Package: policykit-1 / 0.105-26

Metadata

Package: policykit-1
Version: 0.105-26
Patches format: 3.0 (quilt)

Patch series

Patch File delta Description
0.106/agenthelper pam Fix newline trimming code.patch | (download)

src/polkitagent/polkitagenthelper-pam.c | 11 8 + 3 - 0 !
1 file changed, 8 insertions(+), 3 deletions(-)

 agenthelper-pam: fix newline-trimming code

First, we were using == instead of =, as the author probably intended.
But after changing that, we're now assigning to const memory.  Fix
that by writing to a temporary string buffer.

Signed-off-by: David Zeuthen <zeuthen@gmail.com>
0.108/build Fix .gir generation for parallel make.patch | (download)

src/polkit/Makefile.am | 2 2 + 0 - 0 !
src/polkitagent/Makefile.am | 2 2 + 0 - 0 !
2 files changed, 4 insertions(+)

 build: fix .gir generation for parallel make

As per the instructions in the introspection Makefile, we should have a
line declaring a dependency between the .gir and .la files.

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=57077
Signed-off-by: David Zeuthen <zeuthen@gmail.com>
Bug-Debian: https://bugs.debian.org/894205

0.108/PolkitAgent Avoid crashing if initializing the server obj.patch | (download)

src/polkitagent/polkitagentlistener.c | 3 1 + 2 - 0 !
1 file changed, 1 insertion(+), 2 deletions(-)

 polkitagent: avoid crashing if initializing the server object fails

Note that otherwise we return a freed server object.  Since later in
polkit_agent_listener_register_with_options we check against NULL to
determine failure, this makes for sad times later when we call
server_free() on it again.

Signed-off-by: David Zeuthen <zeuthen@gmail.com>
0.110/07_set XAUTHORITY environment variable if unset.patch | (download)

src/programs/pkexec.c | 22 22 + 0 - 0 !
1 file changed, 22 insertions(+)

 set xauthority environment variable if it is unset

The way it works is that if XAUTHORITY is unset, then its default
value is $HOME/.Xauthority. But since we're changing user identity
this will not work since $HOME will now change. Therefore, if
XAUTHORITY is unset, just set its default value before changing
identity. This bug only affected login managers using X Window
Authorization but not explicitly setting the XAUTHORITY variable.

You can argue that XAUTHORITY is broken since it forces uid-changing
apps like pkexec(1) to do more work - and get involved in intimate
details of how X works and so on - but that doesn't change how things
work.

Based on a patch from Peter Wu <lekensteyn@gmail.com>.

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=51623
Signed-off-by: David Zeuthen <zeuthen@gmail.com>
0.110/04_get_cwd.patch | (download)

src/programs/pkexec.c | 5 3 + 2 - 0 !
1 file changed, 3 insertions(+), 2 deletions(-)

 fix build on gnu hurd

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=35685
0.111/09_pam_environment.patch | (download)

src/programs/pkexec.c | 10 10 + 0 - 0 !
1 file changed, 10 insertions(+)

 pkexec: set process environment from pam_getenvlist()

Various pam modules provide environment variables that are intended to be set
in the environment of the pam session.  pkexec needs to process the output of
pam_getenvlist() to get these.

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=62016
0.111/Add a FIXME to polkitprivate.h.patch | (download)

src/polkit/polkitprivate.h | 10 10 + 0 - 0 !
1 file changed, 10 insertions(+)

 add a fixme to polkitprivate.h

See discussion in https://bugs.freedesktop.org/show_bug.cgi?id=63573 .

0.111/Fix a memory leak.patch | (download)

src/polkitagent/polkitagenthelper-pam.c | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 fix a memory leak

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=64336
0.112/00git_type_registration.patch | (download)

src/polkit/polkitidentity.c | 10 6 + 4 - 0 !
src/polkit/polkitsubject.c | 10 6 + 4 - 0 !
src/polkitbackend/polkitbackendactionlookup.c | 10 6 + 4 - 0 !
3 files changed, 18 insertions(+), 12 deletions(-)

 use gonce for interface type registration

A static local variable may not be enough since it doesn't provide locking.

Related to these udisksd warnings:
  GLib-GObject-WARNING **: cannot register existing type `PolkitSubject'

Thanks to Hans de Goede for spotting this!

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=65130
0.112/08_deprecate_racy_APIs.patch | (download)

src/polkit/polkitunixprocess.h | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

 polkitunixprocess: deprecate racy apis

It's only safe for processes to be created with their owning uid,
(without kernel support, which we don't have).  Anything else is
subject to clients exec()ing setuid binaries after the fact.

0.112/cve 2013 4288.patch | (download)

data/polkit-gobject-1.pc.in | 3 3 + 0 - 0 !
docs/man/pkcheck.xml | 29 20 + 9 - 0 !
src/programs/pkcheck.c | 7 6 + 1 - 0 !
3 files changed, 29 insertions(+), 10 deletions(-)

 pkcheck: support --process=pid,start-time,uid syntax too

The uid is a new addition; this allows callers such as libvirt to
close a race condition in reading the uid of the process talking to
them.  They can read it via getsockopt(SO_PEERCRED) or equivalent,
rather than having pkcheck look at /proc later after the fact.

Programs which invoke pkcheck but need to know beforehand (i.e.  at
compile time) whether or not it supports passing the uid can
use:

pkcheck_supports_uid=$($PKG_CONFIG --variable pkcheck_supports_uid polkit-gobject-1)
test x$pkcheck_supports_uid = xyes

0.114/polkitpermission Fix a memory leak on authority changes.patch | (download)

src/polkit/polkitpermission.c | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 polkitpermission: fix a memory leak on authority changes

Signed-off-by: Rui Matos <tiagomatos@gmail.com>

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=99741
0.113/Port internals non deprecated PolkitProcess API wher.patch | (download)

src/polkit/polkitpermission.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 port internals to non-deprecated polkitprocess api where possible

We can't port everything, but in PolkitPermission and these test
cases, we can use _for_owner() with the right information.

[smcv: drop the part that touches
test/polkitbackend/test-polkitbackendjsauthority.c which is not
in this branch]

0.113/pkexec Work around systemd injecting broken XDG_RUNT.patch | (download)

src/programs/pkexec.c | 33 30 + 3 - 0 !
1 file changed, 30 insertions(+), 3 deletions(-)

 pkexec: work around systemd injecting broken xdg_runtime_dir

This workaround isn't too much code, and it's often better to fix bugs
in two places anyways.

For more information:

See https://bugzilla.redhat.com/show_bug.cgi?id=753882
See http://lists.freedesktop.org/archives/systemd-devel/2013-November/014370.html

0.113/03_PolkitAgentSession fix race between child and io wat.patch | (download)

src/polkitagent/polkitagentsession.c | 47 11 + 36 - 0 !
1 file changed, 11 insertions(+), 36 deletions(-)

 polkitagentsession: fix race between child and io watches

The helper flushes and fdatasyncs stdout and stderr before terminating
but this doesn't guarantee that our io watch is called before our
child watch. This means that we can end up with a successful return
from the helper which we still report as a failure.

If we add G_IO_HUP and G_IO_ERR to the conditions we look for in the
io watch and the child terminates we still run the io watch handler
which will complete the session.

This means that the child watch is in fact needless and we can remove
it.

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=60847
0.113/polkitd Fix problem with removing non existent sourc.patch | (download)

src/polkitd/main.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 polkitd: fix problem with removing non-existent source

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=77167
0.113/PolkitSystemBusName Add public API to retrieve Unix .patch | (download)

src/polkit/polkitsystembusname.c | 56 56 + 0 - 0 !
src/polkit/polkitsystembusname.h | 4 4 + 0 - 0 !
src/polkitbackend/polkitbackendsessionmonitor-systemd.c | 20 1 + 19 - 0 !
src/polkitbackend/polkitbackendsessionmonitor.c | 20 1 + 19 - 0 !
4 files changed, 62 insertions(+), 38 deletions(-)

 polkitsystembusname: add public api to retrieve unix user

And change the duplicated code in the backend session monitors to use
it.  This is just a code cleanup resulting from review after
CVE-2013-4288.  There's no security impact from this patch, it just
removes duplicated code.

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=69538
0.113/Fixed compilation problem in the backend.patch | (download)

src/polkitbackend/polkitbackendsessionmonitor.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 fixed compilation problem in the backend

0.113/Don t discard error data returned by polkit_system_b.patch | (download)

src/polkitbackend/polkitbackendsessionmonitor.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 don't discard error data returned by
 polkit_system_bus_name_get_user_sync

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=71458
0.113/sessionmonitor systemd Deduplicate code paths.patch | (download)

src/polkitbackend/polkitbackendsessionmonitor-systemd.c | 63 22 + 41 - 0 !
1 file changed, 22 insertions(+), 41 deletions(-)

 sessionmonitor-systemd: deduplicate code paths

We had the code to go from pid -> session duplicated.  If we have a
PolkitSystemBusName, convert it to a PolkitUnixProcess.
Then we can do PolkitUnixProcess -> pid -> session in one place.

This is just a code cleanup.

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=69538
0.113/PolkitSystemBusName Retrieve both pid and uid.patch | (download)

src/polkit/polkitsystembusname.c | 171 118 + 53 - 0 !
1 file changed, 118 insertions(+), 53 deletions(-)

 polkitsystembusname: retrieve both pid and uid

For polkit_system_bus_name_get_process_sync(), as pointed out by
Miloslav Trmac, we can securely retrieve the owner uid as well from
the system bus, rather than (racily) looking it up internally.

This avoids use of a deprecated API.

However, this is not a security fix because nothing in the polkit
codebase itself actually retrieves the uid from the result of this API
call.  But, it might be useful in the future.

0.113/sessionmonitor systemd prepare for D Bus user bus mo.patch | (download)

configure.ac | 4 4 + 0 - 0 !
src/polkitbackend/polkitbackendsessionmonitor-systemd.c | 29 24 + 5 - 0 !
2 files changed, 28 insertions(+), 5 deletions(-)

 sessionmonitor-systemd: prepare for d-bus "user bus" model

In the D-Bus "user bus" model, all sessions of a user share the same
D-Bus instance, so a polkit requesting process might live outside the
login session which registered the user's polkit agent.

In case a polkit requesting process is not part of the user's login
session, we ask systemd-logind for the user's "display" session
instead.

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=78905
Bug-Debian: https://bugs.debian.org/779988
0.113/Refuse duplicate user arguments to pkexec.patch | (download)

src/programs/pkexec.c | 5 5 + 0 - 0 !
1 file changed, 5 insertions(+)

 refuse duplicate --user arguments to pkexec

This usage is clearly erroneous, so we should tell the users they are
making a mistake.

Besides, this allows an attacker to cause a high number of heap
allocations with attacker-controlled sizes (
http://googleprojectzero.blogspot.cz/2014/08/the-poisoned-nul-byte-2014-edition.html
), making some exploits easier.

(To be clear, this is not a pkexec vulnerability, and we will not
refuse attacker-affected malloc() usage as a matter of policy; but this
commit is both user-friendly and adding some hardening.)

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=83093
0.113/00git_fix_memleak.patch | (download)

src/polkit/polkitauthority.c | 1 0 + 1 - 0 !
1 file changed, 1 deletion(-)

 authority: fix memory leak in enumerateactions call results handler

Policykit-1 doesn't release reference counters of GVariant data for the
org.freedesktop.PolicyKit1.Authority.EnumerateActions dbus call.  This
patch fixes the reference counting and the resulting memory leak.

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=88288
0.113/00git_invalid_object_paths.patch | (download)

src/polkitbackend/polkitbackendinteractiveauthority.c | 53 30 + 23 - 0 !
1 file changed, 30 insertions(+), 23 deletions(-)

 cve-2015-3218: backend: handle invalid object paths in
 RegisterAuthenticationAgent

Properly propagate the error, otherwise we dereference a `NULL`
pointer.  This is a local, authenticated DoS.

`RegisterAuthenticationAgentWithOptions` and
`UnregisterAuthentication` have been validated to not need changes for
this.

http://lists.freedesktop.org/archives/polkit-devel/2015-May/000420.html

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=90829
Bug-Debian: https://bugs.debian.org/787932
Reported-by: Tavis Ormandy <taviso@google.com>
0.113/sessionmonitor systemd Use sd_uid_get_state to check.patch | (download)

src/polkitbackend/polkitbackendsessionmonitor-systemd.c | 33 32 + 1 - 0 !
1 file changed, 32 insertions(+), 1 deletion(-)

 sessionmonitor-systemd: use sd_uid_get_state() to check session
 activity

Instead of using sd_pid_get_session() then sd_session_is_active() to
determine whether the user is active, use sd_uid_get_state() directly.
This gets the maximum of the states of all the user’s sessions, rather
than the state of the session containing the subject process. Since the
user is the security boundary, this is fine.

This change is necessary for `systemd --user` sessions, where most user
code will be forked off user@.service, rather than running inside the
logind session (whether that be a foreground/active or background/online
session).

Policy-wise, the change is from checking whether the subject process is
in an active session; to checking whether the subject process is owned
by a user with at least one active session.

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=76358
0.113/Fix a possible NULL dereference.patch | (download)

src/polkitbackend/polkitbackendinteractiveauthority.c | 6 5 + 1 - 0 !
1 file changed, 5 insertions(+), 1 deletion(-)

 fix a possible null dereference.

polkit_backend_session_monitor_get_user_for_subject() may return NULL
(and because it is using external processes, we can’t really rule it
out).  The code was already anticipating NULL in the cleanup section, so
handle it also when actually using the value.

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=80767
0.113/Remove a redundant assignment.patch | (download)

src/polkitagent/polkitagenthelper-pam.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 remove a redundant assignment.

Instead of a nonsensical (data = data), use the more customary
((void)data) to silence the warning about an unused parameter.

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=80767
0.113/Fix duplicate GError use when uid is missing.patch | (download)

src/polkit/polkitsubject.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 fix duplicate gerror use when "uid" is missing

Some GLib versions complain loudly about this.

To reproduce, call e.g. RegisterAuthenticationAgent with the following
parameters:
("unix-process", {"pid": __import__('gi.repository.GLib', globals(),
locals(), ['Variant']).Variant("u", 1), "start-time":
__import__('gi.repository.GLib', globals(), locals(),
['Variant']).Variant("t", 1)}), "cs", "/"

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=90877
0.113/Fix a crash when two authentication requests are in .patch | (download)

src/polkitagent/polkitagenttextlistener.c | 2 0 + 2 - 0 !
1 file changed, 2 deletions(-)

 fix a crash when two authentication requests are in flight.

To reproduce:
1. pkttyagent -p $$ # or another suitable PID
2. pkcheck -p $that_pid -a org.freedesktop.policykit.exec -u
3. pkcheck -p $that_pid -a org.freedesktop.policykit.exec -u
4. Then, in the pkttyagent prompt, press Enter.

polkit_agent_text_listener_initiate_authentication was already setting
an appropriate error code, so the g_assert was unnecessary.

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=90879
0.113/CVE 2015 4625 Use unpredictable cookie values keep t.patch | (download)

configure.ac | 2 1 + 1 - 0 !
src/polkitagent/polkitagenthelper-pam.c | 12 9 + 3 - 0 !
src/polkitagent/polkitagenthelper-shadow.c | 12 9 + 3 - 0 !
src/polkitagent/polkitagenthelperprivate.c | 33 33 + 0 - 0 !
src/polkitagent/polkitagenthelperprivate.h | 2 2 + 0 - 0 !
src/polkitagent/polkitagentsession.c | 30 16 + 14 - 0 !
src/polkitbackend/polkitbackendinteractiveauthority.c | 99 80 + 19 - 0 !
7 files changed, 150 insertions(+), 40 deletions(-)

 cve-2015-4625: use unpredictable cookie values, keep them secret

Tavis noted that it'd be possible with a 32 bit counter for someone to
cause the cookie to wrap by creating Authentication requests in a
loop.

Something important to note here is that wrapping of signed integers
is undefined behavior in C, so we definitely want to fix that.  All
counter integers used in this patch are unsigned.

See the comment above `authentication_agent_generate_cookie` for
details, but basically we're now using a cookie of the form:

```
        <agent serial> - <agent random id> - <session serial> - <session random id>
```

Which has multiple 64 bit counters, plus unpredictable random 128 bit
integer ids (effectively UUIDs, but we're not calling them that
because we don't need to be globally unique).

We further ensure that the cookies are not visible to other processes
by changing the setuid helper to accept them over standard input.  This
means that an attacker would have to guess both ids.

In any case, the security hole here is better fixed with the other
change to bind user id (uid) of the agent with cookie lookups, making
cookie guessing worthless.

Nevertheless, I think it's worth doing this change too, for defense in
depth.

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=90832
CVE: CVE-2015-4625
Reported-by: Tavis Ormandy <taviso@google.com>
0.113/CVE 2015 4625 Bind use of cookies to specific uids.patch | (download)

data/org.freedesktop.PolicyKit1.AuthenticationAgent.xml | 14 13 + 1 - 0 !
data/org.freedesktop.PolicyKit1.Authority.xml | 24 23 + 1 - 0 !
docs/polkit/docbook-interface-org.freedesktop.PolicyKit1.Authority.xml | 46 45 + 1 - 0 !
docs/polkit/overview.xml | 18 10 + 8 - 0 !
src/polkit/polkitauthority.c | 13 11 + 2 - 0 !
src/polkitbackend/polkitbackendauthority.c | 61 60 + 1 - 0 !
src/polkitbackend/polkitbackendauthority.h | 2 2 + 0 - 0 !
src/polkitbackend/polkitbackendinteractiveauthority.c | 39 34 + 5 - 0 !
8 files changed, 198 insertions(+), 19 deletions(-)

 cve-2015-4625: bind use of cookies to specific uids

http://lists.freedesktop.org/archives/polkit-devel/2015-June/000425.html

The "cookie" value that Polkit hands out is global to all polkit
users.  And when `AuthenticationAgentResponse` is invoked, we
previously only received the cookie and *target* identity, and
attempted to find an agent from that.

The problem is that the current cookie is just an integer
counter, and if it overflowed, it would be possible for
a successful authorization in one session to trigger a response
in another session.

The overflow and ability to guess the cookie were fixed by the
previous patch.

This patch is conceptually further hardening on top of that.  Polkit
currently treats uids as equivalent from a security domain
perspective; there is no support for
0.113/docs Update for changes to uid binding Authenticatio.patch | (download)

data/org.freedesktop.PolicyKit1.AuthenticationAgent.xml | 6 3 + 3 - 0 !
data/org.freedesktop.PolicyKit1.Authority.xml | 11 7 + 4 - 0 !
docs/polkit/docbook-interface-org.freedesktop.PolicyKit1.AuthenticationAgent.xml | 7 5 + 2 - 0 !
docs/polkit/docbook-interface-org.freedesktop.PolicyKit1.Authority.xml | 12 8 + 4 - 0 !
docs/polkit/overview.xml | 8 4 + 4 - 0 !
src/polkit/polkitauthority.c | 24 22 + 2 - 0 !
src/polkitagent/polkitagentlistener.c | 5 1 + 4 - 0 !
src/polkitbackend/polkitbackendauthority.c | 1 1 + 0 - 0 !
8 files changed, 51 insertions(+), 23 deletions(-)

 docs: update for changes to uid binding/authenticationagentresponse2

 - Refer to PolkitAgentSession in general instead of to _response only
 - Revert to the original description of authentication cancellation, the
   agent really needs to return an error to the caller (in addition to dealing
   with the session if any).
 - Explicitly document the UID assumption; in the process fixing bug #69980.
 - Keep documenting that we need a sufficiently privileged caller.
 - Refer to the ...Response2 API in more places.
 - Also update docbook documentation.
 - Drop a paragraph suggesting non-PolkitAgentSession implementations are
   expected and commonplace.

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=90837
0.113/Fix a per authorization memory leak.patch | (download)

src/polkitbackend/polkitbackendauthority.c | 1 1 + 0 - 0 !
src/polkitbackend/polkitbackendinteractiveauthority.c | 5 4 + 1 - 0 !
2 files changed, 5 insertions(+), 1 deletion(-)

 fix a per-authorization memory leak

We were leaking PolkitAuthorizationResult on every request, primarily on
the success path, but also on various error paths as well.

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=69501
0.113/Fix a memory leak when registering an authentication.patch | (download)

src/polkitbackend/polkitbackendauthority.c | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 fix a memory leak when registering an authentication agent

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=69501
0.113/CVE 2015 3255 Fix GHashTable usage.patch | (download)

src/polkitbackend/polkitbackendactionpool.c | 8 3 + 5 - 0 !
1 file changed, 3 insertions(+), 5 deletions(-)

 cve-2015-3255 fix ghashtable usage.

Don't assume that the hash table will free both the key and the value
at the same time, supply proper deallocation functions for the key
and value separately.

Then drop ParsedAction::action_id which is no longer used for anything.

https://bugs.freedesktop.org/show_bug.cgi?id=69501
and
https://bugs.freedesktop.org/show_bug.cgi?id=83590

CVE: CVE-2015-3255
0.113/Fix use after free in polkitagentsession.c.patch | (download)

src/polkitagent/polkitagentsession.c | 3 2 + 1 - 0 !
1 file changed, 2 insertions(+), 1 deletion(-)

 fix use-after-free in polkitagentsession.c

PolkitAgentTextListener's "completed" handler drops the last reference
to the session; in fact this is explicitly recommended in the signal's
documentation.  So we must not access any members of session after
emitting the signal.

Found while dealing with
https://bugs.freedesktop.org/show_bug.cgi?id=69501

0.113/README Note to send security reports via DBus s mech.patch | (download)

README | 18 17 + 1 - 0 !
1 file changed, 17 insertions(+), 1 deletion(-)

 readme: note to send security reports via dbus's mechanism

This avoids duplicating effort.

0.114/Fix multi line pam text info.patch | (download)

src/polkitagent/polkitagenthelper-pam.c | 13 9 + 4 - 0 !
1 file changed, 9 insertions(+), 4 deletions(-)

 fix multi-line pam text info.

There are pam modules (e.g. pam_vas) that may attempt to display multi-line
PAM_TEXT_INFO messages. Polkit was interpreting the lines after the first one
as a separate message that was not recognized causing the authorization
to fail. Escaping these strings and unescaping them fixes the issue.

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=92886
0.114/Refactor send_to_helper usage.patch | (download)

src/polkitagent/polkitagenthelper-pam.c | 81 26 + 55 - 0 !
1 file changed, 26 insertions(+), 55 deletions(-)

 refactor send_to_helper usage

There were duplicated pieces of code detecting EOLs and escaping the code.
Those actions have been delegated to the already-existing send_to_helper function.

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=92886
0.114/Add gettext support for .policy files.patch | (download)

data/Makefile.am | 5 5 + 0 - 0 !
data/polkit.its | 7 7 + 0 - 0 !
data/polkit.loc | 6 6 + 0 - 0 !
3 files changed, 18 insertions(+)

 add gettext support for .policy files

gettext can extract strings from and merge them back into xml
file formats, with the help of .its files.

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=96940
0.114/gettext switch to default translate no.patch | (download)

data/polkit.its | 5 3 + 2 - 0 !
1 file changed, 3 insertions(+), 2 deletions(-)

 gettext: switch to default-translate "no"

The default appears to be to translate all entries. This rule never takes
effect, the path to /action/message and /action/description is wrong (/action
is not a root node). Since we wanted them to be translated, it doesn't matter.

But it also translates all other tags (vendor, allow_any, etc.) and that
causes polkit to be unhappy, since it can't handle the various language
versions of "no":

** (polkitd:27434): WARNING **: Unknown PolkitImplicitAuthorization string
'tidak'

Switch to a default of "no" and explicitly include the message and description
strings to be translated.

The patch was modified for PolicyKit by Ondrej Holy <oholy@redhat.com>.

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98366
0.114/Support polkit session agent running outside user session.patch | (download)

src/polkit/polkitunixsession-systemd.c | 14 14 + 0 - 0 !
1 file changed, 14 insertions(+)

 support polkit session agent running outside user session

commit a68f5dfd7662767b7b9822090b70bc5bd145c50c made
session applications that are running from a user bus
work with polkitd, by falling back to using the currently
active session.

This commit is similar, but for the polkit agent.  It allows a polkit
agent to be run from a systemd --user service that's not running
directly in the user's session.

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=96977
0.115/Fix CVE 2018 1116 Trusting client supplied UID.patch | (download)

src/polkit/polkitprivate.h | 2 2 + 0 - 0 !
src/polkit/polkitunixprocess.c | 60 50 + 10 - 0 !
src/polkitbackend/polkitbackendinteractiveauthority.c | 39 25 + 14 - 0 !
src/polkitbackend/polkitbackendsessionmonitor-systemd.c | 38 34 + 4 - 0 !
src/polkitbackend/polkitbackendsessionmonitor.c | 40 35 + 5 - 0 !
src/polkitbackend/polkitbackendsessionmonitor.h | 1 1 + 0 - 0 !
6 files changed, 147 insertions(+), 33 deletions(-)

 fix cve-2018-1116: trusting client-supplied uid

As part of CVE-2013-4288, the D-Bus clients were allowed (and
encouraged) to submit the UID of the subject of authorization checks
to avoid races against UID changes (notably using executables
set-UID to root).

However, that also allowed any client to submit an arbitrary UID, and
that could be used to bypass "can only ask about / affect the same UID"
checks in CheckAuthorization / RegisterAuthenticationAgent /
UnregisterAuthenticationAgent.  This allowed an attacker:

- With CheckAuthorization, to cause the registered authentication
  agent in victim's session to pop up a dialog, or to determine whether
  the victim currently has a temporary authorization to perform an
  operation.

  (In principle, the attacker can also determine whether JavaScript
  rules allow the victim process to perform an operation; however,
  usually rules base their decisions on information determined from
  the supplied UID, so the attacker usually won't learn anything new.)

- With RegisterAuthenticationAgent, to prevent the victim's
  authentication agent from working (for a specific victim process),
  or to learn about which operations requiring authorization
  the victim is attempting.

To fix this, expose internal _polkit_unix_process_get_owner() /
obsolete polkit_unix_process_get_owner() as a private
polkit_unix_process_get_racy_uid__() (being more explicit about the
dangers of relying on it), and use it in
polkit_backend_session_monitor_get_user_for_subject() to return
a boolean indicating whether the subject UID may be caller-chosen.

Then, in the permission checks that require the subject to be
equal to the caller, fail on caller-chosen UIDs (and continue
through the pre-existing code paths which allow root, or root-designated
server processes, to ask about arbitrary subjects.)

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
0.116/Possible resource leak found by static analyzer.patch | (download)

src/polkitagent/polkitagentlistener.c | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 possible resource leak found by static analyzer

0.116/Elaborate message printed by polkit when disconnecting fr.patch | (download)

src/polkitagent/polkitagentlistener.c | 12 6 + 6 - 0 !
1 file changed, 6 insertions(+), 6 deletions(-)

 elaborate message printed by polkit when disconnecting from ssh

Polkit raises an unnecessarily elaborate warning message when the user restarts the machine from ssh.
This message was moved to debug mode.

0.116/Error message raised on every systemctl start in emergenc.patch | (download)

src/programs/pkttyagent.c | 3 2 + 1 - 0 !
1 file changed, 2 insertions(+), 1 deletion(-)

 error message raised on every 'systemctl start' in emergency.target

The superuser should know that polkit is not running in emergency.target.
If not, basic info with debug sources is offered instead of an error message.
Other use cases are taken into account.

0.116/Fix a critical warning on calling polkit_permission_new_s.patch | (download)

src/polkit/polkitpermission.c | 11 7 + 4 - 0 !
1 file changed, 7 insertions(+), 4 deletions(-)

 fix a critical warning on calling polkit_permission_new_sync with no
 system bus

0.116/Allow negative uids gids in PolkitUnixUser and Group obje.patch | (download)

src/polkit/polkitunixgroup.c | 15 11 + 4 - 0 !
src/polkit/polkitunixprocess.c | 12 8 + 4 - 0 !
src/polkit/polkitunixuser.c | 13 10 + 3 - 0 !
3 files changed, 29 insertions(+), 11 deletions(-)

 allow negative uids/gids in polkitunixuser and group objects

(uid_t) -1 is still used as a placeholder to mean "unset". This is OK, since
there should be no users with such a number, see
https://systemd.io/UIDS-GIDS#special-linux-uids.

(uid_t) -1 is used as the default value in class initialization.

When a user or group above INT32_MAX is created, the numeric uid or
gid wraps around to negative when the value is assigned to gint, and
polkit gets confused. Let's accept such gids, except for -1.

A nicer fix would be to change the underlying type to e.g. uint32 to
not have negative values. But this cannot be done without breaking the
API, so likely new functions will have to be added (a
polkit_unix_user_new variant that takes an unsigned, and the same for
_group_new, _set_uid, _get_uid, _set_gid, _get_gid, etc.). This will
require a bigger patch.

Fixes https://gitlab.freedesktop.org/polkit/polkit/issues/74.

(cherry picked from commit 2cb40c4d5feeaa09325522bd7d97910f1b59e379)

0.116/tests add tests for high uids.patch | (download)

test/data/etc/group | 1 1 + 0 - 0 !
test/data/etc/passwd | 2 2 + 0 - 0 !
test/data/etc/polkit-1/localauthority/10-test/com.example.pkla | 13 13 + 0 - 0 !
test/polkitbackend/polkitbackendlocalauthoritytest.c | 41 40 + 1 - 0 !
4 files changed, 56 insertions(+), 1 deletion(-)

 tests: add tests for high uids

Modified by Marc Deslauriers for polkit 105

(cherry picked from commit b534a10727455409acd54018a9c91000e7626126)

0.116/backend Compare PolkitUnixProcess uids for temporary auth.patch | (download)

src/polkit/polkitsubject.c | 2 2 + 0 - 0 !
src/polkit/polkitunixprocess.c | 71 70 + 1 - 0 !
src/polkitbackend/polkitbackendinteractiveauthority.c | 39 38 + 1 - 0 !
3 files changed, 110 insertions(+), 2 deletions(-)

 backend: compare polkitunixprocess uids for temporary authorizations

It turns out that the combination of `(pid, start time)` is not
enough to be unique.  For temporary authorizations, we can avoid
separate users racing on pid reuse by simply comparing the uid.

https://bugs.chromium.org/p/project-zero/issues/detail?id=1692

And the above original email report is included in full in a new comment.

Reported-by: Jann Horn <jannh@google.com>

Bug: https://gitlab.freedesktop.org/polkit/polkit/issues/75

0.116/Allow uid of 1 for a PolkitUnixProcess.patch | (download)

src/polkit/polkitunixprocess.c | 9 2 + 7 - 0 !
1 file changed, 2 insertions(+), 7 deletions(-)

 allow uid of -1 for a polkitunixprocess

Commit 2cb40c4d5 changed PolkitUnixUser, PolkitUnixGroup, and
PolkitUnixProcess to allow negative values for their uid/gid properties,
since these are values above INT_MAX which wrap around but are still
valid, with the exception of -1 which is not valid. However,
PolkitUnixProcess allows a uid of -1 to be passed to
polkit_unix_process_new_for_owner() which means polkit is expected to
figure out the uid on its own (this happens in the _constructed
function). So this commit removes the check in
polkit_unix_process_set_property() so that new_for_owner() can be used
as documented without producing a critical error message.

This does not affect the protection against CVE-2018-19788 which is
based on creating a user with a UID up to but not including 4294967295
(-1).
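The wraparound described in the two entries above (a uid above INT32_MAX turning negative when stored in a gint, with only (uid_t) -1 reserved as the "unset" placeholder, and PolkitUnixProcess treating -1 as "look the owner up"), shown as an added C example that is not code from polkit or from this patch series. The types are stand-ins for uid_t and gint, and resolve_process_uid is a hypothetical helper standing in for the lookup the _constructed function performs.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-ins for the real types (assumption: Linux, where uid_t is a 32-bit
 * unsigned integer and GLib's gint is a 32-bit signed integer). */
typedef uint32_t uid_t_;
typedef int32_t  gint_;

/* The "unset" placeholder the commit messages refer to: (uid_t) -1. */
#define UID_UNSET ((uid_t_) -1)          /* 4294967295 */

/* Storing a uid in a gint property: values above INT32_MAX wrap negative
 * (two's complement conversion, as on every platform polkit runs on). */
static gint_ uid_to_gint(uid_t_ uid) { return (gint_) uid; }

/* Reading the property back recovers the original uid unchanged. */
static uid_t_ gint_to_uid(gint_ value) { return (uid_t_) value; }

/* Validation before the fix: every negative gint was refused, so any uid
 * above INT32_MAX was rejected and polkit "got confused". */
static bool uid_valid_before_fix(gint_ value) { return value >= 0; }

/* Validation after the fix: only the -1 placeholder is refused; any other
 * negative value is a legitimate high uid that wrapped on assignment. */
static bool uid_valid_after_fix(gint_ value) { return value != -1; }

/* PolkitUnixProcess semantics (hypothetical helper): a uid of -1 means
 * "determine the owner yourself", so it is accepted and replaced by the
 * owner looked up from the process, here supplied by the caller. */
static uid_t_ resolve_process_uid(gint_ requested, uid_t_ owner_from_proc)
{
    return requested == -1 ? owner_from_proc : gint_to_uid(requested);
}

int main(void)
{
    uid_t_ high = 4000000000u;            /* constructed uid above INT32_MAX */
    gint_ stored = uid_to_gint(high);

    printf("uid %u stored as gint %d, round-trips to %u\n",
           high, stored, gint_to_uid(stored));
    printf("before fix: %s, after fix: %s\n",
           uid_valid_before_fix(stored) ? "accepted" : "rejected",
           uid_valid_after_fix(stored) ? "accepted" : "rejected");
    printf("(uid_t)-1 as gint %d: %s\n", uid_to_gint(UID_UNSET),
           uid_valid_after_fix(uid_to_gint(UID_UNSET)) ? "accepted" : "rejected");
    printf("process uid -1 resolves to owner %u\n", resolve_process_uid(-1, 1000u));
    return 0;
}
```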

0.116/pkttyagent PolkitAgentTextListener leaves echo tty disabl.patch | (download)

src/programs/pkttyagent.c | 57 57 + 0 - 0 !
1 file changed, 57 insertions(+)

 pkttyagent: polkitagenttextlistener leaves echo tty disabled if
 SIGINT/SIGTERM

If no password is typed into the terminal during authentication raised by PolkitAgentTextListener, pkttyagent gets a kill (which it receives from e.g. systemctl/hostnamectl) without a chance to restore echoing back on. This cannot be done in on_request() since it is run in a thread without a guarantee that the signal is delivered there.

01_pam_polkit.patch | (download)

data/polkit-1.in | 10 6 + 4 - 0 !
1 file changed, 6 insertions(+), 4 deletions(-)

 use debian's common-* pam infrastructure, plus pam_env

02_gettext.patch | (download)

src/polkitbackend/polkitbackendactionpool.c | 49 49 + 0 - 0 !
1 file changed, 49 insertions(+)

 use gettext for translations in .policy files

Bug: http://bugs.freedesktop.org/show_bug.cgi?id=29639
Bug-Ubuntu: https://launchpad.net/bugs/619632

05_revert admin identities unix group wheel.patch | (download)

src/polkitbackend/50-localauthority.conf | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 revert "default to adminidentities=unix-group:wheel for local
 authority"

This reverts commit 763faf434b445c20ae9529100d3ef5290976d0c9.

On Red Hat derivatives, every member of group 'wheel' is necessarily
privileged. On Debian derivatives, there is no wheel group, and gid 0
(root) is not used in this way. Change the default rule to consider
uid 0 to be privileged, instead.

On Red Hat derivatives, 50-default.rules is not preserved by upgrades;
on dpkg-based systems, it is a proper conffile and may be edited
(at the sysadmin's own risk), so the comment about not editing it is
misleading.

[smcv: added longer explanation of why we make this change;
remove unrelated cosmetic change to a man page]

06_systemd service.patch | (download)

data/org.freedesktop.PolicyKit1.service.in | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 install systemd service file for polkitd.

10_build against libsystemd.patch | (download)

configure.ac | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 build against libsystemd

Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779756

Move D Bus policy file to usr share dbus 1 system.d.patch | (download)

data/Makefile.am | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 move d-bus policy file to /usr/share/dbus-1/system.d/

To better support stateless systems with an empty /etc, the old location
in /etc/dbus-1/system.d/ should only be used for local admin changes.
Package provided D-Bus policy files are supposed to be installed in
/usr/share/dbus-1/system.d/.

This is supported since dbus 1.9.18.

https://lists.freedesktop.org/archives/dbus/2015-July/016746.html

https://gitlab.freedesktop.org/polkit/polkit/merge_requests/11

Statically link libpolkit backend1 into polkitd.patch | (download)

configure.ac | 1 0 + 1 - 0 !
data/Makefile.am | 2 1 + 1 - 0 !
data/polkit-backend-1.pc.in | 11 0 + 11 - 0 !
docs/man/polkit.xml | 6 0 + 6 - 0 !
docs/polkit/Makefile.am | 3 0 + 3 - 0 !
docs/polkit/polkit-1-docs.xml | 7 0 + 7 - 0 !
docs/polkit/polkit-1-sections.txt | 80 0 + 80 - 0 !
docs/polkit/polkit-1.types | 9 0 + 9 - 0 !
src/polkitbackend/Makefile.am | 13 1 + 12 - 0 !
9 files changed, 2 insertions(+), 130 deletions(-)

 statically link libpolkit-backend1 into polkitd

Nothing else in Debian depends on that library: in principle it was
meant to be used for pluggable polkit backends, but those never actually
happened, and the library's API was never declared stable.

Similar to part of 0f830c76 "Nuke polkitbackend library, localauthority
backend and extension system" upstream.

Signed-off-by: Simon McVittie <smcv@debian.org>