Description: polkit CheckAuthorization: fix race condition in privilege authorization
The unix-process authorization subject is deprecated:
https://www.freedesktop.org/software/polkit/docs/latest/PolkitUnixProcess.html#polkit-unix-process-new
as it is subject to a race condition. A client process requesting
authorization can replace itself by a suid or otherwise root-owned
executable, thus granting the original non-privileged request
privileges.
See also:
https://bugzilla.redhat.com/show_bug.cgi?id=1002375
https://github.com/Kabot/Unix-Privilege-Escalation-Exploits-Pack/blob/master/2011/CVE-2011-1485/polkit-pwnage.c
Polkit uses the real uid of the process by now, thus mitigating the
exploit using suid binaries. It is still possible, however, to exit the
client process and try to get a root program to get the same PID.
In the worst case this would allow an unauthenticated user to get backintime
or some other program to be executed via udev rules as the root user.
Origin: https://github.com/bit-team/backintime/commit/358b45890575c382076bb3b1e91d9064c6a56cf5
Applied-Upstream: 1.1.20
Last-Update: 2017-04-22
--- backintime-1.1.12.orig/qt4/serviceHelper.py
+++ backintime-1.1.12/qt4/serviceHelper.py
@@ -216,18 +216,12 @@
# bus, and it does not make sense to restrict operations here
return
- info = SenderInfo(sender, conn)
-
- # get peer PID
- pid = info.connectionPid()
-
# query PolicyKit
self._initPolkit()
try:
# we don't need is_challenge return here, since we call with AllowUserInteraction
(is_auth, _, details) = self.polkit.CheckAuthorization(
- ('unix-process', {'pid': dbus.UInt32(pid, variant_level=1),
- 'start-time': dbus.UInt64(0, variant_level=1)}),
+ ('system-bus-name', {'name': dbus.String(sender, variant_level=1)}),
privilege, {'': ''}, dbus.UInt32(1), '', timeout=3000)
except dbus.DBusException as e:
if e._dbus_error_name == 'org.freedesktop.DBus.Error.ServiceUnknown':
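Review bot: the hunk removes the only visible uses of `SenderInfo` and `conn` (`info = SenderInfo(sender, conn)` and `pid = info.connectionPid()`), so check whether the `conn` parameter of this method and the `SenderInfo` helper are now dead code and drop them, or state in the description that they are still used elsewhere. The substantive change is sound: the removed `('unix-process', {'pid': ..., 'start-time': dbus.UInt64(0, ...)})` subject identifies the caller by a PID that can be reused after the client exits, which is exactly the race the description names, while `('system-bus-name', {'name': dbus.String(sender, variant_level=1)})` binds the check to the caller's unique bus connection name, which the bus will not hand out again while that connection lives, so polkit resolves the caller's credentials itself. Since nothing in the hunk says why the subject type changed, add a one-line comment above the `CheckAuthorization` call explaining that `unix-process` is deprecated because of PID reuse, so the old subject is not reintroduced later; the `except dbus.DBusException` handler below, which only special-cases `ServiceUnknown`, is unaffected by the new subject and can stay as is.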