94cd941ed1
OBS-URL: https://build.opensuse.org/package/show/Base:System/polkit?expand=0&rev=e2454747306b6695ac34fd9eefb30e1b
62 lines
2.2 KiB
Diff
62 lines
2.2 KiB
Diff
From 14bdfd816512a82b1ad258fa143ae5faa945df8a Mon Sep 17 00:00:00 2001
|
||
From: Dan Rosenberg <dan.j.rosenberg@gmail.com>
|
||
Date: Wed, 10 Mar 2010 17:46:19 +0000
|
||
Subject: Bug 26982 – pkexec information disclosure vulnerability
|
||
|
||
pkexec is vulnerable to a minor information disclosure vulnerability
|
||
that allows an attacker to verify whether or not arbitrary files
|
||
exist, violating directory permissions. I reproduced the issue on my
|
||
Karmic installation as follows:
|
||
|
||
$ mkdir secret
|
||
$ sudo chown root:root secret
|
||
$ sudo chmod 400 secret
|
||
$ sudo touch secret/hidden
|
||
$ pkexec /home/drosenbe/secret/hidden
|
||
(password prompt)
|
||
$ pkexec /home/drosenbe/secret/doesnotexist
|
||
Error getting information about /home/drosenbe/secret/doesnotexist: No such
|
||
file or directory
|
||
|
||
I've attached my patch for the issue. I replaced the stat() call
|
||
entirely with access() using F_OK, so rather than check that the
|
||
target exists, pkexec now checks if the user has permission to verify
|
||
the existence of the program. There might be another way of doing
|
||
this, such as chdir()'ing to the parent directory of the target and
|
||
calling lstat(), but this seemed like more code than necessary to
|
||
prevent such a minor problem. I see no reason to allow pkexec to
|
||
execute targets that are not accessible to the executing user because
|
||
of directory permissions. This is such a limited use case anyway that
|
||
this doesn't really affect functionality.
|
||
|
||
http://bugs.freedesktop.org/show_bug.cgi?id=26982
|
||
|
||
Signed-off-by: David Zeuthen <davidz@redhat.com>
|
||
---
|
||
diff --git a/src/programs/pkexec.c b/src/programs/pkexec.c
|
||
index 860e665..17c191e 100644
|
||
--- a/src/programs/pkexec.c
|
||
+++ b/src/programs/pkexec.c
|
||
@@ -411,7 +411,6 @@ main (int argc, char *argv[])
|
||
gchar *opt_user;
|
||
pid_t pid_of_caller;
|
||
uid_t uid_of_caller;
|
||
- struct stat statbuf;
|
||
|
||
ret = 127;
|
||
authority = NULL;
|
||
@@ -520,9 +519,9 @@ main (int argc, char *argv[])
|
||
g_free (path);
|
||
argv[n] = path = s;
|
||
}
|
||
- if (stat (path, &statbuf) != 0)
|
||
+ if (access (path, F_OK) != 0)
|
||
{
|
||
- g_printerr ("Error getting information about %s: %s\n", path, g_strerror (errno));
|
||
+ g_printerr ("Error accessing %s: %s\n", path, g_strerror (errno));
|
||
goto out;
|
||
}
|
||
command_line = g_strjoinv (" ", argv + n);
|
||
--
|
||
cgit v0.8.3-6-g21f6
|