rpms
/
polkit
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Allow specifying an UID in the --process option of pkcheck(1) 

Resolves: #1009538, CVE-2013-4288
This commit is contained in:
Miloslav Trmač 2013-09-18 20:41:48 +02:00
parent 5f3df8c3fd
commit b1480cde74
2 changed files with 109 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

100
polkit-0.107-CVE-2013-4288.patch Normal file
View File

@ -0,0 +1,100 @@
The uid is a new addition; this allows callers such as libvirt to
close a race condition in reading the uid of the process talking to
them. They can read it via getsockopt(SO_PEERCRED) or equivalent,
rather than having pkcheck look at /proc later after the fact.
Programs which invoke pkcheck but need to know beforehand (i.e. at
compile time) whether or not it supports passing the uid can
use:
pkcheck_supports_uid=$($PKG_CONFIG --variable pkcheck_supports_uid polkit-gobject-1)
test x$pkcheck_supports_uid = xyes
diff -urN polkit/data/polkit-gobject-1.pc.in polkit-0.107/data/polkit-gobject-1.pc.in
--- polkit/data/polkit-gobject-1.pc.in 2012-04-24 18:05:34.000000000 +0200
+++ polkit-0.107/data/polkit-gobject-1.pc.in 2013-09-18 20:33:16.451783171 +0200
@@ -11,3 +11,6 @@
Libs: -L${libdir} -lpolkit-gobject-1
Cflags: -I${includedir}/polkit-1
Requires: gio-2.0 >= 2.18 glib-2.0 >= 2.18
+# Programs using pkcheck can use this to determine
+# whether or not it can be passed a uid.
+pkcheck_supports_uid=true
diff -urN polkit/docs/man/pkcheck.xml polkit-0.107/docs/man/pkcheck.xml
--- polkit/docs/man/pkcheck.xml 2012-06-04 19:47:39.000000000 +0200
+++ polkit-0.107/docs/man/pkcheck.xml 2013-09-18 20:33:16.451783171 +0200
@@ -55,6 +55,9 @@
<arg choice="plain">
<replaceable>pid,pid-start-time</replaceable>
</arg>
+ <arg choice="plain">
+ <replaceable>pid,pid-start-time,uid</replaceable>
+ </arg>
</group>
</arg>
<arg choice="plain">
@@ -90,7 +93,7 @@
<title>DESCRIPTION</title>
<para>
<command>pkcheck</command> is used to check whether a process, specified by
- either <option>--process</option> or <option>--system-bus-name</option>,
+ either <option>--process</option> (see below) or <option>--system-bus-name</option>,
is authorized for <replaceable>action</replaceable>. The <option>--detail</option>
option can be used zero or more times to pass details about <replaceable>action</replaceable>.
If <option>--allow-user-interaction</option> is passed, <command>pkcheck</command> blocks
@@ -160,15 +163,23 @@
<refsect1 id="pkcheck-notes">
<title>NOTES</title>
<para>
- Since process identifiers can be recycled, the caller should always use
- <replaceable>pid,pid-start-time</replaceable> to specify the process
- to check for authorization when using the <option>--process</option> option.
- The value of <replaceable>pid-start-time</replaceable>
- can be determined by consulting e.g. the
+ Do not use either the bare <replaceable>pid</replaceable> or
+ <replaceable>pid,start-time</replaceable> syntax forms for
+ <option>--process</option>. There are race conditions in both.
+ New code should always use
+ <replaceable>pid,pid-start-time,uid</replaceable>. The value of
+ <replaceable>start-time</replaceable> can be determined by
+ consulting e.g. the
<citerefentry><refentrytitle>proc</refentrytitle><manvolnum>5</manvolnum></citerefentry>
- file system depending on the operating system. If only <replaceable>pid</replaceable>
- is passed to the <option>--process</option> option, then <command>pkcheck</command>
- will look up the start time itself but note that this may be racy.
+ file system depending on the operating system. If fewer than 3
+ arguments are passed, <command>pkcheck</command> will attempt to
+ look up them up internally, but note that this may be racy.
+ </para>
+ <para>
+ If your program is a daemon with e.g. a custom Unix domain
+ socket, you should determine the <replaceable>uid</replaceable>
+ parameter via operating system mechanisms such as
+ <literal>PEERCRED</literal>.
</para>
</refsect1>
diff -urN polkit/src/programs/pkcheck.c polkit-0.107/src/programs/pkcheck.c
--- polkit/src/programs/pkcheck.c 2012-04-24 18:05:34.000000000 +0200
+++ polkit-0.107/src/programs/pkcheck.c 2013-09-18 20:33:16.452783171 +0200
@@ -372,6 +372,7 @@
else if (g_strcmp0 (argv[n], "--process") == 0 || g_strcmp0 (argv[n], "-p") == 0)
{
gint pid;
+ guint uid;
guint64 pid_start_time;
n++;
@@ -381,7 +382,11 @@
goto out;
}
- if (sscanf (argv[n], "%i,%" G_GUINT64_FORMAT, &pid, &pid_start_time) == 2)
+ if (sscanf (argv[n], "%i,%" G_GUINT64_FORMAT ",%u", &pid, &pid_start_time, &uid) == 3)
+ {
+ subject = polkit_unix_process_new_for_owner (pid, pid_start_time, uid);
+ }
+ else if (sscanf (argv[n], "%i,%" G_GUINT64_FORMAT, &pid, &pid_start_time) == 2)
{
subject = polkit_unix_process_new_full (pid, pid_start_time);
}

10
polkit.spec
View File

@ -1,7 +1,7 @@
Summary: polkit Authorization Framework
Name: polkit
Version: 0.107
Release: 5%{?dist}
Release: 6%{?dist}
License: LGPLv2+
URL: http://www.freedesktop.org/wiki/Software/polkit
Source0: http://www.freedesktop.org/software/polkit/releases/%{name}-%{version}.tar.gz
@ -36,6 +36,9 @@ Patch1: polkit-0.107-avoid-crashing-if-initializing-the-server-object-fails.patc
# Use GOnce for interface type registration
Patch2: polkit-0.112-gobject-interface-type-registration-race.patch
# Upstream commit 3968411b0c7ba193f9b9276ec911692aec248608
Patch3: polkit-0.107-CVE-2013-4288.patch
%description
polkit is a toolkit for defining and handling authorizations. It is
used for allowing unprivileged processes to speak to privileged
@ -69,6 +72,7 @@ Development documentation for polkit.
%patch0 -p1 -b .fall-back-to-uid-0
%patch1 -p1 -b .crash-fix
%patch2 -p1 -b .gtype-race
%patch3 -p1 -b .CVE-2013-4288
%build
%configure --enable-gtk-doc \
@ -137,6 +141,10 @@ exit 0
%{_datadir}/gtk-doc
%changelog
* Wed Sep 18 2013 Miloslav Trmač <mitr@redhat.com> - 0.107-6
- Allow specifying an UID in the --process option of pkcheck(1)
Resolves: #1009538, CVE-2013-4288
* Wed May 29 2013 Tomas Bzatek <tbzatek@redhat.com> 0.107-5
- Fix a race on PolkitSubject type registration (#866718)