diff --git a/abi_libs b/abi_libs --- a/abi_libs +++ b/abi_libs @@ -1,9 +1,2 @@ libpolkit-agent-1.so.0 libpolkit-gobject-1.so.0 -pk-example-frobnicate -pkaction -pkcheck -pkexec -pkttyagent -polkit-agent-helper-1 -polkitd diff --git a/abi_symbols b/abi_symbols --- a/abi_symbols +++ b/abi_symbols 
@@ -160,91 +160,3 @@ libpolkit-gobject-1.so.0:polkit_unix_user_new libpolkit-gobject-1.so.0:polkit_unix_user_new_for_name libpolkit-gobject-1.so.0:polkit_unix_user_set_uid -pk-example-frobnicate:_IO_stdin_used -pk-example-frobnicate:__bss_start -pk-example-frobnicate:__data_start -pk-example-frobnicate:_edata -pk-example-frobnicate:_end -pk-example-frobnicate:_start -pk-example-frobnicate:main -pkaction:_IO_stdin_used -pkaction:__bss_start -pkaction:__data_start -pkaction:_edata -pkaction:_end -pkaction:_start -pkaction:main -pkcheck:_IO_stdin_used -pkcheck:__bss_start -pkcheck:__data_start -pkcheck:_edata -pkcheck:_end -pkcheck:_start -pkcheck:main -pkexec:_IO_stdin_used -pkexec:__bss_start -pkexec:__data_start -pkexec:_edata -pkexec:_end -pkexec:_start -pkexec:main -pkttyagent:_IO_stdin_used -pkttyagent:__bss_start -pkttyagent:__data_start -pkttyagent:_edata -pkttyagent:_end -pkttyagent:_start -pkttyagent:main -polkit-agent-helper-1:_IO_stdin_used -polkit-agent-helper-1:__bss_start -polkit-agent-helper-1:__data_start -polkit-agent-helper-1:_edata -polkit-agent-helper-1:_end -polkit-agent-helper-1:_polkit_clearenv -polkit-agent-helper-1:_start -polkit-agent-helper-1:flush_and_wait -polkit-agent-helper-1:main -polkit-agent-helper-1:read_cookie -polkit-agent-helper-1:send_dbus_message -polkitd:_IO_stdin_used -polkitd:__bss_start -polkitd:__data_start -polkitd:_edata -polkitd:_end -polkitd:_start -polkitd:main -polkitd:policy_file_free -polkitd:policy_file_new_from_path -polkitd:policy_file_test -polkitd:polkit_backend_action_pool_get_action -polkitd:polkit_backend_action_pool_get_all_actions -polkitd:polkit_backend_action_pool_get_type -polkitd:polkit_backend_action_pool_new -polkitd:polkit_backend_authority_authentication_agent_response -polkitd:polkit_backend_authority_check_authorization -polkitd:polkit_backend_authority_check_authorization_finish -polkitd:polkit_backend_authority_enumerate_actions 
-polkitd:polkit_backend_authority_enumerate_temporary_authorizations -polkitd:polkit_backend_authority_get -polkitd:polkit_backend_authority_get_features -polkitd:polkit_backend_authority_get_name -polkitd:polkit_backend_authority_get_type -polkitd:polkit_backend_authority_get_version -polkitd:polkit_backend_authority_log -polkitd:polkit_backend_authority_register -polkitd:polkit_backend_authority_register_authentication_agent -polkitd:polkit_backend_authority_revoke_temporary_authorization_by_id -polkitd:polkit_backend_authority_revoke_temporary_authorizations -polkitd:polkit_backend_authority_unregister -polkitd:polkit_backend_authority_unregister_authentication_agent -polkitd:polkit_backend_interactive_authority_check_authorization_sync -polkitd:polkit_backend_interactive_authority_get_admin_identities -polkitd:polkit_backend_interactive_authority_get_type -polkitd:polkit_backend_keyfile_authority_get_type -polkitd:polkit_backend_session_monitor_get_session_for_subject -polkitd:polkit_backend_session_monitor_get_sessions -polkitd:polkit_backend_session_monitor_get_type -polkitd:polkit_backend_session_monitor_get_user_for_subject -polkitd:polkit_backend_session_monitor_is_session_active -polkitd:polkit_backend_session_monitor_is_session_local -polkitd:polkit_backend_session_monitor_new diff --git a/abi_used_libs b/abi_used_libs --- a/abi_used_libs +++ b/abi_used_libs @@ -1,4 +1,5 @@ libc.so.6 +libduktape.so.207 libexpat.so.1 libgio-2.0.so.0 libglib-2.0.so.0 diff --git a/abi_used_symbols b/abi_used_symbols --- a/abi_used_symbols +++ b/abi_used_symbols @@ -10,6 +10,7 @@ libc.so.6:calloc libc.so.6:chdir libc.so.6:clearenv +libc.so.6:clock_gettime libc.so.6:close libc.so.6:closelog libc.so.6:ctermid 
@@ -19,17 +20,15 @@ libc.so.6:execv libc.so.6:exit libc.so.6:fclose -libc.so.6:fcntl +libc.so.6:fcntl64 libc.so.6:fdatasync libc.so.6:feof libc.so.6:fflush libc.so.6:fgets libc.so.6:fileno -libc.so.6:fopen +libc.so.6:fopen64 libc.so.6:fputc -libc.so.6:fputs libc.so.6:free -libc.so.6:fwrite libc.so.6:get_current_dir_name libc.so.6:getc libc.so.6:getegid @@ -52,10 +51,23 @@ libc.so.6:kill libc.so.6:localtime libc.so.6:memset -libc.so.6:open +libc.so.6:open64 libc.so.6:openlog libc.so.6:perror libc.so.6:prctl +libc.so.6:pthread_cancel +libc.so.6:pthread_cond_destroy +libc.so.6:pthread_cond_init +libc.so.6:pthread_cond_signal +libc.so.6:pthread_cond_timedwait +libc.so.6:pthread_condattr_destroy +libc.so.6:pthread_condattr_init +libc.so.6:pthread_condattr_setclock +libc.so.6:pthread_create +libc.so.6:pthread_join +libc.so.6:pthread_mutex_lock +libc.so.6:pthread_mutex_unlock +libc.so.6:pthread_setcanceltype libc.so.6:putc libc.so.6:putenv libc.so.6:setbuf @@ -65,7 +77,11 @@ libc.so.6:setnetgrent libc.so.6:setregid libc.so.6:setreuid -libc.so.6:stat +libc.so.6:sigaction +libc.so.6:sigaddset +libc.so.6:sigemptyset +libc.so.6:sleep +libc.so.6:stat64 libc.so.6:stderr libc.so.6:stdin libc.so.6:stdout 
@@ -85,6 +101,32 @@ libc.so.6:ttyname libc.so.6:usleep libc.so.6:waitpid +libduktape.so.207:duk_call_prop +libduktape.so.207:duk_create_heap +libduktape.so.207:duk_destroy_heap +libduktape.so.207:duk_error_raw +libduktape.so.207:duk_eval_raw +libduktape.so.207:duk_get_global_string +libduktape.so.207:duk_get_length +libduktape.so.207:duk_get_prop_index +libduktape.so.207:duk_is_array +libduktape.so.207:duk_is_null +libduktape.so.207:duk_new +libduktape.so.207:duk_pcall_prop +libduktape.so.207:duk_pop +libduktape.so.207:duk_push_array +libduktape.so.207:duk_push_boolean +libduktape.so.207:duk_push_global_object +libduktape.so.207:duk_push_int +libduktape.so.207:duk_push_object +libduktape.so.207:duk_push_string +libduktape.so.207:duk_put_function_list +libduktape.so.207:duk_put_prop_index +libduktape.so.207:duk_put_prop_string +libduktape.so.207:duk_require_string +libduktape.so.207:duk_safe_to_lstring +libduktape.so.207:duk_set_top +libduktape.so.207:duk_to_string libexpat.so.1:XML_ErrorString libexpat.so.1:XML_GetCurrentLineNumber libexpat.so.1:XML_GetErrorCode @@ -110,6 +152,7 @@ libgio-2.0.so.0:g_cancellable_disconnect libgio-2.0.so.0:g_cancellable_get_type libgio-2.0.so.0:g_cancellable_new +libgio-2.0.so.0:g_cancellable_set_error_if_cancelled libgio-2.0.so.0:g_dbus_connection_call libgio-2.0.so.0:g_dbus_connection_call_finish libgio-2.0.so.0:g_dbus_connection_call_sync @@ -167,12 +210,13 @@ libgio-2.0.so.0:g_simple_async_result_set_error libgio-2.0.so.0:g_simple_async_result_set_from_error libgio-2.0.so.0:g_simple_async_result_set_op_res_gpointer +libgio-2.0.so.0:g_simple_async_result_take_error libgio-2.0.so.0:g_unix_output_stream_new -libglib-2.0.so.0:g_ascii_strdown libglib-2.0.so.0:g_ascii_strtoull libglib-2.0.so.0:g_ascii_table libglib-2.0.so.0:g_assertion_message_expr libglib-2.0.so.0:g_build_filename +libglib-2.0.so.0:g_child_watch_source_new libglib-2.0.so.0:g_clear_error libglib-2.0.so.0:g_dgettext libglib-2.0.so.0:g_dir_close 
@@ -205,18 +249,13 @@ libglib-2.0.so.0:g_hash_table_remove_all libglib-2.0.so.0:g_hash_table_unref libglib-2.0.so.0:g_intern_static_string +libglib-2.0.so.0:g_io_channel_read_chars libglib-2.0.so.0:g_io_channel_read_line +libglib-2.0.so.0:g_io_channel_read_to_end +libglib-2.0.so.0:g_io_channel_set_flags libglib-2.0.so.0:g_io_channel_unix_new libglib-2.0.so.0:g_io_channel_unref libglib-2.0.so.0:g_io_create_watch -libglib-2.0.so.0:g_key_file_get_boolean -libglib-2.0.so.0:g_key_file_get_string -libglib-2.0.so.0:g_key_file_get_string_list -libglib-2.0.so.0:g_key_file_has_group -libglib-2.0.so.0:g_key_file_has_key -libglib-2.0.so.0:g_key_file_load_from_file -libglib-2.0.so.0:g_key_file_new -libglib-2.0.so.0:g_key_file_unref libglib-2.0.so.0:g_list_append libglib-2.0.so.0:g_list_concat libglib-2.0.so.0:g_list_copy @@ -236,6 +275,7 @@ libglib-2.0.so.0:g_main_context_new libglib-2.0.so.0:g_main_context_pop_thread_default libglib-2.0.so.0:g_main_context_push_thread_default +libglib-2.0.so.0:g_main_context_ref libglib-2.0.so.0:g_main_context_unref libglib-2.0.so.0:g_main_loop_new libglib-2.0.so.0:g_main_loop_quit @@ -270,6 +310,8 @@ libglib-2.0.so.0:g_set_error libglib-2.0.so.0:g_set_prgname libglib-2.0.so.0:g_setenv +libglib-2.0.so.0:g_slice_alloc +libglib-2.0.so.0:g_slice_free1 libglib-2.0.so.0:g_snprintf libglib-2.0.so.0:g_source_add_poll libglib-2.0.so.0:g_source_attach @@ -277,6 +319,7 @@ libglib-2.0.so.0:g_source_new libglib-2.0.so.0:g_source_remove libglib-2.0.so.0:g_source_set_callback +libglib-2.0.so.0:g_source_set_priority libglib-2.0.so.0:g_source_unref libglib-2.0.so.0:g_spawn_async_with_pipes libglib-2.0.so.0:g_str_equal @@ -295,6 +338,7 @@ libglib-2.0.so.0:g_strescape libglib-2.0.so.0:g_strfreev libglib-2.0.so.0:g_string_append +libglib-2.0.so.0:g_string_append_len libglib-2.0.so.0:g_string_append_printf libglib-2.0.so.0:g_string_free libglib-2.0.so.0:g_string_insert_c 
@@ -304,11 +348,12 @@ libglib-2.0.so.0:g_strndup libglib-2.0.so.0:g_strsplit libglib-2.0.so.0:g_strv_length -libglib-2.0.so.0:g_thread_create libglib-2.0.so.0:g_thread_join +libglib-2.0.so.0:g_thread_try_new libglib-2.0.so.0:g_thread_yield libglib-2.0.so.0:g_timeout_add libglib-2.0.so.0:g_timeout_add_seconds +libglib-2.0.so.0:g_timeout_source_new_seconds libglib-2.0.so.0:g_unix_signal_add libglib-2.0.so.0:g_variant_builder_add libglib-2.0.so.0:g_variant_builder_add_value @@ -351,11 +396,13 @@ libgobject-2.0.so.0:g_object_ref libgobject-2.0.so.0:g_object_unref libgobject-2.0.so.0:g_object_weak_ref +libgobject-2.0.so.0:g_param_spec_boolean libgobject-2.0.so.0:g_param_spec_boxed libgobject-2.0.so.0:g_param_spec_flags libgobject-2.0.so.0:g_param_spec_int libgobject-2.0.so.0:g_param_spec_object libgobject-2.0.so.0:g_param_spec_string +libgobject-2.0.so.0:g_param_spec_uint libgobject-2.0.so.0:g_param_spec_uint64 libgobject-2.0.so.0:g_signal_connect_data libgobject-2.0.so.0:g_signal_emit @@ -369,8 +416,8 @@ libgobject-2.0.so.0:g_type_check_instance_cast libgobject-2.0.so.0:g_type_check_instance_is_a libgobject-2.0.so.0:g_type_class_add_private +libgobject-2.0.so.0:g_type_class_adjust_private_offset libgobject-2.0.so.0:g_type_class_peek_parent -libgobject-2.0.so.0:g_type_init libgobject-2.0.so.0:g_type_instance_get_private libgobject-2.0.so.0:g_type_interface_add_prerequisite libgobject-2.0.so.0:g_type_interface_peek 
@@ -381,14 +428,18 @@ libgobject-2.0.so.0:g_value_dup_boxed libgobject-2.0.so.0:g_value_dup_object libgobject-2.0.so.0:g_value_dup_string +libgobject-2.0.so.0:g_value_get_boolean libgobject-2.0.so.0:g_value_get_int libgobject-2.0.so.0:g_value_get_string +libgobject-2.0.so.0:g_value_get_uint libgobject-2.0.so.0:g_value_get_uint64 libgobject-2.0.so.0:g_value_peek_pointer +libgobject-2.0.so.0:g_value_set_boolean libgobject-2.0.so.0:g_value_set_flags libgobject-2.0.so.0:g_value_set_int libgobject-2.0.so.0:g_value_set_object libgobject-2.0.so.0:g_value_set_string +libgobject-2.0.so.0:g_value_set_uint libgobject-2.0.so.0:g_value_set_uint64 libgobject-2.0.so.0:g_value_take_string libpam.so.0:pam_acct_mgmt diff --git a/files/0001-install-50-default-rules-in-usr.patch b/files/0001-install-50-default-rules-in-usr.patch new file mode 100644 --- /dev/null +++ b/files/0001-install-50-default-rules-in-usr.patch @@ -0,0 +1,28 @@ +From b6538f6e9cc956959494aff0eeade3a0b5733103 Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Fri, 10 Jun 2022 14:20:51 +0100 +Subject: [PATCH] Install 50-default.rules in /usr/share + +Same rationale as https://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/11 +and https://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/72 /etc is for +local admin changes, upstream/vendor config files should go in /usr/share +--- + src/polkitbackend/meson.build | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/polkitbackend/meson.build b/src/polkitbackend/meson.build +index 7c5d443..c35e6c2 100644 +--- a/src/polkitbackend/meson.build ++++ b/src/polkitbackend/meson.build +@@ -61,7 +61,7 @@ libpolkit_backend = static_library( + + install_data( + '50-default.rules', +- install_dir: pk_pkgsysconfdir / 'rules.d', ++ install_dir: pk_pkgdatadir / 'rules.d', + ) + + program = 'polkitd' +-- +GitLab + 
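Review bot: The added patch header records why 50-default.rules moves from pk_pkgsysconfdir to pk_pkgdatadir but not where this change stands upstream, so the next person rebasing the package cannot tell whether it is a pending submission, a backport of an already-merged commit, or a permanent local deviation. A trailer after the Subject such as `Upstream-Status: Submitted (<MR link placeholder>)` or `Upstream-Status: Backport` would settle that. The patch itself only relocates the install target; it presumably relies on polkitd already scanning the rules.d directory under pk_pkgdatadir, which I believe it does, but that is worth confirming once the package is rebuilt since this file is the one that names the admin identities.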
diff --git a/files/0003-data-Use-modern-stateless-dbus-system.d-directory.patch b/files/0003-data-Use-modern-stateless-dbus-system.d-directory.patch deleted file mode 100644 --- a/files/0003-data-Use-modern-stateless-dbus-system.d-directory.patch +++ /dev/null @@ -1,26 +0,0 @@ -From 69fb14be4b9234ae11fb0162090c6be618ed5168 Mon Sep 17 00:00:00 2001 -From: Ikey Doherty -Date: Thu, 19 Oct 2017 17:41:50 +0100 -Subject: [PATCH 3/3] data: Use modern stateless dbus `system.d` directory - -Signed-off-by: Ikey Doherty ---- - data/Makefile.am | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/data/Makefile.am b/data/Makefile.am -index fe0f1d5..f2b27ed 100644 ---- a/data/Makefile.am -+++ b/data/Makefile.am -@@ -15,7 +15,7 @@ $(service_DATA): $(service_in_files) Makefile - - # ---------------------------------------------------------------------------------------------------- - --dbusconfdir = $(sysconfdir)/dbus-1/system.d -+dbusconfdir = $(datadir)/dbus-1/system.d - dbusconf_in_files = org.freedesktop.PolicyKit1.conf.in - dbusconf_DATA = $(dbusconf_in_files:.conf.in=.conf) - --- -2.14.2 - diff --git a/files/in-systemd-we-trust.patch b/files/in-systemd-we-trust.patch deleted file mode 100644 --- a/files/in-systemd-we-trust.patch +++ /dev/null 
@@ -1,31 +0,0 @@ -diff --git a/configure.ac b/configure.ac -index 5ca36d7..8a66dc3 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -163,26 +163,6 @@ if test "$enable_libsystemd_login" != "no"; then - fi - fi - --AS_IF([test "x$cross_compiling" != "xyes" ], [ -- AS_IF([test "$have_libsystemd" = "yes"], [ -- AS_IF([test ! -d /sys/fs/cgroup/systemd/ ], [ -- AS_IF([test "$enable_libsystemd_login" = "yes"], [ -- AC_MSG_WARN([libsystemd requested but system does not appear to be using systemd]) -- ], [ -- AC_MSG_ERROR([libsystemd autoconfigured, but system does not appear to use systemd]) -- ]) -- ]) -- ], [ -- AS_IF([test -d /sys/fs/cgroup/systemd/ ], [ -- AS_IF([test "$enable_libsystemd_login" = "no" ], [ -- AC_MSG_WARN([ConsoleKit requested but system appears to use systemd]) -- ], [ -- AC_MSG_ERROR([ConsoleKit autoconfigured, but systemd is in use (missing libsystemd or libsystemd-login pkg-config?)]) -- ]) -- ]) -- ]) --]) -- - AC_SUBST(LIBSYSTEMD_CFLAGS) - AC_SUBST(LIBSYSTEMD_LIBS) - AM_CONDITIONAL(HAVE_LIBSYSTEMD, [test "$have_libsystemd" = "yes"], [Using libsystemd]) diff --git a/files/polkit.tmpfiles b/files/polkit.tmpfiles --- a/files/polkit.tmpfiles +++ b/files/polkit.tmpfiles @@ -1 +1,2 @@ d /var/empty 0755 - - - +d /etc/polkit-1/rules.d 0755 - - - diff --git a/files/security/CVE-2018-1116.patch b/files/security/CVE-2018-1116.patch deleted file mode 100644 --- a/files/security/CVE-2018-1116.patch +++ /dev/null 
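Review bot: The new tmpfiles entry creates /etc/polkit-1/rules.d as 0755 owned by root, which lets every local user list and read whatever rule files the administrator drops there; as far as I recall upstream's post-install step creates the rules.d directories 0700 and chowns them to the polkitd service user, so this line is more permissive than upstream and the difference should be deliberate. If matching upstream is the intent, the line would be `d /etc/polkit-1/rules.d 0700 <polkitd user placeholder> root -`, using whatever account name this package creates for the daemon. Either way a `#` comment above the entry saying why the directory is now created by tmpfiles (presumably because the added 0001 patch relocates 50-default.rules to /usr/share, so nothing else creates the /etc directory any more) would stop a future maintainer from removing it as redundant.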
@@ -1,576 +0,0 @@ -From bc7ffad53643a9c80231fc41f5582d6a8931c32c Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Miloslav=20Trma=C4=8D?= -Date: Mon, 25 Jun 2018 19:24:06 +0200 -Subject: Fix CVE-2018-1116: Trusting client-supplied UID -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -As part of CVE-2013-4288, the D-Bus clients were allowed (and -encouraged) to submit the UID of the subject of authorization checks -to avoid races against UID changes (notably using executables -set-UID to root). - -However, that also allowed any client to submit an arbitrary UID, and -that could be used to bypass "can only ask about / affect the same UID" -checks in CheckAuthorization / RegisterAuthenticationAgent / -UnregisterAuthenticationAgent. This allowed an attacker: - -- With CheckAuthorization, to cause the registered authentication - agent in victim's session to pop up a dialog, or to determine whether - the victim currently has a temporary authorization to perform an - operation. - - (In principle, the attacker can also determine whether JavaScript - rules allow the victim process to perform an operation; however, - usually rules base their decisions on information determined from - the supplied UID, so the attacker usually won't learn anything new.) - -- With RegisterAuthenticationAgent, to prevent the victim's - authentication agent to work (for a specific victim process), - or to learn about which operations requiring authorization - the victim is attempting. - -To fix this, expose internal _polkit_unix_process_get_owner() / -obsolete polkit_unix_process_get_owner() as a private -polkit_unix_process_get_racy_uid__() (being more explicit about the -dangers on relying on it), and use it in -polkit_backend_session_monitor_get_user_for_subject() to return -a boolean indicating whether the subject UID may be caller-chosen. 
- -Then, in the permission checks that require the subject to be -equal to the caller, fail on caller-chosen UIDs (and continue -through the pre-existing code paths which allow root, or root-designated -server processes, to ask about arbitrary subjects.) - -Signed-off-by: Miloslav Trmač ---- - src/polkit/polkitprivate.h | 2 + - src/polkit/polkitunixprocess.c | 61 ++++++++++++++++++---- - .../polkitbackendinteractiveauthority.c | 39 +++++++++----- - .../polkitbackendsessionmonitor-systemd.c | 38 ++++++++++++-- - src/polkitbackend/polkitbackendsessionmonitor.c | 40 ++++++++++++-- - src/polkitbackend/polkitbackendsessionmonitor.h | 1 + - 6 files changed, 148 insertions(+), 33 deletions(-) - -diff --git a/src/polkit/polkitprivate.h b/src/polkit/polkitprivate.h -index 9f07063..c80142d 100644 ---- a/src/polkit/polkitprivate.h -+++ b/src/polkit/polkitprivate.h -@@ -44,6 +44,8 @@ GVariant *polkit_action_description_to_gvariant (PolkitActionDescription *action - GVariant *polkit_subject_to_gvariant (PolkitSubject *subject); - GVariant *polkit_identity_to_gvariant (PolkitIdentity *identity); - -+gint polkit_unix_process_get_racy_uid__ (PolkitUnixProcess *process, GError **error); -+ - PolkitSubject *polkit_subject_new_for_gvariant (GVariant *variant, GError **error); - PolkitIdentity *polkit_identity_new_for_gvariant (GVariant *variant, GError **error); - -diff --git a/src/polkit/polkitunixprocess.c b/src/polkit/polkitunixprocess.c -index d4ebf50..972b777 100644 ---- a/src/polkit/polkitunixprocess.c -+++ b/src/polkit/polkitunixprocess.c -@@ -56,6 +56,14 @@ - * To uniquely identify processes, both the process id and the start - * time of the process (a monotonic increasing value representing the - * time since the kernel was started) is used. -+ * -+ * NOTE: This object stores, and provides access to, the real UID of the -+ * process. That value can change over time (with set*uid*(2) and exec*(2)). 
-+ * Checks whether an operation is allowed need to take care to use the UID -+ * value as of the time when the operation was made (or, following the open() -+ * privilege check model, when the connection making the operation possible -+ * was initiated). That is usually done by initializing this with -+ * polkit_unix_process_new_for_owner() with trusted data. - */ - - /** -@@ -90,9 +98,6 @@ static void subject_iface_init (PolkitSubjectIface *subject_iface); - static guint64 get_start_time_for_pid (gint pid, - GError **error); - --static gint _polkit_unix_process_get_owner (PolkitUnixProcess *process, -- GError **error); -- - #if defined(HAVE_FREEBSD) || defined(HAVE_NETBSD) || defined(HAVE_OPENBSD) - static gboolean get_kinfo_proc (gint pid, - #if defined(HAVE_NETBSD) -@@ -182,7 +187,7 @@ polkit_unix_process_constructed (GObject *object) - { - GError *error; - error = NULL; -- process->uid = _polkit_unix_process_get_owner (process, &error); -+ process->uid = polkit_unix_process_get_racy_uid__ (process, &error); - if (error != NULL) - { - process->uid = -1; -@@ -271,6 +276,12 @@ polkit_unix_process_class_init (PolkitUnixProcessClass *klass) - * Gets the user id for @process. Note that this is the real user-id, - * not the effective user-id. - * -+ * NOTE: The UID may change over time, so the returned value may not match the -+ * current state of the underlying process; or the UID may have been set by -+ * polkit_unix_process_new_for_owner() or polkit_unix_process_set_uid(), -+ * in which case it may not correspond to the actual UID of the referenced -+ * process at all (at any point in time). -+ * - * Returns: The user id for @process or -1 if unknown. - */ - gint -@@ -708,13 +719,20 @@ out: - return start_time; - } - --static gint --_polkit_unix_process_get_owner (PolkitUnixProcess *process, -- GError **error) -+/* -+ * Private: Return the "current" UID. 
Note that this is inherently racy, -+ * and the value may already be obsolete by the time this function returns; -+ * this function only guarantees that the UID was valid at some point during -+ * its execution. -+ */ -+gint -+polkit_unix_process_get_racy_uid__ (PolkitUnixProcess *process, -+ GError **error) - { - gint result; - gchar *contents; - gchar **lines; -+ guint64 start_time; - #if defined(HAVE_FREEBSD) || defined(HAVE_OPENBSD) - struct kinfo_proc p; - #elif defined(HAVE_NETBSD) -@@ -722,6 +740,7 @@ _polkit_unix_process_get_owner (PolkitUnixProcess *process, - #else - gchar filename[64]; - guint n; -+ GError *local_error; - #endif - - g_return_val_if_fail (POLKIT_IS_UNIX_PROCESS (process), 0); -@@ -745,8 +764,10 @@ _polkit_unix_process_get_owner (PolkitUnixProcess *process, - - #if defined(HAVE_FREEBSD) - result = p.ki_uid; -+ start_time = (guint64) p.ki_start.tv_sec; - #else - result = p.p_uid; -+ start_time = (guint64) p.p_ustart_sec; - #endif - #else - -@@ -781,17 +802,37 @@ _polkit_unix_process_get_owner (PolkitUnixProcess *process, - else - { - result = real_uid; -- goto out; -+ goto found; - } - } -- - g_set_error (error, - POLKIT_ERROR, - POLKIT_ERROR_FAILED, - "Didn't find any line starting with `Uid:' in file %s", - filename); -+ goto out; -+ -+found: -+ /* The UID and start time are, sadly, not available in a single file. So, -+ * read the UID first, and then the start time; if the start time is the same -+ * before and after reading the UID, it couldn't have changed. 
-+ */ -+ local_error = NULL; -+ start_time = get_start_time_for_pid (process->pid, &local_error); -+ if (local_error != NULL) -+ { -+ g_propagate_error (error, local_error); -+ goto out; -+ } - #endif - -+ if (process->start_time != start_time) -+ { -+ g_set_error (error, POLKIT_ERROR, POLKIT_ERROR_FAILED, -+ "process with PID %d has been replaced", process->pid); -+ goto out; -+ } -+ - out: - g_strfreev (lines); - g_free (contents); -@@ -810,5 +851,5 @@ gint - polkit_unix_process_get_owner (PolkitUnixProcess *process, - GError **error) - { -- return _polkit_unix_process_get_owner (process, error); -+ return polkit_unix_process_get_racy_uid__ (process, error); - } -diff --git a/src/polkitbackend/polkitbackendinteractiveauthority.c b/src/polkitbackend/polkitbackendinteractiveauthority.c -index 1cd60d3..cb6fdab 100644 ---- a/src/polkitbackend/polkitbackendinteractiveauthority.c -+++ b/src/polkitbackend/polkitbackendinteractiveauthority.c -@@ -575,7 +575,7 @@ log_result (PolkitBackendInteractiveAuthority *authority, - if (polkit_authorization_result_get_is_authorized (result)) - log_result_str = "ALLOWING"; - -- user_of_subject = polkit_backend_session_monitor_get_user_for_subject (priv->session_monitor, subject, NULL); -+ user_of_subject = polkit_backend_session_monitor_get_user_for_subject (priv->session_monitor, subject, NULL, NULL); - - subject_str = polkit_subject_to_string (subject); - -@@ -847,6 +847,7 @@ polkit_backend_interactive_authority_check_authorization (PolkitBackendAuthority - gchar *subject_str; - PolkitIdentity *user_of_caller; - PolkitIdentity *user_of_subject; -+ gboolean user_of_subject_matches; - gchar *user_of_caller_str; - gchar *user_of_subject_str; - PolkitAuthorizationResult *result; -@@ -892,7 +893,7 @@ polkit_backend_interactive_authority_check_authorization (PolkitBackendAuthority - action_id); - - user_of_caller = polkit_backend_session_monitor_get_user_for_subject (priv->session_monitor, -- caller, -+ caller, NULL, - &error); - if 
(error != NULL) - { -@@ -907,7 +908,7 @@ polkit_backend_interactive_authority_check_authorization (PolkitBackendAuthority - g_debug (" user of caller is %s", user_of_caller_str); - - user_of_subject = polkit_backend_session_monitor_get_user_for_subject (priv->session_monitor, -- subject, -+ subject, &user_of_subject_matches, - &error); - if (error != NULL) - { -@@ -937,7 +938,10 @@ polkit_backend_interactive_authority_check_authorization (PolkitBackendAuthority - * We only allow this if, and only if, - * - * - processes may check for another process owned by the *same* user but not -- * if details are passed (otherwise you'd be able to spoof the dialog) -+ * if details are passed (otherwise you'd be able to spoof the dialog); -+ * the caller supplies the user_of_subject value, so we additionally -+ * require it to match at least at one point in time (via -+ * user_of_subject_matches). - * - * - processes running as uid 0 may check anything and pass any details - * -@@ -945,7 +949,9 @@ polkit_backend_interactive_authority_check_authorization (PolkitBackendAuthority - * then any uid referenced by that annotation is also allowed to check - * to check anything and pass any details - */ -- if (!polkit_identity_equal (user_of_caller, user_of_subject) || has_details) -+ if (!user_of_subject_matches -+ || !polkit_identity_equal (user_of_caller, user_of_subject) -+ || has_details) - { - if (!may_identity_check_authorization (interactive_authority, action_id, user_of_caller)) - { -@@ -1110,9 +1116,10 @@ check_authorization_sync (PolkitBackendAuthority *authority, - goto out; - } - -- /* every subject has a user */ -+ /* every subject has a user; this is supplied by the client, so we rely -+ * on the caller to validate its acceptability. 
*/ - user_of_subject = polkit_backend_session_monitor_get_user_for_subject (priv->session_monitor, -- subject, -+ subject, NULL, - error); - if (user_of_subject == NULL) - goto out; -@@ -2480,6 +2487,7 @@ polkit_backend_interactive_authority_register_authentication_agent (PolkitBacken - PolkitSubject *session_for_caller; - PolkitIdentity *user_of_caller; - PolkitIdentity *user_of_subject; -+ gboolean user_of_subject_matches; - AuthenticationAgent *agent; - gboolean ret; - gchar *caller_cmdline; -@@ -2532,7 +2540,7 @@ polkit_backend_interactive_authority_register_authentication_agent (PolkitBacken - goto out; - } - -- user_of_caller = polkit_backend_session_monitor_get_user_for_subject (priv->session_monitor, caller, NULL); -+ user_of_caller = polkit_backend_session_monitor_get_user_for_subject (priv->session_monitor, caller, NULL, NULL); - if (user_of_caller == NULL) - { - g_set_error (error, -@@ -2541,7 +2549,7 @@ polkit_backend_interactive_authority_register_authentication_agent (PolkitBacken - "Cannot determine user of caller"); - goto out; - } -- user_of_subject = polkit_backend_session_monitor_get_user_for_subject (priv->session_monitor, subject, NULL); -+ user_of_subject = polkit_backend_session_monitor_get_user_for_subject (priv->session_monitor, subject, &user_of_subject_matches, NULL); - if (user_of_subject == NULL) - { - g_set_error (error, -@@ -2550,7 +2558,8 @@ polkit_backend_interactive_authority_register_authentication_agent (PolkitBacken - "Cannot determine user of subject"); - goto out; - } -- if (!polkit_identity_equal (user_of_caller, user_of_subject)) -+ if (!user_of_subject_matches -+ || !polkit_identity_equal (user_of_caller, user_of_subject)) - { - if (identity_is_root_user (user_of_caller)) - { -@@ -2643,6 +2652,7 @@ polkit_backend_interactive_authority_unregister_authentication_agent (PolkitBack - PolkitSubject *session_for_caller; - PolkitIdentity *user_of_caller; - PolkitIdentity *user_of_subject; -+ gboolean user_of_subject_matches; - 
AuthenticationAgent *agent; - gboolean ret; - gchar *scope_str; -@@ -2691,7 +2701,7 @@ polkit_backend_interactive_authority_unregister_authentication_agent (PolkitBack - goto out; - } - -- user_of_caller = polkit_backend_session_monitor_get_user_for_subject (priv->session_monitor, caller, NULL); -+ user_of_caller = polkit_backend_session_monitor_get_user_for_subject (priv->session_monitor, caller, NULL, NULL); - if (user_of_caller == NULL) - { - g_set_error (error, -@@ -2700,7 +2710,7 @@ polkit_backend_interactive_authority_unregister_authentication_agent (PolkitBack - "Cannot determine user of caller"); - goto out; - } -- user_of_subject = polkit_backend_session_monitor_get_user_for_subject (priv->session_monitor, subject, NULL); -+ user_of_subject = polkit_backend_session_monitor_get_user_for_subject (priv->session_monitor, subject, &user_of_subject_matches, NULL); - if (user_of_subject == NULL) - { - g_set_error (error, -@@ -2709,7 +2719,8 @@ polkit_backend_interactive_authority_unregister_authentication_agent (PolkitBack - "Cannot determine user of subject"); - goto out; - } -- if (!polkit_identity_equal (user_of_caller, user_of_subject)) -+ if (!user_of_subject_matches -+ || !polkit_identity_equal (user_of_caller, user_of_subject)) - { - if (identity_is_root_user (user_of_caller)) - { -@@ -2819,7 +2830,7 @@ polkit_backend_interactive_authority_authentication_agent_response (PolkitBacken - identity_str); - - user_of_caller = polkit_backend_session_monitor_get_user_for_subject (priv->session_monitor, -- caller, -+ caller, NULL, - error); - if (user_of_caller == NULL) - goto out; -diff --git a/src/polkitbackend/polkitbackendsessionmonitor-systemd.c b/src/polkitbackend/polkitbackendsessionmonitor-systemd.c -index 2a6c739..b00cdbd 100644 ---- a/src/polkitbackend/polkitbackendsessionmonitor-systemd.c -+++ b/src/polkitbackend/polkitbackendsessionmonitor-systemd.c -@@ -29,6 +29,7 @@ - #include - - #include -+#include - #include "polkitbackendsessionmonitor.h" - - /* 
-@@ -246,26 +247,40 @@ polkit_backend_session_monitor_get_sessions (PolkitBackendSessionMonitor *monito - * polkit_backend_session_monitor_get_user: - * @monitor: A #PolkitBackendSessionMonitor. - * @subject: A #PolkitSubject. -+ * @result_matches: If not %NULL, set to indicate whether the return value matches current (RACY) state. - * @error: Return location for error. - * - * Gets the user corresponding to @subject or %NULL if no user exists. - * -+ * NOTE: For a #PolkitUnixProcess, the UID is read from @subject (which may -+ * come from e.g. a D-Bus client), so it may not correspond to the actual UID -+ * of the referenced process (at any point in time). This is indicated by -+ * setting @result_matches to %FALSE; the caller may reject such subjects or -+ * require additional privileges. @result_matches == %TRUE only indicates that -+ * the UID matched the underlying process at ONE point in time, it may not match -+ * later. -+ * - * Returns: %NULL if @error is set otherwise a #PolkitUnixUser that should be freed with g_object_unref(). 
- */ - PolkitIdentity * - polkit_backend_session_monitor_get_user_for_subject (PolkitBackendSessionMonitor *monitor, - PolkitSubject *subject, -+ gboolean *result_matches, - GError **error) - { - PolkitIdentity *ret; -- guint32 uid; -+ gboolean matches; - - ret = NULL; -+ matches = FALSE; - - if (POLKIT_IS_UNIX_PROCESS (subject)) - { -- uid = polkit_unix_process_get_uid (POLKIT_UNIX_PROCESS (subject)); -- if ((gint) uid == -1) -+ gint subject_uid, current_uid; -+ GError *local_error; -+ -+ subject_uid = polkit_unix_process_get_uid (POLKIT_UNIX_PROCESS (subject)); -+ if (subject_uid == -1) - { - g_set_error (error, - POLKIT_ERROR, -@@ -273,14 +288,24 @@ polkit_backend_session_monitor_get_user_for_subject (PolkitBackendSessionMonitor - "Unix process subject does not have uid set"); - goto out; - } -- ret = polkit_unix_user_new (uid); -+ local_error = NULL; -+ current_uid = polkit_unix_process_get_racy_uid__ (POLKIT_UNIX_PROCESS (subject), &local_error); -+ if (local_error != NULL) -+ { -+ g_propagate_error (error, local_error); -+ goto out; -+ } -+ ret = polkit_unix_user_new (subject_uid); -+ matches = (subject_uid == current_uid); - } - else if (POLKIT_IS_SYSTEM_BUS_NAME (subject)) - { - ret = (PolkitIdentity*)polkit_system_bus_name_get_user_sync (POLKIT_SYSTEM_BUS_NAME (subject), NULL, error); -+ matches = TRUE; - } - else if (POLKIT_IS_UNIX_SESSION (subject)) - { -+ uid_t uid; - - if (sd_session_get_uid (polkit_unix_session_get_session_id (POLKIT_UNIX_SESSION (subject)), &uid) < 0) - { -@@ -292,9 +317,14 @@ polkit_backend_session_monitor_get_user_for_subject (PolkitBackendSessionMonitor - } - - ret = polkit_unix_user_new (uid); -+ matches = TRUE; - } - - out: -+ if (result_matches != NULL) -+ { -+ *result_matches = matches; -+ } - return ret; - } - -diff --git a/src/polkitbackend/polkitbackendsessionmonitor.c b/src/polkitbackend/polkitbackendsessionmonitor.c -index e1a9ab3..ed30755 100644 ---- a/src/polkitbackend/polkitbackendsessionmonitor.c -+++ 
b/src/polkitbackend/polkitbackendsessionmonitor.c -@@ -27,6 +27,7 @@ - #include - - #include -+#include - #include "polkitbackendsessionmonitor.h" - - #define CKDB_PATH "/var/run/ConsoleKit/database" -@@ -273,28 +274,40 @@ polkit_backend_session_monitor_get_sessions (PolkitBackendSessionMonitor *monito - * polkit_backend_session_monitor_get_user: - * @monitor: A #PolkitBackendSessionMonitor. - * @subject: A #PolkitSubject. -+ * @result_matches: If not %NULL, set to indicate whether the return value matches current (RACY) state. - * @error: Return location for error. - * - * Gets the user corresponding to @subject or %NULL if no user exists. - * -+ * NOTE: For a #PolkitUnixProcess, the UID is read from @subject (which may -+ * come from e.g. a D-Bus client), so it may not correspond to the actual UID -+ * of the referenced process (at any point in time). This is indicated by -+ * setting @result_matches to %FALSE; the caller may reject such subjects or -+ * require additional privileges. @result_matches == %TRUE only indicates that -+ * the UID matched the underlying process at ONE point in time, it may not match -+ * later. -+ * - * Returns: %NULL if @error is set otherwise a #PolkitUnixUser that should be freed with g_object_unref(). 
- */ - PolkitIdentity * - polkit_backend_session_monitor_get_user_for_subject (PolkitBackendSessionMonitor *monitor, - PolkitSubject *subject, -+ gboolean *result_matches, - GError **error) - { - PolkitIdentity *ret; -+ gboolean matches; - GError *local_error; -- gchar *group; -- guint32 uid; - - ret = NULL; -+ matches = FALSE; - - if (POLKIT_IS_UNIX_PROCESS (subject)) - { -- uid = polkit_unix_process_get_uid (POLKIT_UNIX_PROCESS (subject)); -- if ((gint) uid == -1) -+ gint subject_uid, current_uid; -+ -+ subject_uid = polkit_unix_process_get_uid (POLKIT_UNIX_PROCESS (subject)); -+ if (subject_uid == -1) - { - g_set_error (error, - POLKIT_ERROR, -@@ -302,14 +315,26 @@ polkit_backend_session_monitor_get_user_for_subject (PolkitBackendSessionMonitor - "Unix process subject does not have uid set"); - goto out; - } -- ret = polkit_unix_user_new (uid); -+ local_error = NULL; -+ current_uid = polkit_unix_process_get_racy_uid__ (POLKIT_UNIX_PROCESS (subject), &local_error); -+ if (local_error != NULL) -+ { -+ g_propagate_error (error, local_error); -+ goto out; -+ } -+ ret = polkit_unix_user_new (subject_uid); -+ matches = (subject_uid == current_uid); - } - else if (POLKIT_IS_SYSTEM_BUS_NAME (subject)) - { - ret = (PolkitIdentity*)polkit_system_bus_name_get_user_sync (POLKIT_SYSTEM_BUS_NAME (subject), NULL, error); -+ matches = TRUE; - } - else if (POLKIT_IS_UNIX_SESSION (subject)) - { -+ gint uid; -+ gchar *group; -+ - if (!ensure_database (monitor, error)) - { - g_prefix_error (error, "Error getting user for session: Error ensuring CK database at " CKDB_PATH ": "); -@@ -328,9 +353,14 @@ polkit_backend_session_monitor_get_user_for_subject (PolkitBackendSessionMonitor - g_free (group); - - ret = polkit_unix_user_new (uid); -+ matches = TRUE; - } - - out: -+ if (result_matches != NULL) -+ { -+ *result_matches = matches; -+ } - return ret; - } - -diff --git a/src/polkitbackend/polkitbackendsessionmonitor.h b/src/polkitbackend/polkitbackendsessionmonitor.h -index 
8f8a2ca..3972326 100644 ---- a/src/polkitbackend/polkitbackendsessionmonitor.h -+++ b/src/polkitbackend/polkitbackendsessionmonitor.h -@@ -47,6 +47,7 @@ GList *polkit_backend_session_monitor_get_sessions (Polkit - - PolkitIdentity *polkit_backend_session_monitor_get_user_for_subject (PolkitBackendSessionMonitor *monitor, - PolkitSubject *subject, -+ gboolean *result_matches, - GError **error); - - PolkitSubject *polkit_backend_session_monitor_get_session_for_subject (PolkitBackendSessionMonitor *monitor, --- -cgit v1.1 diff --git a/files/security/CVE-2018-19788.patch b/files/security/CVE-2018-19788.patch deleted file mode 100644 --- a/files/security/CVE-2018-19788.patch +++ /dev/null 
@@ -1,188 +0,0 @@ -From 2cb40c4d5feeaa09325522bd7d97910f1b59e379 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Mon, 3 Dec 2018 10:28:58 +0100 -Subject: [PATCH] Allow negative uids/gids in PolkitUnixUser and Group objects - -(uid_t) -1 is still used as placeholder to mean "unset". This is OK, since -there should be no users with such number, see -https://systemd.io/UIDS-GIDS#special-linux-uids. - -(uid_t) -1 is used as the default value in class initialization. - -When a user or group above INT32_MAX is created, the numeric uid or -gid wraps around to negative when the value is assigned to gint, and -polkit gets confused. Let's accept such gids, except for -1. - -A nicer fix would be to change the underlying type to e.g. uint32 to -not have negative values. But this cannot be done without breaking the -API, so likely new functions will have to be added (a -polkit_unix_user_new variant that takes a unsigned, and the same for -_group_new, _set_uid, _get_uid, _set_gid, _get_gid, etc.). This will -require a bigger patch. - -Fixes https://gitlab.freedesktop.org/polkit/polkit/issues/74. 
---- - src/polkit/polkitunixgroup.c | 15 +++++++++++---- - src/polkit/polkitunixprocess.c | 12 ++++++++---- - src/polkit/polkitunixuser.c | 13 ++++++++++--- - 3 files changed, 29 insertions(+), 11 deletions(-) - -diff --git a/src/polkit/polkitunixgroup.c b/src/polkit/polkitunixgroup.c -index c57a1aa..309f689 100644 ---- a/src/polkit/polkitunixgroup.c -+++ b/src/polkit/polkitunixgroup.c -@@ -71,6 +71,7 @@ G_DEFINE_TYPE_WITH_CODE (PolkitUnixGroup, polkit_unix_group, G_TYPE_OBJECT, - static void - polkit_unix_group_init (PolkitUnixGroup *unix_group) - { -+ unix_group->gid = -1; /* (git_t) -1 is not a valid GID under Linux */ - } - - static void -@@ -100,11 +101,14 @@ polkit_unix_group_set_property (GObject *object, - GParamSpec *pspec) - { - PolkitUnixGroup *unix_group = POLKIT_UNIX_GROUP (object); -+ gint val; - - switch (prop_id) - { - case PROP_GID: -- unix_group->gid = g_value_get_int (value); -+ val = g_value_get_int (value); -+ g_return_if_fail (val != -1); -+ unix_group->gid = val; - break; - - default: -@@ -131,9 +135,9 @@ polkit_unix_group_class_init (PolkitUnixGroupClass *klass) - g_param_spec_int ("gid", - "Group ID", - "The UNIX group ID", -- 0, -+ G_MININT, - G_MAXINT, -- 0, -+ -1, - G_PARAM_CONSTRUCT | - G_PARAM_READWRITE | - G_PARAM_STATIC_NAME | -@@ -166,9 +170,10 @@ polkit_unix_group_get_gid (PolkitUnixGroup *group) - */ - void - polkit_unix_group_set_gid (PolkitUnixGroup *group, -- gint gid) -+ gint gid) - { - g_return_if_fail (POLKIT_IS_UNIX_GROUP (group)); -+ g_return_if_fail (gid != -1); - group->gid = gid; - } - -@@ -183,6 +188,8 @@ polkit_unix_group_set_gid (PolkitUnixGroup *group, - PolkitIdentity * - polkit_unix_group_new (gint gid) - { -+ g_return_val_if_fail (gid != -1, NULL); -+ - return POLKIT_IDENTITY (g_object_new (POLKIT_TYPE_UNIX_GROUP, - "gid", gid, - NULL)); -diff --git a/src/polkit/polkitunixprocess.c b/src/polkit/polkitunixprocess.c -index 972b777..b02b258 100644 ---- a/src/polkit/polkitunixprocess.c -+++ 
b/src/polkit/polkitunixprocess.c -@@ -159,9 +159,14 @@ polkit_unix_process_set_property (GObject *object, - polkit_unix_process_set_pid (unix_process, g_value_get_int (value)); - break; - -- case PROP_UID: -- polkit_unix_process_set_uid (unix_process, g_value_get_int (value)); -+ case PROP_UID: { -+ gint val; -+ -+ val = g_value_get_int (value); -+ g_return_if_fail (val != -1); -+ polkit_unix_process_set_uid (unix_process, val); - break; -+ } - - case PROP_START_TIME: - polkit_unix_process_set_start_time (unix_process, g_value_get_uint64 (value)); -@@ -239,7 +244,7 @@ polkit_unix_process_class_init (PolkitUnixProcessClass *klass) - g_param_spec_int ("uid", - "User ID", - "The UNIX user ID", -- -1, -+ G_MININT, - G_MAXINT, - -1, - G_PARAM_CONSTRUCT | -@@ -303,7 +308,6 @@ polkit_unix_process_set_uid (PolkitUnixProcess *process, - gint uid) - { - g_return_if_fail (POLKIT_IS_UNIX_PROCESS (process)); -- g_return_if_fail (uid >= -1); - process->uid = uid; - } - -diff --git a/src/polkit/polkitunixuser.c b/src/polkit/polkitunixuser.c -index 8bfd3a1..234a697 100644 ---- a/src/polkit/polkitunixuser.c -+++ b/src/polkit/polkitunixuser.c -@@ -72,6 +72,7 @@ G_DEFINE_TYPE_WITH_CODE (PolkitUnixUser, polkit_unix_user, G_TYPE_OBJECT, - static void - polkit_unix_user_init (PolkitUnixUser *unix_user) - { -+ unix_user->uid = -1; /* (uid_t) -1 is not a valid UID under Linux */ - unix_user->name = NULL; - } - -@@ -112,11 +113,14 @@ polkit_unix_user_set_property (GObject *object, - GParamSpec *pspec) - { - PolkitUnixUser *unix_user = POLKIT_UNIX_USER (object); -+ gint val; - - switch (prop_id) - { - case PROP_UID: -- unix_user->uid = g_value_get_int (value); -+ val = g_value_get_int (value); -+ g_return_if_fail (val != -1); -+ unix_user->uid = val; - break; - - default: -@@ -144,9 +148,9 @@ polkit_unix_user_class_init (PolkitUnixUserClass *klass) - g_param_spec_int ("uid", - "User ID", - "The UNIX user ID", -- 0, -+ G_MININT, - G_MAXINT, -- 0, -+ -1, - G_PARAM_CONSTRUCT | - 
G_PARAM_READWRITE | - G_PARAM_STATIC_NAME | -@@ -182,6 +186,7 @@ polkit_unix_user_set_uid (PolkitUnixUser *user, - gint uid) - { - g_return_if_fail (POLKIT_IS_UNIX_USER (user)); -+ g_return_if_fail (uid != -1); - user->uid = uid; - } - -@@ -196,6 +201,8 @@ polkit_unix_user_set_uid (PolkitUnixUser *user, - PolkitIdentity * - polkit_unix_user_new (gint uid) - { -+ g_return_val_if_fail (uid != -1, NULL); -+ - return POLKIT_IDENTITY (g_object_new (POLKIT_TYPE_UNIX_USER, - "uid", uid, - NULL)); --- -GitLab - diff --git a/files/security/CVE-2019-6133.patch b/files/security/CVE-2019-6133.patch deleted file mode 100644 --- a/files/security/CVE-2019-6133.patch +++ /dev/null 
@@ -1,185 +0,0 @@ -From 6cc6aafee135ba44ea748250d7d29b562ca190e3 Mon Sep 17 00:00:00 2001 -From: Colin Walters -Date: Fri, 4 Jan 2019 14:24:48 -0500 -Subject: [PATCH] backend: Compare PolkitUnixProcess uids for temporary - authorizations - -It turns out that the combination of `(pid, start time)` is not -enough to be unique. For temporary authorizations, we can avoid -separate users racing on pid reuse by simply comparing the uid. - -https://bugs.chromium.org/p/project-zero/issues/detail?id=1692 - -And the above original email report is included in full in a new comment. - -Reported-by: Jann Horn - -Closes: https://gitlab.freedesktop.org/polkit/polkit/issues/75 ---- - src/polkit/polkitsubject.c | 2 + - src/polkit/polkitunixprocess.c | 71 ++++++++++++++++++- - .../polkitbackendinteractiveauthority.c | 39 +++++++++- - 3 files changed, 110 insertions(+), 2 deletions(-) - -diff --git a/src/polkit/polkitsubject.c b/src/polkit/polkitsubject.c -index d4c1182..ccabd0a 100644 ---- a/src/polkit/polkitsubject.c -+++ b/src/polkit/polkitsubject.c -@@ -99,6 +99,8 @@ polkit_subject_hash (PolkitSubject *subject) - * @b: A #PolkitSubject. - * - * Checks if @a and @b are equal, ie. represent the same subject. -+ * However, avoid calling polkit_subject_equal() to compare two processes; -+ * for more information see the `PolkitUnixProcess` documentation. - * - * This function can be used in e.g. g_hash_table_new(). - * -diff --git a/src/polkit/polkitunixprocess.c b/src/polkit/polkitunixprocess.c -index b02b258..78d7251 100644 ---- a/src/polkit/polkitunixprocess.c -+++ b/src/polkit/polkitunixprocess.c -@@ -51,7 +51,10 @@ - * @title: PolkitUnixProcess - * @short_description: Unix processs - * -- * An object for representing a UNIX process. -+ * An object for representing a UNIX process. NOTE: This object as -+ * designed is now known broken; a mechanism to exploit a delay in -+ * start time in the Linux kernel was identified. 
Avoid -+ * calling polkit_subject_equal() to compare two processes. - * - * To uniquely identify processes, both the process id and the start - * time of the process (a monotonic increasing value representing the -@@ -66,6 +69,72 @@ - * polkit_unix_process_new_for_owner() with trusted data. - */ - -+/* See https://gitlab.freedesktop.org/polkit/polkit/issues/75 -+ -+ But quoting the original email in full here to ensure it's preserved: -+ -+ 
From: Jann Horn -+ Subject: [SECURITY] polkit: temporary auth hijacking via PID reuse and non-atomic fork -+ Date: Wednesday, October 10, 2018 5:34 PM -+ -+When a (non-root) user attempts to e.g. control systemd units in the system -+instance from an active session over DBus, the access is gated by a polkit -+policy that requires "auth_admin_keep" auth. This results in an auth prompt -+being shown to the user, asking the user to confirm the action by entering the -+password of an administrator account. -+ -+After the action has been confirmed, the auth decision for "auth_admin_keep" is -+cached for up to five minutes. Subject to some restrictions, similar actions can -+then be performed in this timespan without requiring re-auth: -+ -+ - The PID of the DBus client requesting the new action must match the PID of -+ the DBus client requesting the old action (based on SO_PEERCRED information -+ forwarded by the DBus daemon). -+ - The "start time" of the client's PID (as seen in /proc/$pid/stat, field 22) -+ must not have changed. The granularity of this timestamp is in the -+ millisecond range. -+ - polkit polls every two seconds whether a process with the expected start time -+ still exists. If not, the temporary auth entry is purged. -+ -+Without the start time check, this would obviously be buggy because an attacker -+could simply wait for the legitimate client to disappear, then create a new -+client with the same PID. -+ -+Unfortunately, the start time check is bypassable because fork() is not atomic. -+Looking at the source code of copy_process() in the kernel: -+ -+ p->start_time = ktime_get_ns(); -+ p->real_start_time = ktime_get_boot_ns(); -+ [...] 
-+ retval = copy_thread_tls(clone_flags, stack_start, stack_size, p, tls); -+ if (retval) -+ goto bad_fork_cleanup_io; -+ -+ if (pid != &init_struct_pid) { -+ pid = alloc_pid(p->nsproxy->pid_ns_for_children); -+ if (IS_ERR(pid)) { -+ retval = PTR_ERR(pid); -+ goto bad_fork_cleanup_thread; -+ } -+ } -+ -+The ktime_get_boot_ns() call is where the "start time" of the process is -+recorded. The alloc_pid() call is where a free PID is allocated. In between -+these, some time passes; and because the copy_thread_tls() call between them can -+access userspace memory when sys_clone() is invoked through the 32-bit syscall -+entry point, an attacker can even stall the kernel arbitrarily long at this -+point (by supplying a pointer into userspace memory that is associated with a -+userfaultfd or is backed by a custom FUSE filesystem). -+ -+This means that an attacker can immediately call sys_clone() when the victim -+process is created, often resulting in a process that has the exact same start -+time reported in procfs; and then the attacker can delay the alloc_pid() call -+until after the victim process has died and the PID assignment has cycled -+around. This results in an attacker process that polkit can't distinguish from -+the victim process. 
-+*/ -+ -+ - /** - * PolkitUnixProcess: - * -diff --git a/src/polkitbackend/polkitbackendinteractiveauthority.c b/src/polkitbackend/polkitbackendinteractiveauthority.c -index a1630b9..80e8141 100644 ---- a/src/polkitbackend/polkitbackendinteractiveauthority.c -+++ b/src/polkitbackend/polkitbackendinteractiveauthority.c -@@ -3031,6 +3031,43 @@ temporary_authorization_store_free (TemporaryAuthorizationStore *store) - g_free (store); - } - -+/* See the comment at the top of polkitunixprocess.c */ -+static gboolean -+subject_equal_for_authz (PolkitSubject *a, -+ PolkitSubject *b) -+{ -+ if (!polkit_subject_equal (a, b)) -+ return FALSE; -+ -+ /* Now special case unix processes, as we want to protect against -+ * pid reuse by including the UID. -+ */ -+ if (POLKIT_IS_UNIX_PROCESS (a) && POLKIT_IS_UNIX_PROCESS (b)) { -+ PolkitUnixProcess *ap = (PolkitUnixProcess*)a; -+ int uid_a = polkit_unix_process_get_uid ((PolkitUnixProcess*)a); -+ PolkitUnixProcess *bp = (PolkitUnixProcess*)b; -+ int uid_b = polkit_unix_process_get_uid ((PolkitUnixProcess*)b); -+ -+ if (uid_a != -1 && uid_b != -1) -+ { -+ if (uid_a == uid_b) -+ { -+ return TRUE; -+ } -+ else -+ { -+ g_printerr ("denying slowfork; pid %d uid %d != %d!\n", -+ polkit_unix_process_get_pid (ap), -+ uid_a, uid_b); -+ return FALSE; -+ } -+ } -+ /* Fall through; one of the uids is unset so we can't reliably compare */ -+ } -+ -+ return TRUE; -+} -+ - static gboolean - temporary_authorization_store_has_authorization (TemporaryAuthorizationStore *store, - PolkitSubject *subject, -@@ -3073,7 +3110,7 @@ temporary_authorization_store_has_authorization (TemporaryAuthorizationStore *st - TemporaryAuthorization *authorization = l->data; - - if (strcmp (action_id, authorization->action_id) == 0 && -- polkit_subject_equal (subject_to_use, authorization->subject)) -+ subject_equal_for_authz (subject_to_use, authorization->subject)) - { - ret = TRUE; - if (out_tmp_authz_id != NULL) --- -GitLab - 
diff --git a/files/security/CVE-2021-3560.patch b/files/security/CVE-2021-3560.patch deleted file mode 100644 --- a/files/security/CVE-2021-3560.patch +++ /dev/null @@ -1,27 +0,0 @@ -From a04d13affe0fa53ff618e07aa8f57f4c0e3b9b81 Mon Sep 17 00:00:00 2001 -From: Jan Rybar -Date: Wed, 2 Jun 2021 15:43:38 +0200 -Subject: [PATCH] GHSL-2021-074: authentication bypass vulnerability in polkit - -initial values returned if error caught ---- - src/polkit/polkitsystembusname.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/src/polkit/polkitsystembusname.c b/src/polkit/polkitsystembusname.c -index 8daa12c..8ed1363 100644 ---- a/src/polkit/polkitsystembusname.c -+++ b/src/polkit/polkitsystembusname.c -@@ -435,6 +435,9 @@ polkit_system_bus_name_get_creds_sync (PolkitSystemBusName *system_bus - while (!((data.retrieved_uid && data.retrieved_pid) || data.caught_error)) - g_main_context_iteration (tmp_context, TRUE); - -+ if (data.caught_error) -+ goto out; -+ - if (out_uid) - *out_uid = data.uid; - if (out_pid) --- -GitLab - diff --git a/files/security/CVE-2021-4034.patch b/files/security/CVE-2021-4034.patch deleted file mode 100644 --- a/files/security/CVE-2021-4034.patch +++ /dev/null 
@@ -1,66 +0,0 @@ -diff --git a/src/programs/pkcheck.c b/src/programs/pkcheck.c -index f1bb4e13f7dbfb0c06eff7b5ded07d2a7a75cd44..768525cd4ff0540103d0e42c5aba265cdc43dec4 100644 ---- a/src/programs/pkcheck.c -+++ b/src/programs/pkcheck.c -@@ -363,6 +363,11 @@ main (int argc, char *argv[]) - local_agent_handle = NULL; - ret = 126; - -+ if (argc < 1) -+ { -+ exit(126); -+ } -+ - /* Disable remote file access from GIO. */ - setenv ("GIO_USE_VFS", "local", 1); - -diff --git a/src/programs/pkexec.c b/src/programs/pkexec.c -index 7698c5c2fff8a6116f32f62a0fd1598739fc3c27..84e5ef69b1eb7a175f311ce6dbf9a07b15aa167d 100644 ---- a/src/programs/pkexec.c -+++ b/src/programs/pkexec.c -@@ -488,6 +488,15 @@ main (int argc, char *argv[]) - pid_t pid_of_caller; - gpointer local_agent_handle; - -+ -+ /* -+ * If 'pkexec' is called THIS wrong, someone's probably evil-doing. Don't be nice, just bail out. -+ */ -+ if (argc<1) -+ { -+ exit(127); -+ } -+ - ret = 127; - authority = NULL; - subject = NULL; -@@ -614,10 +623,10 @@ main (int argc, char *argv[]) - - path = g_strdup (pwstruct.pw_shell); - if (!path) -- { -+ { - g_printerr ("No shell configured or error retrieving pw_shell\n"); - goto out; -- } -+ } - /* If you change this, be sure to change the if (!command_line) - case below too */ - command_line = g_strdup (path); -@@ -636,7 +645,15 @@ main (int argc, char *argv[]) - goto out; - } - g_free (path); -- argv[n] = path = s; -+ path = s; -+ -+ /* argc<2 and pkexec runs just shell, argv is guaranteed to be null-terminated. -+ * /-less shell shouldn't happen, but let's be defensive and don't write to null-termination -+ */ -+ if (argv[n] != NULL) -+ { -+ argv[n] = path; -+ } - } - if (access (path, F_OK) != 0) - { diff --git a/files/series b/files/series --- a/files/series +++ b/files/series 
@@ -1,9 +1,3 @@
 0001-Change-the-default-admin-group-to-sudo.patch
 0001-pkexec-Support-a-stateless-configuration.patch
-0003-data-Use-modern-stateless-dbus-system.d-directory.patch
-in-systemd-we-trust.patch
-security/CVE-2018-1116.patch
-security/CVE-2018-19788.patch
-security/CVE-2019-6133.patch
-security/CVE-2021-3560.patch
-security/CVE-2021-4034.patch
+0001-install-50-default-rules-in-usr.patch
diff --git a/package.yml b/package.yml
--- a/package.yml
+++ b/package.yml
@@ -1,8 +1,8 @@
 name : polkit
-version : 0.113
-release : 25
+version : 121
+release : 26
 source :
-    - git|https://github.com/ikeydoherty/polkit-no-script.git : 5bcb1c1f9f678d950c44eccba81db36fddb09efc
+    - https://www.freedesktop.org/software/polkit/releases/polkit-121.tar.gz : 9dc7ae341a797c994a5a36da21963f0c5c8e3e5a1780ccc2a5f52e7be01affaa
 homepage : http://www.freedesktop.org/wiki/Software/polkit
 license :
     - GPL-2.0-or-later
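Review bot: The five `security/CVE-*.patch` entries are retired from the series together with the patch files, but nothing in the change records why that is safe, so a later reader auditing this package for CVE-2018-1116, CVE-2018-19788, CVE-2019-6133, CVE-2021-3560 or CVE-2021-4034 has to rediscover that polkit 121 already carries those fixes upstream (it does, as far as the upstream release history goes, since each landed in a release before 121). A one-line note in the commit message or next to the `%apply_patches` step, e.g. `# CVE backports dropped: fixed upstream in 121`, would preserve that reasoning. `in-systemd-we-trust.patch` and `0003-data-Use-modern-stateless-dbus-system.d-directory.patch` are also removed without a replacement; presumably `-Dsession_tracking=libsystemd-login` and 121's default D-Bus policy install path cover them, but that is not visible here and is worth confirming against the built file list.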
@@ -14,35 +14,35 @@ polkit is an application-level toolkit for defining and handling the policy that allows unprivileged processes to speak to privileged processes: It is a framework for centralizing the decision making process with respect to granting access to privileged operations for unprivileged applications. See the polkit(8) manual page for more detailed information. builddeps : - docbook-xml + - pkgconfig(duktape) - pkgconfig(expat) - pkgconfig(gtk-doc) - pkgconfig(udev) + # check: + - python-dbusmock setup : | # Patch the tree to be usable. %apply_patches - export NOCONFIGURE=1 - - %autogen --disable-static \ - --libexecdir=%libdir%/polkit-1 \ - --with-os-type=Solus \ - --enable-libsystemd-login=yes \ - --enable-introspection=yes \ - --enable-gtk-doc \ - --enable-gtk-doc-html \ - --with-wheel-group=sudo \ - --with-backend=keyfile \ - --disable-test - # TODO: Make test suite work again! + %meson_configure -Dos_type=redhat \ + -Dsession_tracking=libsystemd-login \ + -Dexamples=true \ + -Dman=true \ + -Dgtk_doc=true \ + -Dtests=true build : | - %make + %ninja_build install : | - %make_install + %ninja_install # systemd can hook up users + stuff for us. install -D -m 00644 $pkgfiles/polkit.sysusers $installdir/%libdir%/sysusers.d/polkit.conf install -D -m 00644 $pkgfiles/polkit.tmpfiles $installdir/%libdir%/tmpfiles.d/polkit.conf - # Make pam work goodly. - rm -rf $installdir/etc/pam.d + # Stateless + rm -rf $installdir/etc/ + + # Make pam work goodly install -Dm00644 $pkgfiles/pam.d/polkit-1 $installdir/usr/share/defaults/etc/pam.d/polkit-1 +check : | + meson test -C solusBuildDir --print-errorlogs -t 3 diff --git a/pspec_x86_64.xml b/pspec_x86_64.xml --- a/pspec_x86_64.xml +++ b/pspec_x86_64.xml @@ -3,8 +3,8 @@ polkit http://www.freedesktop.org/wiki/Software/polkit - F. von Gellhorn - flinux@vongellhorn.ch + Reilly Brogan + solus@reillybrogan.com GPL-2.0-or-later system.base 
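Review bot: Moving from the `polkit-no-script` fork built with `--with-backend=keyfile` to upstream 121 with `pkgconfig(duktape)` re-enables the JavaScript rules backend, so the admin-group mapping no longer comes from the removed `--with-wheel-group=sudo` switch but from 121's `50-default.rules`, whose upstream default admin identity with `-Dos_type=redhat` is, as far as I recall, `unix-group:wheel`; the kept `0001-Change-the-default-admin-group-to-sudo.patch` therefore has to still apply to the 121 rule file, otherwise admin authentication would silently require a group this distribution does not use. That dependency is worth a comment in the setup step, e.g. `# admin group must stay 'sudo': see 0001-Change-the-default-admin-group-to-sudo.patch`. Separately, `rm -rf $installdir/etc/` now also drops the `/etc/polkit-1/rules.d` drop-in directory that polkitd scans for local overrides; if `polkit.tmpfiles` is what recreates it at runtime, say so next to the `# Stateless` comment, and if nothing does, the directory should be created explicitly so local rules can still be placed there.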
@@ -20,8 +20,6 @@ system.base - /etc/polkit-1/rules.d/50-default.keyrules - /etc/polkit-1/rules.d/50-default.rules /usr/bin/pk-example-frobnicate /usr/bin/pkaction /usr/bin/pkcheck @@ -51,8 +49,13 @@ /usr/share/locale/hr/LC_MESSAGES/polkit-1.mo /usr/share/locale/hu/LC_MESSAGES/polkit-1.mo /usr/share/locale/id/LC_MESSAGES/polkit-1.mo + /usr/share/locale/it/LC_MESSAGES/polkit-1.mo + /usr/share/locale/nl/LC_MESSAGES/polkit-1.mo + /usr/share/locale/nn/LC_MESSAGES/polkit-1.mo /usr/share/locale/pl/LC_MESSAGES/polkit-1.mo + /usr/share/locale/pt/LC_MESSAGES/polkit-1.mo /usr/share/locale/pt_BR/LC_MESSAGES/polkit-1.mo + /usr/share/locale/ro/LC_MESSAGES/polkit-1.mo /usr/share/locale/sk/LC_MESSAGES/polkit-1.mo /usr/share/locale/sv/LC_MESSAGES/polkit-1.mo /usr/share/locale/tr/LC_MESSAGES/polkit-1.mo @@ -67,7 +70,8 @@ /usr/share/man/man8/polkitd.8 /usr/share/polkit-1/actions/org.freedesktop.policykit.examples.pkexec.policy /usr/share/polkit-1/actions/org.freedesktop.policykit.policy - /usr/share/polkit-1/rules.d + /usr/share/polkit-1/policyconfig-1.dtd + /usr/share/polkit-1/rules.d/50-default.rules @@ -77,7 +81,7 @@ system.devel - polkit + polkit /usr/include/polkit-1/polkit/polkit.h @@ -180,12 +184,12 @@ - - 2022-03-26 - 0.113 + + 2022-07-21 + 121 Packaging update - F. von Gellhorn - flinux@vongellhorn.ch + Reilly Brogan + solus@reillybrogan.com \ No newline at end of file