rpms / rtkit

Clone
Source Code
GIT

Blame SOURCES/0001-SECURITY-Pass-uid-of-caller-to-polkit.patch

c4 c5 c5-plus c6 c6-plus c7 c7-beta c8 c8-beta c9 c9-beta
  1.   c8
  2.   SOURCES
  3.   0001-SECURITY-Pass-uid-of-caller-to-polkit.patch
Blob History Raw
18d201 
From f44c5776b25ca2abd7569fb8532c6aede9b0c6b0 Mon Sep 17 00:00:00 2001
18d201 
From: Colin Walters <walters@verbum.org>
18d201 
Date: Thu, 22 Aug 2013 16:05:22 -0400
18d201 
Subject: [PATCH] [SECURITY] Pass uid of caller to polkit
18d201
18d201 
Otherwise, we force polkit to look up the uid itself in /proc, which
18d201 
is racy if they execve() a setuid binary.
18d201 
---
18d201 
 rtkit-daemon.c |   11 ++++++++++-
18d201 
 1 files changed, 10 insertions(+), 1 deletions(-)
18d201
18d201 
diff --git a/rtkit-daemon.c b/rtkit-daemon.c
18d201 
index 2ebe673..3ecc1f7 100644
18d201 
--- a/rtkit-daemon.c
18d201 
+++ b/rtkit-daemon.c
18d201 
@@ -1170,12 +1170,14 @@ static int verify_polkit(DBusConnection *c, struct rtkit_user *u, struct process
18d201 
         DBusMessage *m = NULL, *r = NULL;
18d201 
         const char *unix_process = "unix-process";
18d201 
         const char *pid = "pid";
18d201 
+        const char *uid = "uid";
18d201 
         const char *start_time = "start-time";
18d201 
         const char *cancel_id = "";
18d201 
         uint32_t flags = 0;
18d201 
         uint32_t pid_u32 = p->pid;
18d201 
-        uint64_t start_time_u64 = p->starttime;
18d201 
+        uint32_t uid_u32 = (uint32_t)u->uid;
18d201 
         DBusMessageIter iter_msg, iter_struct, iter_array, iter_dict, iter_variant;
18d201 
+        uint64_t start_time_u64 = p->starttime;
18d201 
         int ret;
18d201 
         dbus_bool_t authorized = FALSE;
18d201
18d201 
@@ -1206,6 +1208,13 @@ static int verify_polkit(DBusConnection *c, struct rtkit_user *u, struct process
18d201 
         assert_se(dbus_message_iter_close_container(&iter_dict, &iter_variant));
18d201 
         assert_se(dbus_message_iter_close_container(&iter_array, &iter_dict));
18d201
18d201 
+        assert_se(dbus_message_iter_open_container(&iter_array, DBUS_TYPE_DICT_ENTRY, NULL, &iter_dict));
18d201 
+        assert_se(dbus_message_iter_append_basic(&iter_dict, DBUS_TYPE_STRING, &uid));
18d201 
+        assert_se(dbus_message_iter_open_container(&iter_dict, DBUS_TYPE_VARIANT, "u", &iter_variant));
18d201 
+        assert_se(dbus_message_iter_append_basic(&iter_variant, DBUS_TYPE_UINT32, &uid_u32));
18d201 
+        assert_se(dbus_message_iter_close_container(&iter_dict, &iter_variant));
18d201 
+        assert_se(dbus_message_iter_close_container(&iter_array, &iter_dict));
18d201 
+
18d201 
         assert_se(dbus_message_iter_close_container(&iter_struct, &iter_array));
18d201 
         assert_se(dbus_message_iter_close_container(&iter_msg, &iter_struct));
18d201
18d201 
--
18d201 
1.7.1
18d201

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation