1. 06 Dec, 2018 1 commit
  2. 04 Dec, 2018 2 commits
    • b534a107
    • Allow negative uids/gids in PolkitUnixUser and Group objects · 2cb40c4d
      Zbigniew Jędrzejewski-Szmek authored
      (uid_t) -1 is still used as placeholder to mean "unset". This is OK, since
      there should be no users with such number, see
      https://systemd.io/UIDS-GIDS#special-linux-uids.
      
      (uid_t) -1 is used as the default value in class initialization.
      
      When a user or group above INT32_MAX is created, the numeric uid or
      gid wraps around to negative when the value is assigned to gint, and
      polkit gets confused. Let's accept such gids, except for -1.
      
      A nicer fix would be to change the underlying type to e.g. uint32 to
      not have negative values. But this cannot be done without breaking the
      API, so likely new functions will have to be added (a
      polkit_unix_user_new variant that takes an unsigned, and the same for
      _group_new, _set_uid, _get_uid, _set_gid, _get_gid, etc.). This will
      require a bigger patch.
      
      Fixes #74.
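The wraparound described in the commit message above, as an added example that is not polkit's own code: it shows a uid above INT32_MAX turning negative in a signed 32-bit field, and how a check that rejects only -1 differs from one that rejects every negative value. The names `gint_t`, `store_uid`, `uid_is_set_strict`, `uid_is_set` and `load_uid` are hypothetical, and `int32_t` is assumed to stand in for GLib's `gint`.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>

/* Assumption: int32_t stands in for GLib's gint, the type the existing API uses. */
typedef int32_t gint_t;

#define UID_UNSET ((gint_t) -1) /* (uid_t) -1 as seen through a gint: "unset" */

/* Assigning a kernel uid to a gint: values above INT32_MAX come out negative
 * (implementation-defined conversion; two's-complement wrap on GCC and Clang). */
static gint_t store_uid(uid_t uid) { return (gint_t) (uint32_t) uid; }

/* Hypothetical strict check that rejects every negative value. */
static bool uid_is_set_strict(gint_t stored) { return stored >= 0; }

/* Check in the spirit of the commit message: negatives are fine, except -1. */
static bool uid_is_set(gint_t stored) { return stored != UID_UNSET; }

/* Recover the uid the kernel knows from the stored gint. */
static uid_t load_uid(gint_t stored) { return (uid_t) (uint32_t) stored; }

int main(void)
{
    /* Constructed sample uids: root, a normal user, INT32_MAX, two high uids, "unset". */
    const uid_t samples[] = { 0, 1000, 2147483647u, 2147483648u, 4000000000u, (uid_t) -1 };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        gint_t stored = store_uid(samples[i]);
        printf("uid=%-10lu gint=%-11ld strict=%-5s relaxed=%-5s round-trip=%lu\n",
               (unsigned long) samples[i], (long) stored,
               uid_is_set_strict(stored) ? "set" : "unset",
               uid_is_set(stored) ? "set" : "unset",
               (unsigned long) load_uid(stored));
    }
    return 0;
}
```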
  3. 03 Dec, 2018 1 commit
  4. 02 Dec, 2018 1 commit
  5. 30 Nov, 2018 1 commit
  6. 29 Nov, 2018 1 commit
  7. 06 Nov, 2018 5 commits
  8. 25 Sep, 2018 1 commit
  9. 12 Sep, 2018 3 commits
  10. 23 Aug, 2018 4 commits
  11. 16 Aug, 2018 1 commit
  12. 15 Aug, 2018 1 commit
    • Leaking zombie child processes · 8638ec5c
      Jan Rybar authored
      Resolves: bz#106021
      
      Subject: [PATCH] polkitd: fix zombie not reaped when js spawned process timed
       out
      
      The child watch source attached to thread context didn't work due
      to the release of its main loop and context outside. So we attach
      the source to the global default main context to make it work and
      avoid zombies.
  13. 09 Aug, 2018 1 commit
  14. 10 Jul, 2018 1 commit
  15. 03 Jul, 2018 2 commits
    • Update NEWS for release · b0a5d0f1
      Miloslav Trmač authored
    • Fix CVE-2018-1116: Trusting client-supplied UID · bc7ffad5
      Miloslav Trmač authored
      As part of CVE-2013-4288, the D-Bus clients were allowed (and
      encouraged) to submit the UID of the subject of authorization checks
      to avoid races against UID changes (notably using executables
      set-UID to root).
      
      However, that also allowed any client to submit an arbitrary UID, and
      that could be used to bypass "can only ask about / affect the same UID"
      checks in CheckAuthorization / RegisterAuthenticationAgent /
      UnregisterAuthenticationAgent.  This allowed an attacker:
      
      - With CheckAuthorization, to cause the registered authentication
        agent in victim's session to pop up a dialog, or to determine whether
        the victim currently has a temporary authorization to perform an
        operation.
      
        (In principle, the attacker can also determine whether JavaScript
        rules allow the victim process to perform an operation; however,
        usually rules base their decisions on information determined from
        the supplied UID, so the attacker usually won't learn anything new.)
      
      - With RegisterAuthenticationAgent, to prevent the victim's
        authentication agent from working (for a specific victim process),
        or to learn about which operations requiring authorization
        the victim is attempting.
      
      To fix this, expose internal _polkit_unix_process_get_owner() /
      obsolete polkit_unix_process_get_owner() as a private
      polkit_unix_process_get_racy_uid__() (being more explicit about the
      dangers of relying on it), and use it in
      polkit_backend_session_monitor_get_user_for_subject() to return
      a boolean indicating whether the subject UID may be caller-chosen.
      
      Then, in the permission checks that require the subject to be
      equal to the caller, fail on caller-chosen UIDs (and continue
      through the pre-existing code paths which allow root, or root-designated
      server processes, to ask about arbitrary subjects.)
      Signed-off-by: Miloslav Trmač <mitr@redhat.com>
  16. 03 Apr, 2018 14 commits