• Miloslav Trmač's avatar
    Fix CVE-2018-1116: Trusting client-supplied UID · bc7ffad5
    Miloslav Trmač authored
    As part of CVE-2013-4288, the D-Bus clients were allowed (and
    encouraged) to submit the UID of the subject of authorization checks
    to avoid races against UID changes (notably using executables
    set-UID to root).
    
    However, that also allowed any client to submit an arbitrary UID, and
    that could be used to bypass "can only ask about / affect the same UID"
    checks in CheckAuthorization / RegisterAuthenticationAgent /
    UnregisterAuthenticationAgent.  This allowed an attacker:
    
    - With CheckAuthorization, to cause the registered authentication
      agent in victim's session to pop up a dialog, or to determine whether
      the victim currently has a temporary authorization to perform an
      operation.
    
      (In principle, the attacker can also determine whether JavaScript
      rules allow the victim process to perform an operation; however,
      usually rules base their decisions on information determined from
      the supplied UID, so the attacker usually won't learn anything new.)
    
    - With RegisterAuthenticationAgent, to prevent the victim's
      authentication agent to work (for a specific victim process),
      or to learn about which operations requiring authorization
      the victim is attempting.
    
    To fix this, expose internal _polkit_unix_process_get_owner() /
    obsolete polkit_unix_process_get_owner() as a private
    polkit_unix_process_get_racy_uid__() (being more explicit about the
    dangers on relying on it), and use it in
    polkit_backend_session_monitor_get_user_for_subject() to return
    a boolean indicating whether the subject UID may be caller-chosen.
    
    Then, in the permission checks that require the subject to be
    equal to the caller, fail on caller-chosen UIDs (and continue
    through the pre-existing code paths which allow root, or root-designated
    server processes, to ask about arbitrary subjects.)
    Signed-off-by: 's avatarMiloslav Trmač <mitr@redhat.com>
    bc7ffad5