTestData comparison_test_data [] = { -+ {"unix-group:root", "unix-group:jane", FALSE}, -+ {"unix-group:jane", "unix-group:jane", TRUE}, -+ -++#ifdef HAVE_SETNETGRENT -+ {"unix-netgroup:foo", "unix-netgroup:foo", TRUE}, -+ {"unix-netgroup:foo", "unix-netgroup:bar", FALSE}, -++#endif -+ -+ {"unix-user:root", "unix-group:root", FALSE}, -++#ifdef HAVE_SETNETGRENT -+ {"unix-user:jane", "unix-netgroup:foo", FALSE}, -++#endif -+ -+ {NULL}, -+ }; -+@@ -181,11 +186,13 @@ main (int argc, char *argv[]) -+ g_test_add_data_func ("/PolkitIdentity/group_string_2", "unix-group:jane", test_string); -+ g_test_add_data_func ("/PolkitIdentity/group_string_3", "unix-group:users", test_string); -+ -++#ifdef HAVE_SETNETGRENT -+ g_test_add_data_func ("/PolkitIdentity/netgroup_string", "unix-netgroup:foo", test_string); -++ g_test_add_data_func ("/PolkitIdentity/netgroup_gvariant", "unix-netgroup:foo", test_gvariant); -++#endif -+ -+ g_test_add_data_func ("/PolkitIdentity/user_gvariant", "unix-user:root", test_gvariant); -+ g_test_add_data_func ("/PolkitIdentity/group_gvariant", "unix-group:root", test_gvariant); -+- g_test_add_data_func ("/PolkitIdentity/netgroup_gvariant", "unix-netgroup:foo", test_gvariant); -+ -+ add_comparison_tests (); -+ -+diff --git a/test/polkit/polkitunixnetgrouptest.c b/test/polkit/polkitunixnetgrouptest.c -+index 3701ba1..e3352eb 100644 -+--- a/test/polkit/polkitunixnetgrouptest.c -++++ b/test/polkit/polkitunixnetgrouptest.c -+@@ -19,6 +19,7 @@ -+ * Author: Nikki VonHollen <vonhollen@google.com> -+ */ -+ -++#include "config.h" -+ #include "glib.h" -+ #include <polkit/polkit.h> -+ #include <string.h> -+@@ -69,7 +70,9 @@ int -+ main (int argc, char *argv[]) -+ { -+ g_test_init (&argc, &argv, NULL); -++#ifdef HAVE_SETNETGRENT -+ g_test_add_func ("/PolkitUnixNetgroup/new", test_new); -+ g_test_add_func ("/PolkitUnixNetgroup/set_name", test_set_name); -++#endif -+ return g_test_run (); -+ } -+-- -+2.17.1 -+ diff --git a/configure.ac b/configure.ac -index bfa87dd..cb86ac7 100644 +index 5cedb4e..87aa0ad 100644 --- a/configure.ac +++ b/configure.ac @@ -99,7 +99,7 @@ AC_CHECK_LIB(expat,XML_ParserCreate,[EXPAT_LIBS="-lexpat"], @@ -327,7 +97,7 @@ index 8a2b369..83f8d4a 100644 return POLKIT_IDENTITY (g_object_new (POLKIT_TYPE_UNIX_NETGROUP, "name", name, diff --git a/src/polkitbackend/polkitbackendinteractiveauthority.c b/src/polkitbackend/polkitbackendinteractiveauthority.c -index cb6fdab..ab47a98 100644 +index 056d9a8..36c2f3d 100644 --- a/src/polkitbackend/polkitbackendinteractiveauthority.c +++ b/src/polkitbackend/polkitbackendinteractiveauthority.c @@ -2233,25 +2233,26 @@ get_users_in_net_group (PolkitIdentity *group, @@ -372,18 +142,18 @@ index cb6fdab..ab47a98 100644 } diff --git a/src/polkitbackend/polkitbackendjsauthority.cpp b/src/polkitbackend/polkitbackendjsauthority.cpp -index 517f3c6..45b0378 100644 +index 9b752d1..09b2878 100644 --- a/src/polkitbackend/polkitbackendjsauthority.cpp +++ b/src/polkitbackend/polkitbackendjsauthority.cpp -@@ -1499,6 +1499,7 @@ js_polkit_user_is_in_netgroup (JSContext *cx, +@@ -1502,6 +1502,7 @@ js_polkit_user_is_in_netgroup (JSContext *cx, JS::CallArgs args = JS::CallArgsFromVp (argc, vp); +#ifdef HAVE_SETNETGRENT - user = JS_EncodeString (cx, args[0].toString()); - netgroup = JS_EncodeString (cx, args[1].toString()); - -@@ -1512,6 +1513,7 @@ js_polkit_user_is_in_netgroup (JSContext *cx, + JS::RootedString usrstr (authority->priv->cx); + usrstr = args[0].toString(); + user = JS_EncodeStringToUTF8 (cx, usrstr); +@@ -1519,6 +1520,7 @@ js_polkit_user_is_in_netgroup (JSContext *cx, JS_free (cx, netgroup); JS_free (cx, user); @@ -457,7 +227,7 @@ index 3701ba1..e3352eb 100644 return g_test_run (); } diff --git a/test/polkitbackend/test-polkitbackendjsauthority.c b/test/polkitbackend/test-polkitbackendjsauthority.c -index b484a26..01e4907 100644 +index 71aad23..fdd28f3 100644 --- a/test/polkitbackend/test-polkitbackendjsauthority.c +++ b/test/polkitbackend/test-polkitbackendjsauthority.c @@ -137,12 +137,14 @@ test_get_admin_identities (void) @@ -476,5 +246,5 @@ index b484a26..01e4907 100644 guint n; -- -2.17.1 +2.21.0 diff --git a/user/polkit/APKBUILD b/user/polkit/APKBUILD index 5b5dfdacd..54ecc7f98 100644 --- a/user/polkit/APKBUILD +++ b/user/polkit/APKBUILD @@ -1,8 +1,8 @@ # Contributor: Carlo Landmeter # Maintainer: A. Wilcox <awilfox@adelielinux.org> pkgname=polkit -pkgver=0.115 -pkgrel=3 +pkgver=0.116 +pkgrel=0 pkgdesc="Toolkit for controlling system-wide privileges" url="https://www.freedesktop.org/wiki/Software/polkit/" arch="all" @@ -17,7 +17,6 @@ pkggroups="polkitd" install="$pkgname.pre-install $pkgname.pre-upgrade" source="https://www.freedesktop.org/software/polkit/releases/polkit-$pkgver.tar.gz 0001-make-netgroup-support-optional.patch - CVE-2018-19788.patch fix-consolekit-db-stat.patch fix-test-fgetpwent.patch " @@ -66,8 +65,7 @@ package() { make DESTDIR="$pkgdir" install } -sha512sums="1153011fa93145b2c184e6b3446d3ca21b38918641aeccd8fac3985ac3e30ec6bc75be6973985fde90f2a24236592f1595be259155061c2d33358dd17c4ee4fc polkit-0.115.tar.gz -6d68d90e6dc9594175631c99699d4d949fba6d2d1ad66680897f9a17e9dc3c17b44f2bc06ed4f6149931e17a96baaf481981fb0698aace7c81a67c06c2806c29 0001-make-netgroup-support-optional.patch -4a2a11c1de8ef11def9c32b4b595fd45066aeaeb0cb42665846e3c7b8c6f5b7d3a782d722a25889afdb6a4414abed0837a359692342baaeb770d0e9712818ce1 CVE-2018-19788.patch +sha512sums="b66b01cc2bb4349de70147f41f161f0f6f41e7230b581dfb054058b48969ec57041ab05b51787c749ccfc36aa5f317952d7e7ba337b4f6f6c0a923ed5866c2d5 polkit-0.116.tar.gz +f13a350a040a80b705d28e2ce3fac183409f593dc360879ce1bc9ec85faa7796cf0f4e054098b737fb816369de6c9d598449f6908316484aac99a44a68102ae6 0001-make-netgroup-support-optional.patch 95493ef842b46ce9e724933a5d86083589075fb452435057b8f629643cac7c7eff67a24fd188087987e98057f0130757fad546d0c090767da3d71ebaf8485a24 fix-consolekit-db-stat.patch 966825aded565432f4fda9e54113a773b514ebf7ee7faa83bcb8b97d218ae84a8707d6747bbc3cb8a828638d692fdef34c05038f150ad38e02a29f2c782aba5b fix-test-fgetpwent.patch" diff --git a/user/polkit/CVE-2018-19788.patch b/user/polkit/CVE-2018-19788.patch deleted file mode 100644 index 6a2845aca..000000000 --- a/user/polkit/CVE-2018-19788.patch +++ /dev/null @@ -1,183 +0,0 @@ -From 35af308b530f36c1a0a912387106a59b3ab92027 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl> -Date: Mon, 3 Dec 2018 10:28:58 +0100 -Subject: [PATCH 1/2] Use default of -1 for uid/gid in class initialization - -This doesn't seem to change anything in polkitd behaviour, but it -seems cleaner to default to -1 which here means "unset". ---- - src/polkit/polkitunixgroup.c | 4 ++-- - src/polkit/polkitunixuser.c | 4 ++-- - 2 files changed, 4 insertions(+), 4 deletions(-) - -diff --git a/src/polkit/polkitunixgroup.c b/src/polkit/polkitunixgroup.c -index c57a1aa..095cca0 100644 ---- a/src/polkit/polkitunixgroup.c -+++ b/src/polkit/polkitunixgroup.c -@@ -131,9 +131,9 @@ polkit_unix_group_class_init (PolkitUnixGroupClass *klass) - g_param_spec_int ("gid", - "Group ID", - "The UNIX group ID", -- 0, -+ -1, - G_MAXINT, -- 0, -+ -1, - G_PARAM_CONSTRUCT | - G_PARAM_READWRITE | - G_PARAM_STATIC_NAME | -diff --git a/src/polkit/polkitunixuser.c b/src/polkit/polkitunixuser.c -index 8bfd3a1..a5285f4 100644 ---- a/src/polkit/polkitunixuser.c -+++ b/src/polkit/polkitunixuser.c -@@ -144,9 +144,9 @@ polkit_unix_user_class_init (PolkitUnixUserClass *klass) - g_param_spec_int ("uid", - "User ID", - "The UNIX user ID", -- 0, -+ -1, - G_MAXINT, -- 0, -+ -1, - G_PARAM_CONSTRUCT | - G_PARAM_READWRITE | - G_PARAM_STATIC_NAME | --- -2.18.1 - - -From fbaab32cb4ed9ed5f1e3eea6cd317d443aa427dc Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl> -Date: Mon, 3 Dec 2018 12:51:26 +0100 -Subject: [PATCH 2/2] Check gid and uid initalization in PolkitUnixUser and - Group objects - -When a user or group above INT32_MAX is created, the numeric uid or -gid wraps around to negative when the value is assigned to gint, and -polkit gets confused. Let's refuse such uids and gids. - -This patch just refuses to initialize uid and gid values to negative. -A nicer fix is to change the underlying type to e.g. gint64 to allow -the full range of values in uid_t and gid_t to be represented. But -this cannot be done without breaking the API, so likely new functions -will have to be added (a polkit_unix_user_new variant that takes a -gint64, and the same for _group_new, _set_uid, _get_uid, _set_gid, -_get_gid, etc.). This will require a bigger patch. - -Fixes https://gitlab.freedesktop.org/polkit/polkit/issues/74. - -Example sessions from uid=4000000000: - -Dec 03 14:35:08 krowka polkitd[21432]: system-bus-name::1.41869 is inquiring whether system-bus-name::1.79432 is authorized for org.freedesktop.systemd1.manage-units -Dec 03 14:35:08 krowka polkitd[21432]: user of caller is unix-user:root -Dec 03 14:35:08 krowka polkitd[21432]: polkit_unix_user_new: assertion 'uid >= 0' failed -Dec 03 14:35:08 krowka polkitd[21432]: polkit_identity_to_string: assertion 'POLKIT_IS_IDENTITY (identity)' failed -Dec 03 14:35:08 krowka polkitd[21432]: user of subject is (null) -Dec 03 14:35:08 krowka polkitd[21432]: polkit_identity_equal: assertion 'POLKIT_IS_IDENTITY (b)' failed -Dec 03 14:35:08 krowka polkitd[21432]: checking whether system-bus-name::1.79432 is authorized for org.freedesktop.systemd1.manage-units -Dec 03 14:35:08 krowka polkitd[21432]: polkit_unix_user_new: assertion 'uid >= 0' failed -Dec 03 14:35:08 krowka polkitd[21432]: -Dec 03 14:35:08 krowka polkitd[21432]: polkit_authorization_result_get_is_challenge: assertion 'POLKIT_IS_AUTHORIZATION_RESULT (result)' failed -Dec 03 14:35:08 krowka polkitd[21432]: g_object_ref: assertion 'G_IS_OBJECT (object)' failed -Dec 03 14:35:08 krowka polkitd[21432]: g_object_ref: assertion 'G_IS_OBJECT (object)' failed -Dec 03 14:35:08 krowka polkitd[21432]: polkit_authorization_result_get_details: assertion 'POLKIT_IS_AUTHORIZATION_RESULT (result)' failed -Dec 03 14:35:08 krowka polkitd[21432]: polkit_authorization_result_get_is_challenge: assertion 'POLKIT_IS_AUTHORIZATION_RESULT (result)' failed -Dec 03 14:35:08 krowka polkitd[21432]: polkit_authorization_result_get_is_authorized: assertion 'POLKIT_IS_AUTHORIZATION_RESULT (result)' failed -Dec 03 14:35:08 krowka polkitd[21432]: g_object_unref: assertion 'G_IS_OBJECT (object)' failed -Dec 03 14:35:08 krowka polkitd[21432]: g_object_unref: assertion 'G_IS_OBJECT (object)' failed ---- - src/polkit/polkitunixgroup.c | 9 ++++++++- - src/polkit/polkitunixuser.c | 7 +++++++ - 2 files changed, 15 insertions(+), 1 deletion(-) - -diff --git a/src/polkit/polkitunixgroup.c b/src/polkit/polkitunixgroup.c -index 095cca0..53db862 100644 ---- a/src/polkit/polkitunixgroup.c -+++ b/src/polkit/polkitunixgroup.c -@@ -71,6 +71,7 @@ G_DEFINE_TYPE_WITH_CODE (PolkitUnixGroup, polkit_unix_group, G_TYPE_OBJECT, - static void - polkit_unix_group_init (PolkitUnixGroup *unix_group) - { -+ unix_group->gid = -1; - } - - static void -@@ -100,11 +101,14 @@ polkit_unix_group_set_property (GObject *object, - GParamSpec *pspec) - { - PolkitUnixGroup *unix_group = POLKIT_UNIX_GROUP (object); -+ gint val; - - switch (prop_id) - { - case PROP_GID: -- unix_group->gid = g_value_get_int (value); -+ val = g_value_get_int (value); -+ g_return_if_fail (val >= 0); -+ unix_group->gid = val; - break; - - default: -@@ -169,6 +173,7 @@ polkit_unix_group_set_gid (PolkitUnixGroup *group, - gint gid) - { - g_return_if_fail (POLKIT_IS_UNIX_GROUP (group)); -+ g_return_if_fail (gid >= 0); - group->gid = gid; - } - -@@ -183,6 +188,8 @@ polkit_unix_group_set_gid (PolkitUnixGroup *group, - PolkitIdentity * - polkit_unix_group_new (gint gid) - { -+ g_return_val_if_fail (gid >= 0, NULL); -+ - return POLKIT_IDENTITY (g_object_new (POLKIT_TYPE_UNIX_GROUP, - "gid", gid, - NULL)); -diff --git a/src/polkit/polkitunixuser.c b/src/polkit/polkitunixuser.c -index a5285f4..ef6403e 100644 ---- a/src/polkit/polkitunixuser.c -+++ b/src/polkit/polkitunixuser.c -@@ -72,6 +72,7 @@ G_DEFINE_TYPE_WITH_CODE (PolkitUnixUser, polkit_unix_user, G_TYPE_OBJECT, - static void - polkit_unix_user_init (PolkitUnixUser *unix_user) - { -+ unix_user->uid = -1; - unix_user->name = NULL; - } - -@@ -112,10 +113,13 @@ polkit_unix_user_set_property (GObject *object, - GParamSpec *pspec) - { - PolkitUnixUser *unix_user = POLKIT_UNIX_USER (object); -+ gint val; - - switch (prop_id) - { - case PROP_UID: -+ val = g_value_get_int (value); -+ g_return_if_fail (val >= 0); - unix_user->uid = g_value_get_int (value); - break; - -@@ -182,6 +186,7 @@ polkit_unix_user_set_uid (PolkitUnixUser *user, - gint uid) - { - g_return_if_fail (POLKIT_IS_UNIX_USER (user)); -+ g_return_if_fail (uid >= 0); - user->uid = uid; - } - -@@ -196,6 +201,8 @@ polkit_unix_user_set_uid (PolkitUnixUser *user, - PolkitIdentity * - polkit_unix_user_new (gint uid) - { -+ g_return_val_if_fail (uid >= 0, NULL); -+ - return POLKIT_IDENTITY (g_object_new (POLKIT_TYPE_UNIX_USER, - "uid", uid, - NULL)); --- -2.18.1 - |