1. 09 Oct, 2017 1 commit
  2. 21 Oct, 2015 1 commit
  3. 17 Jun, 2015 2 commits
    • Miloslav Trmač's avatar
      docs: Update for changes to uid binding/AuthenticationAgentResponse2 · fb5076b7
      Miloslav Trmač authored
       - Refer to PolkitAgentSession in general instead of to _response only
       - Revert to the original description of authentication cancellation, the
         agent really needs to return an error to the caller (in addition to dealing
         with the session if any).
       - Explicitly document the UID assumption; in the process fixing bug #69980.
       - Keep documenting that we need a sufficiently privileged caller.
       - Refer to the ...Response2 API in more places.
       - Also update docbook documentation.
       - Drop a paragraph suggesting non-PolkitAgentSession implementations are
         expected and commonplace.
      Bug: https://bugs.freedesktop.org/show_bug.cgi?id=90837Reviewed-by: Colin Walters's avatarColin Walters <walters@redhat.com>
    • Colin Walters's avatar
      CVE-2015-4625: Bind use of cookies to specific uids · 493aa5dc
      Colin Walters authored
      The "cookie" value that Polkit hands out is global to all polkit
      users.  And when `AuthenticationAgentResponse` is invoked, we
      previously only received the cookie and *target* identity, and
      attempted to find an agent from that.
      The problem is that the current cookie is just an integer
      counter, and if it overflowed, it would be possible for
      an successful authorization in one session to trigger a response
      in another session.
      The overflow and ability to guess the cookie were fixed by the
      previous patch.
      This patch is conceptually further hardening on top of that.  Polkit
      currently treats uids as equivalent from a security domain
      perspective; there is no support for
      SELinux/AppArmor/etc. differentiation.
      We can retrieve the uid from `getuid()` in the setuid helper, which
      allows us to ensure the uid invoking `AuthenticationAgentResponse2`
      matches that of the agent.
      Then the authority only looks at authentication sessions matching the
      cookie that were created by a matching uid, thus removing the ability
      for different uids to interfere with each other entirely.
      Several fixes to this patch were contributed by:
      Miloslav Trmač <mitr@redhat.com>
      Bug: https://bugs.freedesktop.org/show_bug.cgi?id=90837
      CVE: CVE-2015-4625
      Reported-by: 's avatarTavis Ormandy <taviso@google.com>
      Reviewed-by: 's avatarMiloslav Trmač <mitr@redhat.com>
      Signed-off-by: Colin Walters's avatarColin Walters <walters@redhat.com>
  4. 08 Jun, 2015 1 commit
  5. 03 Jun, 2015 1 commit
  6. 18 Feb, 2014 1 commit
  7. 18 Sep, 2013 1 commit
    • Colin Walters's avatar
      pkcheck: Support --process=pid,start-time,uid syntax too · 3968411b
      Colin Walters authored
      The uid is a new addition; this allows callers such as libvirt to
      close a race condition in reading the uid of the process talking to
      them.  They can read it via getsockopt(SO_PEERCRED) or equivalent,
      rather than having pkcheck look at /proc later after the fact.
      Programs which invoke pkcheck but need to know beforehand (i.e.  at
      compile time) whether or not it supports passing the uid can
      pkcheck_supports_uid=$($PKG_CONFIG --variable pkcheck_supports_uid polkit-gobject-1)
      test x$pkcheck_supports_uid = xyes
  8. 15 May, 2013 1 commit
  9. 06 May, 2013 3 commits
  10. 15 Apr, 2013 6 commits
  11. 12 Apr, 2013 2 commits
  12. 14 Nov, 2012 1 commit
  13. 11 Jul, 2012 1 commit
  14. 06 Jul, 2012 1 commit
  15. 08 Jun, 2012 1 commit
  16. 07 Jun, 2012 2 commits
  17. 04 Jun, 2012 4 commits
  18. 25 May, 2012 3 commits
  19. 24 May, 2012 3 commits
  20. 23 May, 2012 4 commits