path: root/src
Commit log (each entry: commit message; author, date, files changed, lines removed/added)
* Fix a memory leak on agent authentication cancellation (gvariant-audit)
  Miloslav Trmač, 2017-06-21, 1 file, -1/+6

  (This is cancellation by the daemon, possibly requested by the client, not by the agent.)
  https://bugs.freedesktop.org/show_bug.cgi?id=99741
  Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Fix a memory leak per agent authentication
  Miloslav Trmač, 2017-06-21, 1 file, -3/+4

  https://bugs.freedesktop.org/show_bug.cgi?id=99741
  Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Fix error handling in polkit_authority_enumerate_temporary_authorizations_finish
  Miloslav Trmač, 2017-06-21, 1 file, -1/+3

  Fix memory leaks, and don't return a pointer to freed memory.
  https://bugs.freedesktop.org/show_bug.cgi?id=99741
  Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Fix memory leaks in server_handle_*_temporary_authorizations
  Miloslav Trmač, 2017-06-21, 1 file, -0/+2

  https://bugs.freedesktop.org/show_bug.cgi?id=99741
  Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Fix a memory leak in server_handle_authentication_agent_response{,2}
  Miloslav Trmač, 2017-06-21, 1 file, -0/+2

  https://bugs.freedesktop.org/show_bug.cgi?id=99741
  Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Fix a memory leak in server_handle_unregister_authentication_agent
  Miloslav Trmač, 2017-06-21, 1 file, -0/+1

  https://bugs.freedesktop.org/show_bug.cgi?id=99741
  Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Fix a memory leak in server_handle_register_authentication_agent_with_options
  Miloslav Trmač, 2017-06-21, 1 file, -0/+1

  https://bugs.freedesktop.org/show_bug.cgi?id=99741
  Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Fix a memory leak on an error path of lookup_asv (twice)
  Miloslav Trmač, 2017-06-21, 2 files, -0/+2

  https://bugs.freedesktop.org/show_bug.cgi?id=99741
  Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Simplify GVariant reference counting
  Miloslav Trmač, 2017-06-21, 9 files, -114/+49

  For (non-public-API) *_to_gvariant, explicitly document that they return a floating value, and rely on it in callers to avoid a variable/sink/unref combo.

  This should not change behavior.

  https://bugs.freedesktop.org/show_bug.cgi?id=99741
  Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* polkitpermission: Fix a memory leak on authority changes
  Rui Matos, 2017-04-04, 1 file, -0/+1

  Signed-off-by: Rui Matos <tiagomatos@gmail.com>
  https://bugs.freedesktop.org/show_bug.cgi?id=99741
* build: Pull in GCC warning infra from ostree
  Colin Walters, 2016-12-12, 5 files, -0/+5

  I'm trying to keep a relatively standard set around, and the code there is cleaner than what we had before.

  Also, injecting as WARN_CFLAGS rather than changing CFLAGS during autoconf avoids any surprises from new warnings breaking autoconf checks.
* Replace autocompartment
  Jeremy Linton, 2016-12-12, 1 file, -7/+8

  The autocompartment definition in the previous patches seems to be fine, but constructing the autocompartment for the lifetime of the global object is probably a better way to handle this.

  Signed-off-by: Jeremy Linton <jeremy.linton@arm.com>
* Fix warnings caused by building with C++
  Jeremy Linton, 2016-12-12, 2 files, -70/+70

  C++ needs explicit casts for many pointer type conversions. For example, char * to void * should have a cast. Fix a number of these cases.

  Also, correct a white space indentation error left in the last patch for review clarity.

  Signed-off-by: Jeremy Linton <jeremy.linton@arm.com>
* Switch to hard requiring mozjs24
  Jeremy Linton, 2016-12-12, 1 file, -51/+23

  Remove mozjs185 and mozjs17 from autoconf and replace them with mozjs24.

  Now that polkitbackendjsauthority is compiling in C++ mode and the autoconf supports mozjs24, update the module so that it builds with mozjs24.

  Signed-off-by: Jeremy Linton <jeremy.linton@arm.com>
* change mozjs interface module to c++
  Jeremy Linton, 2016-12-12, 2 files, -1/+6

  The JSAPI is now a full C++ interface. Convert the polkit to JavaScript interface module to C++ compilation in order to support newer versions of spidermonkey.

  Signed-off-by: Jeremy Linton <jeremy.linton@arm.com>
* data: Set GIO_USE_VFS=local in the environment
  Philip Withnall, 2016-06-06, 5 files, -0/+19

  There is no need for polkit to ever use GVFS to load files from non-local sources, so it's best to avoid loading GVFS code, and to just rely on the local implementation in GIO instead. This reduces the attack surface of polkit.

  Implemented for the daemon, pkaction, pkcheck, pkexec and pkttyagent, because none of them need remote file access.

  https://bugs.freedesktop.org/show_bug.cgi?id=95487
* polkit: Add g_autoptr() support for GObject-derived polkit types
  Philip Withnall, 2016-05-04, 1 file, -0/+17

  Add G_DEFINE_AUTOPTR_CLEANUP_FUNC calls to polkittypes.h, so that g_autoptr() can be used with polkit objects. This is conditional on GLib ≥ 2.44.0 being available. It does not bump polkit’s dependency on GLib.

  https://bugs.freedesktop.org/show_bug.cgi?id=95065
* Remove polkitbackendconfigsource.[ch]
  Miloslav Trmač, 2016-03-23, 4 files, -665/+0

  It is no longer used since the move to JavaScript, and we don't want to maintain it unnecessarily.

  https://bugs.freedesktop.org/show_bug.cgi?id=94670
* Fix a memory leak of PolkitAgentListener's Server object
  Miloslav Trmač, 2016-03-12, 1 file, -0/+2

  https://bugs.freedesktop.org/show_bug.cgi?id=94506
* polkitagent: Fix access after dereference on hashtable
  Stef Walter, 2016-03-12, 1 file, -3/+4

  If an authentication is going on while the agent listener is going away, then we access memory that has been freed.

  g_hash_table_lookup_node: assertion failed: (hash_table->ref_count > 0)'

  https://bugs.freedesktop.org/show_bug.cgi?id=94486
* Refactor send_to_helper usage
  Dariusz Gadomski, 2015-11-18, 1 file, -55/+26

  There were duplicated pieces of code detecting EOLs and escaping the code. Those actions have been delegated to the already-existing send_to_helper function.

  https://bugs.freedesktop.org/show_bug.cgi?id=92886
* Fix multi-line pam text info.
  Dariusz Gadomski, 2015-11-18, 1 file, -4/+9

  There are pam modules (e.g. pam_vas) that may attempt to display multi-line PAM_TEXT_INFO messages. Polkit was interpreting the lines after the first one as a separate message that was not recognized causing the authorization to fail. Escaping these strings and unescaping them fixes the issue.

  https://bugs.freedesktop.org/show_bug.cgi?id=92886
* Fix abnormal formatting of authentication header lines
  enkore, 2015-10-04, 1 file, -4/+4
* Add support for NetBSD
  OBATA Akio, 2015-10-01, 2 files, -7/+31

  https://bugs.freedesktop.org/show_bug.cgi?id=92046
* Consistently use HAVE_NETGROUP_H instead of HAVE_OPENBSD
  Miloslav Trmač, 2015-07-20, 2 files, -2/+2

  Cleanup for https://bugs.freedesktop.org/show_bug.cgi?id=75187
* Add support for OpenBSD
  Antoine Jacoutot, 2015-07-20, 5 files, -4/+217

  - OpenBSD does not use PAM nor SHADOW but bsd_auth(3) for authentication
  - get_kinfo_proc(): adapt FreeBSD code to OpenBSD
  - OpenBSD, get/setnetgrent are defined in netgroup.h and getnetgrent(3) takes a const char

  https://bugs.freedesktop.org/show_bug.cgi?id=75187
* Fix use-after-free in polkitagentsession.c
  Miloslav Trmač, 2015-06-23, 1 file, -1/+2

  PolkitAgentTextListener's "completed" handler drops the last reference to the session; in fact this is explicitly recommended in the signal's documentation. So we must not access any members of session after emitting the signal.

  Found while dealing with https://bugs.freedesktop.org/show_bug.cgi?id=69501
* CVE-2015-3255 Fix GHashTable usage.
  Miloslav Trmač, 2015-06-23, 1 file, -5/+3

  Don't assume that the hash table will free both the key and the value at the same time; supply proper deallocation functions for the key and value separately.

  Then drop ParsedAction::action_id which is no longer used for anything.

  https://bugs.freedesktop.org/show_bug.cgi?id=69501 and https://bugs.freedesktop.org/show_bug.cgi?id=83590
  CVE: CVE-2015-3255
* Fix spurious timeout exceptions on GC
  Miloslav Trmač, 2015-06-19, 1 file, -0/+23

  The JS “Operation callback” can be called by the runtime for other reasons, not only when we trigger it by a timeout—notably as part of GC. So, make sure to only raise an exception if there actually was a timeout.

  Adding a whole extra mutex to protect a single boolean is somewhat of an overkill, but better than worrying about “subtle bugs and occasionally undefined behaviour” the g_atomic_* API is warning about.

  https://bugs.freedesktop.org/show_bug.cgi?id=69501
  also https://bugs.freedesktop.org/show_bug.cgi?id=77524
* Clear the JS operation callback before invoking JS in the callback
  Miloslav Trmač, 2015-06-19, 1 file, -0/+2

  Setting the callback to NULL is required by https://developer.mozilla.org/en-US/docs/SpiderMonkey/JSAPI_Reference/JS_SetOperationCallback to avoid the possibility of recursion.

  https://bugs.freedesktop.org/show_bug.cgi?id=69501
* Prevent builds against SpiderMonkey with exact stack rooting
  Miloslav Trmač, 2015-06-19, 1 file, -0/+7

  “Exact stack rooting” means that every on-stack pointer to a JavaScript value needs to be registered with the runtime. The current code doesn't do this, so it is not safe to use against a runtime with this configuration. Luckily this configuration is not default.

  See https://developer.mozilla.org/en-US/docs/SpiderMonkey/Internals/GC/Exact_Stack_Rooting and other pages in the wiki for what the conversion would require.

  https://bugs.freedesktop.org/show_bug.cgi?id=69501
* Register heap-based JSObject pointers to GC
  Miloslav Trmač, 2015-06-19, 1 file, -0/+7

  This is necessary so that the GC can move the objects (though I haven't so far encountered this in testing).

  https://bugs.freedesktop.org/show_bug.cgi?id=69501
* Wrap all JS usage within “requests”
  Miloslav Trmač, 2015-06-19, 1 file, -2/+27

  Required by https://developer.mozilla.org/en-US/docs/Mozilla/Projects/SpiderMonkey/JSAPI_reference/JS_THREADSAFE ; lack of requests causes assertion failures with a debug build of mozjs17.

  https://bugs.freedesktop.org/show_bug.cgi?id=69501
* Fix a memory leak when registering an authentication agent
  Miloslav Trmač, 2015-06-18, 1 file, -0/+1

  https://bugs.freedesktop.org/show_bug.cgi?id=69501
* Fix a per-authorization memory leak
  Miloslav Trmač, 2015-06-18, 2 files, -1/+5

  We were leaking PolkitAuthorizationResult on every request, primarily on the success path, but also on various error paths as well.

  https://bugs.freedesktop.org/show_bug.cgi?id=69501
* Don't store unrooted jsvals on heap
  Miloslav Trmač, 2015-06-18, 1 file, -7/+6

  Don't create a temporary array of jsvals on heap; the GC is not looking for GC roots there.

  Compare https://developer.mozilla.org/en-US/docs/SpiderMonkey/GC_Rooting_Guide and https://web.archive.org/web/20140305233124/https://developer.mozilla.org/en-US/docs/SpiderMonkey_Garbage_Collection_Tips .

  https://bugs.freedesktop.org/show_bug.cgi?id=69501
* Don't add extra NULL group to subject.groups
  Miloslav Trmač, 2015-06-18, 1 file, -12/+6

  The NULL “terminator” of ‘groups’ was being passed to JavaScript. Drop it, and simplify by letting set_property_strv use the GPtrArray directly instead of the extra conversions “into” a strv and a completely dead g_strv_length().

  https://bugs.freedesktop.org/show_bug.cgi?id=69501
* Don't pass an uninitialized JS parameter
  Miloslav Trmač, 2015-06-18, 1 file, -2/+2

  Don't pass argc==3 when using a 2-member array in polkit_backend_js_authority_check_authorization_sync . To avoid such problems in the future, use G_N_ELEMENTS in both similar callers.

  https://bugs.freedesktop.org/show_bug.cgi?id=69501
* docs: Update for changes to uid binding/AuthenticationAgentResponse2
  Miloslav Trmač, 2015-06-17, 3 files, -6/+24

  - Refer to PolkitAgentSession in general instead of to _response only
  - Revert to the original description of authentication cancellation, the agent really needs to return an error to the caller (in addition to dealing with the session if any).
  - Explicitly document the UID assumption; in the process fixing bug #69980.
  - Keep documenting that we need a sufficiently privileged caller.
  - Refer to the ...Response2 API in more places.
  - Also update docbook documentation.
  - Drop a paragraph suggesting non-PolkitAgentSession implementations are expected and commonplace.

  Bug: https://bugs.freedesktop.org/show_bug.cgi?id=90837
  Reviewed-by: Colin Walters <walters@redhat.com>
* CVE-2015-4625: Bind use of cookies to specific uids
  Colin Walters, 2015-06-17, 4 files, -8/+107

  http://lists.freedesktop.org/archives/polkit-devel/2015-June/000425.html

  The "cookie" value that Polkit hands out is global to all polkit users. And when `AuthenticationAgentResponse` is invoked, we previously only received the cookie and *target* identity, and attempted to find an agent from that.

  The problem is that the current cookie is just an integer counter, and if it overflowed, it would be possible for a successful authorization in one session to trigger a response in another session.

  The overflow and ability to guess the cookie were fixed by the previous patch. This patch is conceptually further hardening on top of that.

  Polkit currently treats uids as equivalent from a security domain perspective; there is no support for SELinux/AppArmor/etc. differentiation. We can retrieve the uid from `getuid()` in the setuid helper, which allows us to ensure the uid invoking `AuthenticationAgentResponse2` matches that of the agent.

  Then the authority only looks at authentication sessions matching the cookie that were created by a matching uid, thus removing the ability for different uids to interfere with each other entirely.

  Several fixes to this patch were contributed by: Miloslav Trmač <mitr@redhat.com>

  Bug: https://bugs.freedesktop.org/show_bug.cgi?id=90837
  CVE: CVE-2015-4625
  Reported-by: Tavis Ormandy <taviso@google.com>
  Reviewed-by: Miloslav Trmač <mitr@redhat.com>
  Signed-off-by: Colin Walters <walters@redhat.com>
* CVE-2015-4625: Use unpredictable cookie values, keep them secret
  Colin Walters, 2015-06-17, 6 files, -39/+149

  Tavis noted that it'd be possible with a 32 bit counter for someone to cause the cookie to wrap by creating Authentication requests in a loop.

  Something important to note here is that wrapping of signed integers is undefined behavior in C, so we definitely want to fix that. All counter integers used in this patch are unsigned.

  See the comment above `authentication_agent_generate_cookie` for details, but basically we're now using a cookie of the form:

  ```
  <agent serial> - <agent random id> - <session serial> - <session random id>
  ```

  Which has multiple 64 bit counters, plus unpredictable random 128 bit integer ids (effectively UUIDs, but we're not calling them that because we don't need to be globally unique).

  We further ensure that the cookies are not visible to other processes by changing the setuid helper to accept them over standard input. This means that an attacker would have to guess both ids.

  In any case, the security hole here is better fixed with the other change to bind user id (uid) of the agent with cookie lookups, making cookie guessing worthless. Nevertheless, I think it's worth doing this change too, for defense in depth.

  Bug: https://bugs.freedesktop.org/show_bug.cgi?id=90832
  CVE: CVE-2015-4625
  Reported-by: Tavis Ormandy <taviso@google.com>
  Reviewed-by: Miloslav Trmač <mitr@redhat.com>
  Signed-off-by: Colin Walters <walters@redhat.com>
* authority: Add a helper method for checking whether an identity is root
  Colin Walters, 2015-06-10, 1 file, -5/+13

  We had lots of copies of this.
* Fix a crash when two authentication requests are in flight.
  Miloslav Trmač, 2015-06-08, 1 file, -2/+0

  To reproduce:
  1. pkttyagent -p $$ # or another suitable PID
     # Keep it running, then in another terminal:
  2. pkcheck -p $that_pid -a org.freedesktop.policykit.exec -u
     # Keep it running, then in another terminal:
  3. pkcheck -p $that_pid -a org.freedesktop.policykit.exec -u
  4. Then, in the pkttyagent prompt, press Enter.

  polkit_agent_text_listener_initiate_authentication was already setting an appropriate error code, so the g_assert was unnecessary.

  https://bugs.freedesktop.org/show_bug.cgi?id=90879
* Fix duplicate GError use when "uid" is missing
  Miloslav Trmač, 2015-06-08, 1 file, -1/+1

  Some GLib versions complain loudly about this. To reproduce, call e.g. RegisterAuthenticationAgent with the following parameters:

  ("unix-process", {"pid": __import__('gi.repository.GLib', globals(), locals(), ['Variant']).Variant("u", 1), "start-time": __import__('gi.repository.GLib', globals(), locals(), ['Variant']).Variant("t", 1)}), "cs", "/"

  https://bugs.freedesktop.org/show_bug.cgi?id=90877
* s/INCLUDES/AM_CPPFLAGS/g
  Miloslav Trmač, 2015-06-08, 5 files, -5/+5

  to silence warning: 'INCLUDES' is the old name for 'AM_CPPFLAGS' (or '*_CPPFLAGS')

  https://bugs.freedesktop.org/show_bug.cgi?id=80767
* Fix a typo, s/Evaluting/Evaluating/g
  Miloslav Trmač, 2015-06-08, 1 file, -2/+2

  https://bugs.freedesktop.org/show_bug.cgi?id=80767
* Simplify forced error domain registration
  Miloslav Trmač, 2015-06-08, 1 file, -2/+1

  POLKIT_ERROR is a function call which we need for the side effect.

  https://bugs.freedesktop.org/show_bug.cgi?id=80767
* Remove a redundant assignment.
  Miloslav Trmač, 2015-06-06, 1 file, -1/+1

  Instead of a nonsensical (data = data), use the more customary ((void)data) to silence the warning about an unused parameter.

  https://bugs.freedesktop.org/show_bug.cgi?id=80767
* Fix a possible NULL dereference.
  Miloslav Trmač, 2015-06-06, 1 file, -1/+5

  polkit_backend_session_monitor_get_user_for_subject() may return NULL (and because it is using external processes, we can’t really rule it out). The code was already anticipating NULL in the cleanup section, so handle it also when actually using the value.

  https://bugs.freedesktop.org/show_bug.cgi?id=80767
* Revert "authority: Avoid cookie wrapping by using u64 counter"
  Colin Walters, 2015-06-03, 1 file, -22/+7

  This was accidentally committed.

  This reverts commit 87b2290c03f28841594451c7276e0ca44970c1fe.