Fix CVE-2018-1116: Trusting client-supplied UID · bc7ffad5
Miloslav Trmač authored
As part of CVE-2013-4288, the D-Bus clients were allowed (and
encouraged) to submit the UID of the subject of authorization checks
to avoid races against UID changes (notably using executables
set-UID to root).

However, that also allowed any client to submit an arbitrary UID, and
that could be used to bypass "can only ask about / affect the same UID"
checks in CheckAuthorization / RegisterAuthenticationAgent /
UnregisterAuthenticationAgent.  This allowed an attacker:

- With CheckAuthorization, to cause the registered authentication
  agent in the victim's session to pop up a dialog, or to determine whether
  the victim currently has a temporary authorization to perform an
  operation.

  (In principle, the attacker can also determine whether JavaScript
  rules allow the victim process to perform an operation; however,
  usually rules base their decisions on information determined from
  the supplied UID, so the attacker usually won't learn anything new.)

- With RegisterAuthenticationAgent, to prevent the victim's
  authentication agent from working (for a specific victim process),
  or to learn about which operations requiring authorization
  the victim is attempting.

To fix this, expose internal _polkit_unix_process_get_owner() /
obsolete polkit_unix_process_get_owner() as a private
polkit_unix_process_get_racy_uid__() (being more explicit about the
dangers of relying on it), and use it in
polkit_backend_session_monitor_get_user_for_subject() to return
a boolean indicating whether the subject UID may be caller-chosen.

Then, in the permission checks that require the subject to be
equal to the caller, fail on caller-chosen UIDs (and continue
through the pre-existing code paths which allow root, or root-designated
server processes, to ask about arbitrary subjects).
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
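The commit message describes a "same UID as the caller" check that trusted a client-supplied subject UID, and a fix that refuses caller-chosen UIDs unless the caller is root. The following C model, added here as an illustration and not polkit's own code, contrasts the two checks on a constructed process table. All names (`caller_t`, `subject_t`, `kernel_uid_for_pid`, the PIDs and UIDs) are hypothetical; the real polkit code paths are those named in the message above.

```c
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>

/* Hypothetical model of a D-Bus caller: its UID comes from the bus
 * daemon's credentials, not from anything the client sends. */
typedef struct {
    uid_t uid;
} caller_t;

/* Hypothetical model of a subject (a process) an authorization check
 * reasons about.  uid_caller_chosen records whether the UID was supplied
 * by the client itself rather than read from the kernel. */
typedef struct {
    pid_t pid;
    uid_t uid;
    bool  uid_caller_chosen;
} subject_t;

/* Constructed process table standing in for a /proc lookup:
 * PID 4242 belongs to the victim (UID 1000), PID 777 to UID 1001. */
uid_t kernel_uid_for_pid(pid_t pid)
{
    switch (pid) {
    case 4242: return 1000;
    case 777:  return 1001;
    default:   return (uid_t) -1;   /* unknown process */
    }
}

/* Subject built from the kernel's view of the process (may be racy, but
 * the client had no say in the UID). */
subject_t subject_from_kernel(pid_t pid)
{
    subject_t s = { .pid = pid, .uid = kernel_uid_for_pid(pid),
                    .uid_caller_chosen = false };
    return s;
}

/* Subject built from fields the client submitted, including the UID. */
subject_t subject_from_client(pid_t pid, uid_t claimed_uid)
{
    subject_t s = { .pid = pid, .uid = claimed_uid,
                    .uid_caller_chosen = true };
    return s;
}

/* Vulnerable check (before the fix): the subject UID is trusted wherever
 * it came from, so the comparison proves nothing about the real process. */
bool same_uid_check_before(const caller_t *caller, const subject_t *subject)
{
    if (caller->uid == 0)
        return true;                     /* root may ask about any subject */
    return caller->uid == subject->uid;
}

/* Fixed check: a UID the caller could have chosen is never accepted as
 * proof that the subject belongs to the caller; root keeps its privilege. */
bool same_uid_check_after(const caller_t *caller, const subject_t *subject)
{
    if (caller->uid == 0)
        return true;
    if (subject->uid_caller_chosen)
        return false;                    /* unverifiable, refuse */
    return caller->uid == subject->uid;
}

/* Scenario: caller UID 1001 names the victim's PID 4242 but attaches its
 * own UID, so the naive comparison matches although the process is not its. */
bool forged_uid_passes_before(void)
{
    caller_t c = { .uid = 1001 };
    subject_t s = subject_from_client(4242, 1001);
    return same_uid_check_before(&c, &s);
}

bool forged_uid_passes_after(void)
{
    caller_t c = { .uid = 1001 };
    subject_t s = subject_from_client(4242, 1001);
    return same_uid_check_after(&c, &s);
}

/* Legitimate use: caller UID 1001 asks about its own process via the
 * kernel-derived subject, which still passes after the fix. */
bool own_process_passes_after(void)
{
    caller_t c = { .uid = 1001 };
    subject_t s = subject_from_kernel(777);
    return same_uid_check_after(&c, &s);
}

/* Root retains the pre-existing ability to ask about arbitrary subjects. */
bool root_caller_passes_after(void)
{
    caller_t c = { .uid = 0 };
    subject_t s = subject_from_client(4242, 1001);
    return same_uid_check_after(&c, &s);
}

int main(void)
{
    printf("forged UID, before fix: %s\n", forged_uid_passes_before() ? "allowed" : "denied");
    printf("forged UID, after fix:  %s\n", forged_uid_passes_after() ? "allowed" : "denied");
    printf("own process, after fix: %s\n", own_process_passes_after() ? "allowed" : "denied");
    return 0;
}
```

The point to notice is that the fix does not try to validate the submitted UID against the kernel (which would reintroduce the race CVE-2013-4288 was avoiding); it simply stops treating a caller-chosen UID as evidence of identity in the checks that require caller and subject to match.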