1. 11 Apr, 2011 2 commits
    • Bug 26982 – pkexec information disclosure vulnerability · 28e485ca
      Dan Rosenberg authored
      pkexec is vulnerable to a minor information disclosure vulnerability
      that allows an attacker to verify whether or not arbitrary files
      exist, violating directory permissions. I reproduced the issue on my
      Karmic installation as follows:
       $ mkdir secret
       $ sudo chown root:root secret
       $ sudo chmod 400 secret
       $ sudo touch secret/hidden
       $ pkexec /home/drosenbe/secret/hidden
       (password prompt)
       $ pkexec /home/drosenbe/secret/doesnotexist
       Error getting information about /home/drosenbe/secret/doesnotexist: No such
       file or directory
      I've attached my patch for the issue. I replaced the stat() call
      entirely with access() using F_OK, so rather than check that the
      target exists, pkexec now checks if the user has permission to verify
      the existence of the program. There might be another way of doing
      this, such as chdir()'ing to the parent directory of the target and
      calling lstat(), but this seemed like more code than necessary to
      prevent such a minor problem.  I see no reason to allow pkexec to
      execute targets that are not accessible to the executing user because
      of directory permissions. This is such a limited use case anyway that
      this doesn't really affect functionality.
      Signed-off-by: David Zeuthen <davidz@redhat.com>
    • pkexec: Avoid TOCTTOU problems with parent process · 5d44f404
      David Zeuthen authored
      In a nutshell, the parent process may change its uid (either real- or
      effective uid) after launching pkexec. It can do this by exec()'ing
      e.g. a setuid root program.
      To avoid this problem, just use the uid the parent process had when it
      executed pkexec. This happens to be the same uid of the pkexec process
      Additionally, remove some dubious code that allowed pkexec to continue
      when the parent process died as there is no reason to support
      something like that. Also ensure that the pkexec process is killed if
      the parent process dies.
      This problem was pointed out by Neel Mehta <nmehta@google.com>.
      Signed-off-by: David Zeuthen <davidz@redhat.com>
  2. 15 Dec, 2009 6 commits
  3. 11 Dec, 2009 2 commits
  4. 11 Nov, 2009 1 commit
    • Port lockdown from pklalockdown(1) to D-Bus methods · 8f7727e1
      David Zeuthen authored
      Also rename the action from org.freedesktop.policykit.localauthority.lockdown
      to org.freedesktop.policykit.lockdown since any authority implementation
      can now implement this.
      This changes only ABI/API used by e.g. polkit-gnome. This is fine
      since we're not at 1.0 yet.
  5. 21 Oct, 2009 1 commit
  6. 13 Sep, 2009 1 commit
  7. 12 Sep, 2009 1 commit
  8. 11 Sep, 2009 1 commit
  9. 12 Aug, 2009 2 commits
    • Generate GI gir and typelibs for libpolkit-gobject-1 · a7aacbb5
      David Zeuthen authored
      This includes changing from POSIX types (uid_t, gid_t, pid_t) to
      gint. Won't affect much since the size is the same. And we want this
      anyway since it is needed to build the library on non-POSIX platforms.
    • Bug 23093 – FreeBSD portability fixes · de9453f4
      Joe Clarke authored
      There are a few issues with building polkit-0.93 on FreeBSD:
       * No clearenv() function on FreeBSD
       * While FreeBSD has a /proc, it is deprecated, and kinfo_proc should
         be used instead.
       * FreeBSD's printf() functions do not support the %m notation.  This
         is only supported for syslog().
       * You can't call GINT_TO_POINTER() on a 64-bit value, as this will
         break on 64-bit OSes.
      The attached patch fixes these problems.  First, a check for
      clearenv() is added to configure.  Second, I moved the check for
      process uid to polkit/polkitunixprocess.c.  This may not be ideal, but
      it seems to fit, and reduces code duplication.  Third, I replaced all
      %m with %s ... g_strerror (errno).  Finally, I replaced
      Signed-off-by: David Zeuthen <davidz@redhat.com>
  10. 30 Jul, 2009 1 commit
  11. 28 Jul, 2009 1 commit
  12. 27 Jul, 2009 1 commit
  13. 15 Jul, 2009 1 commit
  14. 13 Jul, 2009 1 commit
  15. 17 Jun, 2009 1 commit
  16. 08 Jun, 2009 2 commits
  17. 03 Jun, 2009 1 commit
    • Add pkaction(1) and nuke polkit-1(1) commands · 5e97355b
      David Zeuthen authored
      All the functionality of polkit-1(1), sans managing the local
      authority, is now available in pkaction(1) and pkcheck(1). In the
      future we might want to add something like pklamanage(1) to manage the
      local authority.
  18. 02 Jun, 2009 1 commit
  19. 29 May, 2009 1 commit
  20. 19 May, 2009 1 commit
  21. 15 May, 2009 2 commits
  22. 13 May, 2009 2 commits
  23. 09 Feb, 2009 3 commits
  24. 08 Feb, 2009 1 commit
  25. 01 Feb, 2009 2 commits
  26. 27 Jan, 2009 1 commit