==> debian/rules <==

#!/usr/bin/make -f
# -*- makefile -*-

DEB_HOST_MULTIARCH ?= $(shell dpkg-architecture -qDEB_HOST_MULTIARCH)

%:
	dh $@ --with autoreconf

DPKG_GENSYMBOLS_CHECK_LEVEL=4
export DPKG_GENSYMBOLS_CHECK_LEVEL

override_dh_auto_configure:
	dh_auto_configure -- \
		--disable-silent-rules \
		--enable-gtk-doc \
		--enable-man-pages \
		--enable-introspection \
		--enable-systemd \
		--disable-examples \
		--libexecdir=\$${prefix}/lib/policykit-1

override_dh_auto_test:
	# the system D-BUS tests can't work on the buildds, so don't let a
	# failed test fail the build
	make check || true

override_dh_makeshlibs:
	dh_makeshlibs -Xusr/lib/$(DEB_HOST_MULTIARCH)/polkit-1/

override_dh_shlibdeps:
	dh_shlibdeps
	dh_girepository

override_dh_install:
	dh_install
	# on Debian use sudo group; on Ubuntu, also allow the admin group for
	# historical reasons
	if dpkg-vendor --is ubuntu; then \
		/bin/echo -e "[Configuration]\nAdminIdentities=unix-group:sudo;unix-group:admin" > debian/policykit-1/etc/polkit-1/localauthority.conf.d/51-ubuntu-admin.conf; \
	elif dpkg-vendor --is debian; then \
		/bin/echo -e "[Configuration]\nAdminIdentities=unix-group:sudo" > debian/policykit-1/etc/polkit-1/localauthority.conf.d/51-debian-sudo.conf; \
	fi

==> debian/control <==

Source: policykit-1
Section: admin
Priority: optional
Maintainer: Ubuntu Developers
XSBC-Original-Maintainer: Utopia Maintenance Team
Uploaders: Michael Biebl , Martin Pitt
Build-Depends: debhelper (>= 9),
 autotools-dev,
 dh-autoreconf,
 pkg-config,
 libglib2.0-dev (>= 2.28.0),
 libexpat1-dev,
 libpam0g-dev,
 libselinux1-dev [linux-any],
 libsystemd-login-dev,
 gtk-doc-tools,
 xsltproc,
 libgirepository1.0-dev (>= 0.9.12),
 gobject-introspection (>= 0.9.12-4~),
 gir1.2-glib-2.0,
 libglib2.0-doc,
 libgtk-3-doc
Standards-Version: 3.9.3
Vcs-Git: git://git.debian.org/git/pkg-utopia/policykit.git
Vcs-Browser: http://git.debian.org/?p=pkg-utopia/policykit.git;a=summary
Homepage: http://hal.freedesktop.org/docs/PolicyKit/

Package: policykit-1
Architecture: any
Depends: ${shlibs:Depends}, ${misc:Depends}, libpam-systemd, dbus
Multi-Arch: foreign
Description: framework for managing administrative policies and privileges
 PolicyKit is an application-level toolkit for defining and handling the policy
 that allows unprivileged processes to speak to privileged processes.
 .
 It is a framework for centralizing the decision making process with respect to
 granting access to privileged operations for unprivileged (desktop)
 applications.

Package: policykit-1-doc
Architecture: all
Section: doc
Depends: ${misc:Depends}
Suggests: devhelp
Description: documentation for PolicyKit-1
 PolicyKit is a toolkit for defining and handling the policy that allows
 unprivileged processes to speak to privileged processes.
 .
 This package contains the API documentation of PolicyKit.

Package: libpolkit-gobject-1-0
Architecture: any
Section: libs
Pre-Depends: ${misc:Pre-Depends}
Depends: ${shlibs:Depends}, ${misc:Depends}
Multi-Arch: same
Breaks: policykit-1 (<< 0.99), libpolkit-gtk-1-0 (<< 0.99), libpolkit-agent-1-0 (<< 0.99), libpolkit-backend-1-0 (<< 0.99)
Description: PolicyKit Authorization API
 PolicyKit is a toolkit for defining and handling the policy that allows
 unprivileged processes to speak to privileged processes.
 .
 This package contains a library for accessing PolicyKit.

Package: libpolkit-gobject-1-dev
Architecture: any
Section: libdevel
Depends: libpolkit-gobject-1-0 (= ${binary:Version}), ${misc:Depends}, libglib2.0-dev, gir1.2-polkit-1.0 (= ${binary:Version})
Description: PolicyKit Authorization API - development files
 PolicyKit is a toolkit for defining and handling the policy that allows
 unprivileged processes to speak to privileged processes.
 .
 This package contains the development files for the library found in
 libpolkit-gobject-1-0.

Package: libpolkit-agent-1-0
Architecture: any
Section: libs
Pre-Depends: ${misc:Pre-Depends}
Depends: ${shlibs:Depends}, ${misc:Depends}
Multi-Arch: same
Description: PolicyKit Authentication Agent API
 PolicyKit is a toolkit for defining and handling the policy that allows
 unprivileged processes to speak to privileged processes.
 .
 This package contains a library for accessing the authentication agent.

Package: libpolkit-agent-1-dev
Architecture: any
Section: libdevel
Depends: libpolkit-agent-1-0 (= ${binary:Version}), ${misc:Depends}, libpolkit-gobject-1-dev, gir1.2-polkit-1.0 (= ${binary:Version})
Description: PolicyKit Authentication Agent API - development files
 PolicyKit is a toolkit for defining and handling the policy that allows
 unprivileged processes to speak to privileged processes.
 .
 This package contains the development files for the library found in
 libpolkit-agent-1-0.

Package: libpolkit-backend-1-0
Architecture: any
Section: libs
Pre-Depends: ${misc:Pre-Depends}
Depends: ${shlibs:Depends}, ${misc:Depends}
Multi-Arch: same
Breaks: policykit-1 (<< 0.99)
Description: PolicyKit backend API
 PolicyKit is a toolkit for defining and handling the policy that allows
 unprivileged processes to speak to privileged processes.
 .
 This package contains a library for implementing authentication backends.

Package: libpolkit-backend-1-dev
Architecture: any
Section: libdevel
Depends: libpolkit-backend-1-0 (= ${binary:Version}), ${misc:Depends}, libpolkit-gobject-1-dev
Description: PolicyKit backend API - development files
 PolicyKit is a toolkit for defining and handling the policy that allows
 unprivileged processes to speak to privileged processes.
 .
 This package contains the development files for the library found in
 libpolkit-backend-1-0.

Package: gir1.2-polkit-1.0
Section: introspection
Architecture: any
Depends: ${gir:Depends}, ${shlibs:Depends}, ${misc:Depends}
Description: GObject introspection data for PolicyKit
 PolicyKit is a toolkit for defining and handling the policy that allows
 unprivileged processes to speak to privileged processes.
 .
 This package contains introspection data for PolicyKit.
 .
 It can be used by packages using the GIRepository format to generate
 dynamic bindings.

==> debian/watch <==

version=3
http://www.freedesktop.org/software/polkit/releases/polkit-(.*)\.tar\.gz

==> debian/libpolkit-agent-1-0.install <==

usr/lib/*/libpolkit-agent-1.so.*

==> debian/gbp.conf <==

[DEFAULT]
pristine-tar = True
debian-branch = master

==> debian/policykit-1.prerm <==

#!/bin/sh
# prerm script for policykit-1
#
# see: dh_installdeb(1)

set -e

# summary of how this script can be called:
#        * `remove'
#        * `upgrade'
#        * `failed-upgrade'
#        * `remove' `in-favour'
#        * `deconfigure' `in-favour'
#          `removing'
#
# for details, see http://www.debian.org/doc/debian-policy/ or
# the debian-policy package

# Look up the PID owning a well-known name on the system bus; prints nothing
# if the name is not given or the system bus socket is not present.
get_pid() {
    [ -n "$1" ] || return
    [ -S /var/run/dbus/system_bus_socket ] || return
    dbus-send --system --dest=org.freedesktop.DBus --print-reply \
        /org/freedesktop/DBus org.freedesktop.DBus.GetConnectionUnixProcessID \
        string:$1 2>/dev/null | awk '/uint32/ {print $2}'
}

case "$1" in
    remove)
        kill $(get_pid org.freedesktop.PolicyKit1) 2>/dev/null || true
    ;;

    upgrade|deconfigure|failed-upgrade)
    ;;

    *)
        echo "prerm called with unknown argument \`$1'" >&2
        exit 1
    ;;
esac

# dh_installdeb will replace this with shell code automatically
# generated by other debhelper scripts.
#DEBHELPER# exit 0 debian/patches/0000755000000000000000000000000013446700544010624 5ustar debian/patches/02_gettext.patch0000644000000000000000000001421012227267237013633 0ustar From c28ef44e1ba82e1a3419c740ac0bbb8aaa591bcd Mon Sep 17 00:00:00 2001 From: Robert Ancell Date: Wed, 18 Aug 2010 16:26:15 +1000 Subject: [PATCH] Use gettext for translations in .policy files Bug: http://bugs.freedesktop.org/show_bug.cgi?id=29639 Bug-Ubuntu: https://launchpad.net/bugs/619632 --- src/polkitbackend/polkitbackendactionpool.c | 48 +++++++++++++++++++++++++++ 1 files changed, 48 insertions(+), 0 deletions(-) Index: policykit/src/polkitbackend/polkitbackendactionpool.c =================================================================== --- policykit.orig/src/polkitbackend/polkitbackendactionpool.c 2011-04-20 12:02:27.366174916 +0200 +++ policykit/src/polkitbackend/polkitbackendactionpool.c 2011-08-08 14:14:31.713738052 +0200 @@ -24,6 +24,8 @@ #include #include #include +#include +#include #include #include @@ -45,7 +47,9 @@ gchar *vendor_url; gchar *icon_name; gchar *description; + gchar *description_domain; gchar *message; + gchar *message_domain; PolkitImplicitAuthorization implicit_authorization_any; PolkitImplicitAuthorization implicit_authorization_inactive; @@ -67,7 +71,9 @@ g_free (action->vendor_url); g_free (action->icon_name); g_free (action->description); + g_free (action->description_domain); g_free (action->message); + g_free (action->message_domain); g_hash_table_unref (action->localized_description); g_hash_table_unref (action->localized_message); @@ -87,6 +93,7 @@ static const gchar *_localize (GHashTable *translations, const gchar *untranslated, + const gchar *domain, const gchar *lang); typedef struct 
@@ -387,9 +394,11 @@ description = _localize (parsed_action->localized_description, parsed_action->description, + parsed_action->description_domain, locale); message = _localize (parsed_action->localized_message, parsed_action->message, + parsed_action->message_domain, locale); ret = polkit_action_description_new (action_id, @@ -605,11 +614,16 @@ GHashTable *policy_messages; char *policy_description_nolang; + char *policy_description_domain; char *policy_message_nolang; + char *policy_message_domain; /* the value of xml:lang for the thing we're reading in _cdata() */ char *elem_lang; + /* the value of gettext-domain for the thing we're reading in _cdata() */ + char *elem_domain; + char *annotate_key; GHashTable *annotations; @@ -631,8 +645,12 @@ g_free (pd->policy_description_nolang); pd->policy_description_nolang = NULL; + g_free (pd->policy_description_domain); + pd->policy_description_domain = NULL; g_free (pd->policy_message_nolang); pd->policy_message_nolang = NULL; + g_free (pd->policy_message_domain); + pd->policy_message_domain = NULL; if (pd->policy_descriptions != NULL) { g_hash_table_unref (pd->policy_descriptions); @@ -652,6 +670,8 @@ } g_free (pd->elem_lang); pd->elem_lang = NULL; + g_free (pd->elem_domain); + pd->elem_domain = NULL; } static void @@ -739,6 +759,10 @@ { pd->elem_lang = g_strdup (attr[1]); } + if (num_attr == 2 && strcmp (attr[0], "gettext-domain") == 0) + { + pd->elem_domain = g_strdup (attr[1]); + } state = STATE_IN_ACTION_DESCRIPTION; } else if (strcmp (el, "message") == 0) @@ -747,6 +771,10 @@ { pd->elem_lang = g_strdup (attr[1]); } + if (num_attr == 2 && strcmp (attr[0], "gettext-domain") == 0) + { + pd->elem_domain = g_strdup (attr[1]); + } state = STATE_IN_ACTION_MESSAGE; } else if (strcmp (el, "vendor") == 0 && num_attr == 0) @@ -849,6 +877,7 @@ { g_free (pd->policy_description_nolang); pd->policy_description_nolang = str; + pd->policy_description_domain = g_strdup (pd->elem_domain); str = NULL; } else 
@@ -865,6 +894,7 @@ { g_free (pd->policy_message_nolang); pd->policy_message_nolang = str; + pd->policy_message_domain = g_strdup (pd->elem_domain); str = NULL; } else @@ -962,6 +992,8 @@ g_free (pd->elem_lang); pd->elem_lang = NULL; + g_free (pd->elem_domain); + pd->elem_domain = NULL; switch (pd->state) { @@ -993,7 +1025,9 @@ action->vendor_url = g_strdup (vendor_url); action->icon_name = g_strdup (icon_name); action->description = g_strdup (pd->policy_description_nolang); + action->description_domain = g_strdup (pd->policy_description_domain); action->message = g_strdup (pd->policy_message_nolang); + action->message_domain = g_strdup (pd->policy_message_domain); action->localized_description = pd->policy_descriptions; action->localized_message = pd->policy_messages; @@ -1095,6 +1129,7 @@ * _localize: * @translations: a mapping from xml:lang to the value, e.g. 'da' -> 'Smadre', 'en_CA' -> 'Punch, Aye!' * @untranslated: the untranslated value, e.g. 'Punch' + * @domain: the gettext domain for this string. Make be NULL. * @lang: the locale we're interested in, e.g. 'da_DK', 'da', 'en_CA', 'en_US'; basically just $LANG * with the encoding cut off. Maybe be NULL. * @@ -1105,11 +1140,25 @@ static const gchar * _localize (GHashTable *translations, const gchar *untranslated, + const gchar *domain, const gchar *lang) { const gchar *result; gchar lang2[256]; guint n; + + if (domain != NULL) + { + gchar *old_locale; + + old_locale = g_strdup (setlocale (LC_ALL, NULL)); + setlocale (LC_ALL, lang); + result = dgettext (domain, untranslated); + setlocale (LC_ALL, old_locale); + g_free (old_locale); + + goto out; + } if (lang == NULL) { debian/patches/CVE-2018-19788-1.patch0000644000000000000000000001674113402514154013507 0ustar From 2cb40c4d5feeaa09325522bd7d97910f1b59e379 Mon Sep 17 00:00:00 2001 
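Review bot: In 02_gettext.patch, the `_localize` hunk (`@@ -1105,11 +1140,25 @@`) returns the `dgettext` result unconditionally via `goto out`, so when the domain has no translation for `lang` the untranslated string comes back and the `translations` table built from the `xml:lang` elements is never consulted. The `setlocale (LC_ALL, lang)` call is also unchecked: it returns NULL and leaves the locale untouched when `lang` is not an installed locale, and `setlocale` is process-global, which is a problem if the authority ever localizes from more than one thread. Suggest checking the return value of `setlocale`, and falling through to the table lookup when `result == untranslated` instead of jumping to `out`.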
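Review bot: In 02_gettext.patch, the two start-element hunks (`@@ -739,6 +759,10 @@` and `@@ -747,6 +771,10 @@`) only recognise `gettext-domain` when it is the element's sole attribute (`num_attr == 2 && strcmp (attr[0], "gettext-domain") == 0`), copying the shape of the existing `xml:lang` test. A description or message element that carries both attributes has `num_attr == 4` and matches neither branch, so `elem_lang` and `elem_domain` both stay NULL and the string is treated as untranslated. Suggest walking the `attr` array in name/value pairs (`for (i = 0; i < num_attr; i += 2)`) and testing each name.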
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Mon, 3 Dec 2018 10:28:58 +0100 Subject: [PATCH] Allow negative uids/gids in PolkitUnixUser and Group objects (uid_t) -1 is still used as placeholder to mean "unset". This is OK, since there should be no users with such number, see https://systemd.io/UIDS-GIDS#special-linux-uids. (uid_t) -1 is used as the default value in class initialization. When a user or group above INT32_MAX is created, the numeric uid or gid wraps around to negative when the value is assigned to gint, and polkit gets confused. Let's accept such gids, except for -1. A nicer fix would be to change the underlying type to e.g. uint32 to not have negative values. But this cannot be done without breaking the API, so likely new functions will have to be added (a polkit_unix_user_new variant that takes a unsigned, and the same for _group_new, _set_uid, _get_uid, _set_gid, _get_gid, etc.). This will require a bigger patch. Fixes https://gitlab.freedesktop.org/polkit/polkit/issues/74. --- src/polkit/polkitunixgroup.c | 15 +++++++++++---- src/polkit/polkitunixprocess.c | 12 ++++++++---- src/polkit/polkitunixuser.c | 13 ++++++++++--- 3 files changed, 29 insertions(+), 11 deletions(-) Index: policykit-1-0.105/src/polkit/polkitunixgroup.c =================================================================== --- policykit-1-0.105.orig/src/polkit/polkitunixgroup.c 2018-12-07 07:46:23.491243637 -0500 +++ policykit-1-0.105/src/polkit/polkitunixgroup.c 2018-12-07 07:46:23.491243637 -0500 @@ -71,6 +71,7 @@ G_DEFINE_TYPE_WITH_CODE (PolkitUnixGroup static void polkit_unix_group_init (PolkitUnixGroup *unix_group) { + unix_group->gid = -1; /* (git_t) -1 is not a valid GID under Linux */ } static void 
@@ -100,11 +101,14 @@ polkit_unix_group_set_property (GObject GParamSpec *pspec) { PolkitUnixGroup *unix_group = POLKIT_UNIX_GROUP (object); + gint val; switch (prop_id) { case PROP_GID: - unix_group->gid = g_value_get_int (value); + val = g_value_get_int (value); + g_return_if_fail (val != -1); + unix_group->gid = val; break; default: @@ -131,9 +135,9 @@ polkit_unix_group_class_init (PolkitUnix g_param_spec_int ("gid", "Group ID", "The UNIX group ID", - 0, + G_MININT, G_MAXINT, - 0, + -1, G_PARAM_CONSTRUCT | G_PARAM_READWRITE | G_PARAM_STATIC_NAME | @@ -166,9 +170,10 @@ polkit_unix_group_get_gid (PolkitUnixGro */ void polkit_unix_group_set_gid (PolkitUnixGroup *group, - gint gid) + gint gid) { g_return_if_fail (POLKIT_IS_UNIX_GROUP (group)); + g_return_if_fail (gid != -1); group->gid = gid; } @@ -183,6 +188,8 @@ polkit_unix_group_set_gid (PolkitUnixGro PolkitIdentity * polkit_unix_group_new (gint gid) { + g_return_val_if_fail (gid != -1, NULL); + return POLKIT_IDENTITY (g_object_new (POLKIT_TYPE_UNIX_GROUP, "gid", gid, NULL)); Index: policykit-1-0.105/src/polkit/polkitunixprocess.c =================================================================== --- policykit-1-0.105.orig/src/polkit/polkitunixprocess.c 2018-12-07 07:46:23.491243637 -0500 +++ policykit-1-0.105/src/polkit/polkitunixprocess.c 2018-12-07 07:46:23.491243637 -0500 @@ -147,9 +147,14 @@ polkit_unix_process_set_property (GObjec polkit_unix_process_set_pid (unix_process, g_value_get_int (value)); break; - case PROP_UID: - polkit_unix_process_set_uid (unix_process, g_value_get_int (value)); + case PROP_UID: { + gint val; + + val = g_value_get_int (value); + g_return_if_fail (val != -1); + polkit_unix_process_set_uid (unix_process, val); break; + } case PROP_START_TIME: polkit_unix_process_set_start_time (unix_process, g_value_get_uint64 (value)); 
@@ -227,7 +232,7 @@ polkit_unix_process_class_init (PolkitUn g_param_spec_int ("uid", "User ID", "The UNIX user ID", - -1, + G_MININT, G_MAXINT, -1, G_PARAM_CONSTRUCT | @@ -291,7 +296,6 @@ polkit_unix_process_set_uid (PolkitUnixP gint uid) { g_return_if_fail (POLKIT_IS_UNIX_PROCESS (process)); - g_return_if_fail (uid >= -1); process->uid = uid; } Index: policykit-1-0.105/src/polkit/polkitunixuser.c =================================================================== --- policykit-1-0.105.orig/src/polkit/polkitunixuser.c 2018-12-07 07:46:23.491243637 -0500 +++ policykit-1-0.105/src/polkit/polkitunixuser.c 2018-12-07 07:46:23.491243637 -0500 @@ -72,6 +72,7 @@ G_DEFINE_TYPE_WITH_CODE (PolkitUnixUser, static void polkit_unix_user_init (PolkitUnixUser *unix_user) { + unix_user->uid = -1; /* (uid_t) -1 is not a valid UID under Linux */ unix_user->name = NULL; } @@ -112,11 +113,14 @@ polkit_unix_user_set_property (GObject GParamSpec *pspec) { PolkitUnixUser *unix_user = POLKIT_UNIX_USER (object); + gint val; switch (prop_id) { case PROP_UID: - unix_user->uid = g_value_get_int (value); + val = g_value_get_int (value); + g_return_if_fail (val != -1); + unix_user->uid = val; break; default: @@ -144,9 +148,9 @@ polkit_unix_user_class_init (PolkitUnixU g_param_spec_int ("uid", "User ID", "The UNIX user ID", - 0, + G_MININT, G_MAXINT, - 0, + -1, G_PARAM_CONSTRUCT | G_PARAM_READWRITE | G_PARAM_STATIC_NAME | @@ -182,6 +186,7 @@ polkit_unix_user_set_uid (PolkitUnixUser gint uid) { g_return_if_fail (POLKIT_IS_UNIX_USER (user)); + g_return_if_fail (uid != -1); user->uid = uid; } 
@@ -196,6 +201,8 @@ polkit_unix_user_set_uid (PolkitUnixUser PolkitIdentity * polkit_unix_user_new (gint uid) { + g_return_val_if_fail (uid != -1, NULL); + return POLKIT_IDENTITY (g_object_new (POLKIT_TYPE_UNIX_USER, "uid", uid, NULL)); debian/patches/series0000644000000000000000000000107313446700540012036 0ustar 01_pam_polkit.patch 02_gettext.patch 03_complete_session.patch 04_get_cwd.patch 05_revert-admin-identities-unix-group-wheel.patch 06_systemd-service.patch 07_set-XAUTHORITY-environment-variable-if-unset.patch 08_deprecate_racy_APIs.patch cve-2013-4288.patch 09_pam_environment.patch git_type_registration.patch fix_memleak.patch escape-helper-output.patch CVE-2015-3218.patch CVE-2015-3255.patch CVE-2015-4625-1.patch CVE-2015-4625-2.patch CVE-2015-4625-3.patch CVE-2018-1116.patch CVE-2018-19788-1.patch CVE-2018-19788-2.patch CVE-2018-19788-3.patch CVE-2019-6133.patch debian/patches/03_complete_session.patch0000644000000000000000000000446612227267237015537 0ustar From: James Westby Date: Thu, 28 Oct 2010 09:14:26 -0400 Subject: Fix the race that leads to the password box disappearing, but the dialog remaining. Bug: http://bugs.freedesktop.org/show_bug.cgi?id=30515 Bug-Ubuntu: https://launchpad.net/bugs/649939 Bug-Ubuntu: https://launchpad.net/bugs/445303 Index: policykit-1/src/polkitagent/polkitagentsession.c =================================================================== --- policykit-1.orig/src/polkitagent/polkitagentsession.c 2012-04-24 19:44:21.195751945 +0200 +++ policykit-1/src/polkitagent/polkitagentsession.c 2012-04-24 21:03:20.487887522 +0200 @@ -435,6 +435,7 @@ gpointer user_data) { PolkitAgentSession *session = POLKIT_AGENT_SESSION (user_data); + GMainContext *context = g_main_context_default(); if (G_UNLIKELY (_show_debug ())) { 
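Review bot: In CVE-2018-19788-1.patch, the polkitunixprocess.c `set_property` hunk (`@@ -147,9 +147,14 @@`) adds `g_return_if_fail (val != -1)` for `PROP_UID`, while the class_init hunk keeps -1 as the property default under `G_PARAM_CONSTRUCT`. GObject applies construct-property defaults through `set_property` when the property is not passed to `g_object_new`, so any PolkitUnixProcess created without an explicit uid now trips the check, emits a critical, and skips `polkit_unix_process_set_uid`. Since -1 is the documented "unset" value for a process (the commit message says so, and the `uid >= -1` guard is deliberately dropped from `polkit_unix_process_set_uid`), the setter should accept -1 here and reject it only for PolkitUnixUser and PolkitUnixGroup. The user and group class_init hunks carry the same default/guard combination, but their `_new` constructors always pass the id explicitly, so only `g_object_new (..., NULL)` without the property would hit it there.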
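Review bot: In CVE-2018-19788-1.patch, the polkitunixgroup.c `polkit_unix_group_init` hunk comments the sentinel as `(git_t) -1`; it should read `(gid_t) -1`, matching the `(uid_t) -1` comment in the polkitunixuser.c hunk.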
@@ -446,6 +447,11 @@ /* kill all the watches we have set up, except for the child since it has exited already */ session->child_pid = 0; + /* Allow the stdout of the child to be processed if we haven't finished yet */ + while (g_main_context_pending(context)) + { + g_main_context_iteration(context, FALSE); + } complete_session (session, FALSE); } 
@@ -650,15 +656,15 @@ if (G_UNLIKELY (_show_debug ())) g_print ("PolkitAgentSession: spawned helper with pid %d\n", (gint) session->child_pid); - session->child_watch_source = g_child_watch_source_new (session->child_pid); - g_source_set_callback (session->child_watch_source, (GSourceFunc) child_watch_func, session, NULL); - g_source_attach (session->child_watch_source, g_main_context_get_thread_default ()); - session->child_stdout_channel = g_io_channel_unix_new (session->child_stdout); session->child_stdout_watch_source = g_io_create_watch (session->child_stdout_channel, G_IO_IN); g_source_set_callback (session->child_stdout_watch_source, (GSourceFunc) io_watch_have_data, session, NULL); g_source_attach (session->child_stdout_watch_source, g_main_context_get_thread_default ()); + session->child_watch_source = g_child_watch_source_new (session->child_pid); + g_source_set_callback (session->child_watch_source, (GSourceFunc) child_watch_func, session, NULL); + g_source_attach (session->child_watch_source, g_main_context_get_thread_default ()); + session->success = FALSE; debian/patches/escape-helper-output.patch0000644000000000000000000001160512624556367015734 0ustar Description: Escape helper output to handle multiline messages Some pam modules produce multiline messages which caused errors in PolkitAgentSession as the subsequent lines were interpreted as separate messages unrecognized by the authenticator. Escaping every message allows to avoid such behaviour. . policykit-1 (0.105-4ubuntu2.14.04.2) trusty; urgency=medium . * Fix handling of multi-line helper output. (LP: #1510824) Description: TODO: Put a short summary on the line above and replace this paragraph with a longer explanation of this change. Complete the meta-information with other relevant fields (see below for details). To make it easier, the information below has been extracted from the changelog. Adjust it or drop it. . 
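Review bot: In 03_complete_session.patch, the `child_watch_func` hunk drains `g_main_context_default ()`, but the child's stdout watch is attached to `g_main_context_get_thread_default ()` (visible in the second hunk). When the session is driven from a thread-default context, the pending stdout data lives on that context and the loop here spins on the wrong one, so `complete_session (session, FALSE)` can still run before the helper's final line has been read. Suggest iterating the same context the watches were attached to. Iterating a context from inside a callback also re-enters every other handler on it, so `session` should be kept alive with a ref/unref pair around the loop.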
--- policykit-1-0.105.orig/src/polkitagent/polkitagenthelper-pam.c +++ policykit-1-0.105/src/polkitagent/polkitagenthelper-pam.c @@ -39,25 +39,35 @@ static void send_to_helper (const gchar *str1, const gchar *str2) { + char *escaped; + char *tmp2; + size_t len2; + + tmp2 = g_strdup(str2); + len2 = strlen(tmp2); #ifdef PAH_DEBUG - fprintf (stderr, "polkit-agent-helper-1: writing `%s' to stdout\n", str1); + fprintf (stderr, "polkit-agent-helper-1: writing `%s ' to stdout\n", str1); #endif /* PAH_DEBUG */ - fprintf (stdout, "%s", str1); + fprintf (stdout, "%s ", str1); + + if (len2 > 0 && tmp2[len2 - 1] == '\n') + tmp2[len2 - 1] = '\0'; + escaped = g_strescape (tmp2, NULL); #ifdef PAH_DEBUG - fprintf (stderr, "polkit-agent-helper-1: writing `%s' to stdout\n", str2); + fprintf (stderr, "polkit-agent-helper-1: writing `%s' to stdout\n", escaped); #endif /* PAH_DEBUG */ - fprintf (stdout, "%s", str2); - if (strlen (str2) > 0 && str2[strlen (str2) - 1] != '\n') - { + fprintf (stdout, "%s", escaped); #ifdef PAH_DEBUG - fprintf (stderr, "polkit-agent-helper-1: writing newline to stdout\n"); + fprintf (stderr, "polkit-agent-helper-1: writing newline to stdout\n"); #endif /* PAH_DEBUG */ - fputc ('\n', stdout); - } + fputc ('\n', stdout); #ifdef PAH_DEBUG fprintf (stderr, "polkit-agent-helper-1: flushing stdout\n"); #endif /* PAH_DEBUG */ fflush (stdout); + + g_free (escaped); + g_free (tmp2); } int @@ -89,7 +99,7 @@ main (int argc, char *argv[]) /* Special-case a very common error triggered in jhbuild setups */ s = g_strdup_printf ("Incorrect permissions on %s (needs to be setuid root)", argv[0]); - send_to_helper ("PAM_ERROR_MSG ", s); + send_to_helper ("PAM_ERROR_MSG", s); g_free (s); goto error; } @@ -226,7 +236,6 @@ conversation_function (int n, const stru struct pam_response *aresp; char buf[PAM_MAX_RESP_SIZE]; int i; - gchar *escaped = NULL; data = data; if (n <= 0 || n > PAM_MAX_NUM_MSG) 
@@ -243,35 +252,13 @@ conversation_function (int n, const stru { case PAM_PROMPT_ECHO_OFF: -#ifdef PAH_DEBUG - fprintf (stderr, "polkit-agent-helper-1: writing `PAM_PROMPT_ECHO_OFF ' to stdout\n"); -#endif /* PAH_DEBUG */ - fprintf (stdout, "PAM_PROMPT_ECHO_OFF "); + send_to_helper ("PAM_PROMPT_ECHO_OFF", msg[i]->msg); goto conv1; case PAM_PROMPT_ECHO_ON: -#ifdef PAH_DEBUG - fprintf (stderr, "polkit-agent-helper-1: writing `PAM_PROMPT_ECHO_ON ' to stdout\n"); -#endif /* PAH_DEBUG */ - fprintf (stdout, "PAM_PROMPT_ECHO_ON "); - conv1: -#ifdef PAH_DEBUG - fprintf (stderr, "polkit-agent-helper-1: writing `%s' to stdout\n", msg[i]->msg); -#endif /* PAH_DEBUG */ - if (strlen (msg[i]->msg) > 0 && msg[i]->msg[strlen (msg[i]->msg) - 1] == '\n') - msg[i]->msg[strlen (msg[i]->msg) - 1] == '\0'; - escaped = g_strescape (msg[i]->msg, NULL); - fputs (escaped, stdout); - g_free (escaped); -#ifdef PAH_DEBUG - fprintf (stderr, "polkit-agent-helper-1: writing newline to stdout\n"); -#endif /* PAH_DEBUG */ - fputc ('\n', stdout); -#ifdef PAH_DEBUG - fprintf (stderr, "polkit-agent-helper-1: flushing stdout\n"); -#endif /* PAH_DEBUG */ - fflush (stdout); + send_to_helper ("PAM_PROMPT_ECHO_ON", msg[i]->msg); + conv1: if (fgets (buf, sizeof buf, stdin) == NULL) goto error; @@ -285,17 +272,11 @@ conversation_function (int n, const stru break; case PAM_ERROR_MSG: - fprintf (stdout, "PAM_ERROR_MSG "); - goto conv2; + send_to_helper ("PAM_ERROR_MSG", msg[i]->msg); + break; case PAM_TEXT_INFO: - fprintf (stdout, "PAM_TEXT_INFO "); - conv2: - fputs (msg[i]->msg, stdout); - if (strlen (msg[i]->msg) > 0 && - msg[i]->msg[strlen (msg[i]->msg) - 1] != '\n') - fputc ('\n', stdout); - fflush (stdout); + send_to_helper ("PAM_TEXT_INFO", msg[i]->msg); break; default: debian/patches/CVE-2015-4625-1.patch0000644000000000000000000004457113322123267013410 0ustar Backport of: From ea544ffc18405237ccd95d28d7f45afef49aca17 Mon Sep 17 00:00:00 2001 
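Review bot: In escape-helper-output.patch, the DEP-3 header carries two `Description:` fields, the second still holding the `TODO: Put a short summary on the line above ...` template text; drop the template block so the header states only the real rationale (the first paragraph and the `LP: #1510824` changelog entry).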
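Review bot: In escape-helper-output.patch, the `send_to_helper` hunk (`@@ -39,25 +39,35 @@`) duplicates `str2` with `g_strdup` and calls `strlen` on the copy with no NULL check (`g_strdup (NULL)` returns NULL). The old code also dereferenced `str2` unconditionally, but now that every PAM message type is routed through this one function it is the single place to guard against a NULL `msg[i]->msg`; a `if (str2 == NULL) str2 = "";` at the top would cover it. Working on a copy is otherwise the right move: the removed `conv1` code tried to strip the newline in place with `msg[i]->msg[...] == '\0'` (a comparison, not an assignment) on a buffer owned by PAM.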
From: Colin Walters Date: Thu, 4 Jun 2015 12:15:18 -0400 Subject: CVE-2015-4625: Use unpredictable cookie values, keep them secret MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Tavis noted that it'd be possible with a 32 bit counter for someone to cause the cookie to wrap by creating Authentication requests in a loop. Something important to note here is that wrapping of signed integers is undefined behavior in C, so we definitely want to fix that. All counter integers used in this patch are unsigned. See the comment above `authentication_agent_generate_cookie` for details, but basically we're now using a cookie of the form: ``` - - - ``` Which has multiple 64 bit counters, plus unpredictable random 128 bit integer ids (effectively UUIDs, but we're not calling them that because we don't need to be globally unique. We further ensure that the cookies are not visible to other processes by changing the setuid helper to accept them over standard input. This means that an attacker would have to guess both ids. In any case, the security hole here is better fixed with the other change to bind user id (uid) of the agent with cookie lookups, making cookie guessing worthless. Nevertheless, I think it's worth doing this change too, for defense in depth. Bug: https://bugs.freedesktop.org/show_bug.cgi?id=90832 CVE: CVE-2015-4625 Reported-by: Tavis Ormandy Reviewed-by: Miloslav Trmač 
Signed-off-by: Colin Walters --- configure.ac | 2 +- src/polkitagent/polkitagenthelper-pam.c | 12 ++- src/polkitagent/polkitagenthelper-shadow.c | 12 ++- src/polkitagent/polkitagenthelperprivate.c | 33 ++++++++ src/polkitagent/polkitagenthelperprivate.h | 2 + src/polkitagent/polkitagentsession.c | 30 ++++--- .../polkitbackendinteractiveauthority.c | 99 +++++++++++++++++----- 7 files changed, 150 insertions(+), 40 deletions(-) Index: policykit-1-0.105/configure.ac =================================================================== --- policykit-1-0.105.orig/configure.ac 2018-07-13 07:49:32.000000000 -0400 +++ policykit-1-0.105/configure.ac 2018-07-13 09:18:13.272161384 -0400 @@ -123,7 +123,7 @@ if test "x$GCC" = "xyes"; then changequote([,])dnl fi -PKG_CHECK_MODULES(GLIB, [gio-2.0 >= 2.28.0]) +PKG_CHECK_MODULES(GLIB, [gmodule-2.0 gio-unix-2.0 >= 2.30.0]) AC_SUBST(GLIB_CFLAGS) AC_SUBST(GLIB_LIBS) Index: policykit-1-0.105/src/polkitagent/polkitagenthelper-pam.c =================================================================== --- policykit-1-0.105.orig/src/polkitagent/polkitagenthelper-pam.c 2018-07-13 09:17:04.636032142 -0400 +++ policykit-1-0.105/src/polkitagent/polkitagenthelper-pam.c 2018-07-13 09:17:04.636032142 -0400 @@ -75,7 +75,7 @@ main (int argc, char *argv[]) { int rc; const char *user_to_auth; - const char *cookie; + char *cookie = NULL; struct pam_conv pam_conversation; pam_handle_t *pam_h; const void *authed_user; @@ -107,7 +107,7 @@ main (int argc, char *argv[]) openlog ("polkit-agent-helper-1", LOG_CONS | LOG_PID, LOG_AUTHPRIV); /* check for correct invocation */ - if (argc != 3) + if (!(argc == 2 || argc == 3)) { syslog (LOG_NOTICE, "inappropriate use of helper, wrong number of arguments [uid=%d]", getuid ()); fprintf (stderr, "polkit-agent-helper-1: wrong number of arguments. This incident has been logged.\n"); 
@@ -115,7 +115,10 @@ main (int argc, char *argv[]) } user_to_auth = argv[1]; - cookie = argv[2]; + + cookie = read_cookie (argc, argv); + if (!cookie) + goto error; if (getuid () != 0) { @@ -213,6 +216,8 @@ main (int argc, char *argv[]) goto error; } + free (cookie); + #ifdef PAH_DEBUG fprintf (stderr, "polkit-agent-helper-1: successfully sent D-Bus message to PolicyKit daemon\n"); #endif /* PAH_DEBUG */ @@ -222,6 +227,7 @@ main (int argc, char *argv[]) return 0; error: + free (cookie); if (pam_h != NULL) pam_end (pam_h, rc); Index: policykit-1-0.105/src/polkitagent/polkitagenthelper-shadow.c =================================================================== --- policykit-1-0.105.orig/src/polkitagent/polkitagenthelper-shadow.c 2018-07-13 09:17:04.636032142 -0400 +++ policykit-1-0.105/src/polkitagent/polkitagenthelper-shadow.c 2018-07-13 09:17:04.636032142 -0400 @@ -46,7 +46,7 @@ main (int argc, char *argv[]) { struct spwd *shadow; const char *user_to_auth; - const char *cookie; + char *cookie = NULL; time_t now; /* clear the entire environment to avoid attacks with @@ -67,7 +67,7 @@ main (int argc, char *argv[]) openlog ("polkit-agent-helper-1", LOG_CONS | LOG_PID, LOG_AUTHPRIV); /* check for correct invocation */ - if (argc != 3) + if (!(argc == 2 || argc == 3)) { syslog (LOG_NOTICE, "inappropriate use of helper, wrong number of arguments [uid=%d]", getuid ()); fprintf (stderr, "polkit-agent-helper-1: wrong number of arguments. This incident has been logged.\n"); @@ -86,7 +86,10 @@ main (int argc, char *argv[]) } user_to_auth = argv[1]; - cookie = argv[2]; + + cookie = read_cookie (argc, argv); + if (!cookie) + goto error; #ifdef PAH_DEBUG fprintf (stderr, "polkit-agent-helper-1: user to auth is '%s'.\n", user_to_auth); @@ -153,6 +156,8 @@ main (int argc, char *argv[]) goto error; } + free (cookie); + #ifdef PAH_DEBUG fprintf (stderr, "polkit-agent-helper-1: successfully sent D-Bus message to PolicyKit daemon\n"); #endif /* PAH_DEBUG */ 
@@ -162,6 +167,7 @@ main (int argc, char *argv[]) return 0; error: + free (cookie); fprintf (stdout, "FAILURE\n"); flush_and_wait (); return 1; Index: policykit-1-0.105/src/polkitagent/polkitagenthelperprivate.c =================================================================== --- policykit-1-0.105.orig/src/polkitagent/polkitagenthelperprivate.c 2018-07-13 09:17:04.636032142 -0400 +++ policykit-1-0.105/src/polkitagent/polkitagenthelperprivate.c 2018-07-13 09:17:04.636032142 -0400 @@ -23,6 +23,7 @@ #include "config.h" #include "polkitagenthelperprivate.h" #include +#include #include #include @@ -45,6 +46,38 @@ _polkit_clearenv (void) #endif +char * +read_cookie (int argc, char **argv) +{ + /* As part of CVE-2015-4625, we started passing the cookie + * on standard input, to ensure it's not visible to other + * processes. However, to ensure that things continue + * to work if the setuid binary is upgraded while old + * agents are still running (this will be common with + * package managers), we support both modes. + */ + if (argc == 3) + return strdup (argv[2]); + else + { + char *ret = NULL; + size_t n = 0; + ssize_t r = getline (&ret, &n, stdin); + if (r == -1) + { + if (!feof (stdin)) + perror ("getline"); + free (ret); + return NULL; + } + else + { + g_strchomp (ret); + return ret; + } + } +} + gboolean send_dbus_message (const char *cookie, const char *user) { Index: policykit-1-0.105/src/polkitagent/polkitagenthelperprivate.h =================================================================== --- policykit-1-0.105.orig/src/polkitagent/polkitagenthelperprivate.h 2018-07-13 09:17:04.636032142 -0400 +++ policykit-1-0.105/src/polkitagent/polkitagenthelperprivate.h 2018-07-13 09:17:04.636032142 -0400 
@@ -38,6 +38,8 @@ int _polkit_clearenv (void); +char *read_cookie (int argc, char **argv); + gboolean send_dbus_message (const char *cookie, const char *user); void flush_and_wait (); Index: policykit-1-0.105/src/polkitagent/polkitagentsession.c =================================================================== --- policykit-1-0.105.orig/src/polkitagent/polkitagentsession.c 2018-07-13 09:17:04.636032142 -0400 +++ policykit-1-0.105/src/polkitagent/polkitagentsession.c 2018-07-13 09:17:04.636032142 -0400 @@ -55,6 +55,7 @@ #include #include #include +#include #include #include "polkitagentmarshal.h" @@ -88,7 +89,7 @@ struct _PolkitAgentSession gchar *cookie; PolkitIdentity *identity; - int child_stdin; + GOutputStream *child_stdin; int child_stdout; GPid child_pid; @@ -130,7 +131,6 @@ G_DEFINE_TYPE (PolkitAgentSession, polki static void polkit_agent_session_init (PolkitAgentSession *session) { - session->child_stdin = -1; session->child_stdout = -1; } @@ -403,11 +403,7 @@ kill_helper (PolkitAgentSession *session session->child_stdout = -1; } - if (session->child_stdin != -1) - { - g_warn_if_fail (close (session->child_stdin) == 0); - session->child_stdin = -1; - } + g_clear_object (&session->child_stdin); session->helper_is_running = FALSE; @@ -573,9 +569,9 @@ polkit_agent_session_response (PolkitAge add_newline = (response[response_len] != '\n'); - write (session->child_stdin, response, response_len); + (void) g_output_stream_write_all (session->child_stdin, response, response_len, NULL, NULL, NULL); if (add_newline) - write (session->child_stdin, newline, 1); + (void) g_output_stream_write_all (session->child_stdin, newline, 1, NULL, NULL, NULL); } /** @@ -595,8 +591,9 @@ polkit_agent_session_initiate (PolkitAge { uid_t uid; GError *error; - gchar *helper_argv[4]; + gchar *helper_argv[3]; struct passwd *passwd; + int stdin_fd = -1; g_return_if_fail (POLKIT_AGENT_IS_SESSION (session)); 
@@ -628,10 +625,8 @@ polkit_agent_session_initiate (PolkitAge helper_argv[0] = PACKAGE_LIBEXEC_DIR "/polkit-agent-helper-1"; helper_argv[1] = passwd->pw_name; - helper_argv[2] = session->cookie; - helper_argv[3] = NULL; + helper_argv[2] = NULL; - session->child_stdin = -1; session->child_stdout = -1; error = NULL; @@ -643,7 +638,7 @@ polkit_agent_session_initiate (PolkitAge NULL, NULL, &session->child_pid, - &session->child_stdin, + &stdin_fd, &session->child_stdout, NULL, &error)) @@ -656,6 +651,13 @@ polkit_agent_session_initiate (PolkitAge if (G_UNLIKELY (_show_debug ())) g_print ("PolkitAgentSession: spawned helper with pid %d\n", (gint) session->child_pid); + session->child_stdin = (GOutputStream*)g_unix_output_stream_new (stdin_fd, TRUE); + + /* Write the cookie on stdin so it can't be seen by other processes */ + (void) g_output_stream_write_all (session->child_stdin, session->cookie, strlen (session->cookie), + NULL, NULL, NULL); + (void) g_output_stream_write_all (session->child_stdin, "\n", 1, NULL, NULL, NULL); + session->child_stdout_channel = g_io_channel_unix_new (session->child_stdout); session->child_stdout_watch_source = g_io_create_watch (session->child_stdout_channel, G_IO_IN); g_source_set_callback (session->child_stdout_watch_source, (GSourceFunc) io_watch_have_data, session, NULL); Index: policykit-1-0.105/src/polkitbackend/polkitbackendinteractiveauthority.c =================================================================== --- policykit-1-0.105.orig/src/polkitbackend/polkitbackendinteractiveauthority.c 2018-07-13 09:17:04.636032142 -0400 +++ policykit-1-0.105/src/polkitbackend/polkitbackendinteractiveauthority.c 2018-07-13 09:17:04.636032142 -0400 @@ -212,6 +212,8 @@ typedef struct GDBusConnection *system_bus_connection; guint name_owner_changed_signal_id; + + guint64 agent_serial; } PolkitBackendInteractiveAuthorityPrivate; /* ---------------------------------------------------------------------------------------------------- */ 
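Review bot: in the polkit_agent_session_initiate hunk of polkitagentsession.c the two g_output_stream_write_all calls that hand the cookie to the helper cast the result to void and pass NULL for the GError, and the polkit_agent_session_response hunk does the same for the user's answer. If the helper has already exited or the pipe is gone, the cookie or the response is lost silently and the session only fails later with an opaque helper error. Keep the gboolean and the GError, and on failure treat it like any other helper failure (kill_helper is right there), or at least g_warning when _show_debug () is set, so the cause is diagnosable from logs. A short comment would also help: TRUE in g_unix_output_stream_new transfers ownership of stdin_fd to the stream, which is why the explicit close () in kill_helper became g_clear_object.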
@@ -430,11 +432,15 @@ struct AuthenticationAgent volatile gint ref_count; PolkitSubject *scope; + guint64 serial; gchar *locale; GVariant *registration_options; gchar *object_path; gchar *unique_system_bus_name; + GRand *cookie_pool; + gchar *cookie_prefix; + guint64 cookie_serial; GDBusProxy *proxy; @@ -1426,9 +1432,54 @@ authentication_session_cancelled_cb (GCa authentication_session_cancel (session); } +/* We're not calling this a UUID, but it's basically + * the same thing, just not formatted that way because: + * + * - I'm too lazy to do it + * - If we did, people might think it was actually + * generated from /dev/random, which we're not doing + * because this value doesn't actually need to be + * globally unique. + */ +static void +append_rand_u128_str (GString *buf, + GRand *pool) +{ + g_string_append_printf (buf, "%08x%08x%08x%08x", + g_rand_int (pool), + g_rand_int (pool), + g_rand_int (pool), + g_rand_int (pool)); +} + +/* A value that should be unique to the (AuthenticationAgent, AuthenticationSession) + * pair, and not guessable by other agents. + * + * - - - + * + * See http://lists.freedesktop.org/archives/polkit-devel/2015-June/000425.html + * + */ +static gchar * +authentication_agent_generate_cookie (AuthenticationAgent *agent) +{ + GString *buf = g_string_new (""); + + g_string_append (buf, agent->cookie_prefix); + + g_string_append_c (buf, '-'); + agent->cookie_serial++; + g_string_append_printf (buf, "%" G_GUINT64_FORMAT, + agent->cookie_serial); + g_string_append_c (buf, '-'); + append_rand_u128_str (buf, agent->cookie_pool); + + return g_string_free (buf, FALSE); +} + + static AuthenticationSession * authentication_session_new (AuthenticationAgent *agent, - const gchar *cookie, PolkitSubject *subject, PolkitIdentity *user_of_subject, PolkitSubject *caller, 
@@ -1445,7 +1496,7 @@ authentication_session_new (Authenticati session = g_new0 (AuthenticationSession, 1); session->agent = authentication_agent_ref (agent); - session->cookie = g_strdup (cookie); + session->cookie = authentication_agent_generate_cookie (agent); session->subject = g_object_ref (subject); session->user_of_subject = g_object_ref (user_of_subject); session->caller = g_object_ref (caller); @@ -1492,16 +1543,6 @@ authentication_session_free (Authenticat g_free (session); } -static gchar * -authentication_agent_new_cookie (AuthenticationAgent *agent) -{ - static gint counter = 0; - - /* TODO: use a more random-looking cookie */ - - return g_strdup_printf ("cookie%d", counter++); -} - static PolkitSubject * authentication_agent_get_scope (AuthenticationAgent *agent) { @@ -1549,12 +1590,15 @@ authentication_agent_unref (Authenticati g_free (agent->unique_system_bus_name); if (agent->registration_options != NULL) g_variant_unref (agent->registration_options); + g_rand_free (agent->cookie_pool); + g_free (agent->cookie_prefix); g_free (agent); } } static AuthenticationAgent * -authentication_agent_new (PolkitSubject *scope, +authentication_agent_new (guint64 serial, + PolkitSubject *scope, const gchar *unique_system_bus_name, const gchar *locale, const gchar *object_path, @@ -1588,6 +1632,7 @@ authentication_agent_new (PolkitSubject agent = g_new0 (AuthenticationAgent, 1); agent->ref_count = 1; + agent->serial = serial; agent->scope = g_object_ref (scope); agent->object_path = g_strdup (object_path); agent->unique_system_bus_name = g_strdup (unique_system_bus_name); 
@@ -1595,6 +1640,25 @@ authentication_agent_new (PolkitSubject agent->registration_options = registration_options != NULL ? g_variant_ref (registration_options) : NULL; agent->proxy = proxy; + { + GString *cookie_prefix = g_string_new (""); + GRand *agent_private_rand = g_rand_new (); + + g_string_append_printf (cookie_prefix, "%" G_GUINT64_FORMAT "-", agent->serial); + + /* Use a uniquely seeded PRNG to get a prefix cookie for this agent, + * whose sequence will not correlate with the per-authentication session + * cookies. + */ + append_rand_u128_str (cookie_prefix, agent_private_rand); + g_rand_free (agent_private_rand); + + agent->cookie_prefix = g_string_free (cookie_prefix, FALSE); + + /* And a newly seeded pool for per-session cookies */ + agent->cookie_pool = g_rand_new (); + } + return agent; } @@ -2079,7 +2143,6 @@ authentication_agent_initiate_challenge gpointer user_data) { AuthenticationSession *session; - gchar *cookie; GList *l; GList *identities; gchar *localized_message; @@ -2100,8 +2163,6 @@ authentication_agent_initiate_challenge &localized_icon_name, &localized_details); - cookie = authentication_agent_new_cookie (agent); - identities = NULL; /* select admin user if required by the implicit authorization */ @@ -2121,7 +2182,6 @@ authentication_agent_initiate_challenge } session = authentication_session_new (agent, - cookie, subject, user_of_subject, caller, @@ -2175,7 +2235,6 @@ authentication_agent_initiate_challenge g_list_foreach (identities, (GFunc) g_object_unref, NULL); g_list_free (identities); - g_free (cookie); g_free (localized_message); g_free (localized_icon_name); 
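Review bot: the authentication_agent_generate_cookie and append_rand_u128_str hunks in polkitbackendinteractiveauthority.c draw the 128-bit component from GRand, which is a Mersenne Twister rather than a CSPRNG: g_rand_new () seeds from /dev/urandom when it is readable but falls back to time and pid otherwise, and a party that observes enough outputs from one pool can predict its later outputs. The comment above append_rand_u128_str already concedes the value is not from /dev/random, and the property the design really relies on is uniqueness from the agent serial plus cookie_serial prefix, so this is acceptable as a hardening layer, but the "not guessable by other agents" wording above authentication_agent_generate_cookie overstates it. Either say plainly that unpredictability is best effort and uniqueness is the guarantee, or read the 16 bytes with open ()/read () from /dev/urandom directly and keep GRand only as the fallback.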
@@ -2322,7 +2381,9 @@ polkit_backend_interactive_authority_reg goto out; } - agent = authentication_agent_new (subject, + priv->agent_serial++; + agent = authentication_agent_new (priv->agent_serial, + subject, polkit_system_bus_name_get_name (POLKIT_SYSTEM_BUS_NAME (caller)), locale, object_path, debian/patches/09_pam_environment.patch0000644000000000000000000000163712227267237015370 0ustar Author: Steve Langasek Description: set process environment from pam_getenvlist() Various pam modules provide environment variables that are intended to be set in the environment of the pam session. pkexec needs to process the output of pam_getenvlist() to get these. Bug-Ubuntu: https://bugs.launchpad.net/bugs/982684 Index: trunk/src/programs/pkexec.c =================================================================== --- trunk.orig/src/programs/pkexec.c +++ trunk/src/programs/pkexec.c @@ -145,6 +145,7 @@ gboolean ret; gint rc; pam_handle_t *pam_h; + char **envlist; struct pam_conv conversation; ret = FALSE; @@ -176,6 +177,14 @@ ret = TRUE; + envlist = pam_getenvlist (pam_h); + if (envlist != NULL) { + int i; + for (i = 0; envlist[i]; i++) + putenv(envlist[i]); + free (envlist); + } + out: if (pam_h != NULL) pam_end (pam_h, rc); debian/patches/git_type_registration.patch0000644000000000000000000000713112276462576016277 0ustar From 20ad116a6582e57d20f9d8197758947918753a4c Mon Sep 17 00:00:00 2001 From: Tomas Bzatek Date: Wed, 29 May 2013 13:45:31 +0000 Subject: Use GOnce for interface type registration Static local variable may not be enough since it doesn't provide locking. Related to these udisksd warnings: GLib-GObject-WARNING **: cannot register existing type `PolkitSubject' Thanks to Hans de Goede for spotting this! https://bugs.freedesktop.org/show_bug.cgi?id=65130 --- diff --git a/src/polkit/polkitidentity.c b/src/polkit/polkitidentity.c index dd15b2f..7813c2c 100644 --- a/src/polkit/polkitidentity.c +++ b/src/polkit/polkitidentity.c 
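Review bot: the pam_getenvlist hunk in 09_pam_environment.patch pushes every variable a PAM module exports into pkexec's own environment with putenv and no filtering, and because PAM sessions are opened after pkexec has rebuilt its sanitized environment, those variables reach the privileged command unchecked. That is the intended feature, but it makes /etc/security/pam_env.conf and every stacked module part of pkexec's trust boundary; apply the same allow-list pkexec uses when it repopulates saved_env, or at minimum drop entries named PATH, IFS or starting with LD_, and record the trust assumption in the Description. Ownership handling is correct as written: putenv keeps the strings, so freeing only the envlist array is right.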
@@ -49,9 +49,9 @@ base_init (gpointer g_iface) GType polkit_identity_get_type (void) { - static GType iface_type = 0; + static volatile gsize g_define_type_id__volatile = 0; - if (iface_type == 0) + if (g_once_init_enter (&g_define_type_id__volatile)) { static const GTypeInfo info = { @@ -67,12 +67,14 @@ polkit_identity_get_type (void) NULL /* value_table */ }; - iface_type = g_type_register_static (G_TYPE_INTERFACE, "PolkitIdentity", &info, 0); + GType iface_type = + g_type_register_static (G_TYPE_INTERFACE, "PolkitIdentity", &info, 0); g_type_interface_add_prerequisite (iface_type, G_TYPE_OBJECT); + g_once_init_leave (&g_define_type_id__volatile, iface_type); } - return iface_type; + return g_define_type_id__volatile; } /** diff --git a/src/polkit/polkitsubject.c b/src/polkit/polkitsubject.c index d2c4c20..aed5795 100644 --- a/src/polkit/polkitsubject.c +++ b/src/polkit/polkitsubject.c @@ -50,9 +50,9 @@ base_init (gpointer g_iface) GType polkit_subject_get_type (void) { - static GType iface_type = 0; + static volatile gsize g_define_type_id__volatile = 0; - if (iface_type == 0) + if (g_once_init_enter (&g_define_type_id__volatile)) { static const GTypeInfo info = { @@ -68,12 +68,14 @@ polkit_subject_get_type (void) NULL /* value_table */ }; - iface_type = g_type_register_static (G_TYPE_INTERFACE, "PolkitSubject", &info, 0); + GType iface_type = + g_type_register_static (G_TYPE_INTERFACE, "PolkitSubject", &info, 0); g_type_interface_add_prerequisite (iface_type, G_TYPE_OBJECT); + g_once_init_leave (&g_define_type_id__volatile, iface_type); } - return iface_type; + return g_define_type_id__volatile; } /** diff --git a/src/polkitbackend/polkitbackendactionlookup.c b/src/polkitbackend/polkitbackendactionlookup.c index 5a1a228..20747e7 100644 --- a/src/polkitbackend/polkitbackendactionlookup.c +++ b/src/polkitbackend/polkitbackendactionlookup.c 
@@ -74,9 +74,9 @@ base_init (gpointer g_iface) GType polkit_backend_action_lookup_get_type (void) { - static GType iface_type = 0; + static volatile gsize g_define_type_id__volatile = 0; - if (iface_type == 0) + if (g_once_init_enter (&g_define_type_id__volatile)) { static const GTypeInfo info = { @@ -92,12 +92,14 @@ polkit_backend_action_lookup_get_type (void) NULL /* value_table */ }; - iface_type = g_type_register_static (G_TYPE_INTERFACE, "PolkitBackendActionLookup", &info, 0); + GType iface_type = + g_type_register_static (G_TYPE_INTERFACE, "PolkitBackendActionLookup", &info, 0); g_type_interface_add_prerequisite (iface_type, G_TYPE_OBJECT); + g_once_init_leave (&g_define_type_id__volatile, iface_type); } - return iface_type; + return g_define_type_id__volatile; } /** -- cgit v0.9.0.2-2-gbebe debian/patches/04_get_cwd.patch0000644000000000000000000000234412227267237013572 0ustar From cd184d77f57d45ffce34f0210bbff72f6fd3116f Mon Sep 17 00:00:00 2001 From: Emilio Pozuelo Monfort Date: Sat, 26 Mar 2011 07:28:14 +0000 Subject: [PATCH] Fix build on GNU Hurd https://bugs.freedesktop.org/show_bug.cgi?id=35685 --- src/programs/pkexec.c | 5 +++-- 1 files changed, 3 insertions(+), 2 deletions(-) Index: policykit-1/src/programs/pkexec.c =================================================================== --- policykit-1.orig/src/programs/pkexec.c 2011-08-02 03:16:07.070394919 +0200 +++ policykit-1/src/programs/pkexec.c 2011-08-02 03:16:43.241940179 +0200 @@ -53,7 +53,7 @@ #include static gchar *original_user_name = NULL; -static gchar original_cwd[PATH_MAX]; +static gchar *original_cwd; static gchar *command_line = NULL; static struct passwd *pw; @@ -465,7 +465,7 @@ goto out; } - if (getcwd (original_cwd, sizeof (original_cwd)) == NULL) + if ((original_cwd = g_get_current_dir ()) == NULL) { g_printerr ("Error getting cwd: %s\n", g_strerror (errno)); 
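Review bot: the three hunks in git_type_registration.patch open-code the same guard that G_DEFINE_INTERFACE (GLib 2.24 and later) generates, including the g_once_init_enter / g_once_init_leave pair and the prerequisite registration. Consider converting polkit_identity_get_type, polkit_subject_get_type and polkit_backend_action_lookup_get_type to G_DEFINE_INTERFACE (PolkitIdentity, polkit_identity, G_TYPE_OBJECT) and friends, moving the body of each base_init into the generated default_init, so the locking fix is not three hand-maintained copies of one pattern.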
@@ -931,6 +931,7 @@ g_ptr_array_free (saved_env, TRUE); } + g_free (original_cwd); g_free (path); g_free (command_line); g_free (opt_user); debian/patches/07_set-XAUTHORITY-environment-variable-if-unset.patch0000644000000000000000000000434712227267237022354 0ustar From d6acecdd0ebb42e28ff28e04e0207cb01fa20910 Mon Sep 17 00:00:00 2001 From: David Zeuthen Date: Wed, 19 Dec 2012 14:28:29 -0500 Subject: [PATCH] Set XAUTHORITY environment variable if is unset The way it works is that if XAUTHORITY is unset, then its default value is $HOME/.Xauthority. But since we're changing user identity this will not work since $HOME will now change. Therefore, if XAUTHORITY is unset, just set its default value before changing identity. This bug only affected login managers using X Window Authorization but not explicitly setting the XAUTHORITY variable. You can argue that XAUTHORITY is broken since it forces uid-changing apps like pkexec(1) to do more work - and get involved in intimate details of how X works and so on - but that doesn't change how things work. Based on a patch from Peter Wu . https://bugs.freedesktop.org/show_bug.cgi?id=51623 Signed-off-by: David Zeuthen --- src/programs/pkexec.c | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) Index: policykit-1/src/programs/pkexec.c =================================================================== --- policykit-1.orig/src/programs/pkexec.c 2012-12-20 18:41:37.714807215 +0100 +++ policykit-1/src/programs/pkexec.c 2012-12-20 18:41:37.790805274 +0100 
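Review bot: in the getcwd hunk of 04_get_cwd.patch the `== NULL` branch and its error message are now dead code: g_get_current_dir () never returns NULL, it falls back to "/" when getcwd fails, so pkexec no longer aborts on an unreadable working directory but silently records "/" (and errno is meaningless at that point). If failing hard is the intended behaviour, keep a getcwd loop with a growing buffer; if "/" is acceptable, delete the dead branch and say so in a comment. Also note for this setuid program that since GLib 2.40 g_get_current_dir () prefers $PWD when it refers to the same inode as ".", so the recorded path string is influenced by the invoking user's environment, which is worth a sentence in the patch header.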
@@ -597,6 +597,28 @@ g_ptr_array_add (saved_env, g_strdup (value)); } + /* $XAUTHORITY is "special" - if unset, we need to set it to ~/.Xauthority. Yes, + * this is broken but it's unfortunately how things work (see fdo #51623 for + * details) + */ + if (g_getenv ("XAUTHORITY") == NULL) + { + const gchar *home; + + /* pre-2.36 GLib does not examine $HOME (it always looks in /etc/passwd) and + * this is not what we want + */ + home = g_getenv ("HOME"); + if (home == NULL) + home = g_get_home_dir (); + + if (home != NULL) + { + g_ptr_array_add (saved_env, g_strdup ("XAUTHORITY")); + g_ptr_array_add (saved_env, g_build_filename (home, ".Xauthority", NULL)); + } + } + /* Nuke the environment to get a well-known and sanitized environment to avoid attacks * via e.g. the DBUS_SYSTEM_BUS_ADDRESS environment variable and similar. */ debian/patches/08_deprecate_racy_APIs.patch0000644000000000000000000000227012227267237016006 0ustar commit 08291789a1f99d4ab29c74c39344304bcca43023 Author: Colin Walters Date: Tue Aug 20 15:15:31 2013 -0400 polkitunixprocess: Deprecate racy APIs It's only safe for processes to be created with their owning uid, (without kernel support, which we don't have). Anything else is subject to clients exec()ing setuid binaries after the fact. diff --git a/src/polkit/polkitunixprocess.h b/src/polkit/polkitunixprocess.h index 531a57d..f5ed1a7 100644 --- a/src/polkit/polkitunixprocess.h +++ b/src/polkit/polkitunixprocess.h 
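Review bot: the XAUTHORITY hunk in 07_set-XAUTHORITY-environment-variable-if-unset.patch derives the path from $HOME read out of the not-yet-sanitized environment of a setuid program, so the value pushed into saved_env is whatever the invoking user put in HOME, and the g_get_home_dir () fallback does not help because GLib 2.36 and later honour $HOME there too (as the comment itself notes). This adds nothing the caller could not already do by setting XAUTHORITY before invoking pkexec, but the derived value should come from the password database entry for original_user_name (getpwnam, which pkexec already uses for the target user) rather than from the environment, and the pre-2.36 comment should go once the build requires newer GLib.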
@@ -47,7 +47,9 @@ typedef struct _PolkitUnixProcess PolkitUnixProcess; typedef struct _PolkitUnixProcessClass PolkitUnixProcessClass; GType polkit_unix_process_get_type (void) G_GNUC_CONST; +G_GNUC_DEPRECATED_FOR(polkit_unix_process_new_for_owner) PolkitSubject *polkit_unix_process_new (gint pid); +G_GNUC_DEPRECATED_FOR(polkit_unix_process_new_for_owner) PolkitSubject *polkit_unix_process_new_full (gint pid, guint64 start_time); PolkitSubject *polkit_unix_process_new_for_owner (gint pid, debian/patches/CVE-2018-19788-2.patch0000644000000000000000000001172513402514157013510 0ustar Backport of: From b534a10727455409acd54018a9c91000e7626126 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Mon, 3 Dec 2018 11:20:34 +0100 Subject: [PATCH] tests: add tests for high uids --- test/data/etc/group | 1 + test/data/etc/passwd | 2 + .../etc/polkit-1/rules.d/10-testing.rules | 21 ++++++ .../test-polkitbackendjsauthority.c | 72 +++++++++++++++++++ 4 files changed, 96 insertions(+) Index: policykit-1-0.105/test/data/etc/group =================================================================== --- policykit-1-0.105.orig/test/data/etc/group 2018-12-07 08:21:34.402387757 -0500 +++ policykit-1-0.105/test/data/etc/group 2018-12-07 08:21:34.398387743 -0500 @@ -5,3 +5,4 @@ john:x:500: jane:x:501: sally:x:502: henry:x:503: +highuid2:x:4000000000: Index: policykit-1-0.105/test/data/etc/passwd =================================================================== --- policykit-1-0.105.orig/test/data/etc/passwd 2018-12-07 08:21:34.402387757 -0500 +++ policykit-1-0.105/test/data/etc/passwd 2018-12-07 08:21:34.398387743 -0500 
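Review bot: the header hunk in 08_deprecate_racy_APIs.patch marks polkit_unix_process_new and polkit_unix_process_new_full deprecated only in polkitunixprocess.h, so any remaining call site in this tree now emits deprecation warnings (and breaks a -Werror build), while the reason given in the commit text (a client can exec a setuid binary after the pid is looked up, so a pid alone does not identify the owning uid) is invisible to API consumers. Migrate or wrap the internal callers, and copy that rationale into the gtk-doc comments of both functions in polkitunixprocess.c with a Deprecated: tag pointing at polkit_unix_process_new_for_owner so the warning is actionable.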
@@ -3,3 +3,5 @@ john:x:500:500:John Done:/home/john:/bin jane:x:501:501:Jane Smith:/home/jane:/bin/bash sally:x:502:502:Sally Derp:/home/sally:/bin/bash henry:x:503:503:Henry Herp:/home/henry:/bin/bash +highuid1:x:2147483648:2147483648:The first high uid:/home/highuid1:/sbin/nologin +highuid2:x:4000000000:4000000000:An example high uid:/home/example:/sbin/nologin Index: policykit-1-0.105/test/data/etc/polkit-1/localauthority/10-test/com.example.pkla =================================================================== --- policykit-1-0.105.orig/test/data/etc/polkit-1/localauthority/10-test/com.example.pkla 2018-12-07 08:21:34.402387757 -0500 +++ policykit-1-0.105/test/data/etc/polkit-1/localauthority/10-test/com.example.pkla 2018-12-07 08:21:34.398387743 -0500 @@ -12,3 +12,16 @@ ResultAny=no ResultInactive=auth_self ResultActive=yes +[User john can do this] +Identity=unix-user:john +Action=net.company.john_action +ResultAny=no +ResultInactive=auth_self +ResultActive=yes + +[User highuid2 can do this] +Identity=unix-user:highuid2 +Action=net.company.highuid2_action +ResultAny=no +ResultInactive=auth_self +ResultActive=yes Index: policykit-1-0.105/test/polkitbackend/polkitbackendlocalauthoritytest.c =================================================================== --- policykit-1-0.105.orig/test/polkitbackend/polkitbackendlocalauthoritytest.c 2018-12-07 08:21:34.402387757 -0500 +++ policykit-1-0.105/test/polkitbackend/polkitbackendlocalauthoritytest.c 2018-12-07 10:23:33.528742547 -0500 
@@ -226,7 +226,46 @@ struct auth_context check_authorization_ {"unix-user:jane", TRUE, TRUE, "com.example.awesomeproduct.bar", POLKIT_IMPLICIT_AUTHORIZATION_UNKNOWN, POLKIT_IMPLICIT_AUTHORIZATION_AUTHORIZED}, - + /* highuid1 is not a member of group 'users', see test/data/etc/group + * group_membership_with_non_member(highuid22) */ + {"unix-user:highuid2", TRUE, TRUE, "com.example.awesomeproduct.foo", + POLKIT_IMPLICIT_AUTHORIZATION_UNKNOWN, + POLKIT_IMPLICIT_AUTHORIZATION_UNKNOWN}, + /* highuid2 is not a member of group 'users', see test/data/etc/group + * group_membership_with_non_member(highuid21) */ + {"unix-user:highuid2", TRUE, TRUE, "com.example.awesomeproduct.foo", + POLKIT_IMPLICIT_AUTHORIZATION_UNKNOWN, + POLKIT_IMPLICIT_AUTHORIZATION_UNKNOWN}, + /* highuid1 is not a member of group 'users', see test/data/etc/group + * group_membership_with_non_member(highuid24) */ + {"unix-user:2147483648", TRUE, TRUE, "com.example.awesomeproduct.foo", + POLKIT_IMPLICIT_AUTHORIZATION_UNKNOWN, + POLKIT_IMPLICIT_AUTHORIZATION_UNKNOWN}, + /* highuid2 is not a member of group 'users', see test/data/etc/group + * group_membership_with_non_member(highuid23) */ + {"unix-user:4000000000", TRUE, TRUE, "com.example.awesomeproduct.foo", + POLKIT_IMPLICIT_AUTHORIZATION_UNKNOWN, + POLKIT_IMPLICIT_AUTHORIZATION_UNKNOWN}, + /* john is authorized to do this, see com.example.pkla + * john_action */ + {"unix-user:john", TRUE, TRUE, "net.company.john_action", + POLKIT_IMPLICIT_AUTHORIZATION_UNKNOWN, + POLKIT_IMPLICIT_AUTHORIZATION_AUTHORIZED}, + /* only john is authorized to do this, see com.example.pkla + * jane_action */ + {"unix-user:jane", TRUE, TRUE, "net.company.john_action", + POLKIT_IMPLICIT_AUTHORIZATION_UNKNOWN, + POLKIT_IMPLICIT_AUTHORIZATION_UNKNOWN}, + /* highuid2 is authorized to do this, see com.example.pkla + * highuid2_action */ + {"unix-user:highuid2", TRUE, TRUE, "net.company.highuid2_action", + POLKIT_IMPLICIT_AUTHORIZATION_UNKNOWN, + 
POLKIT_IMPLICIT_AUTHORIZATION_AUTHORIZED}, + /* only highuid2 is authorized to do this, see com.example.pkla + * highuid1_action */ + {"unix-user:highuid1", TRUE, TRUE, "net.company.highuid2_action", + POLKIT_IMPLICIT_AUTHORIZATION_UNKNOWN, + POLKIT_IMPLICIT_AUTHORIZATION_UNKNOWN}, {NULL}, }; debian/patches/CVE-2015-4625-2.patch0000644000000000000000000006637213322110664013411 0ustar From 493aa5dc1d278ab9097110c1262f5229bbaf1766 Mon Sep 17 00:00:00 2001 
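Review bot: the test-table hunk in polkitbackendlocalauthoritytest.c has copy-paste slips that weaken the coverage it is meant to add: the first two new entries both test "unix-user:highuid2" although the first one's comment talks about highuid1, the comment labels highuid21 through highuid24 do not correspond to the entries beneath them, and the jane entry against net.company.john_action is labelled "jane_action". As written the uid just above 2^31 (2147483648 in the test/data/etc/passwd hunk) is only exercised in numeric form; change the first entry to "unix-user:highuid1" so the named form is covered too, and tidy the comments. The data hunks are consistent: only highuid2 gets a group entry, matching the "not a member" comments for highuid1.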
From: Colin Walters Date: Wed, 17 Jun 2015 13:07:02 -0400 Subject: CVE-2015-4625: Bind use of cookies to specific uids MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit http://lists.freedesktop.org/archives/polkit-devel/2015-June/000425.html The "cookie" value that Polkit hands out is global to all polkit users. And when `AuthenticationAgentResponse` is invoked, we previously only received the cookie and *target* identity, and attempted to find an agent from that. The problem is that the current cookie is just an integer counter, and if it overflowed, it would be possible for an successful authorization in one session to trigger a response in another session. The overflow and ability to guess the cookie were fixed by the previous patch. This patch is conceptually further hardening on top of that. Polkit currently treats uids as equivalent from a security domain perspective; there is no support for SELinux/AppArmor/etc. differentiation. We can retrieve the uid from `getuid()` in the setuid helper, which allows us to ensure the uid invoking `AuthenticationAgentResponse2` matches that of the agent. Then the authority only looks at authentication sessions matching the cookie that were created by a matching uid, thus removing the ability for different uids to interfere with each other entirely. Several fixes to this patch were contributed by: Miloslav Trmač Bug: https://bugs.freedesktop.org/show_bug.cgi?id=90837 CVE: CVE-2015-4625 Reported-by: Tavis Ormandy Reviewed-by: Miloslav Trmač 
Signed-off-by: Colin Walters --- ....freedesktop.PolicyKit1.AuthenticationAgent.xml | 14 ++++- data/org.freedesktop.PolicyKit1.Authority.xml | 24 ++++++++- ...erface-org.freedesktop.PolicyKit1.Authority.xml | 46 +++++++++++++++- docs/polkit/overview.xml | 18 ++++--- src/polkit/polkitauthority.c | 13 ++++- src/polkitbackend/polkitbackendauthority.c | 61 +++++++++++++++++++++- src/polkitbackend/polkitbackendauthority.h | 2 + .../polkitbackendinteractiveauthority.c | 39 ++++++++++++-- 8 files changed, 198 insertions(+), 19 deletions(-) Index: policykit-1-0.105/data/org.freedesktop.PolicyKit1.AuthenticationAgent.xml =================================================================== --- policykit-1-0.105.orig/data/org.freedesktop.PolicyKit1.AuthenticationAgent.xml 2018-07-13 07:49:04.165788244 -0400 +++ policykit-1-0.105/data/org.freedesktop.PolicyKit1.AuthenticationAgent.xml 2018-07-13 07:49:04.153788232 -0400 @@ -8,7 +8,19 @@ - + Index: policykit-1-0.105/data/org.freedesktop.PolicyKit1.Authority.xml =================================================================== --- policykit-1-0.105.orig/data/org.freedesktop.PolicyKit1.Authority.xml 2018-07-13 07:49:04.165788244 -0400 +++ policykit-1-0.105/data/org.freedesktop.PolicyKit1.Authority.xml 2018-07-13 07:49:04.153788232 -0400 @@ -313,7 +313,29 @@ - + + + + + + + + + + + + + + + + + + Index: policykit-1-0.105/docs/polkit/docbook-interface-org.freedesktop.PolicyKit1.Authority.xml =================================================================== --- policykit-1-0.105.orig/docs/polkit/docbook-interface-org.freedesktop.PolicyKit1.Authority.xml 2018-07-13 07:49:04.165788244 -0400 +++ policykit-1-0.105/docs/polkit/docbook-interface-org.freedesktop.PolicyKit1.Authority.xml 2018-07-13 07:49:04.157788236 -0400 
@@ -42,6 +42,8 @@ Structure AuthenticationAgentResponse (IN String cookie, IN Identity identity) +AuthenticationAgentResponse2 (IN uint32 uid, IN String cookie, + IN Identity identity) EnumerateTemporaryAuthorizations (IN Subject subject, OUT Array<TemporaryAuthorization> temporary_authorizations) RevokeTemporaryAuthorizations (IN Subject subject) @@ -777,12 +779,54 @@ AuthenticationAgentResponse (IN String IN Identity identity) -Method for authentication agents to invoke on successful authentication. This method will fail unless a sufficiently privileged caller invokes it. +Method for authentication agents to invoke on successful +authentication, intended only for use by a privileged helper process +internal to polkit. Deprecated in favor of AuthenticationAgentResponse2. IN String cookie: + +The cookie identifying the authentication request that was passed to the authentication agent. + + + + + IN Identity identity: + + +A Identity struct describing what identity was authenticated. + + + + + + + AuthenticationAgentResponse2 () + +AuthenticationAgentResponse2 (IN uint32 uid, + IN String cookie, + IN Identity identity) + + +Method for authentication agents to invoke on successful +authentication, intended only for use by a privileged helper process +internal to polkit. Note this method was introduced in 0.114 to fix a security issue. + + + + IN uint32 uid: + + +The user id of the agent; normally this is the owner of the parent pid +of the process that invoked the internal setuid helper. + + + + + IN String cookie: + The cookie identifying the authentication request that was passed to the authentication agent. Index: policykit-1-0.105/docs/polkit/overview.xml =================================================================== --- policykit-1-0.105.orig/docs/polkit/overview.xml 2018-07-13 07:49:04.165788244 -0400 +++ policykit-1-0.105/docs/polkit/overview.xml 2018-07-13 07:49:04.157788236 -0400 
@@ -66,16 +66,18 @@ Authentication agents are provided by desktop environments. When an user session starts, the agent registers with the polkit - Authority using - the RegisterAuthenticationAgent() + Authority using the RegisterAuthenticationAgent() method. When services are needed, the authority will invoke - methods on - the org.freedesktop.PolicyKit1.AuthenticationAgent + methods on the org.freedesktop.PolicyKit1.AuthenticationAgent D-Bus interface. Once the user is authenticated, (a privileged - part of) the agent invokes - the AuthenticationAgentResponse() - method. Note that the polkit Authority itself does not care - how the agent authenticates the user. + part of) the agent invokes the AuthenticationAgentResponse() + method. This method should be treated as an internal + implementation detail, and callers should use the public shared + library API to invoke it, which currently uses a setuid helper + program. The libpolkit-agent-1 Index: policykit-1-0.105/src/polkit/polkitauthority.c =================================================================== --- policykit-1-0.105.orig/src/polkit/polkitauthority.c 2018-07-13 07:49:04.165788244 -0400 +++ policykit-1-0.105/src/polkit/polkitauthority.c 2018-07-13 07:49:04.157788236 -0400 @@ -1492,6 +1492,14 @@ polkit_authority_authentication_agent_re gpointer user_data) { GVariant *identity_value; + /* Note that in reality, this API is only accessible to root, and + * only called from the setuid helper `polkit-agent-helper-1`. + * + * However, because this is currently public API, we avoid + * triggering warnings from ABI diff type programs by just grabbing + * the real uid of the caller here. + */ + uid_t uid = getuid (); g_return_if_fail (POLKIT_IS_AUTHORITY (authority)); g_return_if_fail (cookie != NULL); 
@@ -1501,8 +1509,9 @@ polkit_authority_authentication_agent_re identity_value = polkit_identity_to_gvariant (identity); g_variant_ref_sink (identity_value); g_dbus_proxy_call (authority->proxy, - "AuthenticationAgentResponse", - g_variant_new ("(s@(sa{sv}))", + "AuthenticationAgentResponse2", + g_variant_new ("(us@(sa{sv}))", + (guint32)uid, cookie, identity_value), G_DBUS_CALL_FLAGS_NONE, Index: policykit-1-0.105/src/polkitbackend/polkitbackendauthority.c =================================================================== --- policykit-1-0.105.orig/src/polkitbackend/polkitbackendauthority.c 2018-07-13 07:49:04.165788244 -0400 +++ policykit-1-0.105/src/polkitbackend/polkitbackendauthority.c 2018-07-13 07:49:04.157788236 -0400 @@ -355,6 +355,7 @@ polkit_backend_authority_unregister_auth gboolean polkit_backend_authority_authentication_agent_response (PolkitBackendAuthority *authority, PolkitSubject *caller, + uid_t uid, const gchar *cookie, PolkitIdentity *identity, GError **error) @@ -373,7 +374,7 @@ polkit_backend_authority_authentication_ } else { - return klass->authentication_agent_response (authority, caller, cookie, identity, error); + return klass->authentication_agent_response (authority, caller, uid, cookie, identity, error); } } @@ -587,6 +588,11 @@ static const gchar *server_introspection " " " " " " + " " + " " + " " + " " + " " " " " " " " 
@@ -1035,6 +1041,57 @@ server_handle_authentication_agent_respo error = NULL; if (!polkit_backend_authority_authentication_agent_response (server->authority, caller, + (uid_t)-1, + cookie, + identity, + &error)) + { + g_dbus_method_invocation_return_gerror (invocation, error); + g_error_free (error); + goto out; + } + + g_dbus_method_invocation_return_value (invocation, g_variant_new ("()")); + + out: + if (identity != NULL) + g_object_unref (identity); +} + +static void +server_handle_authentication_agent_response2 (Server *server, + GVariant *parameters, + PolkitSubject *caller, + GDBusMethodInvocation *invocation) +{ + const gchar *cookie; + GVariant *identity_gvariant; + PolkitIdentity *identity; + GError *error; + guint32 uid; + + identity = NULL; + + g_variant_get (parameters, + "(u&s@(sa{sv}))", + &uid, + &cookie, + &identity_gvariant); + + error = NULL; + identity = polkit_identity_new_for_gvariant (identity_gvariant, &error); + if (identity == NULL) + { + g_prefix_error (&error, "Error getting identity: "); + g_dbus_method_invocation_return_gerror (invocation, error); + g_error_free (error); + goto out; + } + + error = NULL; + if (!polkit_backend_authority_authentication_agent_response (server->authority, + caller, + (uid_t)uid, cookie, identity, &error)) 
@@ -1222,6 +1279,8 @@ server_handle_method_call (GDBusConnecti server_handle_unregister_authentication_agent (server, parameters, caller, invocation); else if (g_strcmp0 (method_name, "AuthenticationAgentResponse") == 0) server_handle_authentication_agent_response (server, parameters, caller, invocation); + else if (g_strcmp0 (method_name, "AuthenticationAgentResponse2") == 0) + server_handle_authentication_agent_response2 (server, parameters, caller, invocation); else if (g_strcmp0 (method_name, "EnumerateTemporaryAuthorizations") == 0) server_handle_enumerate_temporary_authorizations (server, parameters, caller, invocation); else if (g_strcmp0 (method_name, "RevokeTemporaryAuthorizations") == 0) Index: policykit-1-0.105/src/polkitbackend/polkitbackendauthority.h =================================================================== --- policykit-1-0.105.orig/src/polkitbackend/polkitbackendauthority.h 2018-07-13 07:49:04.165788244 -0400 +++ policykit-1-0.105/src/polkitbackend/polkitbackendauthority.h 2018-07-13 07:49:04.157788236 -0400 @@ -154,6 +154,7 @@ struct _PolkitBackendAuthorityClass gboolean (*authentication_agent_response) (PolkitBackendAuthority *authority, PolkitSubject *caller, + uid_t uid, const gchar *cookie, PolkitIdentity *identity, GError **error); @@ -256,6 +257,7 @@ gboolean polkit_backend_authority_unregi gboolean polkit_backend_authority_authentication_agent_response (PolkitBackendAuthority *authority, PolkitSubject *caller, + uid_t uid, const gchar *cookie, PolkitIdentity *identity, GError **error); Index: policykit-1-0.105/src/polkitbackend/polkitbackendinteractiveauthority.c =================================================================== --- policykit-1-0.105.orig/src/polkitbackend/polkitbackendinteractiveauthority.c 2018-07-13 07:49:04.165788244 -0400 +++ policykit-1-0.105/src/polkitbackend/polkitbackendinteractiveauthority.c 2018-07-13 07:49:04.157788236 -0400 
@@ -106,8 +106,9 @@ static AuthenticationAgent *get_authenti PolkitSubject *subject); -static AuthenticationSession *get_authentication_session_for_cookie (PolkitBackendInteractiveAuthority *authority, - const gchar *cookie); +static AuthenticationSession *get_authentication_session_for_uid_and_cookie (PolkitBackendInteractiveAuthority *authority, + uid_t uid, + const gchar *cookie); static GList *get_authentication_sessions_initiated_by_system_bus_unique_name (PolkitBackendInteractiveAuthority *authority, const gchar *system_bus_unique_name); @@ -167,6 +168,7 @@ static gboolean polkit_backend_interacti static gboolean polkit_backend_interactive_authority_authentication_agent_response (PolkitBackendAuthority *authority, PolkitSubject *caller, + uid_t uid, const gchar *cookie, PolkitIdentity *identity, GError **error); @@ -431,6 +433,7 @@ struct AuthenticationAgent { volatile gint ref_count; + uid_t creator_uid; PolkitSubject *scope; guint64 serial; @@ -1599,6 +1602,7 @@ authentication_agent_unref (Authenticati static AuthenticationAgent * authentication_agent_new (guint64 serial, PolkitSubject *scope, + PolkitIdentity *creator, const gchar *unique_system_bus_name, const gchar *locale, const gchar *object_path, @@ -1607,6 +1611,10 @@ authentication_agent_new (guint64 s { AuthenticationAgent *agent; GDBusProxy *proxy; + PolkitUnixUser *creator_user; + + g_assert (POLKIT_IS_UNIX_USER (creator)); + creator_user = POLKIT_UNIX_USER (creator); if (!g_variant_is_object_path (object_path)) { @@ -1634,6 +1642,7 @@ authentication_agent_new (guint64 s agent->ref_count = 1; agent->serial = serial; agent->scope = g_object_ref (scope); + agent->creator_uid = (uid_t)polkit_unix_user_get_uid (creator_user); agent->object_path = g_strdup (object_path); agent->unique_system_bus_name = g_strdup (unique_system_bus_name); agent->locale = g_strdup (locale); 
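Review bot: `g_assert (POLKIT_IS_UNIX_USER (creator))` in `authentication_agent_new` (`@@ -1607,6 +1611,10 @@`) aborts the entire authority daemon if a non-UNIX-user identity ever reaches it; for a system service a `g_return_val_if_fail` that returns NULL with a GError would fail just the one registration, and the function already has such an error path for a malformed `object_path` (the `g_variant_is_object_path` check visible in the context lines). Storing `creator_uid` on the agent (`@@ -431` and `@@ -1634`) is the right place for the binding; a one-line comment saying it is compared against the uid presented in AuthenticationAgentResponse2 would help the next reader.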
@@ -1732,8 +1741,9 @@ get_authentication_agent_for_subject (Po } static AuthenticationSession * -get_authentication_session_for_cookie (PolkitBackendInteractiveAuthority *authority, - const gchar *cookie) +get_authentication_session_for_uid_and_cookie (PolkitBackendInteractiveAuthority *authority, + uid_t uid, + const gchar *cookie) { PolkitBackendInteractiveAuthorityPrivate *priv; GHashTableIter hash_iter; @@ -1751,6 +1761,23 @@ get_authentication_session_for_cookie (P { GList *l; + /* We need to ensure that if somehow we have duplicate cookies + * due to wrapping, that the cookie used is matched to the user + * who called AuthenticationAgentResponse2. See + * http://lists.freedesktop.org/archives/polkit-devel/2015-June/000425.html + * + * Except if the legacy AuthenticationAgentResponse is invoked, + * we don't know the uid and hence use -1. Continue to support + * the old behavior for backwards compatibility, although everyone + * who is using our own setuid helper will automatically be updated + * to the new API. + */ + if (uid != (uid_t)-1) + { + if (agent->creator_uid != uid) + continue; + } + for (l = agent->active_sessions; l != NULL; l = l->next) { AuthenticationSession *session = l->data; @@ -2384,6 +2411,7 @@ polkit_backend_interactive_authority_reg priv->agent_serial++; agent = authentication_agent_new (priv->agent_serial, subject, + user_of_caller, polkit_system_bus_name_get_name (POLKIT_SYSTEM_BUS_NAME (caller)), locale, object_path, @@ -2597,6 +2625,7 @@ polkit_backend_interactive_authority_unr static gboolean polkit_backend_interactive_authority_authentication_agent_response (PolkitBackendAuthority *authority, PolkitSubject *caller, + uid_t uid, const gchar *cookie, PolkitIdentity *identity, GError **error) 
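Review bot: the uid filter in `get_authentication_session_for_uid_and_cookie` (`@@ -1751,6 +1761,23 @@`) is skipped entirely when `uid == (uid_t)-1`, which is what the legacy AuthenticationAgentResponse path passes, so while the old method remains reachable a response can still be matched by cookie alone; the in-code comment justifies that for compatibility, but the privilege check limiting who may call either method is not in these hunks and should be confirmed to sit ahead of the lookup in `polkit_backend_interactive_authority_authentication_agent_response`. Consider also logging when a cookie matches a session under an agent whose `creator_uid` differs from `uid`, since that is precisely the condition this change exists to catch and an operator would want to see it.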
@@ -2639,7 +2668,7 @@ polkit_backend_interactive_authority_aut } /* find the authentication session */ - session = get_authentication_session_for_cookie (interactive_authority, cookie); + session = get_authentication_session_for_uid_and_cookie (interactive_authority, uid, cookie); if (session == NULL) { g_set_error (error, debian/patches/CVE-2019-6133.patch0000644000000000000000000001741113446700544013251 0ustar From 6cc6aafee135ba44ea748250d7d29b562ca190e3 Mon Sep 17 00:00:00 2001 From: Colin Walters Date: Fri, 4 Jan 2019 14:24:48 -0500 Subject: [PATCH] backend: Compare PolkitUnixProcess uids for temporary authorizations It turns out that the combination of `(pid, start time)` is not enough to be unique. For temporary authorizations, we can avoid separate users racing on pid reuse by simply comparing the uid. https://bugs.chromium.org/p/project-zero/issues/detail?id=1692 And the above original email report is included in full in a new comment. Reported-by: Jann Horn Closes: https://gitlab.freedesktop.org/polkit/polkit/issues/75 --- src/polkit/polkitsubject.c | 2 + src/polkit/polkitunixprocess.c | 71 ++++++++++++++++++- .../polkitbackendinteractiveauthority.c | 39 +++++++++- 3 files changed, 110 insertions(+), 2 deletions(-) Index: policykit-1-0.105/src/polkit/polkitsubject.c =================================================================== --- policykit-1-0.105.orig/src/polkit/polkitsubject.c 2019-03-27 09:57:54.063092465 -0400 +++ policykit-1-0.105/src/polkit/polkitsubject.c 2019-03-27 09:57:54.059092451 -0400 
@@ -99,6 +99,8 @@ polkit_subject_hash (PolkitSubject *subj * @b: A #PolkitSubject. * * Checks if @a and @b are equal, ie. represent the same subject. + * However, avoid calling polkit_subject_equal() to compare two processes; + * for more information see the `PolkitUnixProcess` documentation. * * This function can be used in e.g. g_hash_table_new(). * Index: policykit-1-0.105/src/polkit/polkitunixprocess.c =================================================================== --- policykit-1-0.105.orig/src/polkit/polkitunixprocess.c 2019-03-27 09:57:54.063092465 -0400 +++ policykit-1-0.105/src/polkit/polkitunixprocess.c 2019-03-27 09:57:54.059092451 -0400 @@ -44,7 +44,10 @@ * @title: PolkitUnixProcess * @short_description: Unix processs * - * An object for representing a UNIX process. + * An object for representing a UNIX process. NOTE: This object as + * designed is now known broken; a mechanism to exploit a delay in + * start time in the Linux kernel was identified. Avoid + * calling polkit_subject_equal() to compare two processes. * * To uniquely identify processes, both the process id and the start * time of the process (a monotonic increasing value representing the @@ -59,6 +62,72 @@ * polkit_unix_process_new_for_owner() with trusted data. */ +/* See https://gitlab.freedesktop.org/polkit/polkit/issues/75 + + But quoting the original email in full here to ensure it's preserved: + + 
From: Jann Horn + Subject: [SECURITY] polkit: temporary auth hijacking via PID reuse and non-atomic fork + Date: Wednesday, October 10, 2018 5:34 PM + +When a (non-root) user attempts to e.g. control systemd units in the system +instance from an active session over DBus, the access is gated by a polkit +policy that requires "auth_admin_keep" auth. This results in an auth prompt +being shown to the user, asking the user to confirm the action by entering the +password of an administrator account. + +After the action has been confirmed, the auth decision for "auth_admin_keep" is +cached for up to five minutes. Subject to some restrictions, similar actions can +then be performed in this timespan without requiring re-auth: + + - The PID of the DBus client requesting the new action must match the PID of + the DBus client requesting the old action (based on SO_PEERCRED information + forwarded by the DBus daemon). + - The "start time" of the client's PID (as seen in /proc/$pid/stat, field 22) + must not have changed. The granularity of this timestamp is in the + millisecond range. + - polkit polls every two seconds whether a process with the expected start time + still exists. If not, the temporary auth entry is purged. + +Without the start time check, this would obviously be buggy because an attacker +could simply wait for the legitimate client to disappear, then create a new +client with the same PID. + +Unfortunately, the start time check is bypassable because fork() is not atomic. +Looking at the source code of copy_process() in the kernel: + + p->start_time = ktime_get_ns(); + p->real_start_time = ktime_get_boot_ns(); + [...] 
+ retval = copy_thread_tls(clone_flags, stack_start, stack_size, p, tls); + if (retval) + goto bad_fork_cleanup_io; + + if (pid != &init_struct_pid) { + pid = alloc_pid(p->nsproxy->pid_ns_for_children); + if (IS_ERR(pid)) { + retval = PTR_ERR(pid); + goto bad_fork_cleanup_thread; + } + } + +The ktime_get_boot_ns() call is where the "start time" of the process is +recorded. The alloc_pid() call is where a free PID is allocated. In between +these, some time passes; and because the copy_thread_tls() call between them can +access userspace memory when sys_clone() is invoked through the 32-bit syscall +entry point, an attacker can even stall the kernel arbitrarily long at this +point (by supplying a pointer into userspace memory that is associated with a +userfaultfd or is backed by a custom FUSE filesystem). + +This means that an attacker can immediately call sys_clone() when the victim +process is created, often resulting in a process that has the exact same start +time reported in procfs; and then the attacker can delay the alloc_pid() call +until after the victim process has died and the PID assignment has cycled +around. This results in an attacker process that polkit can't distinguish from +the victim process. +*/ + + /** * PolkitUnixProcess: * Index: policykit-1-0.105/src/polkitbackend/polkitbackendinteractiveauthority.c =================================================================== --- policykit-1-0.105.orig/src/polkitbackend/polkitbackendinteractiveauthority.c 2019-03-27 09:57:54.063092465 -0400 +++ policykit-1-0.105/src/polkitbackend/polkitbackendinteractiveauthority.c 2019-03-27 09:57:54.059092451 -0400 
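Review bot: the `polkitunixprocess.c` changes (`@@ -44,7 +44,10 @@` and `@@ -59,6 +62,72 @@`) are comments only: the doc block now tells API users to avoid `polkit_subject_equal()` for two processes but names no replacement, and the helper that actually adds the uid comparison is a static function in the backend, so any out-of-tree caller of `polkit_subject_equal()` on a `PolkitUnixProcess` keeps the (pid, start time) semantics the quoted report describes as insufficient. Suggest the comment point readers at `polkit_unix_process_get_uid()` and state that the uid must be compared as well. The `polkit_subject_equal()` doc addition in `polkitsubject.c` (`@@ -99,6 +99,8 @@`) should carry the same hint.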
@@ -2863,6 +2863,43 @@ temporary_authorization_store_free (Temp g_free (store); } +/* See the comment at the top of polkitunixprocess.c */ +static gboolean +subject_equal_for_authz (PolkitSubject *a, + PolkitSubject *b) +{ + if (!polkit_subject_equal (a, b)) + return FALSE; + + /* Now special case unix processes, as we want to protect against + * pid reuse by including the UID. + */ + if (POLKIT_IS_UNIX_PROCESS (a) && POLKIT_IS_UNIX_PROCESS (b)) { + PolkitUnixProcess *ap = (PolkitUnixProcess*)a; + int uid_a = polkit_unix_process_get_uid ((PolkitUnixProcess*)a); + PolkitUnixProcess *bp = (PolkitUnixProcess*)b; + int uid_b = polkit_unix_process_get_uid ((PolkitUnixProcess*)b); + + if (uid_a != -1 && uid_b != -1) + { + if (uid_a == uid_b) + { + return TRUE; + } + else + { + g_printerr ("denying slowfork; pid %d uid %d != %d!\n", + polkit_unix_process_get_pid (ap), + uid_a, uid_b); + return FALSE; + } + } + /* Fall through; one of the uids is unset so we can't reliably compare */ + } + + return TRUE; +} + static gboolean temporary_authorization_store_has_authorization (TemporaryAuthorizationStore *store, PolkitSubject *subject, @@ -2905,7 +2942,7 @@ temporary_authorization_store_has_author TemporaryAuthorization *authorization = l->data; if (strcmp (action_id, authorization->action_id) == 0 && - polkit_subject_equal (subject_to_use, authorization->subject)) + subject_equal_for_authz (subject_to_use, authorization->subject)) { ret = TRUE; if (out_tmp_authz_id != NULL) debian/patches/fix_memleak.patch0000644000000000000000000000177712475335667014155 0ustar From f4d71e0de885010494b8b0b8d62ca910011d7544 Mon Sep 17 00:00:00 2001 
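Review bot: in `subject_equal_for_authz` (`@@ -2863,6 +2863,43 @@`) the fall-through when either uid is -1 returns TRUE, that is, a subject with an unknown uid is accepted on the (pid, start time) match alone, which is the comparison the commit message says is not unique; unless a temporary authorization's subject can legitimately lack a uid, returning FALSE there (and logging, as the mismatch branch does) fails closed. Two smaller points: `bp` is assigned and never used (`ap` is only used in the `g_printerr` call), and `g_printerr` bypasses the daemon's normal logging, so the "denying slowfork" event is easy to miss; `g_warning` or the authority's log function would make it visible to an operator. Finally, the check is only as strong as the uid recorded in each `PolkitUnixProcess`; the CVE-2018-1116 description further down this page notes that D-Bus clients could submit that uid themselves, so both fixes are needed together.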
From: "Max A. Dednev" Date: Sun, 11 Jan 2015 20:00:44 -0500 Subject: authority: Fix memory leak in EnumerateActions call results handler Policykit-1 doesn't release reference counters of GVariant data for org.freedesktop.PolicyKit1.Authority.EnumerateActions dbus call. This patch fixed reference counting and following memory leak. https://bugs.freedesktop.org/show_bug.cgi?id=88288 diff --git a/src/polkit/polkitauthority.c b/src/polkit/polkitauthority.c index 75619ab..ab6d3cd 100644 --- a/src/polkit/polkitauthority.c +++ b/src/polkit/polkitauthority.c @@ -715,7 +715,6 @@ polkit_authority_enumerate_actions_finish (PolkitAuthority *authority, while ((child = g_variant_iter_next_value (&iter)) != NULL) { ret = g_list_prepend (ret, polkit_action_description_new_for_gvariant (child)); - g_variant_ref_sink (child); g_variant_unref (child); } ret = g_list_reverse (ret); -- cgit v0.10.2 debian/patches/CVE-2015-3218.patch0000644000000000000000000001204613322110506013227 0ustar From 48e646918efb2bf0b3b505747655726d7869f31c Mon Sep 17 00:00:00 2001 From: Colin Walters Date: Sat, 30 May 2015 09:06:23 -0400 Subject: CVE-2015-3218: backend: Handle invalid object paths in RegisterAuthenticationAgent MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Properly propagate the error, otherwise we dereference a `NULL` pointer. This is a local, authenticated DoS. `RegisterAuthenticationAgentWithOptions` and `UnregisterAuthentication` have been validated to not need changes for this. http://lists.freedesktop.org/archives/polkit-devel/2015-May/000420.html https://bugs.freedesktop.org/show_bug.cgi?id=90829 Reported-by: Tavis Ormandy Reviewed-by: Philip Withnall Reviewed-by: Miloslav Trmač 
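Review bot: dropping `g_variant_ref_sink (child)` in `polkit_authority_enumerate_actions_finish` (`@@ -715,7 +715,6 @@`) is correct: `g_variant_iter_next_value` already returns a new full reference, so sink followed by unref left a net +1 per action, and the remaining `g_variant_unref (child)` now balances the loop. This assumes `polkit_action_description_new_for_gvariant` takes its own reference to whatever it keeps from `child`; that is not visible in the hunk and should be confirmed, otherwise the unref would free data the description still points at.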
Signed-off-by: Colin Walters --- .../polkitbackendinteractiveauthority.c | 53 ++++++++++++---------- 1 file changed, 30 insertions(+), 23 deletions(-) Index: policykit-1-0.105/src/polkitbackend/polkitbackendinteractiveauthority.c =================================================================== --- policykit-1-0.105.orig/src/polkitbackend/polkitbackendinteractiveauthority.c 2018-07-13 07:47:15.749681956 -0400 +++ policykit-1-0.105/src/polkitbackend/polkitbackendinteractiveauthority.c 2018-07-13 07:47:15.745681952 -0400 
@@ -1558,36 +1558,42 @@ authentication_agent_new (PolkitSubject const gchar *unique_system_bus_name, const gchar *locale, const gchar *object_path, - GVariant *registration_options) + GVariant *registration_options, + GError **error) { AuthenticationAgent *agent; - GError *error; + GDBusProxy *proxy; - agent = g_new0 (AuthenticationAgent, 1); + if (!g_variant_is_object_path (object_path)) + { + g_set_error (error, POLKIT_ERROR, POLKIT_ERROR_FAILED, + "Invalid object path '%s'", object_path); + return NULL; + } + + proxy = g_dbus_proxy_new_for_bus_sync (G_BUS_TYPE_SYSTEM, + G_DBUS_PROXY_FLAGS_DO_NOT_LOAD_PROPERTIES | + G_DBUS_PROXY_FLAGS_DO_NOT_CONNECT_SIGNALS, + NULL, /* GDBusInterfaceInfo* */ + unique_system_bus_name, + object_path, + "org.freedesktop.PolicyKit1.AuthenticationAgent", + NULL, /* GCancellable* */ + error); + if (proxy == NULL) + { + g_prefix_error (error, "Failed to construct proxy for agent: " ); + return NULL; + } + agent = g_new0 (AuthenticationAgent, 1); agent->ref_count = 1; agent->scope = g_object_ref (scope); agent->object_path = g_strdup (object_path); agent->unique_system_bus_name = g_strdup (unique_system_bus_name); agent->locale = g_strdup (locale); agent->registration_options = registration_options != NULL ? g_variant_ref (registration_options) : NULL; - - error = NULL; - agent->proxy = g_dbus_proxy_new_for_bus_sync (G_BUS_TYPE_SYSTEM, - G_DBUS_PROXY_FLAGS_DO_NOT_LOAD_PROPERTIES | - G_DBUS_PROXY_FLAGS_DO_NOT_CONNECT_SIGNALS, - NULL, /* GDBusInterfaceInfo* */ - agent->unique_system_bus_name, - agent->object_path, - "org.freedesktop.PolicyKit1.AuthenticationAgent", - NULL, /* GCancellable* */ - &error); - if (agent->proxy == NULL) - { - g_warning ("Error constructing proxy for agent: %s", error->message); - g_error_free (error); - /* TODO: Make authentication_agent_new() return NULL and set a GError */ - } + agent->proxy = proxy; return agent; } 
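Review bot: `authentication_agent_new` (`@@ -1558,36 +1558,42 @@`) now fails before allocating the agent, so the `g_set_error` and `g_prefix_error` paths leak nothing, and the removed `g_warning` branch that returned an agent with `proxy == NULL` for a later dereference is gone, which is the actual DoS fix. One nit: `g_prefix_error (error, "Failed to construct proxy for agent: " )` has a stray space before the closing parenthesis. Note that `g_variant_is_object_path` validates syntax only; a well-formed path the agent does not export still registers successfully and only fails when the daemon calls it, so callers must still handle proxy call errors.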
@@ -2234,8 +2240,6 @@ polkit_backend_interactive_authority_reg caller_cmdline = NULL; agent = NULL; - /* TODO: validate that object path is well-formed */ - interactive_authority = POLKIT_BACKEND_INTERACTIVE_AUTHORITY (authority); priv = POLKIT_BACKEND_INTERACTIVE_AUTHORITY_GET_PRIVATE (interactive_authority); @@ -2322,7 +2326,10 @@ polkit_backend_interactive_authority_reg polkit_system_bus_name_get_name (POLKIT_SYSTEM_BUS_NAME (caller)), locale, object_path, - options); + options, + error); + if (!agent) + goto out; g_hash_table_insert (priv->hash_scope_to_authentication_agent, g_object_ref (subject), debian/patches/CVE-2015-4625-3.patch0000644000000000000000000004146413322110673013405 0ustar From fb5076b7c05d01a532d593a4079a29cf2d63a228 Mon Sep 17 00:00:00 2001 
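Review bot: the new `if (!agent) goto out;` at `@@ -2322,7 +2326,10 @@` jumps with `agent == NULL` (it is initialised to NULL at the top of the function, visible in `@@ -2234,8 +2240,6 @@`) and with the error already stored through the passed `error`, so the `out:` label must not unref `agent` unconditionally and the function must return FALSE on this path; neither is visible in the hunk, please confirm. Removing the `/* TODO: validate that object path is well-formed */` comment is right since the validation now lives inside `authentication_agent_new`.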
From: =?UTF-8?q?Miloslav=20Trma=C4=8D?= Date: Wed, 17 Jun 2015 01:01:27 +0200 Subject: docs: Update for changes to uid binding/AuthenticationAgentResponse2 - Refer to PolkitAgentSession in general instead of to _response only - Revert to the original description of authentication cancellation, the agent really needs to return an error to the caller (in addition to dealing with the session if any). - Explicitly document the UID assumption; in the process fixing bug #69980. - Keep documenting that we need a sufficiently privileged caller. - Refer to the ...Response2 API in more places. - Also update docbook documentation. - Drop a paragraph suggesting non-PolkitAgentSession implementations are expected and commonplace. Bug: https://bugs.freedesktop.org/show_bug.cgi?id=90837 Reviewed-by: Colin Walters --- ....freedesktop.PolicyKit1.AuthenticationAgent.xml | 6 +++--- data/org.freedesktop.PolicyKit1.Authority.xml | 11 ++++++---- ....freedesktop.PolicyKit1.AuthenticationAgent.xml | 7 +++++-- ...erface-org.freedesktop.PolicyKit1.Authority.xml | 12 +++++++---- docs/polkit/overview.xml | 8 ++++---- src/polkit/polkitauthority.c | 24 ++++++++++++++++++++-- src/polkitagent/polkitagentlistener.c | 5 +---- src/polkitbackend/polkitbackendauthority.c | 1 + 8 files changed, 51 insertions(+), 23 deletions(-) Index: policykit-1-0.105/data/org.freedesktop.PolicyKit1.AuthenticationAgent.xml =================================================================== --- policykit-1-0.105.orig/data/org.freedesktop.PolicyKit1.AuthenticationAgent.xml 2018-07-13 07:49:12.921796862 -0400 +++ policykit-1-0.105/data/org.freedesktop.PolicyKit1.AuthenticationAgent.xml 2018-07-13 07:49:12.913796854 -0400 
@@ -13,14 +13,14 @@ user to authenticate as one of the identities in @identities for the action with the identifier @action_id.This authentication is normally achieved via the - polkit_agent_session_response() API, which invokes a private + PolkitAgentSession API, which invokes a private setuid helper process to verify the authentication. When successful, it calls the org.freedesktop.PolicyKit1.Authority.AuthenticationAgentResponse2() method on the #org.freedesktop.PolicyKit1.Authority interface of the PolicyKit daemon before returning. If the user dismisses the - authentication dialog, the authentication agent should call - polkit_agent_session_cancel()."/> + authentication dialog, the authentication agent should return an + error."/> Index: policykit-1-0.105/data/org.freedesktop.PolicyKit1.Authority.xml =================================================================== --- policykit-1-0.105.orig/data/org.freedesktop.PolicyKit1.Authority.xml 2018-07-13 07:49:12.921796862 -0400 +++ policykit-1-0.105/data/org.freedesktop.PolicyKit1.Authority.xml 2018-07-13 07:49:12.913796854 -0400 @@ -283,7 +283,7 @@ - + @@ -315,7 +315,8 @@ +internal to polkit. This method will fail unless a sufficiently privileged +caller invokes it. Deprecated in favor of org.freedesktop.PolicyKit1.Authority.AuthenticationAgentResponse2."/> @@ -330,11 +331,13 @@ internal to polkit."/> - + Index: policykit-1-0.105/docs/polkit/docbook-interface-org.freedesktop.PolicyKit1.AuthenticationAgent.xml =================================================================== --- policykit-1-0.105.orig/docs/polkit/docbook-interface-org.freedesktop.PolicyKit1.AuthenticationAgent.xml 2018-07-13 07:49:12.921796862 -0400 +++ policykit-1-0.105/docs/polkit/docbook-interface-org.freedesktop.PolicyKit1.AuthenticationAgent.xml 2018-07-13 07:49:12.913796854 -0400 
@@ -47,10 +47,13 @@ BeginAuthentication (IN String identifier action_id.Upon succesful authentication, the authentication agent must invoke the AuthenticationAgentResponse() + linkend="eggdbus-method-org.freedesktop.PolicyKit1.Authority.AuthenticationAgentResponse2">AuthenticationAgentResponse2() method on the org.freedesktop.PolicyKit1.Authority - interface of the PolicyKit daemon before returning. + interface of the PolicyKit daemon before returning. This is normally + achieved via the PolkitAgentSession + API, which invokes a private setuid helper process to verify the + authentication. The authentication agent should not return until after authentication is complete. Index: policykit-1-0.105/docs/polkit/docbook-interface-org.freedesktop.PolicyKit1.Authority.xml =================================================================== --- policykit-1-0.105.orig/docs/polkit/docbook-interface-org.freedesktop.PolicyKit1.Authority.xml 2018-07-13 07:49:12.921796862 -0400 +++ policykit-1-0.105/docs/polkit/docbook-interface-org.freedesktop.PolicyKit1.Authority.xml 2018-07-13 07:49:12.913796854 -0400 @@ -42,7 +42,7 @@ Structure AuthenticationAgentResponse (IN String cookie, IN Identity identity) -AuthenticationAgentResponse2 (IN uint32 uid, IN String cookie, +AuthenticationAgentResponse2 (IN uint32 uid, IN String cookie, IN Identity identity) EnumerateTemporaryAuthorizations (IN Subject subject, OUT Array<TemporaryAuthorization> temporary_authorizations) @@ -701,7 +701,7 @@ RegisterAuthenticationAgent (IN -Register an authentication agent.Note that current versions of PolicyKit will only work if session_id is set to the empty string. In the future it might work for non-empty strings if the caller is sufficiently privileged. +Register an authentication agent.Note that this should be called by same effective UID which will be passed to AuthenticationAgentResponse2(). 
@@ -781,7 +781,8 @@ AuthenticationAgentResponse (IN String Method for authentication agents to invoke on successful authentication, intended only for use by a privileged helper process -internal to polkit. Deprecated in favor of AuthenticationAgentResponse2. +internal to polkit. This method will fail unless a sufficiently privileged ++caller invokes it. Deprecated in favor of AuthenticationAgentResponse2(). @@ -812,7 +813,10 @@ AuthenticationAgentResponse2 (IN uint32 Method for authentication agents to invoke on successful authentication, intended only for use by a privileged helper process -internal to polkit. Note this method was introduced in 0.114 to fix a security issue. +internal to polkit. This method will fail unless a sufficiently privileged +caller invokes it. Note this method was introduced in 0.114 and should be +preferred over AuthenticationAgentResponse() +as it fixes a security issue. Index: policykit-1-0.105/docs/polkit/overview.xml =================================================================== --- policykit-1-0.105.orig/docs/polkit/overview.xml 2018-07-13 07:49:12.921796862 -0400 +++ policykit-1-0.105/docs/polkit/overview.xml 2018-07-13 07:49:12.913796854 -0400 
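Review bot: in the docbook hunk `@@ -781,7 +781,8 @@` the second added line reads `++caller invokes it. Deprecated ...`: the line content begins with a literal `+`, so the generated documentation will say "sufficiently privileged +caller invokes it". Drop the extra `+`. The sibling hunk `@@ -812,7 +813,10 @@` has the intended wording.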
@@ -73,11 +73,11 @@ linkend="eggdbus-interface-org.freedesktop.PolicyKit1.AuthenticationAgent">org.freedesktop.PolicyKit1.AuthenticationAgent D-Bus interface. Once the user is authenticated, (a privileged part of) the agent invokes the AuthenticationAgentResponse() + linkend="eggdbus-method-org.freedesktop.PolicyKit1.Authority.AuthenticationAgentResponse2">AuthenticationAgentResponse2() method. This method should be treated as an internal - implementation detail, and callers should use the public shared - library API to invoke it, which currently uses a setuid helper - program. + implementation detail, and callers should use the + PolkitAgentSession API to invoke + it, which currently uses a setuid helper program. The libpolkit-agent-1 Index: policykit-1-0.105/src/polkit/polkitauthority.c =================================================================== --- policykit-1-0.105.orig/src/polkit/polkitauthority.c 2018-07-13 07:49:12.921796862 -0400 +++ policykit-1-0.105/src/polkit/polkitauthority.c 2018-07-13 07:49:12.917796858 -0400 @@ -1038,6 +1038,10 @@ polkit_authority_check_authorization_syn * * Asynchronously registers an authentication agent. * + * Note that this should be called by the same effective UID which will be + * the real UID using the #PolkitAgentSession API or otherwise calling + * polkit_authority_authentication_agent_response(). + * * When the operation is finished, @callback will be invoked in the * thread-default * main loop of the thread you are calling this method 
@@ -1129,7 +1133,13 @@ polkit_authority_register_authentication * @cancellable: (allow-none): A #GCancellable or %NULL. * @error: (allow-none): Return location for error or %NULL. * - * Registers an authentication agent. The calling thread is blocked + * Registers an authentication agent. + * + * Note that this should be called by the same effective UID which will be + * the real UID using the #PolkitAgentSession API or otherwise calling + * polkit_authority_authentication_agent_response(). + * + * The calling thread is blocked * until a reply is received. See * polkit_authority_register_authentication_agent() for the * asynchronous version. @@ -1178,6 +1188,10 @@ polkit_authority_register_authentication * * Asynchronously registers an authentication agent. * + * Note that this should be called by the same effective UID which will be + * the real UID using the #PolkitAgentSession API or otherwise calling + * polkit_authority_authentication_agent_response(). + * * When the operation is finished, @callback will be invoked in the * thread-default * main loop of the thread you are calling this method 
@@ -1292,7 +1306,13 @@ polkit_authority_register_authentication * @cancellable: (allow-none): A #GCancellable or %NULL. * @error: (allow-none): Return location for error or %NULL. * - * Registers an authentication agent. The calling thread is blocked + * Registers an authentication agent. + * + * Note that this should be called by the same effective UID which will be + * the real UID using the #PolkitAgentSession API or otherwise calling + * polkit_authority_authentication_agent_response(). + * + * The calling thread is blocked * until a reply is received. See * polkit_authority_register_authentication_agent_with_options() for the * asynchronous version. Index: policykit-1-0.105/src/polkitagent/polkitagentlistener.c =================================================================== --- policykit-1-0.105.orig/src/polkitagent/polkitagentlistener.c 2018-07-13 07:49:12.921796862 -0400 +++ policykit-1-0.105/src/polkitagent/polkitagentlistener.c 2018-07-13 07:49:12.917796858 -0400 @@ -37,10 +37,7 @@ * * Typically authentication agents use #PolkitAgentSession to * authenticate users (via passwords) and communicate back the - * authentication result to the PolicyKit daemon. This is however not - * requirement. Depending on the system an authentication agent may - * use other means (such as a Yes/No dialog) to obtain sufficient - * evidence that the user is one of the requested identities. + * authentication result to the PolicyKit daemon. * * To register a #PolkitAgentListener with the PolicyKit daemon, use * polkit_agent_listener_register() or Index: policykit-1-0.105/src/polkitbackend/polkitbackendauthority.c =================================================================== --- policykit-1-0.105.orig/src/polkitbackend/polkitbackendauthority.c 2018-07-13 07:49:12.921796862 -0400 +++ policykit-1-0.105/src/polkitbackend/polkitbackendauthority.c 2018-07-13 07:49:12.917796858 -0400 
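Review bot: the same note ("called by the same effective UID which will be the real UID ...") is pasted into four doc comments in `polkitauthority.c` (`@@ -1038`, `@@ -1129`, `@@ -1178`, `@@ -1292`) and its phrasing makes it hard to tell whose effective and real UID are meant; one clearer sentence, for example that the effective uid registering the agent must equal the real uid of the process that later runs the PolkitAgentSession helper, kept in one place and referenced from the other three, would be easier to keep accurate. The `polkitagentlistener.c` hunk removing the paragraph about non-PolkitAgentSession agents is consistent with the uid binding now being required.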
@@ -343,6 +343,7 @@ polkit_backend_authority_unregister_auth * polkit_backend_authority_authentication_agent_response: * @authority: A #PolkitBackendAuthority. * @caller: The system bus name that initiated the query. + * @uid: The real UID of the registered agent, or (uid_t)-1 if unknown. * @cookie: The cookie passed to the authentication agent from the authority. * @identity: The identity that was authenticated. * @error: Return location for error or %NULL. debian/patches/01_pam_polkit.patch0000644000000000000000000000120212227267237014302 0ustar Index: trunk/data/polkit-1.in =================================================================== --- trunk.orig/data/polkit-1.in +++ trunk/data/polkit-1.in @@ -1,6 +1,8 @@ #%PAM-1.0 -auth include @PAM_FILE_INCLUDE_AUTH@ -account include @PAM_FILE_INCLUDE_ACCOUNT@ -password include @PAM_FILE_INCLUDE_PASSWORD@ -session include @PAM_FILE_INCLUDE_SESSION@ +@include common-auth +@include common-account +@include common-password +session required pam_env.so readenv=1 user_readenv=0 +session required pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0 +@include common-session debian/patches/CVE-2015-3255.patch0000644000000000000000000000517013322110521013225 0ustar From 9f5e0c731784003bd4d6fc75ab739ff8b2ea269f Mon Sep 17 00:00:00 2001 
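Review bot: `01_pam_polkit.patch` replaces the `@PAM_FILE_INCLUDE_*@` substitutions in `data/polkit-1.in` with hard-coded `@include common-*` lines, so the configure-time PAM include options no longer affect the installed PAM service file; that is intended for Debian but deserves a sentence in the patch header. Both `pam_env.so` session lines set `user_readenv=0`, which keeps per-user PAM environment files out of the privileged helper's environment; that setting should survive future edits of this file.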
From: =?UTF-8?q?Miloslav=20Trma=C4=8D?= Date: Wed, 1 Apr 2015 05:22:37 +0200 Subject: CVE-2015-3255 Fix GHashTable usage. Don't assume that the hash table with free both the key and the value at the same time, supply proper deallocation functions for the key and value separately. Then drop ParsedAction::action_id which is no longer used for anything. https://bugs.freedesktop.org/show_bug.cgi?id=69501 and https://bugs.freedesktop.org/show_bug.cgi?id=83590 CVE: CVE-2015-3255 --- src/polkitbackend/polkitbackendactionpool.c | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) Index: policykit-1-0.105/src/polkitbackend/polkitbackendactionpool.c =================================================================== --- policykit-1-0.105.orig/src/polkitbackend/polkitbackendactionpool.c 2018-07-13 07:47:27.417693355 -0400 +++ policykit-1-0.105/src/polkitbackend/polkitbackendactionpool.c 2018-07-13 07:47:27.417693355 -0400 @@ -42,7 +42,6 @@ typedef struct { - gchar *action_id; gchar *vendor_name; gchar *vendor_url; gchar *icon_name; @@ -66,7 +65,6 @@ typedef struct static void parsed_action_free (ParsedAction *action) { - g_free (action->action_id); g_free (action->vendor_name); g_free (action->vendor_url); g_free (action->icon_name); @@ -141,7 +139,7 @@ polkit_backend_action_pool_init (PolkitB priv->parsed_actions = g_hash_table_new_full (g_str_hash, g_str_equal, - NULL, + g_free, (GDestroyNotify) parsed_action_free); priv->parsed_files = g_hash_table_new_full (g_str_hash, @@ -1020,7 +1018,6 @@ _end (void *data, const char *el) icon_name = pd->global_icon_name; action = g_new0 (ParsedAction, 1); - action->action_id = g_strdup (pd->action_id); action->vendor_name = g_strdup (vendor); action->vendor_url = g_strdup (vendor_url); action->icon_name = g_strdup (icon_name); 
@@ -1037,7 +1034,8 @@ _end (void *data, const char *el) action->implicit_authorization_inactive = pd->implicit_authorization_inactive; action->implicit_authorization_active = pd->implicit_authorization_active; - g_hash_table_insert (priv->parsed_actions, action->action_id, action); + g_hash_table_insert (priv->parsed_actions, g_strdup (pd->action_id), + action); /* we steal these hash tables */ pd->annotations = NULL; debian/patches/CVE-2018-1116.patch0000644000000000000000000006001213322126462013231 0ustar Backport of: From bc7ffad53643a9c80231fc41f5582d6a8931c32c Mon Sep 17 00:00:00 2001 
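Review bot: for the CVE-2015-3255 hunks, the commit message should state the failure being closed: with a NULL key-destroy function and the key aliasing `action->action_id`, inserting a second ParsedAction under an action id already in the table made g_hash_table_insert() keep the old key pointer while parsed_action_free() released the old value, which owned that string, so the table retained a freed key. With `g_strdup (pd->action_id)` as the key and `g_free` as its destroy function, the duplicate-insert case frees the new key and keeps the old one, which stays valid until the entry is removed; a remark that duplicate action ids across .policy files are exactly this case would make the hunk self-explanatory.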
From: Miloslav Trmač Date: Mon, 25 Jun 2018 19:24:06 +0200 Subject: Fix CVE-2018-1116: Trusting client-supplied UID MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit As part of CVE-2013-4288, the D-Bus clients were allowed (and encouraged) to submit the UID of the subject of authorization checks to avoid races against UID changes (notably using executables set-UID to root). However, that also allowed any client to submit an arbitrary UID, and that could be used to bypass "can only ask about / affect the same UID" checks in CheckAuthorization / RegisterAuthenticationAgent / UnregisterAuthenticationAgent. This allowed an attacker: - With CheckAuthorization, to cause the registered authentication agent in victim's session to pop up a dialog, or to determine whether the victim currently has a temporary authorization to perform an operation. (In principle, the attacker can also determine whether JavaScript rules allow the victim process to perform an operation; however, usually rules base their decisions on information determined from the supplied UID, so the attacker usually won't learn anything new.) - With RegisterAuthenticationAgent, to prevent the victim's authentication agent from working (for a specific victim process), or to learn about which operations requiring authorization the victim is attempting. To fix this, expose internal _polkit_unix_process_get_owner() / obsolete polkit_unix_process_get_owner() as a private polkit_unix_process_get_racy_uid__() (being more explicit about the dangers of relying on it), and use it in polkit_backend_session_monitor_get_user_for_subject() to return a boolean indicating whether the subject UID may be caller-chosen. Then, in the permission checks that require the subject to be equal to the caller, fail on caller-chosen UIDs (and continue through the pre-existing code paths which allow root, or root-designated server processes, to ask about arbitrary subjects.)
Signed-off-by: Miloslav Trmač --- src/polkit/polkitprivate.h | 2 + src/polkit/polkitunixprocess.c | 61 ++++++++++++++++++---- .../polkitbackendinteractiveauthority.c | 39 +++++++++----- .../polkitbackendsessionmonitor-systemd.c | 38 ++++++++++++-- src/polkitbackend/polkitbackendsessionmonitor.c | 40 ++++++++++++-- src/polkitbackend/polkitbackendsessionmonitor.h | 1 + 6 files changed, 148 insertions(+), 33 deletions(-) Index: policykit-1-0.105/src/polkit/polkitprivate.h =================================================================== --- policykit-1-0.105.orig/src/polkit/polkitprivate.h 2018-07-13 09:45:29.751973426 -0400 +++ policykit-1-0.105/src/polkit/polkitprivate.h 2018-07-13 09:45:29.747973411 -0400 @@ -34,6 +34,8 @@ GVariant *polkit_action_description_to_g GVariant *polkit_subject_to_gvariant (PolkitSubject *subject); GVariant *polkit_identity_to_gvariant (PolkitIdentity *identity); +gint polkit_unix_process_get_racy_uid__ (PolkitUnixProcess *process, GError **error); + PolkitSubject *polkit_subject_new_for_gvariant (GVariant *variant, GError **error); PolkitIdentity *polkit_identity_new_for_gvariant (GVariant *variant, GError **error); Index: policykit-1-0.105/src/polkit/polkitunixprocess.c =================================================================== --- policykit-1-0.105.orig/src/polkit/polkitunixprocess.c 2018-07-13 09:45:29.751973426 -0400 +++ policykit-1-0.105/src/polkit/polkitunixprocess.c 2018-07-13 09:45:29.747973411 -0400 
@@ -49,6 +49,14 @@ * To uniquely identify processes, both the process id and the start * time of the process (a monotonic increasing value representing the * time since the kernel was started) is used. + * + * NOTE: This object stores, and provides access to, the real UID of the + * process. That value can change over time (with set*uid*(2) and exec*(2)). + * Checks whether an operation is allowed need to take care to use the UID + * value as of the time when the operation was made (or, following the open() + * privilege check model, when the connection making the operation possible + * was initiated). That is usually done by initializing this with + * polkit_unix_process_new_for_owner() with trusted data. */ /** @@ -83,9 +91,6 @@ static void subject_iface_init (PolkitSu static guint64 get_start_time_for_pid (gint pid, GError **error); -static gint _polkit_unix_process_get_owner (PolkitUnixProcess *process, - GError **error); - #ifdef HAVE_FREEBSD static gboolean get_kinfo_proc (gint pid, struct kinfo_proc *p); #endif @@ -170,7 +175,7 @@ polkit_unix_process_constructed (GObject { GError *error; error = NULL; - process->uid = _polkit_unix_process_get_owner (process, &error); + process->uid = polkit_unix_process_get_racy_uid__ (process, &error); if (error != NULL) { process->uid = -1; @@ -259,6 +264,12 @@ polkit_unix_process_class_init (PolkitUn * Gets the user id for @process. Note that this is the real user-id, * not the effective user-id. * + * NOTE: The UID may change over time, so the returned value may not match the + * current state of the underlying process; or the UID may have been set by + * polkit_unix_process_new_for_owner() or polkit_unix_process_set_uid(), + * in which case it may not correspond to the actual UID of the referenced + * process at all (at any point in time). + * * Returns: The user id for @process or -1 if unknown. */ gint 
@@ -655,18 +666,26 @@ out: return start_time; } -static gint -_polkit_unix_process_get_owner (PolkitUnixProcess *process, - GError **error) +/* + * Private: Return the "current" UID. Note that this is inherently racy, + * and the value may already be obsolete by the time this function returns; + * this function only guarantees that the UID was valid at some point during + * its execution. + */ +gint +polkit_unix_process_get_racy_uid__ (PolkitUnixProcess *process, + GError **error) { gint result; gchar *contents; gchar **lines; + guint64 start_time; #ifdef HAVE_FREEBSD struct kinfo_proc p; #else gchar filename[64]; guint n; + GError *local_error; #endif g_return_val_if_fail (POLKIT_IS_UNIX_PROCESS (process), 0); @@ -689,6 +708,7 @@ _polkit_unix_process_get_owner (PolkitUn } result = p.ki_uid; + start_time = (guint64) p.ki_start.tv_sec; #else /* see 'man proc' for layout of the status file @@ -722,17 +742,37 @@ _polkit_unix_process_get_owner (PolkitUn else { result = real_uid; - goto out; + goto found; } } - g_set_error (error, POLKIT_ERROR, POLKIT_ERROR_FAILED, "Didn't find any line starting with `Uid:' in file %s", filename); + goto out; + +found: + /* The UID and start time are, sadly, not available in a single file. So, + * read the UID first, and then the start time; if the start time is the same + * before and after reading the UID, it couldn't have changed. + */ + local_error = NULL; + start_time = get_start_time_for_pid (process->pid, &local_error); + if (local_error != NULL) + { + g_propagate_error (error, local_error); + goto out; + } #endif + if (process->start_time != start_time) + { + g_set_error (error, POLKIT_ERROR, POLKIT_ERROR_FAILED, + "process with PID %d has been replaced", process->pid); + goto out; + } + out: g_strfreev (lines); g_free (contents); 
@@ -744,5 +784,5 @@ gint polkit_unix_process_get_owner (PolkitUnixProcess *process, GError **error) { - return _polkit_unix_process_get_owner (process, error); + return polkit_unix_process_get_racy_uid__ (process, error); } Index: policykit-1-0.105/src/polkitbackend/polkitbackendinteractiveauthority.c =================================================================== --- policykit-1-0.105.orig/src/polkitbackend/polkitbackendinteractiveauthority.c 2018-07-13 09:45:29.751973426 -0400 +++ policykit-1-0.105/src/polkitbackend/polkitbackendinteractiveauthority.c 2018-07-13 09:45:29.747973411 -0400 @@ -563,7 +563,7 @@ log_result (PolkitBackendInteractiveAuth if (polkit_authorization_result_get_is_authorized (result)) log_result_str = "ALLOWING"; - user_of_subject = polkit_backend_session_monitor_get_user_for_subject (priv->session_monitor, subject, NULL); + user_of_subject = polkit_backend_session_monitor_get_user_for_subject (priv->session_monitor, subject, NULL, NULL); subject_str = polkit_subject_to_string (subject); user_of_subject_str = polkit_identity_to_string (user_of_subject); @@ -833,6 +833,7 @@ polkit_backend_interactive_authority_che gchar *subject_str; PolkitIdentity *user_of_caller; PolkitIdentity *user_of_subject; + gboolean user_of_subject_matches; gchar *user_of_caller_str; gchar *user_of_subject_str; PolkitAuthorizationResult *result; @@ -878,7 +879,7 @@ polkit_backend_interactive_authority_che action_id); user_of_caller = polkit_backend_session_monitor_get_user_for_subject (priv->session_monitor, - caller, + caller, NULL, &error); if (error != NULL) { @@ -893,7 +894,7 @@ polkit_backend_interactive_authority_che g_debug (" user of caller is %s", user_of_caller_str); user_of_subject = polkit_backend_session_monitor_get_user_for_subject (priv->session_monitor, - subject, + subject, &user_of_subject_matches, &error); if (error != NULL) { 
@@ -923,7 +924,10 @@ polkit_backend_interactive_authority_che * We only allow this if, and only if, * * - processes may check for another process owned by the *same* user but not - * if details are passed (otherwise you'd be able to spoof the dialog) + * if details are passed (otherwise you'd be able to spoof the dialog); + * the caller supplies the user_of_subject value, so we additionally + * require it to match at least at one point in time (via + * user_of_subject_matches). * * - processes running as uid 0 may check anything and pass any details * @@ -931,7 +935,9 @@ polkit_backend_interactive_authority_che * then any uid referenced by that annotation is also allowed to check * to check anything and pass any details */ - if (!polkit_identity_equal (user_of_caller, user_of_subject) || has_details) + if (!user_of_subject_matches + || !polkit_identity_equal (user_of_caller, user_of_subject) + || has_details) { if (!may_identity_check_authorization (interactive_authority, action_id, user_of_caller)) { @@ -1095,9 +1101,10 @@ check_authorization_sync (PolkitBackendA goto out; } - /* every subject has a user */ + /* every subject has a user; this is supplied by the client, so we rely + * on the caller to validate its acceptability. */ user_of_subject = polkit_backend_session_monitor_get_user_for_subject (priv->session_monitor, - subject, + subject, NULL, error); if (user_of_subject == NULL) goto out; @@ -2312,6 +2319,7 @@ polkit_backend_interactive_authority_reg PolkitSubject *session_for_caller; PolkitIdentity *user_of_caller; PolkitIdentity *user_of_subject; + gboolean user_of_subject_matches; AuthenticationAgent *agent; gboolean ret; gchar *caller_cmdline; 
@@ -2364,7 +2372,7 @@ polkit_backend_interactive_authority_reg goto out; } - user_of_caller = polkit_backend_session_monitor_get_user_for_subject (priv->session_monitor, caller, NULL); + user_of_caller = polkit_backend_session_monitor_get_user_for_subject (priv->session_monitor, caller, NULL, NULL); if (user_of_caller == NULL) { g_set_error (error, @@ -2373,7 +2381,7 @@ polkit_backend_interactive_authority_reg "Cannot determine user of caller"); goto out; } - user_of_subject = polkit_backend_session_monitor_get_user_for_subject (priv->session_monitor, subject, NULL); + user_of_subject = polkit_backend_session_monitor_get_user_for_subject (priv->session_monitor, subject, &user_of_subject_matches, NULL); if (user_of_subject == NULL) { g_set_error (error, @@ -2382,7 +2390,8 @@ polkit_backend_interactive_authority_reg "Cannot determine user of subject"); goto out; } - if (!polkit_identity_equal (user_of_caller, user_of_subject)) + if (!user_of_subject_matches + || !polkit_identity_equal (user_of_caller, user_of_subject)) { if (POLKIT_IS_UNIX_USER (user_of_caller) && polkit_unix_user_get_uid (POLKIT_UNIX_USER (user_of_caller)) == 0) { @@ -2475,6 +2484,7 @@ polkit_backend_interactive_authority_unr PolkitSubject *session_for_caller; PolkitIdentity *user_of_caller; PolkitIdentity *user_of_subject; + gboolean user_of_subject_matches; AuthenticationAgent *agent; gboolean ret; gchar *scope_str; @@ -2523,7 +2533,7 @@ polkit_backend_interactive_authority_unr goto out; } - user_of_caller = polkit_backend_session_monitor_get_user_for_subject (priv->session_monitor, caller, NULL); + user_of_caller = polkit_backend_session_monitor_get_user_for_subject (priv->session_monitor, caller, NULL, NULL); if (user_of_caller == NULL) { g_set_error (error, 
@@ -2532,7 +2542,7 @@ polkit_backend_interactive_authority_unr "Cannot determine user of caller"); goto out; } - user_of_subject = polkit_backend_session_monitor_get_user_for_subject (priv->session_monitor, subject, NULL); + user_of_subject = polkit_backend_session_monitor_get_user_for_subject (priv->session_monitor, subject, &user_of_subject_matches, NULL); if (user_of_subject == NULL) { g_set_error (error, @@ -2541,7 +2551,8 @@ polkit_backend_interactive_authority_unr "Cannot determine user of subject"); goto out; } - if (!polkit_identity_equal (user_of_caller, user_of_subject)) + if (!user_of_subject_matches + || !polkit_identity_equal (user_of_caller, user_of_subject)) { if (POLKIT_IS_UNIX_USER (user_of_caller) && polkit_unix_user_get_uid (POLKIT_UNIX_USER (user_of_caller)) == 0) { @@ -2651,7 +2662,7 @@ polkit_backend_interactive_authority_aut identity_str); user_of_caller = polkit_backend_session_monitor_get_user_for_subject (priv->session_monitor, - caller, + caller, NULL, error); if (user_of_caller == NULL) goto out; Index: policykit-1-0.105/src/polkitbackend/polkitbackendsessionmonitor-systemd.c =================================================================== --- policykit-1-0.105.orig/src/polkitbackend/polkitbackendsessionmonitor-systemd.c 2018-07-13 09:45:29.751973426 -0400 +++ policykit-1-0.105/src/polkitbackend/polkitbackendsessionmonitor-systemd.c 2018-07-13 09:45:29.751973426 -0400 @@ -29,6 +29,7 @@ #include #include +#include #include "polkitbackendsessionmonitor.h" /* 
@@ -246,26 +247,40 @@ polkit_backend_session_monitor_get_sessi * polkit_backend_session_monitor_get_user: * @monitor: A #PolkitBackendSessionMonitor. * @subject: A #PolkitSubject. + * @result_matches: If not %NULL, set to indicate whether the return value matches current (RACY) state. * @error: Return location for error. * * Gets the user corresponding to @subject or %NULL if no user exists. * + * NOTE: For a #PolkitUnixProcess, the UID is read from @subject (which may + * come from e.g. a D-Bus client), so it may not correspond to the actual UID + * of the referenced process (at any point in time). This is indicated by + * setting @result_matches to %FALSE; the caller may reject such subjects or + * require additional privileges. @result_matches == %TRUE only indicates that + * the UID matched the underlying process at ONE point in time, it may not match + * later. + * * Returns: %NULL if @error is set otherwise a #PolkitUnixUser that should be freed with g_object_unref(). */ PolkitIdentity * polkit_backend_session_monitor_get_user_for_subject (PolkitBackendSessionMonitor *monitor, PolkitSubject *subject, + gboolean *result_matches, GError **error) { PolkitIdentity *ret; - guint32 uid; + gboolean matches; ret = NULL; + matches = FALSE; if (POLKIT_IS_UNIX_PROCESS (subject)) { - uid = polkit_unix_process_get_uid (POLKIT_UNIX_PROCESS (subject)); - if ((gint) uid == -1) + gint subject_uid, current_uid; + GError *local_error; + + subject_uid = polkit_unix_process_get_uid (POLKIT_UNIX_PROCESS (subject)); + if (subject_uid == -1) { g_set_error (error, POLKIT_ERROR, 
@@ -273,11 +288,20 @@ polkit_backend_session_monitor_get_user_ "Unix process subject does not have uid set"); goto out; } - ret = polkit_unix_user_new (uid); + local_error = NULL; + current_uid = polkit_unix_process_get_racy_uid__ (POLKIT_UNIX_PROCESS (subject), &local_error); + if (local_error != NULL) + { + g_propagate_error (error, local_error); + goto out; + } + ret = polkit_unix_user_new (subject_uid); + matches = (subject_uid == current_uid); } else if (POLKIT_IS_SYSTEM_BUS_NAME (subject)) { GVariant *result; + guint32 uid; result = g_dbus_connection_call_sync (monitor->system_bus, "org.freedesktop.DBus", @@ -296,9 +320,11 @@ polkit_backend_session_monitor_get_user_ g_variant_unref (result); ret = polkit_unix_user_new (uid); + matches = TRUE; } else if (POLKIT_IS_UNIX_SESSION (subject)) { + uid_t uid; if (sd_session_get_uid (polkit_unix_session_get_session_id (POLKIT_UNIX_SESSION (subject)), &uid) < 0) { @@ -310,9 +336,14 @@ polkit_backend_session_monitor_get_user_ } ret = polkit_unix_user_new (uid); + matches = TRUE; } out: + if (result_matches != NULL) + { + *result_matches = matches; + } return ret; } Index: policykit-1-0.105/src/polkitbackend/polkitbackendsessionmonitor.c =================================================================== --- policykit-1-0.105.orig/src/polkitbackend/polkitbackendsessionmonitor.c 2018-07-13 09:45:29.751973426 -0400 +++ policykit-1-0.105/src/polkitbackend/polkitbackendsessionmonitor.c 2018-07-13 09:46:22.504184975 -0400 @@ -27,6 +27,7 @@ #include #include +#include #include "polkitbackendsessionmonitor.h" #define CKDB_PATH "/var/run/ConsoleKit/database" 
@@ -273,28 +274,40 @@ polkit_backend_session_monitor_get_sessi * polkit_backend_session_monitor_get_user: * @monitor: A #PolkitBackendSessionMonitor. * @subject: A #PolkitSubject. + * @result_matches: If not %NULL, set to indicate whether the return value matches current (RACY) state. * @error: Return location for error. * * Gets the user corresponding to @subject or %NULL if no user exists. * + * NOTE: For a #PolkitUnixProcess, the UID is read from @subject (which may + * come from e.g. a D-Bus client), so it may not correspond to the actual UID + * of the referenced process (at any point in time). This is indicated by + * setting @result_matches to %FALSE; the caller may reject such subjects or + * require additional privileges. @result_matches == %TRUE only indicates that + * the UID matched the underlying process at ONE point in time, it may not match + * later. + * * Returns: %NULL if @error is set otherwise a #PolkitUnixUser that should be freed with g_object_unref(). */ PolkitIdentity * polkit_backend_session_monitor_get_user_for_subject (PolkitBackendSessionMonitor *monitor, PolkitSubject *subject, + gboolean *result_matches, GError **error) { PolkitIdentity *ret; + gboolean matches; GError *local_error; - gchar *group; - guint32 uid; ret = NULL; + matches = FALSE; if (POLKIT_IS_UNIX_PROCESS (subject)) { - uid = polkit_unix_process_get_uid (POLKIT_UNIX_PROCESS (subject)); - if ((gint) uid == -1) + gint subject_uid, current_uid; + + subject_uid = polkit_unix_process_get_uid (POLKIT_UNIX_PROCESS (subject)); + if (subject_uid == -1) { g_set_error (error, POLKIT_ERROR, 
@@ -302,11 +315,20 @@ polkit_backend_session_monitor_get_user_ "Unix process subject does not have uid set"); goto out; } - ret = polkit_unix_user_new (uid); + local_error = NULL; + current_uid = polkit_unix_process_get_racy_uid__ (POLKIT_UNIX_PROCESS (subject), &local_error); + if (local_error != NULL) + { + g_propagate_error (error, local_error); + goto out; + } + ret = polkit_unix_user_new (subject_uid); + matches = (subject_uid == current_uid); } else if (POLKIT_IS_SYSTEM_BUS_NAME (subject)) { GVariant *result; + guint32 uid; result = g_dbus_connection_call_sync (monitor->system_bus, "org.freedesktop.DBus", @@ -325,9 +347,13 @@ polkit_backend_session_monitor_get_user_ g_variant_unref (result); ret = polkit_unix_user_new (uid); + matches = TRUE; } else if (POLKIT_IS_UNIX_SESSION (subject)) { + gint uid; + gchar *group; + if (!ensure_database (monitor, error)) { g_prefix_error (error, "Error getting user for session: Error ensuring CK database at " CKDB_PATH ": "); @@ -346,9 +372,14 @@ polkit_backend_session_monitor_get_user_ g_free (group); ret = polkit_unix_user_new (uid); + matches = TRUE; } out: + if (result_matches != NULL) + { + *result_matches = matches; + } return ret; } Index: policykit-1-0.105/src/polkitbackend/polkitbackendsessionmonitor.h =================================================================== --- policykit-1-0.105.orig/src/polkitbackend/polkitbackendsessionmonitor.h 2018-07-13 09:45:29.751973426 -0400 +++ policykit-1-0.105/src/polkitbackend/polkitbackendsessionmonitor.h 2018-07-13 09:45:29.751973426 -0400 
@@ -47,6 +47,7 @@ GList *polkit_back PolkitIdentity *polkit_backend_session_monitor_get_user_for_subject (PolkitBackendSessionMonitor *monitor, PolkitSubject *subject, + gboolean *result_matches, GError **error); PolkitSubject *polkit_backend_session_monitor_get_session_for_subject (PolkitBackendSessionMonitor *monitor, debian/patches/05_revert-admin-identities-unix-group-wheel.patch0000644000000000000000000000322512227267237022127 0ustar From 1892aeb9c13841335a4ac383e8a787a3c2728c45 Mon Sep 17 00:00:00 2001 From: Michael Biebl Date: Fri, 9 Dec 2011 00:31:21 +0100 Subject: [PATCH] Revert "Default to AdminIdentities=unix-group:wheel for local authority" This reverts commit 763faf434b445c20ae9529100d3ef5290976d0c9. --- docs/man/pklocalauthority.xml | 4 ++-- src/polkitbackend/50-localauthority.conf | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) Index: policykit/docs/man/pklocalauthority.xml =================================================================== --- policykit.orig/docs/man/pklocalauthority.xml 2012-01-06 10:34:01.830221577 +0100 +++ policykit/docs/man/pklocalauthority.xml 2012-01-06 10:39:24.206237179 +0100 @@ -385,10 +385,10 @@ [Configuration] -AdminIdentities=unix-group:staff +AdminIdentities=unix-group:desktop_admin_r - specifies that any user in the staff UNIX + that any user in the desktop_admin_r UNIX group can be used for authentication when administrator authentication is needed. This file would typically be installed in the /etc/polkit-1/localauthority.conf.d Index: policykit/src/polkitbackend/50-localauthority.conf =================================================================== --- policykit.orig/src/polkitbackend/50-localauthority.conf 2012-01-06 10:33:58.254221404 +0100 +++ policykit/src/polkitbackend/50-localauthority.conf 2012-01-06 10:39:24.210237180 +0100 
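Review bot: in the CVE-2018-1116 polkitunixprocess.c hunk that renames _polkit_unix_process_get_owner() to polkit_unix_process_get_racy_uid__(), the unchanged context line `g_return_val_if_fail (POLKIT_IS_UNIX_PROCESS (process), 0);` still returns 0, the UID of root, on a precondition failure, and the new callers in polkit_backend_session_monitor_get_user_for_subject() compare that value against subject_uid with no error set. Now that the function documents -1 plus a GError as its failure signal, returning -1 there fails closed instead of open and is worth changing while the function is being touched.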
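Review bot: in the CVE-2018-1116 RegisterAuthenticationAgent and UnregisterAuthenticationAgent hunks, the subject lookup is `polkit_backend_session_monitor_get_user_for_subject (priv->session_monitor, subject, &user_of_subject_matches, NULL)`, so a failure of the start-time re-read (the new "process with PID %d has been replaced" error) is discarded and reported only as "Cannot determine user of subject". Propagating the local error, as the check_authorization path already does, lets the log distinguish a vanished or recycled process from a caller-chosen UID.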
@@ -7,4 +7,4 @@ # [Configuration] -AdminIdentities=unix-group:wheel +AdminIdentities=unix-user:0 debian/patches/cve-2013-4288.patch0000644000000000000000000001254712227267237013424 0ustar From 52c927893a2ab135462b616c2e00fec377da9885 Mon Sep 17 00:00:00 2001 From: Colin Walters Date: Mon, 19 Aug 2013 12:16:11 -0400 Subject: [PATCH 2/4] pkcheck: Support --process=pid,start-time,uid syntax too The uid is a new addition; this allows callers such as libvirt to close a race condition in reading the uid of the process talking to them. They can read it via getsockopt(SO_PEERCRED) or equivalent, rather than having pkcheck look at /proc later after the fact. Programs which invoke pkcheck but need to know beforehand (i.e. at compile time) whether or not it supports passing the uid can use: pkcheck_supports_uid=$($PKG_CONFIG --variable pkcheck_supports_uid polkit-gobject-1) test x$pkcheck_supports_uid = xyes --- data/polkit-gobject-1.pc.in | 3 +++ docs/man/pkcheck.xml | 29 ++++++++++++++++++++--------- src/programs/pkcheck.c | 9 +++++++-- 3 files changed, 30 insertions(+), 11 deletions(-) Index: policykit-1-0.105/data/polkit-gobject-1.pc.in =================================================================== --- policykit-1-0.105.orig/data/polkit-gobject-1.pc.in 2013-09-11 09:40:56.604225567 -0400 +++ policykit-1-0.105/data/polkit-gobject-1.pc.in 2013-09-11 09:40:56.596225567 -0400 @@ -11,3 +11,6 @@ Libs: -L${libdir} -lpolkit-gobject-1 Cflags: -I${includedir}/polkit-1 Requires: gio-2.0 >= 2.18 glib-2.0 >= 2.18 +# Programs using pkcheck can use this to determine +# whether or not it can be passed a uid. +pkcheck_supports_uid=true Index: policykit-1-0.105/docs/man/pkcheck.xml =================================================================== --- policykit-1-0.105.orig/docs/man/pkcheck.xml 2013-09-11 09:40:56.604225567 -0400 +++ policykit-1-0.105/docs/man/pkcheck.xml 2013-09-11 09:42:28.272223569 -0400 @@ -55,6 +55,9 @@ pid,pid-start-time + + pid,pid-start-time,uid + 
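Review bot: the pklocalauthority.xml hunk of 05_revert-admin-identities-unix-group-wheel.patch loses the verb: `- specifies that any user in the staff UNIX` becomes `+ that any user in the desktop_admin_r UNIX`, leaving the man page sentence as "... that any user in the desktop_admin_r UNIX group can be used ..."; keep "specifies" on the added line. The 50-localauthority.conf change back to unix-user:0 is consistent with debian/rules, which layers a 51-* file with unix-group:sudo (plus unix-group:admin on Ubuntu) on top of it.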
@@ -90,7 +93,7 @@ DESCRIPTION pkcheck is used to check whether a process, specified by - either or , + either (see below) or , is authorized for action. The option can be used zero or more times to pass details about action. If is passed, pkcheck blocks @@ -160,17 +163,25 @@ NOTES - Since process identifiers can be recycled, the caller should always use - pid,pid-start-time to specify the process - to check for authorization when using the option. - The value of pid-start-time - can be determined by consulting e.g. the + Do not use either the bare pid or + pid,start-time syntax forms for + . There are race conditions in both. + New code should always use + pid,pid-start-time,uid. The value of + start-time can be determined by + consulting e.g. the proc5 - file system depending on the operating system. If only pid - is passed to the option, then pkcheck - will look up the start time itself but note that this may be racy. + file system depending on the operating system. If fewer than 3 + arguments are passed, pkcheck will attempt to + look up them up internally, but note that this may be racy. + + + If your program is a daemon with e.g. a custom Unix domain + socket, you should determine the uid + parameter via operating system mechanisms such as + PEERCRED. Index: policykit-1-0.105/src/programs/pkcheck.c =================================================================== --- policykit-1-0.105.orig/src/programs/pkcheck.c 2013-09-11 09:40:56.604225567 -0400 +++ policykit-1-0.105/src/programs/pkcheck.c 2013-09-11 09:40:56.600225567 -0400 @@ -372,6 +372,7 @@ else if (g_strcmp0 (argv[n], "--process") == 0 || g_strcmp0 (argv[n], "-p") == 0) { gint pid; + guint uid; guint64 pid_start_time; n++; 
@@ -381,7 +382,11 @@ goto out; } - if (sscanf (argv[n], "%i,%" G_GUINT64_FORMAT, &pid, &pid_start_time) == 2) + if (sscanf (argv[n], "%i,%" G_GUINT64_FORMAT ",%u", &pid, &pid_start_time, &uid) == 3) + { + subject = polkit_unix_process_new_for_owner (pid, pid_start_time, uid); + } + else if (sscanf (argv[n], "%i,%" G_GUINT64_FORMAT, &pid, &pid_start_time) == 2) { subject = polkit_unix_process_new_full (pid, pid_start_time); } debian/patches/CVE-2018-19788-3.patch0000644000000000000000000000364313417357015013515 0ustar From bd4b563afe3f13e865805d731a3e6af09bd3649a Mon Sep 17 00:00:00 2001 From: Matthew Leeds Date: Tue, 11 Dec 2018 12:04:26 -0800 Subject: [PATCH] Allow uid of -1 for a PolkitUnixProcess Commit 2cb40c4d5 changed PolkitUnixUser, PolkitUnixGroup, and PolkitUnixProcess to allow negative values for their uid/gid properties, since these are values above INT_MAX which wrap around but are still valid, with the exception of -1 which is not valid. However, PolkitUnixProcess allows a uid of -1 to be passed to polkit_unix_process_new_for_owner() which means polkit is expected to figure out the uid on its own (this happens in the _constructed function). So this commit removes the check in polkit_unix_process_set_property() so that new_for_owner() can be used as documented without producing a critical error message. This does not affect the protection against CVE-2018-19788 which is based on creating a user with a UID up to but not including 4294967295 (-1). --- src/polkit/polkitunixprocess.c | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) Index: policykit-1-0.105/src/polkit/polkitunixprocess.c =================================================================== --- policykit-1-0.105.orig/src/polkit/polkitunixprocess.c 2019-01-15 08:20:11.413040155 -0500 +++ policykit-1-0.105/src/polkit/polkitunixprocess.c 2019-01-15 08:20:11.413040155 -0500 
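Review bot: in the cve-2013-4288 polkit-gobject-1.pc.in hunk the variable is set to `pkcheck_supports_uid=true`, while the commit message tells callers to test `test x$pkcheck_supports_uid = xyes`; as written the documented check never succeeds, so either the .pc value should be `yes` or the documented test should compare against `true`.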
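Review bot: in the cve-2013-4288 pkcheck.c hunk, when the third field of `--process` does not parse (for example `123,456,` or `123,456,abc`), the three-field `sscanf` returns 2 and control falls through to the unchanged `else if` two-field branch, silently downgrading to the racy lookup the pkcheck.xml hunk in the same patch tells callers not to use. Checking that the whole argument was consumed (a trailing `%n` or an explicit end-of-string test) and rejecting the argument otherwise keeps a typo from weakening the check.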
@@ -147,14 +147,9 @@ polkit_unix_process_set_property (GObjec polkit_unix_process_set_pid (unix_process, g_value_get_int (value)); break; - case PROP_UID: { - gint val; - - val = g_value_get_int (value); - g_return_if_fail (val != -1); - polkit_unix_process_set_uid (unix_process, val); + case PROP_UID: + polkit_unix_process_set_uid (unix_process, g_value_get_int (value)); break; - } case PROP_START_TIME: polkit_unix_process_set_start_time (unix_process, g_value_get_uint64 (value)); debian/patches/06_systemd-service.patch0000644000000000000000000000070712227267237015307 0ustar Index: policykit-1/data/org.freedesktop.PolicyKit1.service.in =================================================================== --- policykit-1.orig/data/org.freedesktop.PolicyKit1.service.in 2012-02-01 01:54:58.291191682 +0100 +++ policykit-1/data/org.freedesktop.PolicyKit1.service.in 2012-02-11 23:45:15.946856853 +0100 
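Review bot: in the CVE-2018-19788-3 hunk, dropping `g_return_if_fail (val != -1);` from the PROP_UID case matches the documented contract of polkit_unix_process_new_for_owner(), but a one-line comment on the remaining `case PROP_UID:` saying that -1 is resolved later in polkit_unix_process_constructed() through polkit_unix_process_get_racy_uid__() would stop the next reader from re-adding the guard, and would make clear that a subject created with -1 ends up with a UID that the CVE-2018-1116 code treats as caller-unverified.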
@@ -2,3 +2,4 @@ Name=org.freedesktop.PolicyKit1 Exec=@libexecdir@/polkitd --no-debug User=root +SystemdService=polkitd.service debian/libpolkit-gobject-1-dev.install0000644000000000000000000000024412227267237015106 0ustar usr/lib/*/libpolkit-gobject*.so usr/lib/*/libpolkit-gobject*.a usr/lib/*/pkgconfig/polkit-gobject*.pc usr/include/polkit-1/polkit/ usr/share/gir-1.0/Polkit-1.0.gir debian/policykit-1.install0000644000000000000000000000035212227267237012735 0ustar etc/pam.d/ etc/dbus-1/ etc/polkit-1/ usr/bin/ usr/lib/*/polkit-1/extensions/*.so usr/lib/policykit-1/ usr/share/man/ usr/share/polkit-1/ usr/share/dbus-1/ usr/share/locale/ var/lib/polkit-1/ debian/polkitd.service lib/systemd/system/ debian/policykit-1.postinst0000644000000000000000000000374112234310757013151 0ustar #!/bin/sh # postinst script for policykit-1 # # see: dh_installdeb(1) set -e # summary of how this script can be called: # * `configure' # * `abort-upgrade' # * `abort-remove' `in-favour' # # * `abort-remove' # * `abort-deconfigure' `in-favour' # `removing' # # for details, see http://www.debian.org/doc/debian-policy/ or # the debian-policy package set_perms() { USER=$1 GROUP=$2 MODE=$3 FILE=$4 if ! 
dpkg-statoverride --list $FILE > /dev/null 2>&1; then chown $USER:$GROUP $FILE chmod $MODE $FILE fi } get_pid() { [ -n "$1" ] || return [ -S /var/run/dbus/system_bus_socket ] || return dbus-send --system --dest=org.freedesktop.DBus --print-reply \ /org/freedesktop/DBus org.freedesktop.DBus.GetConnectionUnixProcessID \ string:$1 2>/dev/null | awk '/uint32/ {print $2}' } case "$1" in configure) set_perms root root 700 /var/lib/polkit-1 set_perms root root 700 /etc/polkit-1/localauthority set_perms root root 4755 /usr/lib/policykit-1/polkit-agent-helper-1 set_perms root root 4755 /usr/bin/pkexec # Kill the old polkitd daemon on upgrade, to ensure that the new # version will be used at the next occasion; but don't do this across # the ConsoleKit -> logind transition, as we need to keep the old CK # polkit running until reboot if dpkg --compare-versions "$2" ge "0.105-1ubuntu2"; then kill $(get_pid org.freedesktop.PolicyKit1) 2>/dev/null || true fi ;; abort-upgrade|abort-remove|abort-deconfigure) ;; *) echo "postinst called with unknown argument \`$1'" >&2 exit 1 ;; esac # dh_installdeb will replace this with shell code automatically # generated by other debhelper scripts. 
#DEBHELPER# exit 0 debian/libpolkit-gobject-1-0.symbols0000644000000000000000000001550313322124511014475 0ustar libpolkit-gobject-1.so.0 libpolkit-gobject-1-0 #MINVER# polkit_action_description_get_action_id@Base 0.94 polkit_action_description_get_annotation@Base 0.94 polkit_action_description_get_annotation_keys@Base 0.94 polkit_action_description_get_description@Base 0.94 polkit_action_description_get_icon_name@Base 0.94 polkit_action_description_get_implicit_active@Base 0.94 polkit_action_description_get_implicit_any@Base 0.94 polkit_action_description_get_implicit_inactive@Base 0.94 polkit_action_description_get_message@Base 0.94 polkit_action_description_get_type@Base 0.94 polkit_action_description_get_vendor_name@Base 0.94 polkit_action_description_get_vendor_url@Base 0.94 polkit_action_description_new@Base 0.99 polkit_action_description_new_for_gvariant@Base 0.99 polkit_action_description_to_gvariant@Base 0.99 polkit_authority_authentication_agent_response@Base 0.94 polkit_authority_authentication_agent_response_finish@Base 0.94 polkit_authority_authentication_agent_response_sync@Base 0.94 polkit_authority_check_authorization@Base 0.94 polkit_authority_check_authorization_finish@Base 0.94 polkit_authority_check_authorization_sync@Base 0.94 polkit_authority_enumerate_actions@Base 0.94 polkit_authority_enumerate_actions_finish@Base 0.94 polkit_authority_enumerate_actions_sync@Base 0.94 polkit_authority_enumerate_temporary_authorizations@Base 0.94 polkit_authority_enumerate_temporary_authorizations_finish@Base 0.94 polkit_authority_enumerate_temporary_authorizations_sync@Base 0.94 polkit_authority_features_get_type@Base 0.95 polkit_authority_get@Base 0.94 polkit_authority_get_async@Base 0.99 polkit_authority_get_backend_features@Base 0.95 polkit_authority_get_backend_name@Base 0.95 polkit_authority_get_backend_version@Base 0.95 polkit_authority_get_finish@Base 0.99 polkit_authority_get_owner@Base 0.99 polkit_authority_get_sync@Base 0.99 
 polkit_authority_get_type@Base 0.94
 polkit_authority_register_authentication_agent@Base 0.94
 polkit_authority_register_authentication_agent_finish@Base 0.94
 polkit_authority_register_authentication_agent_sync@Base 0.94
 polkit_authority_register_authentication_agent_with_options@Base 0.105
 polkit_authority_register_authentication_agent_with_options_finish@Base 0.105
 polkit_authority_register_authentication_agent_with_options_sync@Base 0.105
 polkit_authority_revoke_temporary_authorization_by_id@Base 0.94
 polkit_authority_revoke_temporary_authorization_by_id_finish@Base 0.94
 polkit_authority_revoke_temporary_authorization_by_id_sync@Base 0.94
 polkit_authority_revoke_temporary_authorizations@Base 0.94
 polkit_authority_revoke_temporary_authorizations_finish@Base 0.94
 polkit_authority_revoke_temporary_authorizations_sync@Base 0.94
 polkit_authority_unregister_authentication_agent@Base 0.94
 polkit_authority_unregister_authentication_agent_finish@Base 0.94
 polkit_authority_unregister_authentication_agent_sync@Base 0.94
 polkit_authorization_result_get_details@Base 0.94
 polkit_authorization_result_get_dismissed@Base 0.101
 polkit_authorization_result_get_is_authorized@Base 0.94
 polkit_authorization_result_get_is_challenge@Base 0.94
 polkit_authorization_result_get_retains_authorization@Base 0.94
 polkit_authorization_result_get_temporary_authorization_id@Base 0.94
 polkit_authorization_result_get_type@Base 0.94
 polkit_authorization_result_new@Base 0.94
 polkit_authorization_result_new_for_gvariant@Base 0.99
 polkit_authorization_result_to_gvariant@Base 0.99
 polkit_check_authorization_flags_get_type@Base 0.94
 polkit_details_get_keys@Base 0.94
 polkit_details_get_type@Base 0.94
 polkit_details_insert@Base 0.94
 polkit_details_lookup@Base 0.94
 polkit_details_new@Base 0.94
 polkit_details_new_for_gvariant@Base 0.99
 polkit_details_to_gvariant@Base 0.99
 polkit_error_get_type@Base 0.94
 polkit_error_quark@Base 0.94
 polkit_identity_equal@Base 0.94
 polkit_identity_from_string@Base 0.94
 polkit_identity_get_type@Base 0.94
 polkit_identity_hash@Base 0.94
 polkit_identity_new_for_gvariant@Base 0.99
 polkit_identity_to_gvariant@Base 0.99
 polkit_identity_to_string@Base 0.94
 polkit_implicit_authorization_from_string@Base 0.94
 polkit_implicit_authorization_get_type@Base 0.94
 polkit_implicit_authorization_to_string@Base 0.94
 polkit_permission_get_action_id@Base 0.99
 polkit_permission_get_subject@Base 0.99
 polkit_permission_get_type@Base 0.99
 polkit_permission_new@Base 0.99
 polkit_permission_new_finish@Base 0.99
 polkit_permission_new_sync@Base 0.99
 polkit_subject_equal@Base 0.94
 polkit_subject_exists@Base 0.94
 polkit_subject_exists_finish@Base 0.94
 polkit_subject_exists_sync@Base 0.94
 polkit_subject_from_string@Base 0.94
 polkit_subject_get_type@Base 0.94
 polkit_subject_hash@Base 0.94
 polkit_subject_new_for_gvariant@Base 0.99
 polkit_subject_to_gvariant@Base 0.99
 polkit_subject_to_string@Base 0.94
 polkit_system_bus_name_get_name@Base 0.94
 polkit_system_bus_name_get_process_sync@Base 0.95
 polkit_system_bus_name_get_type@Base 0.94
 polkit_system_bus_name_new@Base 0.94
 polkit_system_bus_name_set_name@Base 0.94
 polkit_temporary_authorization_get_action_id@Base 0.94
 polkit_temporary_authorization_get_id@Base 0.94
 polkit_temporary_authorization_get_subject@Base 0.94
 polkit_temporary_authorization_get_time_expires@Base 0.94
 polkit_temporary_authorization_get_time_obtained@Base 0.94
 polkit_temporary_authorization_get_type@Base 0.94
 polkit_temporary_authorization_new@Base 0.94
 polkit_temporary_authorization_new_for_gvariant@Base 0.99
 polkit_temporary_authorization_to_gvariant@Base 0.99
 polkit_unix_group_get_gid@Base 0.94
 polkit_unix_group_get_type@Base 0.94
 polkit_unix_group_new@Base 0.94
 polkit_unix_group_new_for_name@Base 0.94
 polkit_unix_group_set_gid@Base 0.94
 polkit_unix_netgroup_get_name@Base 0.104
 polkit_unix_netgroup_get_type@Base 0.104
 polkit_unix_netgroup_new@Base 0.104
 polkit_unix_netgroup_set_name@Base 0.104
 polkit_unix_process_get_owner@Base 0.94
 polkit_unix_process_get_pid@Base 0.94
 polkit_unix_process_get_racy_uid__@Base 0.105-4ubuntu3.14.04.2
 polkit_unix_process_get_start_time@Base 0.94
 polkit_unix_process_get_type@Base 0.94
 polkit_unix_process_get_uid@Base 0.101
 polkit_unix_process_new@Base 0.94
 polkit_unix_process_new_for_owner@Base 0.101
 polkit_unix_process_new_full@Base 0.94
 polkit_unix_process_set_pid@Base 0.94
 polkit_unix_process_set_start_time@Base 0.101
 polkit_unix_process_set_uid@Base 0.101
 polkit_unix_session_get_session_id@Base 0.94
 polkit_unix_session_get_type@Base 0.94
 polkit_unix_session_new@Base 0.94
 polkit_unix_session_new_for_process@Base 0.94
 polkit_unix_session_new_for_process_finish@Base 0.94
 polkit_unix_session_new_for_process_sync@Base 0.94
 polkit_unix_session_set_session_id@Base 0.94
 polkit_unix_user_get_name@Base 0.104
 polkit_unix_user_get_type@Base 0.94
 polkit_unix_user_get_uid@Base 0.94
 polkit_unix_user_new@Base 0.94
 polkit_unix_user_new_for_name@Base 0.94
 polkit_unix_user_set_uid@Base 0.94

==> debian/policykit-1-doc.links <==
usr/share/doc/policykit-1-doc/html/ usr/share/gtk-doc/html/polkit-1

==> debian/libpolkit-agent-1-0.symbols <==
libpolkit-agent-1.so.0 libpolkit-agent-1-0 #MINVER#
 polkit_agent_listener_get_type@Base 0.94
 polkit_agent_listener_initiate_authentication@Base 0.94
 polkit_agent_listener_initiate_authentication_finish@Base 0.94
 polkit_agent_listener_register@Base 0.99
 polkit_agent_listener_register_with_options@Base 0.105
 polkit_agent_listener_unregister@Base 0.99
 polkit_agent_register_flags_get_type@Base 0.99
 polkit_agent_register_listener@Base 0.94
 polkit_agent_session_cancel@Base 0.94
 polkit_agent_session_get_type@Base 0.94
 polkit_agent_session_initiate@Base 0.94
 polkit_agent_session_new@Base 0.94
 polkit_agent_session_response@Base 0.94
 polkit_agent_text_listener_get_type@Base 0.99
 polkit_agent_text_listener_new@Base 0.99
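The PolkitUnixProcess symbols listed above (pid, start_time, uid, plus the private `polkit_unix_process_get_racy_uid__` added by the CVE-2018-1116 update) are the pieces polkit uses to name a process without a PID-reuse race, and the changelog's CVE-2013-4288 entries describe the matching `pid,start-time,uid` syntax added to pkcheck's `--process` option. The POSIX sh snippet below is an added example, not part of the policykit-1 packaging or of polkit itself: it builds that triple from /proc, and shows why the /proc/<pid>/stat line has to be split after the last `)` rather than counted word by word (the comm field may contain spaces and parentheses, which a naive field count gets wrong). The helper names and the sample stat/status contents are constructed for the example; the action id in the usage comment is pkexec's own and would be replaced by the action being checked.

```shell
#!/bin/sh
# Added example (not part of the policykit-1 packaging): build the non-racy
# pkcheck subject "pid,start-time,uid" for a process from /proc.
#
# pkcheck --process accepts "pid", "pid,start-time" or "pid,start-time,uid".
# A bare pid can be reused by another process between the check and the
# privileged action; the start time pins the pid to one process incarnation
# and the uid pins it to one owner. Helper names and sample data are ours.

# starttime_from_stat STATLINE
# Prints field 22 (starttime, clock ticks since boot) of a /proc/<pid>/stat
# line. Field 2 (comm) is parenthesised and may itself contain spaces or
# ')', so the line is split after the LAST ')' instead of counting
# whitespace-separated words from the start.
starttime_from_stat() {
    rest=${1##*\)}          # text after the last ')': fields 3 onward
    # shellcheck disable=SC2086
    set -- $rest            # $1 = field 3 (state), so field 22 is ${20}
    printf '%s\n' "${20}"
}

# naive_starttime STATLINE
# The tempting one-liner: split the whole line on whitespace and take word
# 22. Correct only when comm contains no spaces; kept to show how a process
# name chosen by the caller shifts the field.
naive_starttime() {
    # shellcheck disable=SC2086
    set -- $1
    printf '%s\n' "${22}"
}

# uid_from_status STATUS
# Prints the real uid: first number on the "Uid:" line of /proc/<pid>/status.
uid_from_status() {
    printf '%s\n' "$1" | awk '$1 == "Uid:" { print $2; exit }'
}

# pkcheck_subject PID
# Reads the live /proc entries and prints "pid,start-time,uid", suitable for
#   pkcheck --action-id org.freedesktop.policykit.exec --process "$subject"
# (org.freedesktop.policykit.exec is pkexec's action id; use your own.)
pkcheck_subject() {
    pid=$1
    stat=$(cat "/proc/$pid/stat") || return 1
    status=$(cat "/proc/$pid/status") || return 1
    printf '%s,%s,%s\n' "$pid" "$(starttime_from_stat "$stat")" \
                              "$(uid_from_status "$status")"
}

# Constructed sample data (pid 4242, comm deliberately "my (odd) prog",
# starttime 98765, real uid 1000). Field layout follows proc(5); real
# status files use tabs, awk's default splitting accepts either.
SAMPLE_STAT='4242 (my (odd) prog) S 1 4242 4242 0 -1 4194560 123 0 0 0 5 3 0 0 20 0 1 0 98765 4325376 512 18446744073709551615 1 1 0 0 0 0 0 0 0 0 0 0 17 2 0 0 0 0 0'
SAMPLE_STATUS='Name:   my (odd) prog
State:  S (sleeping)
Pid:    4242
Uid:    1000    1000    1000    1000
Gid:    1000    1000    1000    1000'

# demo_subject: the triple pkcheck_subject would print for the sample.
demo_subject() {
    printf '%s,%s,%s\n' 4242 "$(starttime_from_stat "$SAMPLE_STAT")" \
                             "$(uid_from_status "$SAMPLE_STATUS")"
}

if [ -n "${1:-}" ] && [ -r "/proc/$1/stat" ]; then
    pkcheck_subject "$1"
else
    echo "correct: $(demo_subject)"
    echo "naive:   4242,$(naive_starttime "$SAMPLE_STAT"),1000 (wrong field)"
fi
```

Run with a pid argument on a Linux host to get the live triple; without one it prints the sample triple beside the value the naive word count yields (the thread count, not the start time). Which caller uid/start time polkitd itself compares is the daemon's business; the point of passing all three is that the subject the caller checked and the subject that later acts cannot silently diverge.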
==> debian/compat <==
9

==> debian/copyright <==
Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: polkit
Source: http://www.freedesktop.org/software/polkit/releases/

Files: *
Copyright: 2008-2011 Red Hat, Inc.
License: LGPL-2.0+

Files: test/*
Copyright: 2011 Google Inc.
License: LGPL-2.0+

Files: test/mocklibc/src/*
Copyright: 2011 Google Inc.
License: Apache-2.0

License: LGPL-2.0+
 This package is free software; you can redistribute it and/or modify it
 under the terms of the GNU Lesser General Public License as published by
 the Free Software Foundation; either version 2 of the License, or (at your
 option) any later version.
 .
 This package is distributed in the hope that it will be useful, but WITHOUT
 ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
 for more details.
 .
 You should have received a copy of the GNU General Public License along
 with this program. If not, see .
 .
 On Debian systems, the complete text of the GNU Lesser General Public
 License can be found in "/usr/share/common-licenses/LGPL-2".

License: Apache-2.0
 Licensed under the Apache License, Version 2.0 (the "License"); you may not
 use this file except in compliance with the License. You may obtain a copy
 of the License at
 .
 http://www.apache.org/licenses/LICENSE-2.0
 .
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
 WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
 License for the specific language governing permissions and limitations
 under the License.
 .
 On Debian systems, the complete text of the Apache version 2.0 license
 can be found in "/usr/share/common-licenses/Apache-2.0"

==> debian/polkitd.service <==
[Unit]
Description=Authenticate and Authorize Users to Run Privileged Tasks

[Service]
Type=dbus
BusName=org.freedesktop.PolicyKit1
ExecStart=/usr/lib/policykit-1/polkitd --no-debug

==> debian/source/format <==
3.0 (quilt)

==> debian/gir1.2-polkit-1.0.install <==
usr/lib/girepository-1.0/

==> debian/libpolkit-backend-1-0.symbols <==
libpolkit-backend-1.so.0 libpolkit-backend-1-0 #MINVER#
 polkit_backend_action_lookup_get_details@Base 0.94
 polkit_backend_action_lookup_get_icon_name@Base 0.94
 polkit_backend_action_lookup_get_message@Base 0.94
 polkit_backend_action_lookup_get_type@Base 0.94
 polkit_backend_action_pool_get_action@Base 0.94
 polkit_backend_action_pool_get_all_actions@Base 0.94
 polkit_backend_action_pool_get_type@Base 0.94
 polkit_backend_action_pool_new@Base 0.94
 polkit_backend_authority_authentication_agent_response@Base 0.94
 polkit_backend_authority_check_authorization@Base 0.94
 polkit_backend_authority_check_authorization_finish@Base 0.94
 polkit_backend_authority_enumerate_actions@Base 0.94
 polkit_backend_authority_enumerate_temporary_authorizations@Base 0.94
 polkit_backend_authority_get@Base 0.94
 polkit_backend_authority_get_features@Base 0.95
 polkit_backend_authority_get_name@Base 0.95
 polkit_backend_authority_get_type@Base 0.94
 polkit_backend_authority_get_version@Base 0.95
 polkit_backend_authority_log@Base 0.96
 polkit_backend_authority_register@Base 0.99
 polkit_backend_authority_register_authentication_agent@Base 0.94
 polkit_backend_authority_revoke_temporary_authorization_by_id@Base 0.94
 polkit_backend_authority_revoke_temporary_authorizations@Base 0.94
 polkit_backend_authority_unregister@Base 0.99
 polkit_backend_authority_unregister_authentication_agent@Base 0.94
 polkit_backend_config_source_get_boolean@Base 0.94
 polkit_backend_config_source_get_double@Base 0.94
 polkit_backend_config_source_get_integer@Base 0.94
 polkit_backend_config_source_get_string@Base 0.94
 polkit_backend_config_source_get_string_list@Base 0.94
 polkit_backend_config_source_get_type@Base 0.94
 polkit_backend_config_source_new@Base 0.94
 polkit_backend_interactive_authority_check_authorization_sync@Base 0.94
 polkit_backend_interactive_authority_get_admin_identities@Base 0.94
 polkit_backend_interactive_authority_get_type@Base 0.94
 polkit_backend_local_authority_get_type@Base 0.94
 polkit_backend_local_authorization_store_get_type@Base 0.94
 polkit_backend_local_authorization_store_lookup@Base 0.94
 polkit_backend_local_authorization_store_new@Base 0.94
 polkit_backend_session_monitor_get_session_for_subject@Base 0.94
 polkit_backend_session_monitor_get_sessions@Base 0.94
 polkit_backend_session_monitor_get_type@Base 0.94
 polkit_backend_session_monitor_get_user_for_subject@Base 0.94
 polkit_backend_session_monitor_is_session_active@Base 0.94
 polkit_backend_session_monitor_is_session_local@Base 0.94
 polkit_backend_session_monitor_new@Base 0.94

==> debian/policykit-1.docs <==
NEWS
README

==> debian/libpolkit-backend-1-0.install <==
usr/lib/*/libpolkit-backend-1.so.*

==> debian/libpolkit-agent-1-dev.install <==
usr/lib/*/libpolkit-agent*.so
usr/lib/*/libpolkit-agent*.a
usr/lib/*/pkgconfig/polkit-agent*.pc
usr/include/polkit-1/polkitagent/
usr/share/gir-1.0/PolkitAgent-1.0.gir

==> debian/libpolkit-gobject-1-0.install <==
usr/lib/*/libpolkit-gobject-1.so.*
==> debian/policykit-1-doc.install <==
usr/share/gtk-doc/html/polkit-1/* /usr/share/doc/policykit-1-doc/html/

==> debian/libpolkit-backend-1-dev.install <==
usr/lib/*/libpolkit-backend*.so
usr/lib/*/libpolkit-backend*.a
usr/lib/*/pkgconfig/polkit-backend*.pc
usr/include/polkit-1/polkitbackend/

==> debian/changelog <==
policykit-1 (0.105-4ubuntu3.14.04.6) trusty-security; urgency=medium

  * SECURITY UPDATE: start time protection mechanism bypass
    - debian/patches/CVE-2019-6133.patch: Compare PolkitUnixProcess uids for
      temporary authorizations in src/polkit/polkitsubject.c,
      src/polkit/polkitunixprocess.c,
      src/polkitbackend/polkitbackendinteractiveauthority.c.
    - CVE-2019-6133

 -- Marc Deslauriers  Wed, 27 Mar 2019 09:57:59 -0400

policykit-1 (0.105-4ubuntu3.14.04.5) trusty-security; urgency=medium

  * SECURITY UPDATE: authorization bypass with large uid
    - debian/patches/CVE-2018-19788-1.patch: allow negative uids/gids in
      PolkitUnixUser and Group objects in src/polkit/polkitunixgroup.c,
      src/polkit/polkitunixprocess.c, src/polkit/polkitunixuser.c.
    - debian/patches/CVE-2018-19788-2.patch: add tests to
      test/data/etc/group, test/data/etc/passwd,
      test/data/etc/polkit-1/localauthority/10-test/com.example.pkla,
      test/polkitbackend/polkitbackendlocalauthoritytest.c.
    - debian/patches/CVE-2018-19788-3.patch: allow uid of -1 for a
      PolkitUnixProcess in src/polkit/polkitunixprocess.c.
    - CVE-2018-19788

 -- Marc Deslauriers  Tue, 15 Jan 2019 08:20:15 -0500

policykit-1 (0.105-4ubuntu3.14.04.2) trusty-security; urgency=medium

  * SECURITY UPDATE: DoS via invalid object path
    - debian/patches/CVE-2015-3218.patch: handle invalid object paths in
      src/polkitbackend/polkitbackendinteractiveauthority.c.
    - CVE-2015-3218
  * SECURITY UPDATE: privilege escalation via duplicate action IDs
    - debian/patches/CVE-2015-3255.patch: fix GHashTable usage in
      src/polkitbackend/polkitbackendactionpool.c.
    - CVE-2015-3255
  * SECURITY UPDATE: privilege escalation via duplicate cookie values
    - debian/patches/CVE-2015-4625-1.patch: use unpredictable cookie values
      in configure.ac, src/polkitagent/polkitagenthelper-pam.c,
      src/polkitagent/polkitagenthelper-shadow.c,
      src/polkitagent/polkitagenthelperprivate.c,
      src/polkitagent/polkitagenthelperprivate.h,
      src/polkitagent/polkitagentsession.c,
      src/polkitbackend/polkitbackendinteractiveauthority.c.
    - debian/patches/CVE-2015-4625-2.patch: bind use of cookies to specific
      uids in data/org.freedesktop.PolicyKit1.AuthenticationAgent.xml,
      data/org.freedesktop.PolicyKit1.Authority.xml,
      docs/polkit/docbook-interface-org.freedesktop.PolicyKit1.Authority.xml,
      docs/polkit/overview.xml, src/polkit/polkitauthority.c,
      src/polkitbackend/polkitbackendauthority.c,
      src/polkitbackend/polkitbackendauthority.h,
      src/polkitbackend/polkitbackendinteractiveauthority.c.
    - debian/patches/CVE-2015-4625-3.patch: update docs in
      data/org.freedesktop.PolicyKit1.AuthenticationAgent.xml,
      data/org.freedesktop.PolicyKit1.Authority.xml,
      docs/polkit/docbook-interface-org.freedesktop.PolicyKit1.AuthenticationAgent.xml,
      docs/polkit/docbook-interface-org.freedesktop.PolicyKit1.Authority.xml,
      docs/polkit/overview.xml, src/polkit/polkitauthority.c,
      src/polkitagent/polkitagentlistener.c,
      src/polkitbackend/polkitbackendauthority.c.
    - CVE-2015-4625
  * SECURITY UPDATE: DoS and information disclosure
    - debian/patches/CVE-2018-1116.patch: properly check UID in
      src/polkit/polkitprivate.h, src/polkit/polkitunixprocess.c,
      src/polkitbackend/polkitbackendinteractiveauthority.c,
      src/polkitbackend/polkitbackendsessionmonitor-systemd.c,
      src/polkitbackend/polkitbackendsessionmonitor.c,
      src/polkitbackend/polkitbackendsessionmonitor.h.
    - debian/libpolkit-gobject-1-0.symbols: updated for new private symbol.
    - CVE-2018-1116

 -- Marc Deslauriers  Fri, 13 Jul 2018 07:53:14 -0400

policykit-1 (0.105-4ubuntu3.14.04.1) trusty; urgency=medium

  * Fix handling of multi-line helper output. (LP: #1510824)

 -- Dariusz Gadomski  Fri, 20 Nov 2015 15:36:30 +0100

policykit-1 (0.105-4ubuntu2.14.04.1) trusty; urgency=medium

  * debian/patches/fix_memleak.patch: authority: Fix memory leak in
    EnumerateActions call results handler (lp: #1417637)

 -- Luis Lucas  Tue, 03 Feb 2015 17:15:02 +0000

policykit-1 (0.105-4ubuntu2) trusty; urgency=medium

  * debian/patches/git_type_registration.patch: "Use GOnce for interface
    type registration. Static local variable may not be enough since it
    doesn't provide locking." That should fix some frequent udisks segfaults
    issues (lp: #1236510)

 -- Sebastien Bacher  Tue, 11 Feb 2014 19:26:03 +0100

policykit-1 (0.105-4ubuntu1) trusty; urgency=low

  * Merge with Debian unstable. Remaining Ubuntu changes:
    - Switch to using logind for session tracking. Depend on libpam-systemd
      instead of consolekit, and add libsystemd-login-dev build dependency.
    - debian/policykit-1.postinst: Don't restart polkitd if we are upgrading
      from a version that uses ConsoleKit. We need to keep the old daemon
      running until the next reboot, as all the current user sessions still
      have a CK session and no logind cgroup yet.
    - Build using autoreconf to update config.{guess,sub} files.
    - Configure with --disable-silent-rules.

 -- Marc Deslauriers  Wed, 30 Oct 2013 16:10:44 -0700

policykit-1 (0.105-4) unstable; urgency=low

  * Acknowledge non-maintainer upload for CVE-2013-4288.
  * Also cherry-pick the upstream commit which deprecates the racy APIs.
  * debian/patches/09_pam_environment.patch: set process environment from
    pam_getenvlist().
  * debian/patches/01_pam_polkit.patch: adjust patch to invoke pam_env, so
    our global settings from /etc/environment are applied correctly.
  * The two changes above fix pkexec to properly export the pam environment.
    Thanks Steve Langasek for the patch. (Closes: #692340)

 -- Michael Biebl  Tue, 15 Oct 2013 18:34:24 +0200

policykit-1 (0.105-3+nmu1) unstable; urgency=high

  * Non-maintainer upload by the Security Team.
  * Fix cve-2013-4288: race condition in pkcheck.c (closes: #723717).

 -- Michael Gilbert  Mon, 14 Oct 2013 00:08:43 +0000

policykit-1 (0.105-3ubuntu3) saucy; urgency=low

  * SECURITY UPDATE: use of pkcheck without specifying uid is racy, possibly
    leading to privilege escalation
    - debian/patches/CVE-2013-4288.patch: implement pid,start-time,uid
      syntax so callers have a non-racy way of using pkcheck.
    - CVE-2013-4288

 -- Marc Deslauriers  Wed, 18 Sep 2013 12:38:05 -0400

policykit-1 (0.105-3ubuntu2) saucy; urgency=low

  * Build using autoreconf to update config.{guess,sub} files.
  * Configure with --disable-silent-rules.

 -- Matthias Klose  Fri, 26 Jul 2013 14:07:45 +0200

policykit-1 (0.105-3ubuntu1) saucy; urgency=low

  * Merge with Debian unstable. Remaining Ubuntu changes:
    - debian/patches/07_pam_environment.patch: set process environment from
      pam_getenvlist().
    - debian/patches/01_pam_polkit.patch: adjust patch to invoke pam_env, so
      our global settings from /etc/environment are applied correctly.
    - Switch to using logind for session tracking. Depend on libpam-systemd
      instead of consolekit, and add libsystemd-login-dev build dependency.
    - debian/policykit-1.postinst: Don't restart polkitd if we are upgrading
      from a version that uses ConsoleKit. We need to keep the old daemon
      running until the next reboot, as all the current user sessions still
      have a CK session and no logind cgroup yet.

 -- Martin Pitt  Wed, 01 May 2013 16:22:36 -0700

policykit-1 (0.105-3) unstable; urgency=low

  * 07_set-XAUTHORITY-environment-variable-if-unset.patch: Set XAUTHORITY
    environment variable to its default value $HOME/.Xauthority if unset.
    Some display managers, like KDM, do not set the XAUTHORITY variable, so
    starting graphical applications via pkexec was broken in those
    environments. (Closes: #671497)

 -- Michael Biebl  Thu, 20 Dec 2012 18:55:14 +0100

policykit-1 (0.105-2) unstable; urgency=low

  * Change the permissions of /etc/polkit-1/localauthority to 700, this
    directory is not supposed to be readable by everyone.

 -- Michael Biebl  Mon, 17 Dec 2012 17:02:06 +0100

policykit-1 (0.105-1ubuntu3) saucy; urgency=low

  * debian/policykit-1.postinst: Don't restart polkitd if we are upgrading
    from a version that uses ConsoleKit. We need to keep the old daemon
    running until the next reboot, as all the current user sessions still
    have a CK session and no logind cgroup yet.

 -- Martin Pitt  Mon, 29 Apr 2013 15:21:39 -0700

policykit-1 (0.105-1ubuntu2) saucy; urgency=low

  * Switch to using logind for session tracking. Depend on libpam-systemd
    instead of consolekit, and add libsystemd-login-dev build dependency.

 -- Martin Pitt  Sun, 28 Apr 2013 06:57:06 -0700

policykit-1 (0.105-1ubuntu1) raring; urgency=low

  * Merge from Debian unstable, remaining changes:
    - debian/patches/07_pam_environment.patch: set process environment from
      pam_getenvlist().
    - debian/patches/01_pam_polkit.patch: adjust patch to invoke pam_env, so
      our global settings from /etc/environment are applied correctly.

 -- Steve Langasek  Sun, 04 Nov 2012 23:17:59 -0800

policykit-1 (0.105-1) unstable; urgency=low

  * New upstream release.
  * debian/watch: Update URL, the tarballs are hosted on freedesktop.org now.
  * Update symbols file for libpolkit-gobject-1-0 and libpolkit-agent-1-0.
  * Update debian/copyright using the machine-readable copyright format 1.0.
  * Bump Standards-Version to 3.9.3.
  * Bump Build-Depends on debhelper to (>= 9).

 -- Michael Biebl  Tue, 24 Apr 2012 21:06:04 +0200

policykit-1 (0.104-2ubuntu1) quantal; urgency=low

  * debian/patches/07_pam_environment.patch: set process environment from
    pam_getenvlist(). Closes LP: #982684.
  * debian/patches/01_pam_polkit.patch: adjust patch to invoke pam_env, so
    our global settings from /etc/environment are applied correctly.

 -- Steve Langasek  Tue, 15 May 2012 15:15:52 -0700

policykit-1 (0.104-2) unstable; urgency=low

  * debian/control: Add Build-Depends on libglib2.0-doc and libgtk-3-doc for
    proper cross-references in the gtk-doc API documentation.
  * Install systemd service file for polkitd.

 -- Michael Biebl  Sat, 11 Feb 2012 23:48:29 +0100

policykit-1 (0.104-1) unstable; urgency=low

  * New upstream release.
    - Add support for netgroups. (LP: #724052)
  * debian/rules: Disable systemd support, continue to work with ConsoleKit.
  * 05_revert-admin-identities-unix-group-wheel.patch: Refresh to apply
    cleanly.
  * debian/libpolkit-gobject-1-0.symbols: Add new symbols from this new
    release.
  * debian/rules: Do not let test failures fail the build. The new test
    suite also runs a test against the system D-BUS/ConsoleKit, which can't
    work on buildds.

 -- Martin Pitt  Fri, 06 Jan 2012 12:28:54 +0100

policykit-1 (0.103-1) unstable; urgency=low

  * New upstream release.
  * debian/control: Change section of gir1.2-polkit-1.0 to introspection.
  * 05_revert-admin-identities-unix-group-wheel.patch: Revert upstream
    change to make group wheel the default admin identity since we already
    use group sudo resp. group admin for that.

 -- Michael Biebl  Fri, 09 Dec 2011 00:48:17 +0100

policykit-1 (0.102-2) unstable; urgency=low

  * 02_gettext.patch: Explicitly #include to fix non-optimized build. Thanks
    Ivan Krasilnikov for pointing this out.
  * debian/rules: When building on Ubuntu, also consider the "sudo" group as
    administrator, for compatibility with Debian and sudo itself. Keep
    "admin" for existing systems. (LP: #893842)
  * Convert to Multi-Arch and dh compat 9. Thanks Daniel Schaal for the
    patch! (Closes: #636196)

 -- Martin Pitt  Fri, 25 Nov 2011 07:44:09 +0100

policykit-1 (0.102-1) unstable; urgency=low

  * New upstream release.
  * debian/patches/00git_fix_proc_race.patch: Removed, merged upstream.
  * debian/patches/04_ignore_quilt_po.patch: Removed, merged upstream.
  * debian/patches/03_complete_session.patch: Refreshed.
  * debian/patches/04_get_cwd.patch: Use g_get_current_dir() to determine
    the current working directory. This fixes another PATH_MAX related FTBFS
    on hurd. Thanks Emilio Pozuelo Monfort for the patch. (Closes: #623017)

 -- Michael Biebl  Tue, 02 Aug 2011 03:17:20 +0200

policykit-1 (0.101-4) unstable; urgency=high

  Urgency high due to security fix.

  * Add 00git_fix_proc_race.patch: Avoid /proc race conditions when checking
    privileges for pkexec. Patch taken from
    https://bugzilla.redhat.com/show_bug.cgi?id=692922, now also landed in
    upstream git. [CVE-2011-1485]
  * debian/libpolkit-gobject-1-0.symbols: Update for new symbols.
  * Add 04_ignore_quilt_po.patch: Ignore .po/ for intltool. This avoids
    build failures if quilt patches change files with translatable strings.
    Thanks to Kees Cook for the patch!

 -- Martin Pitt  Wed, 20 Apr 2011 12:11:38 +0200

policykit-1 (0.101-3) unstable; urgency=low

  * debian/control
    - Add Depends on gir1.2-polkit-1.0 (= ${binary:Version}) to
      libpolkit-gobject-1-dev and libpolkit-agent-1-dev to comply with the
      updated GObject introspection policy.
    - Bump Standards-Version to 3.9.2. No further changes.

 -- Michael Biebl  Sun, 10 Apr 2011 20:34:03 +0200

policykit-1 (0.101-2) unstable; urgency=low

  * Upload to unstable.

 -- Michael Biebl  Fri, 25 Mar 2011 02:19:51 +0100

policykit-1 (0.101-1) experimental; urgency=low

  * New upstream release.
  * Update patches
    - Drop debian/patches/04_test_signalfd.patch, merged upstream.
    - Refresh other patches to apply cleanly.
  * debian/libpolkit-gobject-1-0.symbols
    - Add polkit_authorization_result_get_dismissed.
  * debian/control
    - Bump Build-Depends on libglib2.0-dev to (>= 2.28.0).
  * debian/rules
    - Don't build example programs.
 -- Michael Biebl  Thu, 03 Mar 2011 23:50:17 +0100

policykit-1 (0.100-1) experimental; urgency=low

  * New upstream release.
  * Refresh debian/patches/03_complete_session.patch.
  * Replace debian/patches/04_test_signalfd.patch with a patch that was
    merged upstream. This also allows to drop
    debian/patches/99_autoreconf.patch.
  * Switch from cdbs to dh.
  * Bump debhelper compatibility level to 8.
  * Install documentation using debian/policykit-1.docs.
  * Enable gobject introspection support.
    - Add Build-Depends on libgirepository1.0-dev (>= 0.9.12),
      gobject-introspection (>= 0.9.12-4~) and gir1.2-glib-2.0.
    - Add package gir1.2-polkit-1.0 containing the typelib files.
    - Install gir files in libpolkit-agent-1-dev.install and
      libpolkit-gobject-1-dev.install.
    - Call dh_girepository in debian/rules.

 -- Michael Biebl  Wed, 23 Feb 2011 19:51:17 +0100

policykit-1 (0.99-3) unstable; urgency=low

  * Upload to unstable.

 -- Michael Biebl  Thu, 10 Feb 2011 19:21:36 +0100

policykit-1 (0.99-2) experimental; urgency=low

  [ Michael Biebl ]
  * Merge sudo group changes from unstable branch.

  [ Martin Pitt ]
  * debian/rules: Use dpkg-vendor instead of lsb_release. Drop lsb-release
    build dependency.
  * Add 04_test_signalfd.patch: Allow building on Non-Linux platforms
    without signalfd(). (Closes: #602476)
  * Add 99_autoreconf.patch: Pick up autoreconf changes from previous patch.

 -- Martin Pitt  Mon, 06 Dec 2010 16:28:11 +0100

policykit-1 (0.99-1) experimental; urgency=low

  [ Michael Biebl ]
  * New upstream release.
  * debian/patches/00git-fix-error-freeing.patch
    - Remove, fixed upstream.
  * debian/patches/00git-pkexec-information-disclosure.patch
    - Remove, merged upstream.
  * debian/control
    - Drop Build-Depends on libeggdbus-1-dev.
    - Bump Build-Depends on libglib2.0-dev to (>= 2.25.12) for GDBus.
  * Switch to source format 3.0 (quilt).
    - Add debian/source/format.
    - Drop Build-Depends on quilt.
    - Remove /usr/share/cdbs/1/rules/patchsys-quilt.mk from debian/rules.
    - Remove debian/README.source.
  [ Robert Ancell ]
  * Add debian/patches/02_gettext.patch: Use gettext for translations in
    .policy files if they specify a gettext domain.

  [ James Westby ]
  * Add debian/patches/03_complete_session.patch: Fix the race that leads to
    the password box disappearing, but the dialog remaining.

  [ Martin Pitt ]
  * debian/rules: Set DPKG_GENSYMBOLS_CHECK_LEVEL to 4 to point out outdated
    .symbols files more strongly.

 -- Michael Biebl  Thu, 04 Nov 2010 17:27:09 -0400

policykit-1 (0.96-4) unstable; urgency=low

  * debian/rules
    - When building for Debian, install a localauthority.conf.d
      configuration file which considers "sudo" group users as
      administrators. (Closes: #532499)

 -- Michael Biebl  Tue, 16 Nov 2010 23:21:50 +0100

policykit-1 (0.96-3) unstable; urgency=low

  * debian/control
    - Use architecture wildcard linux-any for libselinux1-dev.
    - Bump Standards-Version to 3.9.1.
  * debian/policykit-1.postinst
    - Query D-Bus to find out the correct pid of the process claiming
      org.freedesktop.PolicyKit1. This way we do not accidentally kill the
      wrong process when being installed in a chroot. (Closes: #595030)
  * debian/policykit-1.prerm
    - Stop polkitd on remove. (Closes: #595031)

 -- Michael Biebl  Thu, 16 Sep 2010 23:27:56 +0200

policykit-1 (0.96-2) unstable; urgency=medium

  * Urgency medium, just two small, but important bug fixes.
  * Add 00git-pkexec-information-disclosure.patch: Fix information
    disclosure vulnerability that allows an attacker to verify whether or
    not arbitrary files exist, violating directory permissions.
  * 00git-fix-error-freeing.patch: Fix crash when calling
    CheckAuthorization() with an invalid PID. (LP: #540464)

 -- Martin Pitt  Fri, 09 Apr 2010 12:09:53 +0200

policykit-1 (0.96-1) unstable; urgency=low

  * New upstream release.
  * debian/libpolkit-backend-1-0.symbols
    - Update for new API addition.

 -- Michael Biebl  Sat, 16 Jan 2010 00:05:48 +0100

policykit-1 (0.95-1) unstable; urgency=low

  * New upstream release.
  * Remove patches
    - debian/patches/02_dont_export_private_symbols.patch (merged upstream)
    - debian/patches/03_path_max.patch (merged upstream)
    - debian/patches/04-ref-authority.patch (merged upstream)
    - debian/patches/05-pkexec-env.patch (merged upstream)
    - debian/patches/99_autoreconf.patch (obsolete)
  * debian/control
    - Bump Build-Depends on libeggbus-1-dev to (>= 0.6).
  * debian/rules
    - The example application is no longer built by default so we don't
      need to manually remove it anymore.
  * debian/libpolkit-{backend,gobject}-1-0.symbols
    - Update for new API additions.

 -- Michael Biebl  Sat, 14 Nov 2009 05:33:34 +0100

policykit-1 (0.94-6) unstable; urgency=low

  * debian/policykit-1.postinst
    - Use start-stop-daemon instead of kill+pidof to stop the running
      polkitd daemon on upgrades.
  * Remove our workaround for kfreebsd again now that eglibc 2.10 has
    entered unstable. (Closes: #552605)

 -- Michael Biebl  Mon, 09 Nov 2009 01:09:07 +0100

policykit-1 (0.94-5) unstable; urgency=low

  * Add debian/patches/04-ref-authority.patch: Ref the instance returned by
    polkit_authority_get(), since the documentation says that it needs to be
    unref'ed after usage. This fixes crashes in NetworkManager and probably
    other programs, too. (LP: #438574, #432452, fd.o #24566)
  * Add debian/patches/05-pkexec-env.patch: Add missing comma so that pkexec
    saves both LANG and LANGUAGE, not LANGLANGUAGE. (Cherrypicked from
    trunk)
  * Add myself to Uploaders: with Michael's consent.

 -- Martin Pitt  Tue, 03 Nov 2009 12:28:09 +0100

policykit-1 (0.94-4) unstable; urgency=low

  * debian/patches/03_path_max.patch
    - Update patch to fix implicit pointer conversion for
      get_current_dir_name. (Closes: #550901)

 -- Michael Biebl  Wed, 14 Oct 2009 14:00:40 +0200

policykit-1 (0.94-3) unstable; urgency=low

  * debian/patches/03_path_max.patch
    - Fix FTBFS on hurd-i386 where PATH_MAX is not defined.
      (Closes: #550800) Thanks to Samuel Thibault for the patch.
  * debian/policykit-1.postinst:
    - Kill the old polkitd daemon on upgrade, to ensure that the new version
      will be used at the next occasion.

 -- Michael Biebl  Tue, 13 Oct 2009 14:32:25 +0200

policykit-1 (0.94-2) unstable; urgency=low

  * Fix build failures on kfreebsd. Add Build-Depends on libfreebsd-dev and
    link against -lfreebsd for sysctlnametomib. When glibc 2.10 enters
    unstable this workaround can be removed again.

 -- Michael Biebl  Tue, 13 Oct 2009 00:29:47 +0200

policykit-1 (0.94-1) unstable; urgency=low

  * Rename package to policykit-1. Upstream (at least temporarily) forked
    the project to make it installable in parallel with policykit 0.9, until
    all programs are ported to the new API.
  * Drop all patches except 01_pam_polkit.patch.
  * Refresh debian/patches/01_pam_polkit.patch.
  * debian/control
    - Update Build-Depends
      + Drop libdbus-1-dev, libdbus-glib-1-dev.
      + Add libeggdbus-1-dev (>= 0.5) and lsb-release.
      + Bump libglib2-dev dependency to (>= 2.21.4).
    - Update list of binary packages and their package descriptions.
    - Drop dependency on adduser.
    - Bump Standards-Version to 3.8.3.
      + Add README.source which refers to the quilt documentation.
    - Update Vcs-* fields. Package is now managed using Git and hosted on
      git.debian.org.
  * Update shared library structure:
    libpolkit-{dbus,grant} → libpolkit-{agent,backend,gobject}-1.
  * Rename policykit, policykit-doc → policykit-1, policykit-1-doc.
  * Update and revise all *.install files.
  * debian/rules, debian/policykit.init: Drop init script, package doesn't
    use /var/run any more.
  * debian/policykit-1.postinst: Don't create "polkituser" system user, it's
    not used any more.
  * Update watch file.
  * debian/patches/02_dont_export_private_symbols.patch
    - Don't export private symbols in the libraries.
  * debian/patches/99_autoreconf.patch
    - Update the autotools files as the previous patch also touches the
      build system.
  * Add symbols files for libpolkit-{agent,backend,gobject}-1 for improved
    shlibs dependencies.
  * debian/rules
    - Disable introspection support.
    - When building for Ubuntu, install a localauthority.conf.d configuration
      file which considers "admin" group users as administrators.
    - Don't install example application.
  * debian/copyright
    - Update copyright holder.
    - License was changed to LGPL 2.1+.

 -- Michael Biebl  Sun, 27 Sep 2009 21:35:18 +0200

policykit (0.9-4) unstable; urgency=low

  * Add support for /var/run being a tmpfs. (Closes: #532101)
    - Create /var/run/PolicyKit dynamically on boot by using an init script.
      Original patch by Martin Pitt, thanks. Updated patch to only run the
      init script in runlevel S at priority 75.
    - No longer ship /var/run/PolicyKit in the package itself.
  * debian/control
    - Bump Standards-Version to 3.8.1.
  * debian/patches/04_entry_leak.patch
    - Plug a memory leak. Patch pulled from Fedora.
  * debian/patches/05_manpage_typo_fix.patch
    - Fix a small typo in the polkit-auth man page. (Closes: #523565)
  * debian/patches/06_no_inotify_or_path_max.patch
    - Add support for systems which don't support inotify (like hurd) and
      don't use PATH_MAX unconditionally, instead use dynamically growing
      buffers. (Closes: #521756) Patch by Samuel Thibault, thanks.

 -- Michael Biebl  Thu, 18 Jun 2009 09:55:34 +0200

policykit (0.9-3) unstable; urgency=low

  * Switch patch management system to quilt.
  * debian/control
    - Wrap Build-Depends.
    - Demote Recommends: policykit-gnome to Suggests. (Closes: #513758)
    - Bump Build-Depends on debhelper to (>= 7).
  * debian/compat
    - Bump debhelper compat level to 7.
  * debian/rules
    - Include debhelper.mk before any other files as recommended by the cdbs
      documentation.
  * debian/patches/03_consolekit0.3-api.patch
    - Try both the ConsoleKit 0.3 and the older 0.2 API, to work with either.
      Patch pulled from Ubuntu.
 -- Michael Biebl  Wed, 18 Feb 2009 17:25:52 +0100

policykit (0.9-2) unstable; urgency=high

  [ Simon McVittie ]
  * Add patch committed in Fedora (although not upstream) by the upstream
    maintainer, to allow PolicyKit to be used when CVE-2008-4311 has been
    fixed in dbus-daemon. (Closes: #510646)

  [ Michael Biebl ]
  * debian/control
    - Add ${misc:Depends} to all binary packages.

 -- Michael Biebl  Wed, 07 Jan 2009 18:18:56 +0100

policykit (0.9-1) unstable; urgency=low

  * New upstream release.
  * debian/control
    - Bump Standards-Version to 3.8.0. No further changes.

 -- Michael Biebl  Sun, 03 Aug 2008 10:53:11 +0200

policykit (0.8-2) unstable; urgency=low

  * Add symbols files for libpolkit2, libpolkit-grant2 and libpolkit-dbus2.
  * debian/policykit.postinst
    - Set correct permissions for all files. (Closes: #482064)
    - Define a small helper function to apply the permissions. This makes it
      more concise and readable.

 -- Michael Biebl  Fri, 23 May 2008 04:33:48 +0200

policykit (0.8-1) unstable; urgency=medium

  * New upstream release.
    - SECURITY - CVE-2008-1658: Fixes format string vulnerability in the grant
      helper. (Closes: #476615)
  * debian/control
    - Add Build-Depends on pkg-config.

 -- Michael Biebl  Fri, 18 Apr 2008 01:39:08 +0200

policykit (0.7-2) unstable; urgency=low

  * Upload to unstable.

 -- Michael Biebl  Fri, 11 Jan 2008 01:02:59 +0100

policykit (0.7-1) experimental; urgency=low

  * New upstream release. (Closes: #455874)
  * debian/control
    - Bump Standards-Version to 3.7.3. No further changes required.
    - Add Build-Depends on libdbus-glib-1-dev (>= 0.73).
    - Change Homepage URL to http://hal.freedesktop.org/docs/PolicyKit/.
      (Closes: #446504)
    - Improve package description. (Closes: #446554)
  * debian/copyright
    - All code is now licensed under the MIT/X11 license. Update the
      copyright notice accordingly.
  * debian/policykit.dirs
    - Add the directory /var/lib/PolicyKit-public.
  * debian/policykit.install
    - Install the D-Bus config and service files for the PolicyKit system
      service.
    - Install /var/lib/misc/PolicyKit.reload.
  * debian/rules
    - Fix the permissions of /var/lib/misc/PolicyKit.reload.
  * debian/policykit.postinst
    - Use dpkg-statoverride to check for local modifications before setting
      the SUID/SGID bits.

 -- Michael Biebl  Thu, 20 Dec 2007 18:01:38 +0100

policykit (0.6-1) experimental; urgency=low

  * New upstream release.
  * debian/control
    - Use new "Homepage:" field to specify the upstream URL.
    - The Vcs-* fields are now officially supported, so remove the XS- prefix.
    - Add a Recommends: policykit-gnome to the policykit package.
    - Enable SELinux support by adding a Build-Depends on libselinux1-dev for
      all supported platforms.
  * debian/policykit.postinst
    - Install polkit-grant-helper-pam with the correct permissions.

 -- Michael Biebl  Sat, 03 Nov 2007 00:02:33 +0100

policykit (0.5-1) experimental; urgency=low

  * Initial release. (Closes: #397087)

 -- Michael Biebl  Tue, 02 Oct 2007 22:38:04 +0200
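The postinst permission handling referred to in the 0.6-1, 0.7-1 and 0.8-2 entries above (install the setuid/setgid helpers with the correct permissions, through a small helper function, and only after asking dpkg-statoverride whether the local administrator has overridden them) is a standard Debian maintainer-script idiom. The block below is an added illustration of that idiom written for this page; it is not the policykit postinst itself. The function names apply_perms and configure_helpers, the STATOVERRIDE_CMD variable (a hook so the example can be exercised offline with a stand-in for dpkg-statoverride), and the exact helper paths and modes are assumptions; the polkituser group and polkit-grant-helper-pam name are taken from the changelog.

```shell
#!/bin/sh
# Added example, not the package's own postinst: apply owner, group and mode
# to a setuid/setgid helper unless the local admin registered an override.
# "dpkg-statoverride --list PATH" exits 0 when an override for PATH exists
# and 1 when none does, so a successful --list means "hands off".
set -e

apply_perms() {
    path="$1" owner="$2" group="$3" mode="$4"
    # STATOVERRIDE_CMD is an assumption for this example so a stand-in can be
    # substituted offline; a real postinst calls dpkg-statoverride directly.
    statoverride="${STATOVERRIDE_CMD:-dpkg-statoverride}"

    if "$statoverride" --list "$path" >/dev/null 2>&1; then
        # Local override present: respect the administrator's choice and do
        # not silently re-enable a SUID/SGID bit they removed.
        echo "skip $path (dpkg-statoverride entry present)"
        return 0
    fi
    chown "$owner:$group" "$path"
    chmod "$mode" "$path"
    echo "set $path to $owner:$group $mode"
}

# Typical "configure" step. Paths and modes are illustrative assumptions:
# a setuid-root PAM helper, a setgid helper, and the reload stamp file.
configure_helpers() {
    apply_perms /usr/lib/policykit/polkit-grant-helper-pam root root 4754
    apply_perms /usr/lib/policykit/polkit-read-auth-helper root polkituser 2755
    apply_perms /var/lib/misc/PolicyKit.reload root polkituser 0664
}

case "${1:-}" in
    configure) configure_helpers ;;
esac
```

Because dpkg-statoverride is consulted per path, an administrator who ran `dpkg-statoverride --update --add root root 0754 /usr/lib/policykit/polkit-grant-helper-pam` keeps that setting across upgrades, which is exactly the local modification the 0.7-1 entry says the postinst must not clobber.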