Skip to content

GitLab

  • Projects
  • Groups
  • Snippets
  • Help
    • Loading...
  • Help
    • Help
    • Support
    • Community forum
    • Submit feedback
    • Contribute to GitLab
  • Sign in / Register
P
polkit
  • Project overview
    • Project overview
    • Details
    • Activity
    • Releases
  • Repository
    • Repository
    • Files
    • Commits
    • Branches
    • Tags
    • Contributors
    • Graph
    • Compare
  • Issues 100
    • Issues 100
    • List
    • Boards
    • Labels
    • Service Desk
    • Milestones
  • Merge Requests 23
    • Merge Requests 23
  • CI / CD
    • CI / CD
    • Pipelines
    • Jobs
    • Schedules
  • Operations
    • Operations
    • Incidents
    • Environments
  • Packages & Registries
    • Packages & Registries
    • Container Registry
  • Analytics
    • Analytics
    • CI / CD
    • Repository
    • Value Stream
  • Snippets
    • Snippets
  • Members
    • Members
  • Collapse sidebar
  • Activity
  • Graph
  • Create a new issue
  • Jobs
  • Commits
  • Issue Boards
  • polkit
  • polkit
  • Merge Requests
  • !28

Open
Opened Mar 29, 2019 by Andrea Azzarone@azzaronea
  • Report abuse
Report abuse

Bind use of cookies to specific PolkitUnixSessions

  • Overview 4
  • Commits 1
  • Changes 3

Since 493aa5dc we are binding cookies to specific UIDs as a form of hardening. Uid binding is too strong and causes troubles with pkexec:

  • pkexec is started, with ruid=$non-zero euid=0
  • pkexec registers a local authentication agent.
  • polkitd looks up the agent's uid through polkit_system_bus_name_new (g_dbus_method_invocation_get_sender (invocation)) etc., ultimately calling DBus' GetConnectionUnixUser. This value is the EUID (0), necessarily, because AF_UNIX sockets only provide the EUID.
  • pkexec calls CheckAuthorization, which results in a callback to its agent.
  • The agent runs polkit-agent-helper-1, getting euid=0 and inheriting ruid=$non-zero
  • The agent calls AuthenticationAgentResponse2 with uid=$ruid=$non-zero
  • polkitd finds the cookie, but the response's uid=$non-zero doesn't match the agent's recorded uid=0.

This commit replaces UID binding with PolkitUnixSessions binding: the PolkitUnixSession of the agent helper should match the PolkitUnixSessions of the subject being authorized. Skip the check if the subject being authorized does not have a PolkitUnixSessions.

Closes: #17

Assignee
Assign to
Reviewer
Request review from
None
Milestone
None
Assign milestone
Time tracking
Reference: polkit/polkit!28
Source branch: fix-issue-17