Bind use of cookies to specific PolkitUnixSessions

Andrea Azzarone requested to merge azzaronea/polkit:fix-issue-17 into master

Since 493aa5dc we are binding cookies to specific UIDs as a form of hardening. UID binding is too strong and causes trouble with pkexec:

  • pkexec is started, with ruid=$non-zero euid=0.
  • pkexec registers a local authentication agent.
  • polkitd looks up the agent's uid through polkit_system_bus_name_new (g_dbus_method_invocation_get_sender (invocation)) etc., ultimately calling DBus' GetConnectionUnixUser. This value is the EUID (0), necessarily, because AF_UNIX sockets only provide the EUID.
  • pkexec calls CheckAuthorization, which results in a callback to its agent.
  • The agent runs polkit-agent-helper-1, getting euid=0 and inheriting ruid=$non-zero.
  • The agent calls AuthenticationAgentResponse2 with uid=ruid=non-zero.
  • polkitd finds the cookie, but the response's uid=$non-zero doesn't match the agent's recorded uid=0.

This commit replaces UID binding with PolkitUnixSessions binding: the PolkitUnixSession of the agent helper should match the PolkitUnixSessions of the subject being authorized. Skip the check if the subject being authorized does not have a PolkitUnixSessions.

Closes: #17
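
The two binding policies described in this merge request, modelled side by side as an added example; this is not code from the merge request or from polkit. The struct names, function names, session ids and uid values are hypothetical and constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of the cookie check. All names here are hypothetical,
 * not polkit's own. A NULL session pointer means "has no session". */
typedef struct {
    unsigned agent_uid;          /* uid recorded for the agent (the EUID seen over D-Bus) */
    const char *subject_session; /* session of the subject being authorized */
} pending_auth;

typedef struct {
    unsigned uid;                /* uid passed in AuthenticationAgentResponse2 */
    const char *helper_session;  /* session of the agent helper */
} agent_response;

/* Old policy: the uid in the response must equal the agent's recorded uid. */
bool uid_binding_ok(const pending_auth *p, const agent_response *r) {
    return p->agent_uid == r->uid;
}

/* New policy: the helper's session must match the subject's session.
 * The check is skipped when the subject has no session. */
bool session_binding_ok(const pending_auth *p, const agent_response *r) {
    if (p->subject_session == NULL)
        return true;
    return r->helper_session != NULL &&
           strcmp(p->subject_session, r->helper_session) == 0;
}

int main(void) {
    /* Constructed values: the pkexec agent is recorded with euid 0,
     * while the helper responds with the inherited ruid 1000. */
    pending_auth pkexec = { 0, "c2" };
    agent_response same_session = { 1000, "c2" };
    agent_response other_session = { 1000, "c7" };

    printf("uid binding, pkexec flow:        %d\n",
           uid_binding_ok(&pkexec, &same_session));
    printf("session binding, pkexec flow:    %d\n",
           session_binding_ok(&pkexec, &same_session));
    printf("session binding, other session:  %d\n",
           session_binding_ok(&pkexec, &other_session));
    return 0;
}
```

The pkexec flow fails the UID comparison (0 versus 1000) but passes the session comparison, while a response arriving from a different session is still rejected.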