• Dan Rosenberg's avatar
    Bug 26982 – pkexec information disclosure vulnerability · 28e485ca
    Dan Rosenberg authored
    pkexec is vulnerable to a minor information disclosure vulnerability
    that allows an attacker to verify whether or not arbitrary files
    exist, violating directory permissions. I reproduced the issue on my
    Karmic installation as follows:
    
     $ mkdir secret
     $ sudo chown root:root secret
     $ sudo chmod 400 secret
     $ sudo touch secret/hidden
     $ pkexec /home/drosenbe/secret/hidden
     (password prompt)
     $ pkexec /home/drosenbe/secret/doesnotexist
     Error getting information about /home/drosenbe/secret/doesnotexist: No such
     file or directory
    
    I've attached my patch for the issue. I replaced the stat() call
    entirely with access() using F_OK, so rather than check that the
    target exists, pkexec now checks if the user has permission to verify
    the existence of the program. There might be another way of doing
    this, such as chdir()'ing to the parent directory of the target and
    calling lstat(), but this seemed like more code than necessary to
    prevent such a minor problem.  I see no reason to allow pkexec to
    execute targets that are not accessible to the executing user because
    of directory permissions. This is such a limited use case anyway that
    this doesn't really affect functionality.
    
    http://bugs.freedesktop.org/show_bug.cgi?id=26982
    
    Signed-off-by: default avatarDavid Zeuthen <davidz@redhat.com>
    28e485ca
pkexec.c 21.3 KB