Starttime verification is not sufficient on linux
Hey
Polkit currently uses pid+starttime verification to remember whether a process is authenticated or not. We got a report from Google, where they successfully started several successive processes with the same PID+starttime. They did this by forking several times, but stalling inside the fork() system call in the kernel after the process starttime was recorded, but before the PID was allocated. I will skip the details here, as it is quite elaborate. Ask me if you are interested.
This means they succeeded in creating several consecutive processes that were considered equal by polkit. They used the first such process to execve(2) a setuid program and authenticate with polkit. Then this setuid process exited and they used their subsequent processes to use the authentication of the setuid process.
While I believe this to be an issue in the kernel (there really should not be a reliable way to stall between starttime-recording and pid-allocation), the correct thing for polkit to do, I believe, is to keep an FD to /proc//stat whenever a process-authentication is tracked. A read(2) call on such an FD will fail with ESRCH if the underlying process died. Unlike the starttime-comparison, this is a reliable way to track a process, and cannot be forged.
Comments?
I tried looking at implementing this, but failed horribly. If someone has more insights on the GObject-style code-base, I would gladly discuss the implementation details.
Thanks
David
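The /proc/<pid>/stat liveness check described in the mail above, as an added example that is not part of the original post and is not polkit's code. The helper names (track_process, tracked_process_alive, tracked_process_starttime, demo_liveness_check) are hypothetical. The demo forks a child, opens the child's stat file, reads it once while the child is alive (and parses the starttime out of that same read, so the identity check and the tracking FD refer to the same process), lets the child exit, reaps it so the PID becomes reusable, and then re-reads through the still-open FD, which now fails with ESRCH.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helpers (not polkit's): track a process by keeping an fd to
 * /proc/<pid>/stat open instead of re-comparing pid+starttime later. */

int track_process(pid_t pid)
{
    char path[64];
    snprintf(path, sizeof(path), "/proc/%d/stat", (int)pid);
    return open(path, O_RDONLY | O_CLOEXEC);
}

/* Re-read the stat line through the already-open fd.
 * Returns bytes read, or -1 with errno set (ESRCH once the process is gone). */
static ssize_t reread_stat(int fd, char *buf, size_t len)
{
    ssize_t n;
    if (lseek(fd, 0, SEEK_SET) < 0)      /* seq_file: rewind before re-reading */
        return -1;
    n = read(fd, buf, len - 1);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    return n;
}

/* 1 = process still exists, 0 = kernel reports ESRCH, -1 = other error. */
int tracked_process_alive(int fd)
{
    char buf[1024];
    if (reread_stat(fd, buf, sizeof(buf)) >= 0)
        return 1;
    return errno == ESRCH ? 0 : -1;
}

/* Parse field 22 (starttime, clock ticks since boot) through the tracked fd.
 * comm (field 2) may contain spaces or ')', so scan from the last ')'.
 * Returns 1 on success, 0 if the process is gone (ESRCH), -1 otherwise. */
int tracked_process_starttime(int fd, unsigned long long *out)
{
    char buf[1024];
    char *p, *tok;
    int i;
    if (reread_stat(fd, buf, sizeof(buf)) < 0)
        return errno == ESRCH ? 0 : -1;
    p = strrchr(buf, ')');
    if (!p)
        return -1;
    tok = strtok(p + 1, " ");
    for (i = 0; tok && i < 19; i++)      /* field 3 is token 0, field 22 is token 19 */
        tok = strtok(NULL, " ");
    if (!tok)
        return -1;
    *out = strtoull(tok, NULL, 10);
    return 1;
}

/* Demo: fork a child, track it, let it exit and reap it, then re-check.
 * Returns 0 when the observed sequence is "alive, then ESRCH". */
int demo_liveness_check(void)
{
    int pipefd[2], fd, before, after;
    unsigned long long starttime = 0;
    pid_t pid;

    if (pipe(pipefd) < 0)
        return 1;
    pid = fork();
    if (pid < 0)
        return 1;
    if (pid == 0) {                      /* child: block until the parent is ready */
        char c;
        close(pipefd[1]);
        (void)read(pipefd[0], &c, 1);
        _exit(0);
    }
    close(pipefd[0]);
    fd = track_process(pid);
    if (fd < 0)
        return 2;
    before = tracked_process_alive(fd);
    if (tracked_process_starttime(fd, &starttime) != 1)
        return 3;
    close(pipefd[1]);                    /* EOF releases the child */
    waitpid(pid, NULL, 0);               /* reaped: the pid is now reusable */
    after = tracked_process_alive(fd);   /* fd stays bound to the dead process */
    close(fd);
    return (before == 1 && after == 0) ? 0 : 4;
}

int main(void)
{
    int rc = demo_liveness_check();
    printf("liveness check %s\n", rc == 0 ? "behaved as expected" : "FAILED");
    return rc;
}
```

Two caveats worth knowing when using this pattern: an exited but not yet reaped (zombie) process still has a stat entry, so the ESRCH only appears once the parent has called wait(2); and the starttime used for the identity check must be read through the same fd, not via a fresh path lookup, otherwise the two checks can again refer to different processes. On kernels that provide pidfd_open(2) a pidfd gives the same "bound to this exact process" guarantee.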