From 14bdfd816512a82b1ad258fa143ae5faa945df8a Mon Sep 17 00:00:00 2001
From: Dan Rosenberg <dan.j.rosenberg@gmail.com>
Date: Wed, 10 Mar 2010 12:46:19 -0500
Subject: [PATCH 1/2] Bug 26982 – pkexec information disclosure vulnerability
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

pkexec is vulnerable to a minor information disclosure vulnerability
that allows an attacker to verify whether or not arbitrary files
exist, violating directory permissions. I reproduced the issue on my
Karmic installation as follows:

$ sudo chown root:root secret
$ sudo chmod 400 secret
$ sudo touch secret/hidden
$ pkexec /home/drosenbe/secret/hidden
$ pkexec /home/drosenbe/secret/doesnotexist
Error getting information about /home/drosenbe/secret/doesnotexist: No such

I've attached my patch for the issue. I replaced the stat() call
entirely with access() using F_OK, so rather than check that the
target exists, pkexec now checks if the user has permission to verify
the existence of the program. There might be another way of doing
this, such as chdir()'ing to the parent directory of the target and
calling lstat(), but this seemed like more code than necessary to
prevent such a minor problem. I see no reason to allow pkexec to
execute targets that are not accessible to the executing user because
of directory permissions. This is such a limited use case anyway that
this doesn't really affect functionality.

http://bugs.freedesktop.org/show_bug.cgi?id=26982

Signed-off-by: David Zeuthen <davidz@redhat.com>
src/programs/pkexec.c | 5 ++---
1 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/src/programs/pkexec.c b/src/programs/pkexec.c
index 860e665..17c191e 100644
--- a/src/programs/pkexec.c
+++ b/src/programs/pkexec.c
@@ -411,7 +411,6 @@ main (int argc, char *argv[])
- struct stat statbuf;
@@ -520,9 +519,9 @@ main (int argc, char *argv[])
- if (stat (path, &statbuf) != 0)
+ if (access (path, F_OK) != 0)
- g_printerr ("Error getting information about %s: %s\n", path, g_strerror (errno));
+ g_printerr ("Error accessing %s: %s\n", path, g_strerror (errno));
command_line = g_strjoinv (" ", argv + n);
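
Review bot: The added access (path, F_OK) call needs a source comment stating that the choice of access() over stat() is deliberate. access() evaluates the path with the caller's real UID and GID, so a target under a directory the caller cannot search fails the same way whether or not the file exists, which is the property this fix depends on. Without that comment a later cleanup could revert to stat() or to an effective-ID check and reintroduce the disclosure described in the commit message. Since the result is also only a check on the path name at this point in main(), code after it should not assume the path still refers to the same file when it is executed.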