1. 17 Jun, 2015 2 commits
    • Miloslav Trmač's avatar
      docs: Update for changes to uid binding/AuthenticationAgentResponse2 · fb5076b7
      Miloslav Trmač authored
       - Refer to PolkitAgentSession in general instead of to _response only
       - Revert to the original description of authentication cancellation, the
         agent really needs to return an error to the caller (in addition to dealing
         with the session if any).
       - Explicitly document the UID assumption; in the process fixing bug #69980.
       - Keep documenting that we need a sufficiently privileged caller.
       - Refer to the ...Response2 API in more places.
       - Also update docbook documentation.
       - Drop a paragraph suggesting non-PolkitAgentSession implementations are
         expected and commonplace.
      
      Bug: https://bugs.freedesktop.org/show_bug.cgi?id=90837Reviewed-by: Colin Walters's avatarColin Walters <walters@redhat.com>
      fb5076b7
    • Colin Walters's avatar
      CVE-2015-4625: Bind use of cookies to specific uids · 493aa5dc
      Colin Walters authored
      http://lists.freedesktop.org/archives/polkit-devel/2015-June/000425.html
      
      The "cookie" value that Polkit hands out is global to all polkit
      users.  And when `AuthenticationAgentResponse` is invoked, we
      previously only received the cookie and *target* identity, and
      attempted to find an agent from that.
      
      The problem is that the current cookie is just an integer
      counter, and if it overflowed, it would be possible for
      an successful authorization in one session to trigger a response
      in another session.
      
      The overflow and ability to guess the cookie were fixed by the
      previous patch.
      
      This patch is conceptually further hardening on top of that.  Polkit
      currently treats uids as equivalent from a security domain
      perspective; there is no support for
      SELinux/AppArmor/etc. differentiation.
      
      We can retrieve the uid from `getuid()` in the setuid helper, which
      allows us to ensure the uid invoking `AuthenticationAgentResponse2`
      matches that of the agent.
      
      Then the authority only looks at authentication sessions matching the
      cookie that were created by a matching uid, thus removing the ability
      for different uids to interfere with each other entirely.
      
      Several fixes to this patch were contributed by:
      Miloslav Trmač <mitr@redhat.com>
      
      Bug: https://bugs.freedesktop.org/show_bug.cgi?id=90837
      CVE: CVE-2015-4625
      Reported-by: default avatarTavis Ormandy <taviso@google.com>
      Reviewed-by: default avatarMiloslav Trmač <mitr@redhat.com>
      Signed-off-by: Colin Walters's avatarColin Walters <walters@redhat.com>
      493aa5dc
  2. 11 Nov, 2009 1 commit
  3. 29 Sep, 2009 1 commit
  4. 16 Sep, 2009 1 commit
  5. 12 Sep, 2009 1 commit
  6. 28 Jul, 2009 1 commit
  7. 27 Jul, 2009 1 commit
  8. 20 Jul, 2009 1 commit
  9. 08 Jun, 2009 1 commit
  10. 29 May, 2009 1 commit
  11. 15 May, 2009 1 commit
  12. 13 May, 2009 2 commits
  13. 09 Feb, 2009 1 commit
  14. 08 Feb, 2009 2 commits
  15. 07 Feb, 2009 1 commit
  16. 05 Feb, 2009 1 commit
  17. 04 Feb, 2009 1 commit
  18. 03 Feb, 2009 1 commit
  19. 01 Feb, 2009 1 commit
  20. 27 Jan, 2009 1 commit
  21. 21 Jan, 2009 1 commit
  22. 20 Jan, 2009 2 commits
  23. 19 Jan, 2009 2 commits
  24. 18 Jan, 2009 2 commits
  25. 16 Jan, 2009 2 commits
  26. 11 Jan, 2009 1 commit
  27. 07 Jan, 2009 2 commits
  28. 06 Jan, 2009 1 commit
  29. 07 Dec, 2008 4 commits