Agent Authentication Question

Tavis Ormandy taviso at google.com
Fri May 29 11:00:08 PDT 2015


Hello, I've been browsing the reference code and have a question about
how the session cookies are maintained. It looks like the cookie
generator can wrap and two identical cookies could exist
simultaneously in the active sessions list.

static gchar * authentication_agent_new_cookie (AuthenticationAgent *agent)
{
    static gint counter = 0;
    return g_strdup_printf ("cookie%d", counter++);
}

You can imagine how one client gets a cookie but just waits and
doesn't arrange for AuthenticationAgentResponse to be called. It's my
understanding that sessions never timeout, they're just cleaned up
when D-Bus indicates a client disconnects. Therefore another process
can generate 2^32 authentication sessions and just disconnect
immediately. The counter gets incremented but the cookies never get
removed from the list, until eventually counter wraps and a second
cookie is minted.

My question is, what are the implications of that? Is it a security
vulnerability?

I guess the first matching cookie will be used when
AuthenticationAgentResponse is called for the second cookie, so
someone might see a different action displayed by the agent than they
thought they were authenticating? Is that the worst possible outcome?

I also noticed a crash while implementing an agent, which would also
allow the same cookie to be issued twice (cookie0 => crash =>
cookie0). I'll post the bug report in another mail, but does it make
sense for the cookies to be larger (perhaps 64bit, like D-Bus unique
addresses) and include the pid:start-time of polkitd?

Thanks, Tavis.


More information about the polkit-devel mailing list