Bug 26982 - pkexec information disclosure vulnerability
Summary: pkexec information disclosure vulnerability
Alias: None
Product: PolicyKit
Classification: Unclassified
Component: libpolkit (show other bugs)
Version: unspecified
Hardware: All All
: low normal
Assignee: David Zeuthen (not reading bugmail)
QA Contact: David Zeuthen (not reading bugmail)
Depends on:
Reported: 2010-03-09 11:17 UTC by Dan Rosenberg
Modified: 2010-03-10 09:48 UTC (History)
0 users

See Also:
i915 platform:
i915 features:

Patch for pkexec info disclosure (699 bytes, patch)
2010-03-09 11:17 UTC, Dan Rosenberg
Details | Splinter Review

Description Dan Rosenberg 2010-03-09 11:17:50 UTC
Created attachment 33901 [details] [review]
Patch for pkexec info disclosure

pkexec is vulnerable to a minor information disclosure vulnerability that allows an attacker to verify whether or not arbitrary files exist, violating directory permissions. I reproduced the issue on my Karmic installation as follows:

$ mkdir secret
$ sudo chown root:root secret
$ sudo chmod 400 secret
$ sudo touch secret/hidden
$ pkexec /home/drosenbe/secret/hidden
(password prompt)
$ pkexec /home/drosenbe/secret/doesnotexist
Error getting information about /home/drosenbe/secret/doesnotexist: No such file or directory

I've attached my patch for the issue. I replaced the stat() call entirely with access() using F_OK, so rather than check that the target exists, pkexec now checks if the user has permission to verify the existence of the program. There might be another way of doing this, such as chdir()'ing to the parent directory of the target and calling lstat(), but this seemed like more code than necessary to prevent such a minor problem.  I see no reason to allow pkexec to execute targets that are not accessible to the executing user because of directory permissions. This is such a limited use case anyway that this doesn't really affect functionality.
Comment 1 David Zeuthen (not reading bugmail) 2010-03-10 09:48:49 UTC
Nice catch, committed.



Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.