polkit CheckAuthorization: fix race condition in privilege authorization
The unix-process authorization subject is deprecated:

https://www.freedesktop.org/software/polkit/docs/latest/PolkitUnixProcess.html#polkit-unix-process-new

as it is subject to a race condition. A client process requesting
authorization can replace itself by a suid or otherwise root owned
executable, thus granting the original non-privileged request
privileges.

See also:

https://bugzilla.redhat.com/show_bug.cgi?id=1002375
https://github.com/Kabot/Unix-Privilege-Escalation-Exploits-Pack/blob/master/2011/CVE-2011-1485/polkit-pwnage.c

Polkit uses the real-uid of the process by now, thus mitigating the
exploit using suid binaries. It is still possible, however, to exit the
client process and try to get a root program to get the same PID.

In the worst case this would allow an unauthenticated user to get backintime
or some other program to be executed via udev rules as root user.
mgerstner committed Apr 6, 2017
1 parent c689a4d commit 7f208dc
Showing 1 changed file with 1 addition and 7 deletions.
8 changes: 1 addition & 7 deletions qt/serviceHelper.py
Expand Up @@ -282,18 +282,12 @@ def _checkPolkitPrivilege(self, sender, conn, privilege):
# bus, and it does not make sense to restrict operations here
return

info = SenderInfo(sender, conn)

# get peer PID
pid = info.connectionPid()

# query PolicyKit
self._initPolkit()
try:
# we don't need is_challenge return here, since we call with AllowUserInteraction
(is_auth, _, details) = self.polkit.CheckAuthorization(
('unix-process', {'pid': dbus.UInt32(pid, variant_level=1),
'start-time': dbus.UInt64(0, variant_level=1)}),
('system-bus-name', {'name': dbus.String(sender, variant_level=1)}),
privilege, {'': ''}, dbus.UInt32(1), '', timeout=3000)
except dbus.DBusException as e:
if e._dbus_error_name == 'org.freedesktop.DBus.Error.ServiceUnknown':
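Review bot: the new subject tuple in the CheckAuthorization call, ('system-bus-name', {'name': dbus.String(sender, variant_level=1)}), has no comment saying why the bus name is used instead of the peer PID. The rationale exists only in the commit message, so a short comment above the call stating that 'unix-process' is deprecated and racy because of PID reuse would keep a later cleanup from reintroducing it. The check now depends entirely on sender being the unique connection name assigned by the bus; the visible lines do not show where sender comes from, so confirm it is taken from the D-Bus message sender and never from a caller-supplied argument. With the pid = info.connectionPid() lookup gone from this function, check whether SenderInfo is still used elsewhere in qt/serviceHelper.py and remove it if not. Separately, the unchanged except branch reads the private attribute e._dbus_error_name; e.get_dbus_name() is the public accessor in dbus-python.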

1 comment on commit 7f208dc

@carnil carnil commented on 7f208dc Apr 7, 2017
