GitLab

Since 493aa5dc we are binding cookies to specific UIDs as a form of hardening. Uid binding is too strong and causes troubles with pkexec:

• pkexec is started, with ruid=$non-zero euid=0
• pkexec registers a local authentication agent.
• polkitd looks up the agent's uid through polkit_system_bus_name_new (g_dbus_method_invocation_get_sender (invocation)) etc., ultimately calling DBus' GetConnectionUnixUser. This value is the EUID (0), necessarily, because AF_UNIX sockets only provide the EUID.
• pkexec calls CheckAuthorization, which results in a callback to its agent.
• The agent runs polkit-agent-helper-1, getting euid=0 and inheriting ruid=$non-zero
• The agent calls AuthenticationAgentResponse2 with uid=$ruid=$non-zero
• polkitd finds the cookie, but the response's uid=$non-zero doesn't match the agent's recorded uid=0.

This commit replaces UID binding with PolkitUnixSessions binding: the PolkitUnixSession of the agent helper should match the PolkitUnixSessions of the subject being authorized. Skip the check if the subject being authorized does not have a PolkitUnixSessions.

Closes: #17