- 11 Apr, 2011 6 commits
-
-
Petr Mrázek authored
Set has_data to true after the data is loaded to prevent excessive reloading of config files. Signed-off-by:
David Zeuthen <davidz@redhat.com>
-
Dan Rosenberg authored
pkexec is vulnerable to a minor information disclosure vulnerability that allows an attacker to verify whether or not arbitrary files exist, violating directory permissions. I reproduced the issue on my Karmic installation as follows:

    $ mkdir secret
    $ sudo chown root:root secret
    $ sudo chmod 400 secret
    $ sudo touch secret/hidden
    $ pkexec /home/drosenbe/secret/hidden
    (password prompt)
    $ pkexec /home/drosenbe/secret/doesnotexist
    Error getting information about /home/drosenbe/secret/doesnotexist: No such file or directory

I've attached my patch for the issue. I replaced the stat() call entirely with access() using F_OK, so rather than check that the target exists, pkexec now checks if the user has permission to verify the existence of the program. There might be another way of doing this, such as chdir()'ing to the parent directory of the target and calling lstat(), but this seemed like more code than necessary to prevent such a minor problem. I see no reason to allow pkexec to execute targets that are not accessible to the executing user because of directory permissions. This is such a limited use case anyway that this doesn't really affect functionality.

http://bugs.freedesktop.org/show_bug.cgi?id=26982

Signed-off-by:
David Zeuthen <davidz@redhat.com>
-
David Zeuthen authored
In a nutshell, the parent process may change its uid (either real- or effective uid) after launching pkexec. It can do this by exec()'ing e.g. a setuid root program. To avoid this problem, just use the uid the parent process had when it executed pkexec. This happens to be the same uid of the pkexec process itself. Additionally, remove some dubious code that allowed pkexec to continue when the parent process died as there is no reason to support something like that. Also ensure that the pkexec process is killed if the parent process dies. This problem was pointed out by Neel Mehta <nmehta@google.com>. Signed-off-by:
David Zeuthen <davidz@redhat.com>
-
David Zeuthen authored
This avoids a TOCTTOU problem. Signed-off-by:
David Zeuthen <davidz@redhat.com>
-
David Zeuthen authored
This is needed to avoid possible TOCTTOU issues since a process can change both its real uid and effective uid. Signed-off-by:
David Zeuthen <davidz@redhat.com>
-
David Zeuthen authored
On Linux, also switch to parsing /proc/<pid>/status instead of relying on the st_uid returned by stat(2) to be the uid we want. This was pointed out by Neel Mehta <nmehta@google.com>. Thanks! Signed-off-by:
David Zeuthen <davidz@redhat.com>
-
- 15 Jan, 2010 3 commits
-
-
David Zeuthen authored
-
David Zeuthen authored
It's a little too verbose to do this. See http://lists.freedesktop.org/archives/polkit-devel/2009-December/000283.html for the rationale.
-
David Zeuthen authored
-
- 15 Dec, 2009 7 commits
-
-
David Zeuthen authored
-
David Zeuthen authored
Signed-off-by:
David Zeuthen <davidz@redhat.com>
-
David Zeuthen authored
Dec 15 13:48:05 localhost pkexec[29065]: davidz: Executing command [USER=root] [TTY=/dev/pts/8] [CWD=/root] [COMMAND=/usr/bin/pk-example-frobnicate]
Dec 15 13:49:30 localhost pkexec[29080]: davidz: The value for the SHELL variable was not found the /etc/shells file [USER=root] [TTY=/dev/pts/5] [CWD=/home/davidz] [COMMAND=/bin/bash]
Dec 15 13:49:45 localhost pkexec[29082]: davidz: The value for environment variable LC_ALL contains suscipious content [USER=root] [TTY=/dev/pts/5] [CWD=/home/davidz] [COMMAND=/bin/bash]
Dec 15 13:50:03 localhost pkexec[29086]: davidz: Error executing command as another user: Not authorized [USER=root] [TTY=/dev/pts/5] [CWD=/home/davidz] [COMMAND=/bin/bash]

Signed-off-by:
David Zeuthen <davidz@redhat.com>
-
David Zeuthen authored
Suggested here http://lists.freedesktop.org/archives/polkit-devel/2009-December/000279.html Signed-off-by:
David Zeuthen <davidz@redhat.com>
-
David Zeuthen authored
Signed-off-by:
David Zeuthen <davidz@redhat.com>
-
David Zeuthen authored
Pointed out by Kay Sievers - thanks! Signed-off-by:
David Zeuthen <davidz@redhat.com>
-
David Zeuthen authored
Signed-off-by:
David Zeuthen <davidz@redhat.com>
-
- 11 Dec, 2009 4 commits
-
-
David Zeuthen authored
For now we log the following events

1. Daemon startup -> /var/log/messages
--------------------------------------

Dec 11 15:12:56 localhost polkitd[3035]: started daemon version 0.95 using authority implementation `local' version `0.95'

2. Authentication agent -> /var/log/secure
------------------------------------------

Dec 11 15:14:00 localhost polkitd(authority=local): Registered Authentication Agent for session /org/freedesktop/ConsoleKit/Session1 (system bus name :1.903 [./polkit-gnome-authentication-agent-1], object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Dec 11 15:16:18 localhost polkitd(authority=local): Unregistered Authentication Agent for session /org/freedesktop/ConsoleKit/Session1 (system bus name :1.903, object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)

3. Authorization checks
-----------------------

Dec 11 15:17:57 localhost polkitd(authority=local): ALLOWING action org.freedesktop.policykit.example.pkexec.run-frobnicate for unix-process:2517:25785526 [bash] owned by unix-user:davidz (check requested by system-bus-name::1.905 [pkexec /usr/bin/pk-example-frobnicate])
Dec 11 15:18:10 localhost polkitd(authority=local): ALLOWING action org.freedesktop.udisks.filesystem-mount-system-internal for system-bus-name::1.902 [palimpsest] owned by unix-user:davidz (check requested by system-bus-name::1.380 [/usr/libexec/udisks-daemon])

4. Authorizations through authentication (both success and failures) -> /var/log/secure
----------------------------------------------------------

Dec 11 15:19:01 localhost polkitd(authority=local): Operator of unix-session:/org/freedesktop/ConsoleKit/Session1 successfully authenticated as unix-user:davidz to gain TEMPORARY authorization for action org.freedesktop.policykit.example.pkexec.run-frobnicate for unix-process:2517:25785526 [bash] (owned by unix-user:davidz)
Dec 11 15:19:01 localhost polkitd(authority=local): ALLOWING action org.freedesktop.policykit.example.pkexec.run-frobnicate for unix-process:2517:25785526 [bash] owned by unix-user:davidz (check requested by system-bus-name::1.906 [pkexec /usr/bin/pk-example-frobnicate])
Dec 11 15:19:10 localhost polkitd(authority=local): Operator of unix-session:/org/freedesktop/ConsoleKit/Session1 successfully authenticated as unix-user:davidz to gain ONE-SHOT authorization for action org.freedesktop.policykit.exec for unix-process:2517:25785526 [bash] (owned by unix-user:davidz)
Dec 11 15:19:10 localhost polkitd(authority=local): ALLOWING action org.freedesktop.policykit.exec for unix-process:2517:25785526 [bash] owned by unix-user:davidz (check requested by system-bus-name::1.908 [pkexec bash])
Dec 11 15:19:10 localhost pkexec: pam_unix(polkit-1:session): session opened for user root by davidz(uid=500)
Dec 11 15:19:22 localhost polkitd(authority=local): Operator of unix-session:/org/freedesktop/ConsoleKit/Session1 FAILED to authenticate to gain authorization for action org.freedesktop.policykit.exec for unix-process:2517:25785526 [bash] (owned by unix-user:davidz)
Dec 11 15:19:22 localhost polkitd(authority=local): DENYING action org.freedesktop.policykit.exec for unix-process:2517:25785526 [bash] owned by unix-user:davidz (check requested by system-bus-name::1.910 [pkexec bash])
Dec 11 15:20:06 localhost polkitd(authority=local): Operator of unix-session:/org/freedesktop/ConsoleKit/Session1 successfully authenticated as unix-user:bateman to gain ONE-SHOT authorization for action org.freedesktop.policykit.exec for unix-process:2517:25785526 [bash] (owned by unix-user:davidz)
Dec 11 15:20:06 localhost polkitd(authority=local): ALLOWING action org.freedesktop.policykit.exec for unix-process:2517:25785526 [bash] owned by unix-user:davidz (check requested by system-bus-name::1.913 [pkexec bash])

Signed-off-by:
David Zeuthen <davidz@redhat.com>
-
David Zeuthen authored
Signed-off-by:
David Zeuthen <davidz@redhat.com>
-
David Zeuthen authored
This was pointed out in http://lists.freedesktop.org/archives/polkit-devel/2009-December/000276.html We already run the authentication and acct_mgmt parts in the authentication agent. Signed-off-by:
David Zeuthen <davidz@redhat.com>
-
David Zeuthen authored
Signed-off-by:
David Zeuthen <davidz@redhat.com>
-
- 10 Dec, 2009 1 commit
-
-
David Zeuthen authored
Turns out some people would rather edit local files in /etc rather than shipping them in a package (as e.g. Fedora does with the polkit-desktop-policy RPM). This also drops the hard-coded list of directory names such as 10-vendor.d, 20-org.d - we now monitor the /var/lib/polkit-1/localauthority and /etc/polkit-1/localauthority directories for changes - whenever we see a subdirectory in any of these directories, we create an AuthorizationStore object that looks for .pkla files. Signed-off-by:
David Zeuthen <davidz@redhat.com>
-
- 13 Nov, 2009 4 commits
-
-
David Zeuthen authored
-
David Zeuthen authored
-
David Zeuthen authored
-
David Zeuthen authored
-
- 12 Nov, 2009 1 commit
-
-
David Zeuthen authored
Suggestions from https://bugzilla.redhat.com/show_bug.cgi?id=534140 Thanks.
-
- 11 Nov, 2009 4 commits
-
-
David Zeuthen authored
See 6a35bf61 4a3cdac6 and 784236e9
-
David Zeuthen authored
-
David Zeuthen authored
Also rename the action from org.freedesktop.policykit.localauthority.lockdown to org.freedesktop.policykit.lockdown since any authority implementation can now implement this. This changes only ABI/API used by e.g. polkit-gnome. This is fine since we're not at 1.0 yet.
-
David Zeuthen authored
Now to implement this in the interactive authority...
-
- 21 Oct, 2009 3 commits
-
-
Michael Biebl authored
Signed-off-by:
David Zeuthen <davidz@redhat.com>
-
Andreas Sandberg authored
polkit-agent-helper calls pam_end on pam_h without setting pam_h to NULL. This causes the error handler to call pam_end on the stale handler if the send_dbus_message procedure fails, which in turn generates a SIGSEGV. Signed-off-by:
David Zeuthen <davidz@redhat.com>
-
Matthias Clasen authored
Signed-off-by:
David Zeuthen <davidz@redhat.com>
-
- 16 Oct, 2009 1 commit
-
-
Alexander Sack authored
http://bugs.freedesktop.org/show_bug.cgi?id=24566 Signed-off-by:
David Zeuthen <davidz@redhat.com>
-
- 15 Oct, 2009 1 commit
-
-
Samuel Thibault authored
PATH_MAX, which hurd-i386 doesn't define since it doesn't have such arbitrary limitation. The attached patch fixes it by just using glibc's get_current_dir_name() extension when available. Signed-off-by:
Michael Biebl <mbiebl@gmail.com> Signed-off-by:
David Zeuthen <davidz@redhat.com>
-
- 29 Sep, 2009 1 commit
-
-
David Zeuthen authored
See https://bugzilla.redhat.com/show_bug.cgi?id=526053 for more details.
-
- 16 Sep, 2009 1 commit
-
-
David Zeuthen authored
Also bump requirement on EggDBus to 0.6 (to be released later) for a bug-fix with flag properties.
-
- 14 Sep, 2009 2 commits
-
-
Bastien Nocera authored
When using polkit_unix_process_new_full() the start-time wasn't being set from the process' PID if it wasn't passed to the function. Signed-off-by:
David Zeuthen <davidz@redhat.com>
-
David Zeuthen authored
Also handle 64-bit jiffies (rather than 63-bit) for maximum correctness.
-
- 13 Sep, 2009 1 commit
-
-
David Zeuthen authored
Without this, builds with --enable-introspection fail in the Fedora buildsystem.
-