Allow specifying an UID in the --process option of pkcheck(1)
Resolves: #1009538, CVE-2013-4288
This commit is contained in:
parent
5f3df8c3fd
commit
b1480cde74
100
polkit-0.107-CVE-2013-4288.patch
Normal file
100
polkit-0.107-CVE-2013-4288.patch
Normal file
@ -0,0 +1,100 @@
|
||||
The uid is a new addition; this allows callers such as libvirt to
|
||||
close a race condition in reading the uid of the process talking to
|
||||
them. They can read it via getsockopt(SO_PEERCRED) or equivalent,
|
||||
rather than having pkcheck look at /proc later after the fact.
|
||||
|
||||
Programs which invoke pkcheck but need to know beforehand (i.e. at
|
||||
compile time) whether or not it supports passing the uid can
|
||||
use:
|
||||
|
||||
pkcheck_supports_uid=$($PKG_CONFIG --variable pkcheck_supports_uid polkit-gobject-1)
|
||||
test x$pkcheck_supports_uid = xyes
|
||||
|
||||
diff -urN polkit/data/polkit-gobject-1.pc.in polkit-0.107/data/polkit-gobject-1.pc.in
|
||||
--- polkit/data/polkit-gobject-1.pc.in 2012-04-24 18:05:34.000000000 +0200
|
||||
+++ polkit-0.107/data/polkit-gobject-1.pc.in 2013-09-18 20:33:16.451783171 +0200
|
||||
@@ -11,3 +11,6 @@
|
||||
Libs: -L${libdir} -lpolkit-gobject-1
|
||||
Cflags: -I${includedir}/polkit-1
|
||||
Requires: gio-2.0 >= 2.18 glib-2.0 >= 2.18
|
||||
+# Programs using pkcheck can use this to determine
|
||||
+# whether or not it can be passed a uid.
|
||||
+pkcheck_supports_uid=true
|
||||
diff -urN polkit/docs/man/pkcheck.xml polkit-0.107/docs/man/pkcheck.xml
|
||||
--- polkit/docs/man/pkcheck.xml 2012-06-04 19:47:39.000000000 +0200
|
||||
+++ polkit-0.107/docs/man/pkcheck.xml 2013-09-18 20:33:16.451783171 +0200
|
||||
@@ -55,6 +55,9 @@
|
||||
<arg choice="plain">
|
||||
<replaceable>pid,pid-start-time</replaceable>
|
||||
</arg>
|
||||
+ <arg choice="plain">
|
||||
+ <replaceable>pid,pid-start-time,uid</replaceable>
|
||||
+ </arg>
|
||||
</group>
|
||||
</arg>
|
||||
<arg choice="plain">
|
||||
@@ -90,7 +93,7 @@
|
||||
<title>DESCRIPTION</title>
|
||||
<para>
|
||||
<command>pkcheck</command> is used to check whether a process, specified by
|
||||
- either <option>--process</option> or <option>--system-bus-name</option>,
|
||||
+ either <option>--process</option> (see below) or <option>--system-bus-name</option>,
|
||||
is authorized for <replaceable>action</replaceable>. The <option>--detail</option>
|
||||
option can be used zero or more times to pass details about <replaceable>action</replaceable>.
|
||||
If <option>--allow-user-interaction</option> is passed, <command>pkcheck</command> blocks
|
||||
@@ -160,15 +163,23 @@
|
||||
<refsect1 id="pkcheck-notes">
|
||||
<title>NOTES</title>
|
||||
<para>
|
||||
- Since process identifiers can be recycled, the caller should always use
|
||||
- <replaceable>pid,pid-start-time</replaceable> to specify the process
|
||||
- to check for authorization when using the <option>--process</option> option.
|
||||
- The value of <replaceable>pid-start-time</replaceable>
|
||||
- can be determined by consulting e.g. the
|
||||
+ Do not use either the bare <replaceable>pid</replaceable> or
|
||||
+ <replaceable>pid,start-time</replaceable> syntax forms for
|
||||
+ <option>--process</option>. There are race conditions in both.
|
||||
+ New code should always use
|
||||
+ <replaceable>pid,pid-start-time,uid</replaceable>. The value of
|
||||
+ <replaceable>start-time</replaceable> can be determined by
|
||||
+ consulting e.g. the
|
||||
<citerefentry><refentrytitle>proc</refentrytitle><manvolnum>5</manvolnum></citerefentry>
|
||||
- file system depending on the operating system. If only <replaceable>pid</replaceable>
|
||||
- is passed to the <option>--process</option> option, then <command>pkcheck</command>
|
||||
- will look up the start time itself but note that this may be racy.
|
||||
+ file system depending on the operating system. If fewer than 3
|
||||
+ arguments are passed, <command>pkcheck</command> will attempt to
|
||||
+ look up them up internally, but note that this may be racy.
|
||||
+ </para>
|
||||
+ <para>
|
||||
+ If your program is a daemon with e.g. a custom Unix domain
|
||||
+ socket, you should determine the <replaceable>uid</replaceable>
|
||||
+ parameter via operating system mechanisms such as
|
||||
+ <literal>PEERCRED</literal>.
|
||||
</para>
|
||||
</refsect1>
|
||||
|
||||
diff -urN polkit/src/programs/pkcheck.c polkit-0.107/src/programs/pkcheck.c
|
||||
--- polkit/src/programs/pkcheck.c 2012-04-24 18:05:34.000000000 +0200
|
||||
+++ polkit-0.107/src/programs/pkcheck.c 2013-09-18 20:33:16.452783171 +0200
|
||||
@@ -372,6 +372,7 @@
|
||||
else if (g_strcmp0 (argv[n], "--process") == 0 || g_strcmp0 (argv[n], "-p") == 0)
|
||||
{
|
||||
gint pid;
|
||||
+ guint uid;
|
||||
guint64 pid_start_time;
|
||||
|
||||
n++;
|
||||
@@ -381,7 +382,11 @@
|
||||
goto out;
|
||||
}
|
||||
|
||||
- if (sscanf (argv[n], "%i,%" G_GUINT64_FORMAT, &pid, &pid_start_time) == 2)
|
||||
+ if (sscanf (argv[n], "%i,%" G_GUINT64_FORMAT ",%u", &pid, &pid_start_time, &uid) == 3)
|
||||
+ {
|
||||
+ subject = polkit_unix_process_new_for_owner (pid, pid_start_time, uid);
|
||||
+ }
|
||||
+ else if (sscanf (argv[n], "%i,%" G_GUINT64_FORMAT, &pid, &pid_start_time) == 2)
|
||||
{
|
||||
subject = polkit_unix_process_new_full (pid, pid_start_time);
|
||||
}
|
10
polkit.spec
10
polkit.spec
@ -1,7 +1,7 @@
|
||||
Summary: polkit Authorization Framework
|
||||
Name: polkit
|
||||
Version: 0.107
|
||||
Release: 5%{?dist}
|
||||
Release: 6%{?dist}
|
||||
License: LGPLv2+
|
||||
URL: http://www.freedesktop.org/wiki/Software/polkit
|
||||
Source0: http://www.freedesktop.org/software/polkit/releases/%{name}-%{version}.tar.gz
|
||||
@ -36,6 +36,9 @@ Patch1: polkit-0.107-avoid-crashing-if-initializing-the-server-object-fails.patc
|
||||
# Use GOnce for interface type registration
|
||||
Patch2: polkit-0.112-gobject-interface-type-registration-race.patch
|
||||
|
||||
# Upstream commit 3968411b0c7ba193f9b9276ec911692aec248608
|
||||
Patch3: polkit-0.107-CVE-2013-4288.patch
|
||||
|
||||
%description
|
||||
polkit is a toolkit for defining and handling authorizations. It is
|
||||
used for allowing unprivileged processes to speak to privileged
|
||||
@ -69,6 +72,7 @@ Development documentation for polkit.
|
||||
%patch0 -p1 -b .fall-back-to-uid-0
|
||||
%patch1 -p1 -b .crash-fix
|
||||
%patch2 -p1 -b .gtype-race
|
||||
%patch3 -p1 -b .CVE-2013-4288
|
||||
|
||||
%build
|
||||
%configure --enable-gtk-doc \
|
||||
@ -137,6 +141,10 @@ exit 0
|
||||
%{_datadir}/gtk-doc
|
||||
|
||||
%changelog
|
||||
* Wed Sep 18 2013 Miloslav Trmač <mitr@redhat.com> - 0.107-6
|
||||
- Allow specifying an UID in the --process option of pkcheck(1)
|
||||
Resolves: #1009538, CVE-2013-4288
|
||||
|
||||
* Wed May 29 2013 Tomas Bzatek <tbzatek@redhat.com> 0.107-5
|
||||
- Fix a race on PolkitSubject type registration (#866718)
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user