Skip to content

GitLab

P
polkit
Switch branch/tag
  1. 30 Nov, 2018 1 commit
  3. 29 Nov, 2018 1 commit
  5. 06 Nov, 2018 5 commits
  7. 25 Sep, 2018 1 commit
  9. 12 Sep, 2018 3 commits
  11. 23 Aug, 2018 4 commits
  13. 16 Aug, 2018 1 commit
  15. 15 Aug, 2018 1 commit
    • Jan Rybar's avatar
      Leaking zombie child processes · 8638ec5c
      Jan Rybar authored 
      Resolves: bz#106021

Subject: [PATCH] polkitd: fix zombie not reaped when js spawned process timed
 out

The child watch source attached to thread context didn't work due
to the release of it's main loop and context outside. So we attach
the source to the global default main context to make it work and
avoid zombies.
      8638ec5c
  17. 09 Aug, 2018 1 commit
  19. 10 Jul, 2018 1 commit
  21. 03 Jul, 2018 2 commits
    • Miloslav Trmač's avatar
      Update NEWS for release · b0a5d0f1
      Miloslav Trmač authored
      b0a5d0f1
    • Miloslav Trmač's avatar
      Fix CVE-2018-1116: Trusting client-supplied UID · bc7ffad5
      Miloslav Trmač authored 
      As part of CVE-2013-4288, the D-Bus clients were allowed (and
encouraged) to submit the UID of the subject of authorization checks
to avoid races against UID changes (notably using executables
set-UID to root).

However, that also allowed any client to submit an arbitrary UID, and
that could be used to bypass "can only ask about / affect the same UID"
checks in CheckAuthorization / RegisterAuthenticationAgent /
UnregisterAuthenticationAgent.  This allowed an attacker:

- With CheckAuthorization, to cause the registered authentication
  agent in victim's session to pop up a dialog, or to determine whether
  the victim currently has a temporary authorization to perform an
  operation.

  (In principle, the attacker can also determine whether JavaScript
  rules allow the victim process to perform an operation; however,
  usually rules base their decisions on information determined from
  the supplied UID, so the attacker usually won't learn anything new.)

- With RegisterAuthenticationAgent, to prevent the victim's
  authentication agent to work (for a specific victim process),
  or to learn about which operations requiring authorization
  the victim is attempting.

To fix this, expose internal _polkit_unix_process_get_owner() /
obsolete polkit_unix_process_get_owner() as a private
polkit_unix_process_get_racy_uid__() (being more explicit about the
dangers on relying on it), and use it in
polkit_backend_session_monitor_get_user_for_subject() to return
a boolean indicating whether the subject UID may be caller-chosen.

Then, in the permission checks that require the subject to be
equal to the caller, fail on caller-chosen UIDs (and continue
through the pre-existing code paths which allow root, or root-designated
server processes, to ask about arbitrary subjects.)
Signed-off-by: default avatarMiloslav Trmač <mitr@redhat.com>
      bc7ffad5
  23. 03 Apr, 2018 19 commits