1. 11 Apr, 2011 5 commits
    • Bug 26982 – pkexec information disclosure vulnerability · 28e485ca
      Dan Rosenberg authored
      pkexec is vulnerable to a minor information disclosure vulnerability
      that allows an attacker to verify whether or not arbitrary files
      exist, violating directory permissions. I reproduced the issue on my
      Karmic installation as follows:
      
       $ mkdir secret
       $ sudo chown root:root secret
       $ sudo chmod 400 secret
       $ sudo touch secret/hidden
       $ pkexec /home/drosenbe/secret/hidden
       (password prompt)
       $ pkexec /home/drosenbe/secret/doesnotexist
       Error getting information about /home/drosenbe/secret/doesnotexist: No such
       file or directory
      
      I've attached my patch for the issue. I replaced the stat() call
      entirely with access() using F_OK, so rather than check that the
      target exists, pkexec now checks if the user has permission to verify
      the existence of the program. There might be another way of doing
      this, such as chdir()'ing to the parent directory of the target and
      calling lstat(), but this seemed like more code than necessary to
      prevent such a minor problem.  I see no reason to allow pkexec to
      execute targets that are not accessible to the executing user because
      of directory permissions. This is such a limited use case anyway that
      this doesn't really affect functionality.
      
      http://bugs.freedesktop.org/show_bug.cgi?id=26982
      
      Signed-off-by: David Zeuthen <davidz@redhat.com>
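The stat()-to-access() replacement that this commit message describes, written out as an added C example (it is neither polkit's code nor the attached patch): the old and new probes side by side, plus a hypothetical wrapper `program_path_usable` that prints an error in the same style as the message quoted above. The point it makes is that access(2) evaluates the path with the caller's real uid/gid, so a setuid-root helper gets the answer the unprivileged invoker would get, and a file below an unsearchable directory fails with EACCES whether or not it exists.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added example, not polkit code.  Two ways for a setuid-root helper to
 * decide whether the program path it was handed is usable. */

/* Before the fix: stat(2) is permission-checked against the process's
 * effective credentials.  In a setuid-root helper that is root, so a path
 * below a directory the invoking user may not search still yields either
 * success or ENOENT, telling the invoker whether the file exists. */
int probe_with_stat(const char *path)
{
    struct stat st;
    return stat(path, &st);      /* 0 if present, -1 with errno otherwise */
}

/* After the fix: access(2) evaluates the path with the caller's *real*
 * uid and gid, so a setuid-root helper gets the same answer the invoking
 * user would get unprivileged.  Below an unsearchable directory the call
 * fails with EACCES regardless of existence, so nothing leaks. */
int probe_with_access(const char *path)
{
    return access(path, F_OK);   /* 0 if present and reachable, -1 otherwise */
}

/* Hypothetical wrapper (our name, not pkexec's): run the fixed check and
 * report in the style of pkexec's message.  Returns 1 if usable. */
int program_path_usable(const char *path)
{
    if (probe_with_access(path) != 0) {
        fprintf(stderr, "Error getting information about %s: %s\n",
                path, strerror(errno));
        return 0;
    }
    return 1;
}

int main(int argc, char **argv)
{
    /* Pass a path argument; defaults to /bin/sh, present on any POSIX system. */
    const char *path = argc > 1 ? argv[1] : "/bin/sh";
    return program_path_usable(path) ? 0 : 1;
}
```

Note that access(F_OK) only answers "may the real user learn this path exists"; the later exec still happens with the helper's effective credentials, so this is a leak-prevention check, not proof that the invoker could read or run the file on their own. The check and the exec are also separate system calls, so the path can change in between; that is the kind of check-versus-use gap the TOCTTOU commits further down this page deal with for process identity.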
    • pkexec: Avoid TOCTTOU problems with parent process · 5d44f404
      David Zeuthen authored
      
      In a nutshell, the parent process may change its uid (either real- or
      effective uid) after launching pkexec. It can do this by exec()'ing
      e.g. a setuid root program.
      
      To avoid this problem, just use the uid the parent process had when it
      executed pkexec. This happens to be the same uid of the pkexec process
      itself.
      
      Additionally, remove some dubious code that allowed pkexec to continue
      when the parent process died as there is no reason to support
      something like that. Also ensure that the pkexec process is killed if
      the parent process dies.
      
      This problem was pointed out by Neel Mehta <nmehta@google.com>.
      Signed-off-by: David Zeuthen <davidz@redhat.com>
    • Use polkit_unix_process_get_uid() to get the owner of a process · 55e6f92e
      David Zeuthen authored
      
      This avoids a TOCTTOU problem.
      Signed-off-by: David Zeuthen <davidz@redhat.com>
    • Make PolkitUnixProcess also record the uid of the process · 9a44af8a
      David Zeuthen authored
      
      This is needed to avoid possible TOCTTOU issues since a process can
      change both its real uid and effective uid.
      Signed-off-by: David Zeuthen <davidz@redhat.com>
    • PolkitUnixProcess: Clarify that the real uid is returned, not the effective one · 83a65f12
      David Zeuthen authored
      
      On Linux, also switch to parsing /proc/<pid>/status instead of relying
      on the st_uid returned by stat(2) to be the uid we want.
      
      This was pointed out by Neel Mehta <nmehta@google.com>. Thanks!
      Signed-off-by: David Zeuthen <davidz@redhat.com>
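The two identity-related commits above (5d44f404, which uses the uid pkexec itself was started with, and 83a65f12, which reads the real uid from /proc/<pid>/status instead of trusting st_uid) are illustrated here by an added C example. It is not polkit's implementation of polkit_unix_process_get_uid(); the function names, the status parser and the sample status text are ours. The parser is general: it returns all four uids (real, effective, saved-set, filesystem) from the "Uid:" line, and the stand-alone run compares the /proc answer for the current process with getuid().

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Added example, not polkit's implementation.
 *
 * /proc/<pid> is owned by the process's *effective* uid, and becomes
 * root:root when the process is not dumpable (e.g. after exec of a
 * setuid program), so stat(2) on it does not reliably give the real
 * uid.  The "Uid:" line of /proc/<pid>/status lists real, effective,
 * saved-set and filesystem uid explicitly. */

/* Parse the "Uid:" line of a status buffer into out[0..3] = real,
 * effective, saved-set, filesystem.  Returns 0 on success, -1 if no
 * well-formed Uid: line is present. */
int parse_status_uids(const char *status, uid_t out[4])
{
    const char *line = status;
    while (line != NULL && *line != '\0') {
        if (strncmp(line, "Uid:", 4) == 0) {
            unsigned long v[4];
            int i;
            if (sscanf(line + 4, "%lu %lu %lu %lu",
                       &v[0], &v[1], &v[2], &v[3]) != 4)
                return -1;
            for (i = 0; i < 4; i++)
                out[i] = (uid_t) v[i];
            return 0;
        }
        line = strchr(line, '\n');
        if (line != NULL)
            line++;
    }
    return -1;
}

/* Real uid from a status buffer, or -1 if absent (uid_t is unsigned, so
 * the value is returned as a long). */
long parse_status_real_uid(const char *status)
{
    uid_t uids[4];
    if (parse_status_uids(status, uids) != 0)
        return -1;
    return (long) uids[0];
}

/* Read /proc/<pid>/status of a live process and return its real uid,
 * or -1 with errno set (from fopen, or EINVAL if the file did not parse). */
long proc_real_uid(pid_t pid)
{
    char path[64];
    char buf[4096];
    size_t n;
    FILE *f;
    long uid;

    snprintf(path, sizeof path, "/proc/%ld/status", (long) pid);
    f = fopen(path, "r");
    if (f == NULL)
        return -1;
    n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    uid = parse_status_real_uid(buf);
    if (uid < 0)
        errno = EINVAL;
    return uid;
}

/* Constructed sample (not captured from a real system): a process whose
 * real uid is 500 but which now runs with effective, saved and fs uid 0,
 * the situation the commits above are concerned with. */
const char *SAMPLE_STATUS =
    "Name:\tsample\n"
    "State:\tS (sleeping)\n"
    "Uid:\t500\t0\t0\t0\n"
    "Gid:\t500\t500\t500\t500\n";

int main(void)
{
    /* The uid pkexec itself was started with is simply getuid(); the
     * /proc path is what a daemon needs for a *different* process. */
    printf("sample real uid: %ld\n", parse_status_real_uid(SAMPLE_STATUS));
    printf("own real uid from /proc: %ld (getuid says %ld)\n",
           proc_real_uid(getpid()), (long) getuid());
    return 0;
}
```

Reading /proc/<pid>/status is still a snapshot: the process can change its uids after the read, which is why the daemon-side commit stores the uid at the time the PolkitUnixProcess object is created rather than re-deriving it later.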
  2. 15 Jan, 2010 3 commits
  3. 15 Dec, 2009 7 commits
  4. 11 Dec, 2009 4 commits
    • Bug 25594 – System logging · c93407fa
      David Zeuthen authored
      
      For now we log the following events
      
      1. Daemon startup -> /var/log/messages
      --------------------------------------
      
      Dec 11 15:12:56 localhost polkitd[3035]: started daemon version 0.95 using authority implementation `local' version `0.95'
      
      2. Authentication agent -> /var/log/secure
      ------------------------------------------
      
      Dec 11 15:14:00 localhost polkitd(authority=local): Registered Authentication Agent for session /org/freedesktop/ConsoleKit/Session1 (system bus name :1.903 [./polkit-gnome-authentication-agent-1], object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
      
      Dec 11 15:16:18 localhost polkitd(authority=local): Unregistered Authentication Agent for session /org/freedesktop/ConsoleKit/Session1 (system bus name :1.903, object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
      
      3. Authorization checks
      -----------------------
      
      Dec 11 15:17:57 localhost polkitd(authority=local): ALLOWING action org.freedesktop.policykit.example.pkexec.run-frobnicate for unix-process:2517:25785526 [bash] owned by unix-user:davidz (check requested by system-bus-name::1.905 [pkexec /usr/bin/pk-example-frobnicate])
      
      Dec 11 15:18:10 localhost polkitd(authority=local): ALLOWING action org.freedesktop.udisks.filesystem-mount-system-internal for system-bus-name::1.902 [palimpsest] owned by unix-user:davidz (check requested by system-bus-name::1.380 [/usr/libexec/udisks-daemon])
      
      4. Authorizations through authentication (both success and
         failures) -> /var/log/secure
      ----------------------------------------------------------
      
      Dec 11 15:19:01 localhost polkitd(authority=local): Operator of unix-session:/org/freedesktop/ConsoleKit/Session1 successfully authenticated as unix-user:davidz to gain TEMPORARY authorization for action org.freedesktop.policykit.example.pkexec.run-frobnicate for unix-process:2517:25785526 [bash] (owned by unix-user:davidz)
      Dec 11 15:19:01 localhost polkitd(authority=local): ALLOWING action org.freedesktop.policykit.example.pkexec.run-frobnicate for unix-process:2517:25785526 [bash] owned by unix-user:davidz (check requested by system-bus-name::1.906 [pkexec /usr/bin/pk-example-frobnicate])
      
      Dec 11 15:19:10 localhost polkitd(authority=local): Operator of unix-session:/org/freedesktop/ConsoleKit/Session1 successfully authenticated as unix-user:davidz to gain ONE-SHOT authorization for action org.freedesktop.policykit.exec for unix-process:2517:25785526 [bash] (owned by unix-user:davidz)
      Dec 11 15:19:10 localhost polkitd(authority=local): ALLOWING action org.freedesktop.policykit.exec for unix-process:2517:25785526 [bash] owned by unix-user:davidz (check requested by system-bus-name::1.908 [pkexec bash])
      
      Dec 11 15:19:10 localhost pkexec: pam_unix(polkit-1:session): session opened for user root by davidz(uid=500)
      Dec 11 15:19:22 localhost polkitd(authority=local): Operator of unix-session:/org/freedesktop/ConsoleKit/Session1 FAILED to authenticate to gain authorization for action org.freedesktop.policykit.exec for unix-process:2517:25785526 [bash] (owned by unix-user:davidz)
      Dec 11 15:19:22 localhost polkitd(authority=local): DENYING action org.freedesktop.policykit.exec for unix-process:2517:25785526 [bash] owned by unix-user:davidz (check requested by system-bus-name::1.910 [pkexec bash])
      
      Dec 11 15:20:06 localhost polkitd(authority=local): Operator of unix-session:/org/freedesktop/ConsoleKit/Session1 successfully authenticated as unix-user:bateman to gain ONE-SHOT authorization for action org.freedesktop.policykit.exec for unix-process:2517:25785526 [bash] (owned by unix-user:davidz)
      Dec 11 15:20:06 localhost polkitd(authority=local): ALLOWING action org.freedesktop.policykit.exec for unix-process:2517:25785526 [bash] owned by unix-user:davidz (check requested by system-bus-name::1.913 [pkexec bash])
      Signed-off-by: David Zeuthen <davidz@redhat.com>
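For anyone who has to consume these log lines rather than produce them, here is an added C example (not part of polkit) that classifies the line formats documented in the commit message and applies one detection rule over them: a successful authentication where the identity that authenticated differs from the owner of the subject process, which is what the last pair of sample lines shows (bateman authorizing a process owned by davidz). The event names, `classify_polkit_line`, `token_after` and `auth_by_other_user` are ours; the sample lines are copied from the commit message above.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not polkit code: classify polkitd syslog lines of the
 * shapes documented in the commit message and apply one detection rule. */

enum pk_event {
    PK_OTHER = 0,
    PK_AGENT_REGISTERED,
    PK_AGENT_UNREGISTERED,
    PK_ALLOW,
    PK_DENY,
    PK_AUTH_SUCCESS,
    PK_AUTH_FAILURE
};

/* Map one syslog line to an event kind, keyed on the fixed phrases the
 * commit message documents.  Lines not emitted by polkitd are PK_OTHER. */
enum pk_event classify_polkit_line(const char *line)
{
    if (strstr(line, " polkitd(authority=") == NULL)
        return PK_OTHER;
    if (strstr(line, ": Registered Authentication Agent ") != NULL)
        return PK_AGENT_REGISTERED;
    if (strstr(line, ": Unregistered Authentication Agent ") != NULL)
        return PK_AGENT_UNREGISTERED;
    if (strstr(line, ": ALLOWING action ") != NULL)
        return PK_ALLOW;
    if (strstr(line, ": DENYING action ") != NULL)
        return PK_DENY;
    if (strstr(line, " successfully authenticated as ") != NULL)
        return PK_AUTH_SUCCESS;
    if (strstr(line, " FAILED to authenticate ") != NULL)
        return PK_AUTH_FAILURE;
    return PK_OTHER;
}

/* Copy the token following `key` (up to a space or ')') into out.
 * Returns 1 if a non-empty token was found. */
static int token_after(const char *line, const char *key,
                       char *out, size_t outsz)
{
    const char *p = strstr(line, key);
    size_t i = 0;
    if (p == NULL)
        return 0;
    p += strlen(key);
    while (*p != '\0' && *p != ' ' && *p != ')' && i + 1 < outsz)
        out[i++] = *p++;
    out[i] = '\0';
    return i > 0;
}

/* Detection rule: successful authentication where the identity that
 * authenticated differs from the owner of the subject process, i.e. an
 * administrator (or anyone else) supplied credentials on the owner's
 * behalf.  Returns 1 on a match, 0 otherwise. */
int auth_by_other_user(const char *line)
{
    char who[64], owner[64];
    if (classify_polkit_line(line) != PK_AUTH_SUCCESS)
        return 0;
    if (!token_after(line, "authenticated as ", who, sizeof who))
        return 0;
    if (!token_after(line, "(owned by ", owner, sizeof owner))
        return 0;
    return strcmp(who, owner) != 0;
}

/* Sample lines copied from the commit message above. */
const char *SAMPLE_LOG[] = {
    "Dec 11 15:17:57 localhost polkitd(authority=local): ALLOWING action org.freedesktop.policykit.example.pkexec.run-frobnicate for unix-process:2517:25785526 [bash] owned by unix-user:davidz (check requested by system-bus-name::1.905 [pkexec /usr/bin/pk-example-frobnicate])",
    "Dec 11 15:19:10 localhost pkexec: pam_unix(polkit-1:session): session opened for user root by davidz(uid=500)",
    "Dec 11 15:19:22 localhost polkitd(authority=local): Operator of unix-session:/org/freedesktop/ConsoleKit/Session1 FAILED to authenticate to gain authorization for action org.freedesktop.policykit.exec for unix-process:2517:25785526 [bash] (owned by unix-user:davidz)",
    "Dec 11 15:19:22 localhost polkitd(authority=local): DENYING action org.freedesktop.policykit.exec for unix-process:2517:25785526 [bash] owned by unix-user:davidz (check requested by system-bus-name::1.910 [pkexec bash])",
    "Dec 11 15:19:01 localhost polkitd(authority=local): Operator of unix-session:/org/freedesktop/ConsoleKit/Session1 successfully authenticated as unix-user:davidz to gain TEMPORARY authorization for action org.freedesktop.policykit.example.pkexec.run-frobnicate for unix-process:2517:25785526 [bash] (owned by unix-user:davidz)",
    "Dec 11 15:20:06 localhost polkitd(authority=local): Operator of unix-session:/org/freedesktop/ConsoleKit/Session1 successfully authenticated as unix-user:bateman to gain ONE-SHOT authorization for action org.freedesktop.policykit.exec for unix-process:2517:25785526 [bash] (owned by unix-user:davidz)",
};
const int SAMPLE_LOG_LEN = sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0];

/* Number of sample lines matching the other-user rule. */
int count_other_user_auths(void)
{
    int i, n = 0;
    for (i = 0; i < SAMPLE_LOG_LEN; i++)
        n += auth_by_other_user(SAMPLE_LOG[i]);
    return n;
}

int main(void)
{
    int i;
    for (i = 0; i < SAMPLE_LOG_LEN; i++)
        printf("kind=%d other-user-auth=%d\n",
               (int) classify_polkit_line(SAMPLE_LOG[i]),
               auth_by_other_user(SAMPLE_LOG[i]));
    return 0;
}
```

The matching is deliberately anchored on the literal phrases ("ALLOWING action", "FAILED to authenticate", "(owned by") because those are the stable parts of the format; the subject and requester fields vary per line and are pulled out as tokens rather than matched. Repeated PK_AUTH_FAILURE lines for the same unix-session, or a PK_DENY following them, are the obvious next rule to layer on top.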
    • Fix up last comment · 8b6bd9c6
      David Zeuthen authored
      
      Signed-off-by: David Zeuthen <davidz@redhat.com>
    • Run the open_session part of the PAM stack in pkexec(1) · 84958d37
      David Zeuthen authored
      This was pointed out in
      
      http://lists.freedesktop.org/archives/polkit-devel/2009-December/000276.html
      
      We already run the authentication and acct_mgmt parts in the
      authentication agent.
      Signed-off-by: David Zeuthen <davidz@redhat.com>
    • Fix logic error in pk-example-frobnicate · 3e82e172
      David Zeuthen authored
      
      Signed-off-by: David Zeuthen <davidz@redhat.com>
  5. 10 Dec, 2009 1 commit
    • Bug 25367 — Also read local authority configuration data from /etc · 8e0b9b47
      David Zeuthen authored
      
      Turns out some people would rather edit local files in /etc rather
      than shipping them in a package (as e.g. Fedora does with the
      polkit-desktop-policy RPM).
      
      This also drops the hard-coded list of directory names such as
      10-vendor.d, 20-org.d - we now monitor the
      /var/lib/polkit-1/localauthority and /etc/polkit-1/localauthority
      directories for changes - whenever we see a subdirectory in any of
      these directories, we create an AuthorizationStore object that looks
      for .pkla files.
      Signed-off-by: David Zeuthen <davidz@redhat.com>
  6. 13 Nov, 2009 4 commits
  7. 12 Nov, 2009 1 commit
  8. 11 Nov, 2009 4 commits
  9. 21 Oct, 2009 3 commits
  10. 16 Oct, 2009 1 commit
  11. 15 Oct, 2009 1 commit
  12. 29 Sep, 2009 1 commit
  13. 16 Sep, 2009 1 commit
  14. 14 Sep, 2009 2 commits
  15. 13 Sep, 2009 2 commits