PolicyKit: Branch 'master'

[David Zeuthen]

 src/programs/pkexec.c |    5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

New commits:
commit 14bdfd816512a82b1ad258fa143ae5faa945df8a
Author: Dan Rosenberg <dan.j.rosenberg at gmail.com>
Date:   Wed Mar 10 12:46:19 2010 -0500

    Bug 26982 – pkexec information disclosure vulnerability
    
    pkexec is vulnerable to a minor information disclosure vulnerability
    that allows an attacker to verify whether or not arbitrary files
    exist, violating directory permissions. I reproduced the issue on my
    Karmic installation as follows:
    
     $ mkdir secret
     $ sudo chown root:root secret
     $ sudo chmod 400 secret
     $ sudo touch secret/hidden
     $ pkexec /home/drosenbe/secret/hidden
     (password prompt)
     $ pkexec /home/drosenbe/secret/doesnotexist
     Error getting information about /home/drosenbe/secret/doesnotexist: No such
     file or directory
    
    I've attached my patch for the issue. I replaced the stat() call
    entirely with access() using F_OK, so rather than check that the
    target exists, pkexec now checks if the user has permission to verify
    the existence of the program. There might be another way of doing
    this, such as chdir()'ing to the parent directory of the target and
    calling lstat(), but this seemed like more code than necessary to
    prevent such a minor problem.  I see no reason to allow pkexec to
    execute targets that are not accessible to the executing user because
    of directory permissions. This is such a limited use case anyway that
    this doesn't really affect functionality.
    
    http://bugs.freedesktop.org/show_bug.cgi?id=26982
    
    Signed-off-by: David Zeuthen <davidz at redhat.com>

diff --git a/src/programs/pkexec.c b/src/programs/pkexec.c
index 860e665..17c191e 100644
--- a/src/programs/pkexec.c
+++ b/src/programs/pkexec.c
@@ -411,7 +411,6 @@ main (int argc, char *argv[])
   gchar *opt_user;
   pid_t pid_of_caller;
   uid_t uid_of_caller;
-  struct stat statbuf;
 
   ret = 127;
   authority = NULL;
@@ -520,9 +519,9 @@ main (int argc, char *argv[])
       g_free (path);
       argv[n] = path = s;
     }
-  if (stat (path, &statbuf) != 0)
+  if (access (path, F_OK) != 0)
     {
-      g_printerr ("Error getting information about %s: %s\n", path, g_strerror (errno));
+      g_printerr ("Error accessing %s: %s\n", path, g_strerror (errno));
       goto out;
     }
   command_line = g_strjoinv (" ", argv + n);