polkit CheckAuthorization: fix race condition in privilege authorization
The unix-process authorization subject is deprecated (https://www.freedesktop.org/software/polkit/docs/latest/PolkitUnixProcess.html#polkit-unix-process-new) as it is subject to a race condition: a client process requesting authorization can replace itself with a suid or otherwise root-owned executable, thus granting the original non-privileged request privileges.

See also:
https://bugzilla.redhat.com/show_bug.cgi?id=1002375
https://github.com/Kabot/Unix-Privilege-Escalation-Exploits-Pack/blob/master/2011/CVE-2011-1485/polkit-pwnage.c

Polkit now uses the real uid of the process, thus mitigating the exploit using suid binaries. It is still possible, however, to exit the client process and try to get a root program to obtain the same PID. In the worst case this would allow an unauthenticated user to get backintime or some other program executed as the root user via udev rules.
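The PID-reuse race described in the commit message is what the polkit `unix-process` subject's `start-time` and `uid` properties exist to close: a process that exits and is replaced by a root-owned process with the same PID has a different start time, and an exec() of a suid binary keeps the same real uid. The block below is an added example, not code from backintime or polkit. It builds the pid/start-time/uid subject triple from a `/proc/<pid>/stat` line (field layout from proc(5)) and re-checks it after the authorization round-trip; the stat lines at the bottom are constructed, not captured from a real system. For a D-Bus service the simpler fix polkit recommends is the `system-bus-name` subject, since the bus itself guarantees the name maps to the live connection.

```python
"""
Added example, not code from backintime or polkit: pin a polkit
"unix-process" subject to PID, process start time and real uid, then
re-check it after the authorization round-trip so that a client that
exited and let a root-owned process reuse its PID is rejected.
Field positions follow /proc/<pid>/stat as documented in proc(5);
the stat lines at the bottom are constructed for illustration.
"""
from typing import Dict, Tuple

Subject = Tuple[str, Dict[str, int]]


def parse_stat(stat_line: str) -> Dict[str, object]:
    """Parse one /proc/<pid>/stat line.

    comm (field 2) is wrapped in parentheses and may itself contain
    spaces or ')', so split on the LAST ')' instead of on whitespace;
    a naive split() lets a process named 'x) R 1 ...' shift every
    later field, including the start time we rely on.
    """
    head, sep, tail = stat_line.rpartition(")")
    if not sep:
        raise ValueError("malformed stat line: no ')'")
    pid_str, _, comm = head.partition("(")
    fields = tail.split()
    # fields[0] is 'state' (field 3 in proc(5)); starttime is field 22,
    # so its index here is 22 - 3 = 19.  It is in clock ticks since boot
    # and is preserved across exec(), so it identifies the *process*,
    # not the program image.
    if len(fields) < 20:
        raise ValueError("malformed stat line: too few fields")
    return {
        "pid": int(pid_str.strip()),
        "comm": comm,
        "state": fields[0],
        "starttime": int(fields[19]),
    }


def make_subject(pid: int, stat_line: str, real_uid: int) -> Subject:
    """Build the D-Bus form of a polkit unix-process subject carrying
    pid, start-time and uid (the triple polkit_unix_process_new_for_owner
    takes) rather than the deprecated pid-only form."""
    info = parse_stat(stat_line)
    if info["pid"] != pid:
        raise ValueError("stat line does not belong to pid %d" % pid)
    return ("unix-process",
            {"pid": pid, "start-time": info["starttime"], "uid": real_uid})


def subject_still_valid(subject: Subject, stat_line_now: str,
                        real_uid_now: int) -> bool:
    """Re-check the subject after CheckAuthorization returned.

    - a different start-time means the original process exited and the
      PID was recycled (possibly by a root-owned program);
    - a different real uid means the caller is no longer who we
      authorized.  exec() of a suid binary keeps pid and start-time but
      also keeps the real uid, which is why the real uid is what counts.
    """
    kind, props = subject
    if kind != "unix-process":
        return False
    try:
        now = parse_stat(stat_line_now)
    except ValueError:
        return False
    return (now["pid"] == props["pid"]
            and now["starttime"] == props["start-time"]
            and real_uid_now == props["uid"])


def read_proc_stat(pid: int) -> str:
    """Read the live stat line (Linux only); not used by the demo below."""
    with open("/proc/%d/stat" % pid) as fh:
        return fh.read()


# Constructed sample lines (not captured from a real system).  Field 22
# (starttime) is 123456 in the first and 987654 in the second; the comm
# of the first deliberately contains ')' and spaces.
STAT_CLIENT = ("4242 (back:) in time) S 1 4242 4242 0 -1 4194304 100 0 0 0 "
               "1 1 0 0 20 0 1 0 123456 9876 1234 18446744073709551615 0 0")
STAT_REUSED = ("4242 (udevadm) S 1 4242 4242 0 -1 4194304 100 0 0 0 "
               "1 1 0 0 20 0 1 0 987654 9876 1234 18446744073709551615 0 0")


if __name__ == "__main__":
    subj = make_subject(4242, STAT_CLIENT, real_uid=1000)
    print(subj)
    print("same process:", subject_still_valid(subj, STAT_CLIENT, 1000))
    print("pid reused:  ", subject_still_valid(subj, STAT_REUSED, 0))
```

The check has to be applied on both ends: the caller records the triple before sending `CheckAuthorization`, and the authority compares it to the live `/proc` entry before acting on the result. Reading the stat line twice and comparing the start time is the same trick polkit uses internally; the parse-on-last-`)` detail matters because the comm field is attacker-controlled via `prctl(PR_SET_NAME)`.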