polkit CheckAuthorization: fix race condition in privilege authorization
The unix-process authorization subject is deprecated:
https://www.freedesktop.org/software/polkit/docs/latest/PolkitUnixProcess.html#polkit-unix-process-new
as it is subject to a race condition. A client process requesting authorization can replace itself by a suid or otherwise root owned executable, thus granting the original non-privileged request privileges.

See also:
https://bugzilla.redhat.com/show_bug.cgi?id=1002375
https://github.com/Kabot/Unix-Privilege-Escalation-Exploits-Pack/blob/master/2011/CVE-2011-1485/polkit-pwnage.c

Polkit uses the real-uid of the process by now, thus mitigating the exploit using suid binaries. It is still possible, however, to exit the client process and try to get a root program to get the same PID. In worst case this would allow an unauthenticated user to get backintime or some other program to be executed via udev rules as root user.
7f208dc
CVE-2017-7572
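
The PID reuse described in the commit message can be detected by pinning the requester's start time and uid together with its PID and comparing all three later. The following is an added example, not code from this commit or from polkit; `Subject`, `parse_stat`, `pid_only_match` and `same_process` are hypothetical names, and the two `/proc/<pid>/stat` lines are constructed sample data.

```python
from typing import NamedTuple, Tuple

class Subject(NamedTuple):
    """Identity pinned when the request arrives (hypothetical helper type)."""
    pid: int
    start_time: int  # field 22 of /proc/<pid>/stat, in clock ticks since boot
    uid: int

def parse_stat(stat_line: str) -> Tuple[int, int]:
    """Return (pid, starttime) from one /proc/<pid>/stat line.

    comm (field 2) is parenthesised and may contain spaces or ')',
    so split at the LAST ')' rather than on whitespace.
    """
    head, sep, tail = stat_line.rpartition(")")
    if not sep:
        raise ValueError("malformed stat line: no comm field")
    pid = int(head.split("(", 1)[0])
    fields = tail.split()        # fields[0] is field 3 (state)
    return pid, int(fields[19])  # field 22 (starttime) -> index 22 - 3

def pid_only_match(pinned: Subject, stat_line: str) -> bool:
    """What a PID-only subject can see: the number still matches."""
    return parse_stat(stat_line)[0] == pinned.pid

def same_process(pinned: Subject, stat_line: str, uid_now: int) -> bool:
    """True only if pid, start time and uid all equal the pinned values."""
    pid, start = parse_stat(stat_line)
    return Subject(pid, start, uid_now) == pinned

# Constructed sample data: the requesting client, then a different,
# root-owned process that was later assigned the same PID.
TAIL = "S 1 4242 4242 0 -1 4194304 100 0 0 0 5 3 0 0 20 0 1 0 {} 1000000 200"
CLIENT_STAT = "4242 (client) " + TAIL.format(88123)
REUSED_STAT = "4242 (my) prog) " + TAIL.format(91500)

if __name__ == "__main__":
    pinned = Subject(*parse_stat(CLIENT_STAT), uid=1000)
    print(pid_only_match(pinned, REUSED_STAT))      # PID alone cannot tell them apart
    print(same_process(pinned, CLIENT_STAT, 1000))  # original client
    print(same_process(pinned, REUSED_STAT, 0))     # reused PID is rejected
```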