Bind use of cookies to specific PolkitUnixSessions
Since 493aa5dc we are binding cookies to specific UIDs as a form of hardening. Uid binding is too strong and causes troubles with pkexec:
- pkexec is started, with ruid=$non-zero euid=0
- pkexec registers a local authentication agent.
- polkitd looks up the agent's uid through polkit_system_bus_name_new (g_dbus_method_invocation_get_sender (invocation)) etc., ultimately calling DBus' GetConnectionUnixUser. This value is the EUID (0), necessarily, because AF_UNIX sockets only provide the EUID.
- pkexec calls CheckAuthorization, which results in a callback to its agent.
- The agent runs polkit-agent-helper-1, getting euid=0 and inheriting ruid=$non-zero
- The agent calls AuthenticationAgentResponse2 with uid=ruid=$non-zero
- polkitd finds the cookie, but the response's uid=$non-zero doesn't match the agent's recorded uid=0.
This commit replaces UID binding with PolkitUnixSessions binding: the PolkitUnixSession of the agent helper should match the PolkitUnixSessions of the subject being authorized. Skip the check if the subject being authorized does not have a PolkitUnixSessions.
Closes: #17
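
The two acceptance checks described in the commit message, modelled side by side as an added example (not code from this commit or from polkit). The struct layouts, function names, cookie string and session ids are hypothetical, and how each session is looked up is left out.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Hypothetical model types for illustration; not polkit's structures. */
struct pending_auth {
    const char *cookie;          /* cookie issued for this authentication */
    uid_t agent_bus_uid;         /* agent uid from GetConnectionUnixUser (the EUID) */
    const char *subject_session; /* session of the subject, NULL if it has none */
};
struct response {
    const char *cookie;          /* cookie passed to AuthenticationAgentResponse2 */
    uid_t uid;                   /* uid passed to AuthenticationAgentResponse2 */
    const char *helper_session;  /* session of the agent helper, NULL if none */
};

static bool cookie_matches(const struct pending_auth *p, const struct response *r)
{
    return strcmp(p->cookie, r->cookie) == 0;
}

/* UID binding: response uid must equal the uid recorded for the agent. */
bool accept_uid_bound(const struct pending_auth *p, const struct response *r)
{
    return cookie_matches(p, r) && r->uid == p->agent_bus_uid;
}

/* Session binding: helper session must equal the subject's session;
 * the check is skipped when the subject has no session. */
bool accept_session_bound(const struct pending_auth *p, const struct response *r)
{
    if (!cookie_matches(p, r))
        return false;
    if (p->subject_session == NULL)
        return true;
    return r->helper_session != NULL &&
           strcmp(p->subject_session, r->helper_session) == 0;
}

int main(void)
{
    /* Constructed pkexec case: agent registered with euid 0, helper reports ruid 1000. */
    struct pending_auth p = { "cookie-1", 0, "c1" };
    struct response r = { "cookie-1", 1000, "c1" };
    printf("uid binding: %d, session binding: %d\n",
           accept_uid_bound(&p, &r), accept_session_bound(&p, &r));
    return 0;
}
```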