Author: Colin Walters From: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4326 Description: Pass uid of caller to polkit Otherwise, we force polkit to look up the uid itself in /proc, which is racy if they execve() a setuid binary. --- rtkit-daemon.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) --- rtkit.orig/rtkit-daemon.c +++ rtkit/rtkit-daemon.c @@ -1170,12 +1170,14 @@ static int verify_polkit(DBusConnection DBusMessage *m = NULL, *r = NULL; const char *unix_process = "unix-process"; const char *pid = "pid"; + const char *uid = "uid"; const char *start_time = "start-time"; const char *cancel_id = ""; uint32_t flags = 0; uint32_t pid_u32 = p->pid; - uint64_t start_time_u64 = p->starttime; + uint32_t uid_u32 = (uint32_t)u->uid; DBusMessageIter iter_msg, iter_struct, iter_array, iter_dict, iter_variant; + uint64_t start_time_u64 = p->starttime; int ret; dbus_bool_t authorized = FALSE; @@ -1206,6 +1208,13 @@ static int verify_polkit(DBusConnection assert_se(dbus_message_iter_close_container(&iter_dict, &iter_variant)); assert_se(dbus_message_iter_close_container(&iter_array, &iter_dict)); + assert_se(dbus_message_iter_open_container(&iter_array, DBUS_TYPE_DICT_ENTRY, NULL, &iter_dict)); + assert_se(dbus_message_iter_append_basic(&iter_dict, DBUS_TYPE_STRING, &uid)); + assert_se(dbus_message_iter_open_container(&iter_dict, DBUS_TYPE_VARIANT, "u", &iter_variant)); + assert_se(dbus_message_iter_append_basic(&iter_variant, DBUS_TYPE_UINT32, &uid_u32)); + assert_se(dbus_message_iter_close_container(&iter_dict, &iter_variant)); + assert_se(dbus_message_iter_close_container(&iter_array, &iter_dict)); + assert_se(dbus_message_iter_close_container(&iter_struct, &iter_array)); assert_se(dbus_message_iter_close_container(&iter_msg, &iter_struct));