1. 17 Jun, 2015 2 commits
      docs: Update for changes to uid binding/AuthenticationAgentResponse2 · fb5076b7
      Miloslav Trmač authored
       - Refer to PolkitAgentSession in general instead of to _response only
       - Revert to the original description of authentication cancellation, the
         agent really needs to return an error to the caller (in addition to dealing
         with the session if any).
       - Explicitly document the UID assumption; in the process fixing bug #69980.
       - Keep documenting that we need a sufficiently privileged caller.
       - Refer to the ...Response2 API in more places.
       - Also update docbook documentation.
       - Drop a paragraph suggesting non-PolkitAgentSession implementations are
         expected and commonplace.
      Bug: https://bugs.freedesktop.org/show_bug.cgi?id=90837
      Reviewed-by: Colin Walters <walters@redhat.com>
      CVE-2015-4625: Bind use of cookies to specific uids · 493aa5dc
      Colin Walters authored
      The "cookie" value that Polkit hands out is global to all polkit
      users.  And when `AuthenticationAgentResponse` is invoked, we
      previously only received the cookie and *target* identity, and
      attempted to find an agent from that.
      The problem is that the current cookie is just an integer
      counter, and if it overflowed, it would be possible for
       a successful authorization in one session to trigger a response
      in another session.
      The overflow and ability to guess the cookie were fixed by the
      previous patch.
      This patch is conceptually further hardening on top of that.  Polkit
      currently treats uids as equivalent from a security domain
      perspective; there is no support for
      SELinux/AppArmor/etc. differentiation.
      We can retrieve the uid from `getuid()` in the setuid helper, which
      allows us to ensure the uid invoking `AuthenticationAgentResponse2`
      matches that of the agent.
      Then the authority only looks at authentication sessions matching the
      cookie that were created by a matching uid, thus removing the ability
      for different uids to interfere with each other entirely.
      Several fixes to this patch were contributed by:
      Miloslav Trmač <mitr@redhat.com>
      Bug: https://bugs.freedesktop.org/show_bug.cgi?id=90837
      CVE: CVE-2015-4625
      Reported-by: Tavis Ormandy <taviso@google.com>
      Reviewed-by: Miloslav Trmač <mitr@redhat.com>
      Signed-off-by: Colin Walters <walters@redhat.com>
  2. 08 Jun, 2015 2 commits
  3. 03 Jun, 2015 1 commit
  4. 31 Mar, 2015 1 commit
  5. 12 Jan, 2015 1 commit
  6. 11 Nov, 2013 3 commits
      Use G_GNUC_BEGIN_IGNORE_DEPRECATIONS to avoid warning spam · a4f1c2a5
      Colin Walters authored
      In these cases, we can't ever drop use of our API which we deprecated
      for external callers; for example where a (deprecated) command line is
      invoking the deprecated API.
      This patch avoids having polkit developers get spammed by unfixable
      Port internals non-deprecated PolkitProcess API where possible · 6d3d0a8f
      Colin Walters authored
      We can't port everything, but in PolkitPermission and these test
      cases, we can use _for_owner() with the right information.
      PolkitSystemBusName: Retrieve both pid and uid · bfa5036b
      Colin Walters authored
      For polkit_system_bus_name_get_process_sync(), as pointed out by
      Miloslav Trmac, we can securely retrieve the owner uid as well from
      the system bus, rather than (racily) looking it up internally.
      This avoids use of a deprecated API.
      However, this is not a security fix because nothing in the polkit
      codebase itself actually retrieves the uid from the result of this API
      call.  But, it might be useful in the future.
  7. 07 Nov, 2013 1 commit
  8. 18 Sep, 2013 1 commit
      polkitunixprocess: Deprecate racy APIs · 08291789
      Colin Walters authored
      It's only safe for processes to be created with their owning uid,
      (without kernel support, which we don't have).  Anything else is
      subject to clients exec()ing setuid binaries after the fact.
  9. 29 May, 2013 1 commit
  10. 18 Apr, 2013 1 commit
  11. 15 Apr, 2013 5 commits
  12. 13 Nov, 2012 1 commit
  13. 23 May, 2012 2 commits
  14. 12 Apr, 2012 1 commit
  15. 06 Feb, 2012 2 commits
  16. 10 Jan, 2012 1 commit
  17. 03 Jan, 2012 1 commit
  18. 22 Dec, 2011 1 commit
  19. 01 Aug, 2011 1 commit
  20. 01 Apr, 2011 1 commit
  21. 31 Mar, 2011 1 commit
  22. 11 Mar, 2011 1 commit
  23. 03 Mar, 2011 2 commits
      Deprecated PolkitBackendActionLookup · 02cebdb0
      David Zeuthen authored
      Instead, pass the untranslated message as polkit.message and set the
      gettext domain on polkit.gettext_domain. For printf()-style messages,
      occurrences of the form $(name_of_key) in the translated version of
      polkit.message are expanded with the value of the property
      name_of_key. See the pkexec(1) mechanism for an example of how to use
      Additionally, the property polkit.icon_name can be set to the
      icon. Note that not all authentication agents use this - in
      particular, gnome-shell does not.
      It is no longer possible to set the details to be shown in the
      authentication dialog. It was never a good idea to hide information
      there anyway. Instead, the mechanism should format a meaningful
      Signed-off-by: David Zeuthen <davidz@redhat.com>
  24. 23 Feb, 2011 4 commits
  25. 22 Feb, 2011 1 commit
  26. 17 Feb, 2011 1 commit