path: root/src/polkitbackend/polkitbackendsessionmonitor-systemd.c
Age | Commit message | Author | Files | Lines
2023-08-17 | polkitd: use PIDFDs if available to track processes | Luca Boccassi | 1 file | -0/+32
PIDs can be recycled, so when possible it is best to try and use PIDFDs, which are pinned. Change polkitd's unixprocess class so that, if the PIDFD syscall is available, it does not store a PID but only the PIDFD, and gets the PID when required on the fly (which will intentionally fail if the process has disappeared, so that we avoid recycling races). In the future we will be able to get the PIDFD directly from D-Bus' GetConnectionCredentials() call, but for now get the FD from the PID. It does not completely close the window, but makes things significantly better already.
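The mechanism described in this commit message, as an added example that is not polkit's own code: a process is tracked through a pidfd rather than a numeric PID, and the PID is resolved on demand from the "Pid:" line of /proc/self/fdinfo/<fd>, which the kernel reports as -1 once the process has exited and been reaped. That lookup failure is the property the commit relies on: a caller never acts on a PID that may since have been handed to an unrelated process. The example assumes a Linux kernel with pidfd_open(2) (5.3 or later) and a mounted /proc; the function names (open_pidfd, pidfd_get_pid, track_and_check) are hypothetical, and the fallback when the syscall is unavailable mirrors the "if available" wording above.

```c
/* Added example (not polkit code): PIDFD-based process tracking.
 * Assumes Linux >= 5.3 (pidfd_open) and a mounted /proc.
 * Function names are hypothetical. */
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef SYS_pidfd_open
#define SYS_pidfd_open 434  /* syscall number on x86_64, aarch64 and other generic-table arches */
#endif

/* Obtain a pidfd for pid. Returns -1 with errno set (ENOSYS on kernels
 * without pidfd_open, EPERM under seccomp policies that deny it). */
static int open_pidfd(pid_t pid)
{
    return (int) syscall(SYS_pidfd_open, pid, 0);
}

/* Resolve the PID currently behind a pidfd by parsing the "Pid:" line of
 * /proc/self/fdinfo/<fd>. Returns -1 when the process has exited and been
 * reaped, so a caller cannot be fooled by a recycled PID. */
static pid_t pidfd_get_pid(int pidfd)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/self/fdinfo/%d", pidfd);
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    char line[256];
    long pid = -1;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "Pid:", 4) == 0) {
            pid = strtol(line + 4, NULL, 10);  /* strtol skips the tab after "Pid:" */
            break;
        }
    }
    fclose(f);
    return pid > 0 ? (pid_t) pid : -1;
}

/* Fork a child, track it via a pidfd, confirm the lookup matches while the
 * child lives and fails once it has been reaped.
 * Returns 0 on success, 1 if pidfd_open is unavailable here (caller should
 * fall back to plain PIDs), -1 if the pidfd lookup misbehaved. */
static int track_and_check(void)
{
    pid_t child = fork();
    if (child < 0)
        return -1;
    if (child == 0) {
        pause();   /* child idles until it is killed */
        _exit(0);
    }
    int pidfd = open_pidfd(child);
    if (pidfd < 0) {
        int saved = errno;
        kill(child, SIGKILL);
        waitpid(child, NULL, 0);
        return (saved == ENOSYS || saved == EPERM) ? 1 : -1;
    }
    int rc = 0;
    if (pidfd_get_pid(pidfd) != child)
        rc = -1;
    kill(child, SIGKILL);
    waitpid(child, NULL, 0);  /* once reaped, the kernel reports Pid: -1 for this pidfd */
    if (pidfd_get_pid(pidfd) != -1)
        rc = -1;
    close(pidfd);
    return rc;
}

int main(void)
{
    int rc = track_and_check();
    if (rc == 1)
        puts("pidfd_open unavailable; would fall back to PID tracking");
    else
        puts(rc == 0 ? "pidfd tracking behaved as expected" : "unexpected pidfd behaviour");
    return rc == -1 ? 1 : 0;
}
```

Keeping only the pidfd and re-deriving the PID at the moment of use is what closes the window: between "PID observed" and "PID acted upon", a plain integer can start pointing at a different process, whereas the pidfd pins the original one and the lookup simply fails after it is gone.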
2018-07-03 | Fix CVE-2018-1116: Trusting client-supplied UID | Miloslav Trmač | 1 file | -4/+34
As part of CVE-2013-4288, the D-Bus clients were allowed (and encouraged) to submit the UID of the subject of authorization checks to avoid races against UID changes (notably using executables set-UID to root). However, that also allowed any client to submit an arbitrary UID, and that could be used to bypass "can only ask about / affect the same UID" checks in CheckAuthorization / RegisterAuthenticationAgent / UnregisterAuthenticationAgent.

This allowed an attacker:
- With CheckAuthorization, to cause the registered authentication agent in victim's session to pop up a dialog, or to determine whether the victim currently has a temporary authorization to perform an operation. (In principle, the attacker can also determine whether JavaScript rules allow the victim process to perform an operation; however, usually rules base their decisions on information determined from the supplied UID, so the attacker usually won't learn anything new.)
- With RegisterAuthenticationAgent, to prevent the victim's authentication agent from working (for a specific victim process), or to learn about which operations requiring authorization the victim is attempting.

To fix this, expose internal _polkit_unix_process_get_owner() / obsolete polkit_unix_process_get_owner() as a private polkit_unix_process_get_racy_uid__() (being more explicit about the dangers of relying on it), and use it in polkit_backend_session_monitor_get_user_for_subject() to return a boolean indicating whether the subject UID may be caller-chosen. Then, in the permission checks that require the subject to be equal to the caller, fail on caller-chosen UIDs (and continue through the pre-existing code paths which allow root, or root-designated server processes, to ask about arbitrary subjects.)

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
2015-06-03 | sessionmonitor-systemd: Use sd_uid_get_state() to check session activity | Philip Withnall | 1 file | -1/+32
Instead of using sd_pid_get_session() then sd_session_is_active() to determine whether the user is active, use sd_uid_get_state() directly. This gets the maximum of the states of all the user’s sessions, rather than the state of the session containing the subject process. Since the user is the security boundary, this is fine. This change is necessary for `systemd --user` sessions, where most user code will be forked off user@.service, rather than running inside the logind session (whether that be a foreground/active or background/online session). Policy-wise, the change is from checking whether the subject process is in an active session; to checking whether the subject process is owned by a user with at least one active session. https://bugs.freedesktop.org/show_bug.cgi?id=76358
2014-06-03 | sessionmonitor-systemd: prepare for D-Bus "user bus" model | Kay Sievers | 1 file | -5/+22
In the D-Bus "user bus" model, all sessions of a user share the same D-Bus instance, so a polkit-requesting process might live outside the login session which registered the user's polkit agent. In case a polkit-requesting process is not part of the user's login session, we ask systemd-logind for the user's "display" session instead. https://bugs.freedesktop.org/show_bug.cgi?id=78905
2013-11-11 | sessionmonitor-systemd: Deduplicate code paths | Colin Walters | 1 file | -41/+22
We had the code to go from pid -> session duplicated. If we have a PolkitSystemBusName, convert it to a PolkitUnixProcess. Then we can do PolkitUnixProcess -> pid -> session in one place. This is just a code cleanup. https://bugs.freedesktop.org/show_bug.cgi?id=69538
2013-11-07 | PolkitSystemBusName: Add public API to retrieve Unix user | Colin Walters | 1 file | -19/+1
And change the duplicated code in the backend session monitors to use it. This is just a code cleanup resulting from review after CVE-2013-4288. There's no security impact from this patch, it just removes duplicated code. https://bugs.freedesktop.org/show_bug.cgi?id=69538
2012-01-03 | Add optional systemd support | Matthias Clasen | 1 file | -0/+414
When configured with --enable-systemd, this patch makes polkit use systemd for session tracking instead of ConsoleKit. Signed-off-by: David Zeuthen <davidz@redhat.com>