Agent Authentication Question
Colin Walters
walters at verbum.org
Thu Jun 4 12:58:42 PDT 2015
On Thu, Jun 4, 2015, at 09:20 AM, Colin Walters wrote:
>
> But I'd be most comforatable if we did *both* "uid binding" and "secret cookie".
Ok, updated patches are in:
https://bugs.freedesktop.org/show_bug.cgi?id=90837
https://bugs.freedesktop.org/show_bug.cgi?id=90832
I wouldn't call these final, but I'd say they're good to review.
It seems like we agree there's a vulnerability here, so unless I hear
any objections I'll ask for another CVE tomorrow.
I'm still working on actually attempting to exploit a synthetic
cookie collision the patch from
https://bugs.freedesktop.org/show_bug.cgi?id=90837#c1
One thing that became clear to me is you need a custom
agent to do this; a normal agent won't understand that
the request was authenticated "behind its back".
So I'm working on:
https://github.com/cgwalters/polkit-otherauth-wait-text-agent
More information about the polkit-devel
mailing list