From 476538e8ae905e2ebf247f380b2da75feedab2e5 Mon Sep 17 00:00:00 2001 From: Colin Walters Date: Wed, 3 Jun 2015 18:50:40 -0400 Subject: [PATCH] CVE-XXX-XXXX: Bind use of cookies to specific uids Note: CVE not assigned yet http://lists.freedesktop.org/archives/polkit-devel/2015-June/000425.html The "cookie" value that Polkit hands out is global to all polkit users. And when `AuthenticationAgentResponse` is invoked, we previously only received the cookie and target identity, and attempted to find an agent from that. The problem is that the current cookie is just an integer counter, and if it overflowed, it would be possible for an successful authorization in one session to trigger a response in another session. One way to fix this would be to make the cookie unforgeable, but this approach passes through the uid of the caller from the setuid binary, ensuring that we only look up `AuthenticationAgent`s that were created by a matching uid. Signed-off-by: Colin Walters --- ...g.freedesktop.PolicyKit1.AuthenticationAgent.xml | 2 +- data/org.freedesktop.PolicyKit1.Authority.xml | 9 ++++++++- ...terface-org.freedesktop.PolicyKit1.Authority.xml | 10 +++++++--- docs/polkit/overview.xml | 18 ++++++++++-------- src/polkit/polkitauthority.c | 11 ++++++++++- src/polkitbackend/polkitbackendauthority.c | 9 +++++++-- src/polkitbackend/polkitbackendauthority.h | 2 ++ .../polkitbackendinteractiveauthority.c | 21 ++++++++++++++++++--- 8 files changed, 63 insertions(+), 19 deletions(-) diff --git a/data/org.freedesktop.PolicyKit1.AuthenticationAgent.xml b/data/org.freedesktop.PolicyKit1.AuthenticationAgent.xml index 3b519c2..d9b7fcd 100644 --- a/data/org.freedesktop.PolicyKit1.AuthenticationAgent.xml +++ b/data/org.freedesktop.PolicyKit1.AuthenticationAgent.xml @@ -8,7 +8,7 @@ - + diff --git a/data/org.freedesktop.PolicyKit1.Authority.xml b/data/org.freedesktop.PolicyKit1.Authority.xml index fbfb9cd..ce71401 100644 --- a/data/org.freedesktop.PolicyKit1.Authority.xml +++ b/data/org.freedesktop.PolicyKit1.Authority.xml @@ -313,7 +313,14 @@ - + + + + + diff --git a/docs/polkit/docbook-interface-org.freedesktop.PolicyKit1.Authority.xml b/docs/polkit/docbook-interface-org.freedesktop.PolicyKit1.Authority.xml index 6525e25..90ff6cd 100644 --- a/docs/polkit/docbook-interface-org.freedesktop.PolicyKit1.Authority.xml +++ b/docs/polkit/docbook-interface-org.freedesktop.PolicyKit1.Authority.xml @@ -40,7 +40,7 @@ Structure TemporaryAuth IN Dict<String,Variant> options) UnregisterAuthenticationAgent (IN Subject subject, IN String object_path) -AuthenticationAgentResponse (IN String cookie, +AuthenticationAgentResponse (IN int uid, IN String cookie, IN Identity identity) EnumerateTemporaryAuthorizations (IN Subject subject, OUT Array<TemporaryAuthorization> temporary_authorizations) @@ -773,11 +773,15 @@ The object_path passed to AuthenticationAgentResponse () -AuthenticationAgentResponse (IN String cookie, +AuthenticationAgentResponse (IN int32 uid, + IN String cookie, IN Identity identity) -Method for authentication agents to invoke on successful authentication. This method will fail unless a sufficiently privileged caller invokes it. +Method for authentication agents to invoke on successful +authentication, intended only for use by a privileged helper process +internal to polkit. Note the signature for this method changed in +0.114. diff --git a/docs/polkit/overview.xml b/docs/polkit/overview.xml index 150a7bc..176d2ea 100644 --- a/docs/polkit/overview.xml +++ b/docs/polkit/overview.xml @@ -314,16 +314,18 @@ Authentication agents are provided by desktop environments. When an user session starts, the agent registers with the polkit - Authority using - the RegisterAuthenticationAgent() + Authority using the RegisterAuthenticationAgent() method. When services are needed, the authority will invoke - methods on - the org.freedesktop.PolicyKit1.AuthenticationAgent + methods on the org.freedesktop.PolicyKit1.AuthenticationAgent D-Bus interface. Once the user is authenticated, (a privileged - part of) the agent invokes - the AuthenticationAgentResponse() - method. Note that the polkit Authority itself does not care - how the agent authenticates the user. + part of) the agent invokes the AuthenticationAgentResponse() + method. This method should be treated as an internal + implementation detail, and callers should use the public shared + library API to invoke it, which currently uses a setuid helper + program. The libpolkit-agent-1 diff --git a/src/polkit/polkitauthority.c b/src/polkit/polkitauthority.c index ab6d3cd..0f04bcf 100644 --- a/src/polkit/polkitauthority.c +++ b/src/polkit/polkitauthority.c @@ -1492,6 +1492,14 @@ polkit_authority_authentication_agent_response (PolkitAuthority *authority, gpointer user_data) { GVariant *identity_value; + /* Note that in reality, this API is only accessible to root, and + * only called from the setuid helper `polkit-agent-helper-1`. + * + * However, because this is currently public API, we avoid + * triggering warnings from ABI diff type programs by just grabbing + * the real uid of the caller here. + */ + int uid = (int) getuid (); g_return_if_fail (POLKIT_IS_AUTHORITY (authority)); g_return_if_fail (cookie != NULL); @@ -1502,7 +1510,8 @@ polkit_authority_authentication_agent_response (PolkitAuthority *authority, g_variant_ref_sink (identity_value); g_dbus_proxy_call (authority->proxy, "AuthenticationAgentResponse", - g_variant_new ("(s@(sa{sv}))", + g_variant_new ("(is@(sa{sv}))", + uid, cookie, identity_value), G_DBUS_CALL_FLAGS_NONE, diff --git a/src/polkitbackend/polkitbackendauthority.c b/src/polkitbackend/polkitbackendauthority.c index 601a974..db6cec8 100644 --- a/src/polkitbackend/polkitbackendauthority.c +++ b/src/polkitbackend/polkitbackendauthority.c @@ -355,6 +355,7 @@ polkit_backend_authority_unregister_authentication_agent (PolkitBackendAuthority gboolean polkit_backend_authority_authentication_agent_response (PolkitBackendAuthority *authority, PolkitSubject *caller, + gint uid, const gchar *cookie, PolkitIdentity *identity, GError **error) @@ -373,7 +374,7 @@ polkit_backend_authority_authentication_agent_response (PolkitBackendAuthority } else { - return klass->authentication_agent_response (authority, caller, cookie, identity, error); + return klass->authentication_agent_response (authority, caller, uid, cookie, identity, error); } } @@ -584,6 +585,7 @@ static const gchar *server_introspection_data = " " " " " " + " " " " " " " " @@ -1014,11 +1016,13 @@ server_handle_authentication_agent_response (Server *server, GVariant *identity_gvariant; PolkitIdentity *identity; GError *error; + int uid; identity = NULL; g_variant_get (parameters, - "(&s@(sa{sv}))", + "(i&s@(sa{sv}))", + &uid, &cookie, &identity_gvariant); @@ -1035,6 +1039,7 @@ server_handle_authentication_agent_response (Server *server, error = NULL; if (!polkit_backend_authority_authentication_agent_response (server->authority, caller, + uid, cookie, identity, &error)) diff --git a/src/polkitbackend/polkitbackendauthority.h b/src/polkitbackend/polkitbackendauthority.h index f9f7385..4a30446 100644 --- a/src/polkitbackend/polkitbackendauthority.h +++ b/src/polkitbackend/polkitbackendauthority.h @@ -147,6 +147,7 @@ struct _PolkitBackendAuthorityClass gboolean (*authentication_agent_response) (PolkitBackendAuthority *authority, PolkitSubject *caller, + gint uid, const gchar *cookie, PolkitIdentity *identity, GError **error); @@ -249,6 +250,7 @@ gboolean polkit_backend_authority_unregister_authentication_agent (PolkitBackend gboolean polkit_backend_authority_authentication_agent_response (PolkitBackendAuthority *authority, PolkitSubject *caller, + gint uid, const gchar *cookie, PolkitIdentity *identity, GError **error); diff --git a/src/polkitbackend/polkitbackendinteractiveauthority.c b/src/polkitbackend/polkitbackendinteractiveauthority.c index aae8cfb..2e29520 100644 --- a/src/polkitbackend/polkitbackendinteractiveauthority.c +++ b/src/polkitbackend/polkitbackendinteractiveauthority.c @@ -169,6 +169,7 @@ static gboolean polkit_backend_interactive_authority_unregister_authentication_a static gboolean polkit_backend_interactive_authority_authentication_agent_response (PolkitBackendAuthority *authority, PolkitSubject *caller, + gint uid, const gchar *cookie, PolkitIdentity *identity, GError **error); @@ -431,6 +432,7 @@ struct AuthenticationAgent { volatile gint ref_count; + gint creator_uid; PolkitSubject *scope; gchar *locale; @@ -1548,6 +1550,7 @@ authentication_agent_unref (AuthenticationAgent *agent) static AuthenticationAgent * authentication_agent_new (PolkitSubject *scope, + gint creator_uid, const gchar *unique_system_bus_name, const gchar *locale, const gchar *object_path, @@ -1582,6 +1585,7 @@ authentication_agent_new (PolkitSubject *scope, agent = g_new0 (AuthenticationAgent, 1); agent->ref_count = 1; agent->scope = g_object_ref (scope); + agent->creator_uid = creator_uid; agent->object_path = g_strdup (object_path); agent->unique_system_bus_name = g_strdup (unique_system_bus_name); agent->locale = g_strdup (locale); @@ -1661,8 +1665,9 @@ get_authentication_agent_for_subject (PolkitBackendInteractiveAuthority *authori } static AuthenticationSession * -get_authentication_session_for_cookie (PolkitBackendInteractiveAuthority *authority, - const gchar *cookie) +get_authentication_session_for_uid_and_cookie (PolkitBackendInteractiveAuthority *authority, + guint32 uid, + const gchar *cookie) { PolkitBackendInteractiveAuthorityPrivate *priv; GHashTableIter hash_iter; @@ -1680,6 +1685,14 @@ get_authentication_session_for_cookie (PolkitBackendInteractiveAuthority *author { GList *l; + /* We need to ensure that if somehow we have duplicate cookies + * due to wrapping, that the cookie used is matched to the user + * who called AuthenticationAgentResponse. See + * http://lists.freedesktop.org/archives/polkit-devel/2015-June/000425.html + */ + if (agent->creator_uid != uid) + continue; + for (l = agent->active_sessions; l != NULL; l = l->next) { AuthenticationSession *session = l->data; @@ -2479,6 +2492,7 @@ polkit_backend_interactive_authority_register_authentication_agent (PolkitBacken } agent = authentication_agent_new (subject, + caller_uid, polkit_system_bus_name_get_name (POLKIT_SYSTEM_BUS_NAME (caller)), locale, object_path, @@ -2692,6 +2706,7 @@ polkit_backend_interactive_authority_unregister_authentication_agent (PolkitBack static gboolean polkit_backend_interactive_authority_authentication_agent_response (PolkitBackendAuthority *authority, PolkitSubject *caller, + gint uid, const gchar *cookie, PolkitIdentity *identity, GError **error) @@ -2734,7 +2749,7 @@ polkit_backend_interactive_authority_authentication_agent_response (PolkitBacken } /* find the authentication session */ - session = get_authentication_session_for_cookie (interactive_authority, cookie); + session = get_authentication_session_for_uid_and_cookie (interactive_authority, uid, cookie); if (session == NULL) { g_set_error (error, -- 1.8.3.1