| Commit message (Collapse) | Author | Age | Files | Lines |
(This is cancellation by the daemon, possibly requested by the client, not by the agent.)
https://bugs.freedesktop.org/show_bug.cgi?id=99741
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
https://bugs.freedesktop.org/show_bug.cgi?id=99741
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Fix memory leaks, and don't return a pointer to freed memory.
https://bugs.freedesktop.org/show_bug.cgi?id=99741
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
https://bugs.freedesktop.org/show_bug.cgi?id=99741
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
https://bugs.freedesktop.org/show_bug.cgi?id=99741
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
https://bugs.freedesktop.org/show_bug.cgi?id=99741
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
https://bugs.freedesktop.org/show_bug.cgi?id=99741
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
https://bugs.freedesktop.org/show_bug.cgi?id=99741
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
For (non-public-API) *_to_gvariant, explicitly document that they return
a floating value, and rely on it in callers to avoid a
variable/sink/unref combo.
This should not change behavior.
https://bugs.freedesktop.org/show_bug.cgi?id=99741
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Signed-off-by: Rui Matos <tiagomatos@gmail.com>
https://bugs.freedesktop.org/show_bug.cgi?id=99741
I'm trying to keep a relatively standard set around, and the code
there is cleaner than what we had before.
Also, injecting as WARN_CFLAGS rather than changing CFLAGS during
autoconf avoids any surprises from new warnings breaking autoconf
checks.
The autocompartment definition in the previous patches seems to be fine, but
constructing the autocompartment for the lifetime of the global object is probably
a better way to handle this.
Signed-off-by: Jeremy Linton <jeremy.linton@arm.com>
C++ needs explicit casts for many pointer type conversions
For example char * to void * should have a cast. Fix a
number of these cases. Also, correct a white space indentation
error left in the last patch for review clarity.
Signed-off-by: Jeremy Linton <jeremy.linton@arm.com>
Remove mozjs185 and mozjs17 from autoconf and replace them
with mozjs24.
Now that polkitbackendjsauthority is compiling in C++ mode
and the autoconf supports mozjs24, update the module so
that it builds with mozjs24.
Signed-off-by: Jeremy Linton <jeremy.linton@arm.com>
The JSAPI is now a full C++ interface. Convert the polkit
to JavaScript interface module to C++ compilation in order to
support newer versions of spidermonkey.
Signed-off-by: Jeremy Linton <jeremy.linton@arm.com>
There is no need for polkit to ever use GVFS to load files from
non-local sources, so it's best to avoid loading GVFS code, and to just
rely on the local implementation in GIO instead. This reduces the attack
surface of polkit.
Implemented for the daemon, pkaction, pkcheck, pkexec and pkttyagent,
because none of them need remote file access.
https://bugs.freedesktop.org/show_bug.cgi?id=95487
Add G_DEFINE_AUTOPTR_CLEANUP_FUNC calls to polkittypes.h, so that
g_autoptr() can be used with polkit objects.
This is conditional on GLib ≥ 2.44.0 being available. It does not bump
polkit’s dependency on GLib.
https://bugs.freedesktop.org/show_bug.cgi?id=95065
It is no longer used since the move to JavaScript, and we don't want to
maintain it unnecessarily.
https://bugs.freedesktop.org/show_bug.cgi?id=94670
https://bugs.freedesktop.org/show_bug.cgi?id=94506
If an authentication is going on while the agent listener is
going away, then we access memory that has been freed.
g_hash_table_lookup_node: assertion failed: (hash_table->ref_count > 0)'
https://bugs.freedesktop.org/show_bug.cgi?id=94486
There were duplicated pieces of code detecting EOLs and escaping the code.
Those actions have been delegated to the already-existing send_to_helper function.
https://bugs.freedesktop.org/show_bug.cgi?id=92886
There are pam modules (e.g. pam_vas) that may attempt to display multi-line
PAM_TEXT_INFO messages. Polkit was interpreting the lines after the first one
as a separate message that was not recognized causing the authorization
to fail. Escaping these strings and unescaping them fixes the issue.
https://bugs.freedesktop.org/show_bug.cgi?id=92886
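The escaping the two commit messages above describe, as an added example in C that is not polkit's own code: a multi-line PAM_TEXT_INFO message is turned into a single line for a newline-delimited helper protocol on the sending side and restored on the receiving side. The function names, the `\n`/`\\` escape alphabet and the `"<kind> <message>\n"` framing are assumptions made for the illustration.

```c
/* Added example (not polkit's code): a multi-line PAM_TEXT_INFO message is
 * carried over a newline-delimited helper protocol by escaping it into one
 * line on the sending side and unescaping it on the receiving side. */
#include <stdlib.h>
#include <string.h>

/* Escape '\n' and '\\' so the result contains no raw newline. Caller frees. */
char *escape_line(const char *s)
{
    char *out = malloc(2 * strlen(s) + 1);   /* worst case: every byte doubles */
    if (out == NULL)
        return NULL;
    char *p = out;
    for (; *s != '\0'; s++) {
        switch (*s) {
        case '\n': *p++ = '\\'; *p++ = 'n';  break;
        case '\\': *p++ = '\\'; *p++ = '\\'; break;
        default:   *p++ = *s;                break;
        }
    }
    *p = '\0';
    return out;
}

/* Reverse of escape_line. Returns NULL on a dangling or unknown escape, or on
 * a raw newline, which means the sender did not escape at all. Caller frees. */
char *unescape_line(const char *s)
{
    char *out = malloc(strlen(s) + 1);
    if (out == NULL)
        return NULL;
    char *p = out;
    for (; *s != '\0'; s++) {
        if (*s == '\\') {
            s++;                              /* a trailing '\\' lands on the NUL below */
            if (*s == 'n')       *p++ = '\n';
            else if (*s == '\\') *p++ = '\\';
            else { free(out); return NULL; }
        } else if (*s == '\n') {
            free(out);
            return NULL;
        } else {
            *p++ = *s;
        }
    }
    *p = '\0';
    return out;
}

/* One protocol line: "<kind> <escaped message>\n". Caller frees. */
char *helper_message(const char *kind, const char *msg)
{
    char *esc = escape_line(msg);
    if (esc == NULL)
        return NULL;
    size_t len = strlen(kind) + 1 + strlen(esc) + 2;   /* space, newline, NUL */
    char *line = malloc(len);
    if (line != NULL) {
        strcpy(line, kind);
        strcat(line, " ");
        strcat(line, esc);
        strcat(line, "\n");
    }
    free(esc);
    return line;
}

/* 1 if msg survives a round trip and the wire form holds no raw newline. */
int roundtrip_ok(const char *msg)
{
    char *esc = escape_line(msg);
    char *back = esc ? unescape_line(esc) : NULL;
    int ok = back != NULL && strcmp(back, msg) == 0 && strchr(esc, '\n') == NULL;
    free(esc);
    free(back);
    return ok;
}
```

The receiving side rejects a raw newline rather than silently splitting on it; before the fix described above, that split is exactly what turned the second line of a PAM message into an unrecognised message.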
https://bugs.freedesktop.org/show_bug.cgi?id=92046
Cleanup for
https://bugs.freedesktop.org/show_bug.cgi?id=75187
- OpenBSD does not use PAM nor SHADOW but bsd_auth(3) for authentication
- get_kinfo_proc(): adapt FreeBSD code to OpenBSD
- OpenBSD, get/setnetgrent are defined in netgroup.h and getnetgrent(3) takes a
const char
https://bugs.freedesktop.org/show_bug.cgi?id=75187
PolkitAgentTextListener's "completed" handler drops the last reference
to the session; in fact this is explicitly recommended in the signal's
documentation. So we must not access any members of session after
emitting the signal.
Found while dealing with
https://bugs.freedesktop.org/show_bug.cgi?id=69501
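The ordering problem described in this commit message and in the earlier one about the agent listener going away mid-authentication, as an added example in C that is not polkit's own code: a refcounted session whose "completed" handler is permitted to drop the last reference, and an emitter that takes its own temporary reference so it can still touch the object after the handler returns. The type and function names and the `sessions_freed` counter are assumptions made for the illustration.

```c
/* Added example (not polkit's code): a refcounted session whose "completed"
 * handler is allowed to drop the last reference. The emitter takes its own
 * reference for the duration of the emit, so it never reads freed memory. */
#include <stdlib.h>

typedef struct Session Session;
typedef void (*CompletedFn)(Session *s, int gained_authorization, void *user_data);

struct Session {
    int         refcount;
    int         finished;
    CompletedFn on_completed;
    void       *user_data;
};

int sessions_freed;   /* hypothetical bookkeeping so the effect is observable */

Session *session_new(CompletedFn cb, void *user_data)
{
    Session *s = calloc(1, sizeof *s);
    if (s != NULL) {
        s->refcount = 1;          /* the caller's reference */
        s->on_completed = cb;
        s->user_data = user_data;
    }
    return s;
}

Session *session_ref(Session *s)
{
    s->refcount++;
    return s;
}

void session_unref(Session *s)
{
    if (--s->refcount == 0) {
        sessions_freed++;
        free(s);
    }
}

/* Emit "completed". Returns the number of references left once the emitter
 * drops its own, i.e. 0 when the handler released the last one.
 *
 * Without the session_ref() below, a handler that unrefs would free `s`, and
 * the read of s->refcount after the call would be a use-after-free: the bug
 * the commit message above describes. */
int session_complete(Session *s, int gained_authorization)
{
    session_ref(s);
    s->finished = 1;
    if (s->on_completed != NULL)
        s->on_completed(s, gained_authorization, s->user_data);
    int remaining = s->refcount - 1;  /* still valid: we hold a reference */
    session_unref(s);
    return remaining;
}

/* Handler that does what the signal documentation permits: drop the last ref. */
void handler_drops_ref(Session *s, int gained_authorization, void *user_data)
{
    (void)gained_authorization;
    (void)user_data;
    session_unref(s);
}

/* Handler that keeps the caller's reference; the caller must unref later. */
void handler_keeps_ref(Session *s, int gained_authorization, void *user_data)
{
    (void)s; (void)gained_authorization; (void)user_data;
}

/* Full caller-side flow with a handler that keeps the reference. */
int demo_keep_then_unref(void)
{
    Session *s = session_new(handler_keeps_ref, NULL);
    int remaining = session_complete(s, 0);
    session_unref(s);                 /* caller drops its own reference now */
    return remaining;
}
```

The alternative to the temporary reference is to copy every field you need out of the object before emitting and never touch it afterwards; the temporary reference is the more robust choice because it keeps working when someone later adds a read after the emit.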
Don't assume that the hash table will free both the key and the value
at the same time, supply proper deallocation functions for the key
and value separately.
Then drop ParsedAction::action_id which is no longer used for anything.
https://bugs.freedesktop.org/show_bug.cgi?id=69501
and
https://bugs.freedesktop.org/show_bug.cgi?id=83590
CVE: CVE-2015-3255
The JS “Operation callback” can be called by the runtime for other
reasons, not only when we trigger it by a timeout—notably as part of GC.
So, make sure to only raise an exception if there actually was a
timeout.
Adding a whole extra mutex to protect a single boolean is somewhat of an
overkill, but better than worrying about “subtle bugs and occasionally
undefined behaviour” the g_atomic_* API is warning about.
https://bugs.freedesktop.org/show_bug.cgi?id=69501
also
https://bugs.freedesktop.org/show_bug.cgi?id=77524
Setting the callback to NULL is required by
https://developer.mozilla.org/en-US/docs/SpiderMonkey/JSAPI_Reference/JS_SetOperationCallback
to avoid the possibility of recursion.
https://bugs.freedesktop.org/show_bug.cgi?id=69501
“Exact stack rooting” means that every on-stack pointer to a JavaScript
value needs to be registered with the runtime. The current code doesn't
do this, so it is not safe to use against a runtime with this
configuration. Luckily this configuration is not default.
See
https://developer.mozilla.org/en-US/docs/SpiderMonkey/Internals/GC/Exact_Stack_Rooting
and other pages in the wiki for what the conversion would require.
https://bugs.freedesktop.org/show_bug.cgi?id=69501
This is necessary so that the GC can move the objects (though I haven't
so far encountered this in testing).
https://bugs.freedesktop.org/show_bug.cgi?id=69501
Required by
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/SpiderMonkey/JSAPI_reference/JS_THREADSAFE
; lack of requests causes assertion failures with a debug build of
mozjs17.
https://bugs.freedesktop.org/show_bug.cgi?id=69501
https://bugs.freedesktop.org/show_bug.cgi?id=69501
We were leaking PolkitAuthorizationResult on every request, primarily on
the success path, but also on various error paths as well.
https://bugs.freedesktop.org/show_bug.cgi?id=69501
Don't create a temporary array of jsvals on heap; the GC is not looking
for GC roots there.
Compare
https://developer.mozilla.org/en-US/docs/SpiderMonkey/GC_Rooting_Guide
and
https://web.archive.org/web/20140305233124/https://developer.mozilla.org/en-US/docs/SpiderMonkey_Garbage_Collection_Tips
.
https://bugs.freedesktop.org/show_bug.cgi?id=69501
The NULL “terminator” of ‘groups’ was being passed to JavaScript. Drop
it, and simplify by letting set_property_strv use the GPtrArray directly
instead of the extra conversions “into” a strv and a completely dead
g_strv_length().
https://bugs.freedesktop.org/show_bug.cgi?id=69501
Don't pass argc==3 when using a 2-member array in
polkit_backend_js_authority_check_authorization_sync . To avoid such
problems in the future, use G_N_ELEMENTS in both similar callers.
https://bugs.freedesktop.org/show_bug.cgi?id=69501
- Refer to PolkitAgentSession in general instead of to _response only
- Revert to the original description of authentication cancellation, the
agent really needs to return an error to the caller (in addition to dealing
with the session if any).
- Explicitly document the UID assumption; in the process fixing bug #69980.
- Keep documenting that we need a sufficiently privileged caller.
- Refer to the ...Response2 API in more places.
- Also update docbook documentation.
- Drop a paragraph suggesting non-PolkitAgentSession implementations are
expected and commonplace.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=90837
Reviewed-by: Colin Walters <walters@redhat.com>
http://lists.freedesktop.org/archives/polkit-devel/2015-June/000425.html
The "cookie" value that Polkit hands out is global to all polkit
users. And when `AuthenticationAgentResponse` is invoked, we
previously only received the cookie and *target* identity, and
attempted to find an agent from that.
The problem is that the current cookie is just an integer
counter, and if it overflowed, it would be possible for
a successful authorization in one session to trigger a response
in another session.
The overflow and ability to guess the cookie were fixed by the
previous patch.
This patch is conceptually further hardening on top of that. Polkit
currently treats uids as equivalent from a security domain
perspective; there is no support for
SELinux/AppArmor/etc. differentiation.
We can retrieve the uid from `getuid()` in the setuid helper, which
allows us to ensure the uid invoking `AuthenticationAgentResponse2`
matches that of the agent.
Then the authority only looks at authentication sessions matching the
cookie that were created by a matching uid, thus removing the ability
for different uids to interfere with each other entirely.
Several fixes to this patch were contributed by:
Miloslav Trmač <mitr@redhat.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=90837
CVE: CVE-2015-4625
Reported-by: Tavis Ormandy <taviso@google.com>
Reviewed-by: Miloslav Trmač <mitr@redhat.com>
Signed-off-by: Colin Walters <walters@redhat.com>
Tavis noted that it'd be possible with a 32 bit counter for someone to
cause the cookie to wrap by creating Authentication requests in a
loop.
Something important to note here is that wrapping of signed integers
is undefined behavior in C, so we definitely want to fix that. All
counter integers used in this patch are unsigned.
See the comment above `authentication_agent_generate_cookie` for
details, but basically we're now using a cookie of the form:
```
<agent serial> - <agent random id> - <session serial> - <session random id>
```
Which has multiple 64 bit counters, plus unpredictable random 128 bit
integer ids (effectively UUIDs, but we're not calling them that
because we don't need to be globally unique).
We further ensure that the cookies are not visible to other processes
by changing the setuid helper to accept them over standard input. This
means that an attacker would have to guess both ids.
In any case, the security hole here is better fixed with the other
change to bind user id (uid) of the agent with cookie lookups, making
cookie guessing worthless.
Nevertheless, I think it's worth doing this change too, for defense in
depth.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=90832
CVE: CVE-2015-4625
Reported-by: Tavis Ormandy <taviso@google.com>
Reviewed-by: Miloslav Trmač <mitr@redhat.com>
Signed-off-by: Colin Walters <walters@redhat.com>
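The cookie scheme in this commit message and the uid binding in the one above it, as an added example in C that is not polkit's own code: cookies are formatted from two unsigned 64-bit serials and two 128-bit random ids, and a lookup only considers sessions whose agent was registered by the uid presenting the cookie. The type and function names, the use of /dev/urandom as the random source, the hex encoding of the ids and the constant-time comparison are assumptions made for the illustration.

```c
/* Added example (not polkit's code): a cookie built from two unsigned 64-bit
 * serials and two 128-bit random ids, plus a lookup that only honours a
 * cookie presented by the uid that registered the agent. Names hypothetical. */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define RAND_ID_LEN 16       /* 128-bit unpredictable id */
#define COOKIE_LEN  128      /* upper bound for the formatted cookie */

typedef struct {
    uid_t    uid;            /* uid that registered this agent */
    uint64_t serial;         /* unsigned: wrap-around is defined behaviour */
    uint8_t  id[RAND_ID_LEN];
} Agent;

typedef struct {
    const Agent *agent;      /* NULL for an unused slot */
    uint64_t     serial;
    uint8_t      id[RAND_ID_LEN];
    char         cookie[COOKIE_LEN];
} Session;

static uint64_t next_agent_serial, next_session_serial;  /* never signed */
Agent   agents[2];
Session sessions[2];

static void hex_encode(char *out, const uint8_t *in, size_t n)
{
    static const char digits[] = "0123456789abcdef";
    for (size_t i = 0; i < n; i++) {
        out[2 * i]     = digits[in[i] >> 4];
        out[2 * i + 1] = digits[in[i] & 0x0f];
    }
    out[2 * n] = '\0';
}

/* Unpredictable bytes from the kernel; 0 on success. */
static int fill_random(uint8_t *buf, size_t n)
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL)
        return -1;
    size_t got = fread(buf, 1, n, f);
    fclose(f);
    return got == n ? 0 : -1;
}

/* <agent serial>-<agent random id>-<session serial>-<session random id> */
int cookie_format(char *out, size_t outlen,
                  uint64_t agent_serial, const uint8_t *agent_id,
                  uint64_t session_serial, const uint8_t *session_id)
{
    char a[2 * RAND_ID_LEN + 1], s[2 * RAND_ID_LEN + 1];
    hex_encode(a, agent_id, RAND_ID_LEN);
    hex_encode(s, session_id, RAND_ID_LEN);
    int n = snprintf(out, outlen, "%" PRIu64 "-%s-%" PRIu64 "-%s",
                     agent_serial, a, session_serial, s);
    return (n > 0 && (size_t)n < outlen) ? 0 : -1;
}

int agent_register(Agent *a, uid_t uid)
{
    a->uid = uid;
    a->serial = next_agent_serial++;
    return fill_random(a->id, RAND_ID_LEN);
}

int session_begin(Session *s, const Agent *a)
{
    s->agent = a;
    s->serial = next_session_serial++;
    if (fill_random(s->id, RAND_ID_LEN) != 0)
        return -1;
    return cookie_format(s->cookie, sizeof s->cookie, a->serial, a->id, s->serial, s->id);
}

/* Constant-time compare so a caller cannot probe a cookie byte by byte. */
static int cookie_equal(const char *x, const char *y)
{
    size_t lx = strlen(x);
    if (lx != strlen(y))
        return 0;
    unsigned char diff = 0;
    for (size_t i = 0; i < lx; i++)
        diff |= (unsigned char)(x[i] ^ y[i]);
    return diff == 0;
}

/* Index of the session for `cookie` among sessions whose agent was registered
 * by `caller_uid`; -1 if none. The uid check comes first, so a cookie guessed
 * or leaked across uids is worthless. */
int session_lookup(const Session *list, size_t n, const char *cookie, uid_t caller_uid)
{
    for (size_t i = 0; i < n; i++) {
        if (list[i].agent == NULL || list[i].agent->uid != caller_uid)
            continue;
        if (cookie_equal(list[i].cookie, cookie))
            return (int)i;
    }
    return -1;
}

/* Two agents for two uids, one session each; returns the session count. */
int setup_demo(void)
{
    if (agent_register(&agents[0], 1000) != 0 || agent_register(&agents[1], 1001) != 0)
        return -1;
    if (session_begin(&sessions[0], &agents[0]) != 0 || session_begin(&sessions[1], &agents[1]) != 0)
        return -1;
    return 2;
}
```

In a real daemon the `caller_uid` would come from the credentials of the process delivering the response (the commit above takes it from `getuid()` in the setuid helper), never from the message body; the cookie alone is the second factor, not the first.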
We had lots of copies of this.
To reproduce:
1. pkttyagent -p $$ # or another suitable PID
# Keep it running, then in another terminal:
2. pkcheck -p $that_pid -a org.freedesktop.policykit.exec -u
# Keep it running, then in another terminal:
3. pkcheck -p $that_pid -a org.freedesktop.policykit.exec -u
4. Then, in the pkttyagent prompt, press Enter.
polkit_agent_text_listener_initiate_authentication was already setting
an appropriate error code, so the g_assert was unnecessary.
https://bugs.freedesktop.org/show_bug.cgi?id=90879
Some GLib versions complain loudly about this.
To reproduce, call e.g. RegisterAuthenticationAgent with the following
parameters:
("unix-process", {"pid": __import__('gi.repository.GLib', globals(),
locals(), ['Variant']).Variant("u", 1), "start-time":
__import__('gi.repository.GLib', globals(), locals(),
['Variant']).Variant("t", 1)}), "cs", "/"
https://bugs.freedesktop.org/show_bug.cgi?id=90877
to silence
warning: 'INCLUDES' is the old name for 'AM_CPPFLAGS' (or '*_CPPFLAGS')
https://bugs.freedesktop.org/show_bug.cgi?id=80767
https://bugs.freedesktop.org/show_bug.cgi?id=80767
POLKIT_ERROR is a function call which we need for the side effect.
https://bugs.freedesktop.org/show_bug.cgi?id=80767
Instead of a nonsensical (data = data), use the more customary
((void)data) to silence the warning about an unused parameter.
https://bugs.freedesktop.org/show_bug.cgi?id=80767
polkit_backend_session_monitor_get_user_for_subject() may return NULL
(and because it is using external processes, we can’t really rule it
out). The code was already anticipating NULL in the cleanup section, so
handle it also when actually using the value.
https://bugs.freedesktop.org/show_bug.cgi?id=80767
This was accidentally committed.
This reverts commit 87b2290c03f28841594451c7276e0ca44970c1fe.