PolicyKit: Branch 'master' - 3 commits
Miloslav Trmac
mitr at kemper.freedesktop.org
Wed Sep 18 10:15:12 PDT 2013
NEWS | 33 +++++++++++++++++++++++++++++----
data/polkit-gobject-1.pc.in | 3 +++
docs/man/pkcheck.xml | 29 ++++++++++++++++++++---------
src/polkit/polkitunixprocess.h | 2 ++
src/programs/pkcheck.c | 9 +++++++--
5 files changed, 61 insertions(+), 15 deletions(-)
New commits:
commit 979b6651f0876b1be07a6d848c30bd1a74f96a70
Author: Miloslav Trmač <mitr at redhat.com>
Date: Wed Sep 18 18:40:48 2013 +0200
Update NEWS for release
Signed-off-by: Miloslav Trmač <mitr at redhat.com>
diff --git a/NEWS b/NEWS
index 830c8f3..4262392 100644
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,8 @@
polkit 0.112
--------------
+NOTE: This release is an important security update, see below.
+
WARNING WARNING WARNING: This is a prerelease on the road to polkit
1.0. Public API might change and certain parts of the code still needs
some security review. Use at your own risk.
@@ -9,7 +11,18 @@ some security review. Use at your own risk.
This is polkit 0.112.
Highlights:
- TODO
+ This release fixes CVE-2013-4288: Race condition with process subjects that do
+ not have securely determined uid.
+
+ pkcheck(1) now supports a new format for the --process argument; all
+ applications need to use the new format to avoid a race condition (or use
+ --system-bus-name to identify the process instead).
+
+ Similarly, applications using the API should always use
+ polkit_unix_process_new_for_owner(). polkit_unix_process_new() and
+ polkit_unix_process_new_full() are unsafe and have been deprecated.
+
+ Thanks to Sebastian Krahmer of the SUSE Security Team for reporting this issue.
Build requirements
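Review bot: the Highlights entry tells callers to switch to the new --process format but gives no way to detect at build time whether the installed pkcheck accepts it; mention the pkcheck_supports_uid variable that the companion pkcheck commit adds to polkit-gobject-1.pc. It should also say that the old pid and pid,start-time forms are still accepted for compatibility but remain racy, so readers do not assume they now produce an error.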
@@ -21,12 +34,24 @@ Build requirements
Changes since polkit 0.111:
- TODO
+Colin Walters (2):
+ polkitunixprocess: Deprecate racy APIs
+ pkcheck: Support --process=pid,start-time,uid syntax too
+
+Miloslav TrmaÄ (1):
+ Post-release version bump to 0.112
+
+Tomas Bzatek (1):
+ Use GOnce for interface type registration
+
+Tomas Chvatal (2):
+ Add czech translation po file to distribution.
+ Update the czech once more with newest pot file.
Thanks to our contributors.
-Miloslav TrmaÄ,
-$DATE
+Colin Walters and Miloslav TrmaÄ,
+September 18, 2013
--------------
polkit 0.111
commit 3968411b0c7ba193f9b9276ec911692aec248608
Author: Colin Walters <walters at verbum.org>
Date: Mon Aug 19 12:16:11 2013 -0400
pkcheck: Support --process=pid,start-time,uid syntax too
The uid is a new addition; this allows callers such as libvirt to
close a race condition in reading the uid of the process talking to
them. They can read it via getsockopt(SO_PEERCRED) or equivalent,
rather than having pkcheck look at /proc later after the fact.
Programs which invoke pkcheck but need to know beforehand (i.e. at
compile time) whether or not it supports passing the uid can
use:
pkcheck_supports_uid=$($PKG_CONFIG --variable pkcheck_supports_uid polkit-gobject-1)
test x$pkcheck_supports_uid = xyes
diff --git a/data/polkit-gobject-1.pc.in b/data/polkit-gobject-1.pc.in
index c39677d..5c4c620 100644
--- a/data/polkit-gobject-1.pc.in
+++ b/data/polkit-gobject-1.pc.in
@@ -11,3 +11,6 @@ Version: @VERSION@
Libs: -L${libdir} -lpolkit-gobject-1
Cflags: -I${includedir}/polkit-1
Requires: gio-2.0 >= 2.18 glib-2.0 >= 2.18
+# Programs using pkcheck can use this to determine
+# whether or not it can be passed a uid.
+pkcheck_supports_uid=true
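Review bot: the value is `true`, but the check shown in the commit message, `test x$pkcheck_supports_uid = xyes`, compares against `yes` and will fail against this file; either set `pkcheck_supports_uid=yes` or document the test as `test x$pkcheck_supports_uid = xtrue`. The comment could also note that the variable describes the pkcheck shipped with this same polkit build, not whatever pkcheck happens to be on PATH at runtime.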
diff --git a/docs/man/pkcheck.xml b/docs/man/pkcheck.xml
index fc54054..c856ca4 100644
--- a/docs/man/pkcheck.xml
+++ b/docs/man/pkcheck.xml
@@ -55,6 +55,9 @@
<arg choice="plain">
<replaceable>pid,pid-start-time</replaceable>
</arg>
+ <arg choice="plain">
+ <replaceable>pid,pid-start-time,uid</replaceable>
+ </arg>
</group>
</arg>
<arg choice="plain">
@@ -90,7 +93,7 @@
<title>DESCRIPTION</title>
<para>
<command>pkcheck</command> is used to check whether a process, specified by
- either <option>--process</option> or <option>--system-bus-name</option>,
+ either <option>--process</option> (see below) or <option>--system-bus-name</option>,
is authorized for <replaceable>action</replaceable>. The <option>--detail</option>
option can be used zero or more times to pass details about <replaceable>action</replaceable>.
If <option>--allow-user-interaction</option> is passed, <command>pkcheck</command> blocks
@@ -160,15 +163,23 @@ KEY3=VALUE3
<refsect1 id="pkcheck-notes">
<title>NOTES</title>
<para>
- Since process identifiers can be recycled, the caller should always use
- <replaceable>pid,pid-start-time</replaceable> to specify the process
- to check for authorization when using the <option>--process</option> option.
- The value of <replaceable>pid-start-time</replaceable>
- can be determined by consulting e.g. the
+ Do not use either the bare <replaceable>pid</replaceable> or
+ <replaceable>pid,start-time</replaceable> syntax forms for
+ <option>--process</option>. There are race conditions in both.
+ New code should always use
+ <replaceable>pid,pid-start-time,uid</replaceable>. The value of
+ <replaceable>start-time</replaceable> can be determined by
+ consulting e.g. the
<citerefentry><refentrytitle>proc</refentrytitle><manvolnum>5</manvolnum></citerefentry>
- file system depending on the operating system. If only <replaceable>pid</replaceable>
- is passed to the <option>--process</option> option, then <command>pkcheck</command>
- will look up the start time itself but note that this may be racy.
+ file system depending on the operating system. If fewer than 3
+ arguments are passed, <command>pkcheck</command> will attempt to
+ look up them up internally, but note that this may be racy.
+ </para>
+ <para>
+ If your program is a daemon with e.g. a custom Unix domain
+ socket, you should determine the <replaceable>uid</replaceable>
+ parameter via operating system mechanisms such as
+ <literal>PEERCRED</literal>.
</para>
</refsect1>
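Review bot: typo in the added text: "look up them up internally" should read "look them up internally". The replaceable names also drift within the paragraph (pid,start-time and start-time versus the synopsis's pid,pid-start-time); use one name throughout. In the second paragraph, name the mechanism precisely (on Linux, getsockopt(2) with SO_PEERCRED) and say why it is required: the kernel reports the peer's uid for the connection itself, which is what closes the race that reading /proc afterwards leaves open.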
diff --git a/src/programs/pkcheck.c b/src/programs/pkcheck.c
index 9076693..11b2e26 100644
--- a/src/programs/pkcheck.c
+++ b/src/programs/pkcheck.c
@@ -44,7 +44,7 @@ help (void)
" -d, --details=KEY VALUE Add (KEY, VALUE) to information about the action\n"
" --enable-internal-agent Use an internal authentication agent if necessary\n"
" --list-temp List temporary authorizations for current session\n"
-" -p, --process=PID[,START_TIME] Check authorization of specified process\n"
+" -p, --process=PID[,START_TIME,UID] Check authorization of specified process\n"
" --revoke-temp Revoke all temporary authorizations for current session\n"
" -s, --system-bus-name=BUS_NAME Check authorization of owner of BUS_NAME\n"
" --version Show version\n"
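Review bot: `PID[,START_TIME,UID]` reads as if START_TIME and UID are only accepted together, yet the parser in this file still accepts `PID,START_TIME` on its own; `PID[,START_TIME[,UID]]` describes the accepted forms, and a short note that only the three-field form is race-free would match the man page NOTES.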
@@ -382,6 +382,7 @@ main (int argc, char *argv[])
else if (g_strcmp0 (argv[n], "--process") == 0 || g_strcmp0 (argv[n], "-p") == 0)
{
gint pid;
+ guint uid;
guint64 pid_start_time;
n++;
@@ -392,7 +393,11 @@ main (int argc, char *argv[])
goto out;
}
- if (sscanf (argv[n], "%i,%" G_GUINT64_FORMAT, &pid, &pid_start_time) == 2)
+ if (sscanf (argv[n], "%i,%" G_GUINT64_FORMAT ",%u", &pid, &pid_start_time, &uid) == 3)
+ {
+ subject = polkit_unix_process_new_for_owner (pid, pid_start_time, uid);
+ }
+ else if (sscanf (argv[n], "%i,%" G_GUINT64_FORMAT, &pid, &pid_start_time) == 2)
{
subject = polkit_unix_process_new_full (pid, pid_start_time);
}
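Review bot: `%u` is parsed with strtoul semantics and accepts a leading sign, so a value such as `1,2,-1` yields uid 4294967295 instead of a usage error, and none of the branches reject trailing text after the last field; parsing each field with g_ascii_strtoull and checking the end pointer would fail closed on malformed input. Also, the remaining fallback to polkit_unix_process_new_full now calls an API the companion commit marks G_GNUC_DEPRECATED_FOR, so pkcheck's own build will emit deprecation warnings; either drop the racy fallbacks here or silence the warning deliberately at those call sites.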
commit 08291789a1f99d4ab29c74c39344304bcca43023
Author: Colin Walters <walters at verbum.org>
Date: Tue Aug 20 15:15:31 2013 -0400
polkitunixprocess: Deprecate racy APIs
It's only safe for processes to be created with their owning uid
(without kernel support, which we don't have). Anything else is
subject to clients exec()ing setuid binaries after the fact.
diff --git a/src/polkit/polkitunixprocess.h b/src/polkit/polkitunixprocess.h
index 531a57d..f5ed1a7 100644
--- a/src/polkit/polkitunixprocess.h
+++ b/src/polkit/polkitunixprocess.h
@@ -47,7 +47,9 @@ typedef struct _PolkitUnixProcess PolkitUnixProcess;
typedef struct _PolkitUnixProcessClass PolkitUnixProcessClass;
GType polkit_unix_process_get_type (void) G_GNUC_CONST;
+G_GNUC_DEPRECATED_FOR(polkit_unix_process_new_for_owner)
PolkitSubject *polkit_unix_process_new (gint pid);
+G_GNUC_DEPRECATED_FOR(polkit_unix_process_new_for_owner)
PolkitSubject *polkit_unix_process_new_full (gint pid,
guint64 start_time);
PolkitSubject *polkit_unix_process_new_for_owner (gint pid,
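Review bot: G_GNUC_DEPRECATED_FOR first appeared in GLib 2.26, while polkit-gobject-1.pc.in still declares glib-2.0 >= 2.18, so this header breaks compilation for anyone on an older GLib; either raise the minimum GLib version in the build's GLib check and the .pc file or provide a fallback definition of the macro. Note too that in-tree callers such as the polkit_unix_process_new_full fallback in pkcheck.c will now warn; update or wrap them in the same change so the project's own build stays clean.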