← Back to branch summary

~stgraber/ubuntu/trusty/systemd/logind-cgroup-controllers

« back to all changes in this revision

Viewing changes to src/shared/polkit.c

  • Committer: Package Import Robot
  • Author(s): Marc Deslauriers
  • Date: 2013-09-18 13:19:40 UTC
  • Revision ID: package-import@ubuntu.com-20130918131940-4yc1tlgxk36z178x
Tags: 204-0ubuntu12
* SECURITY UPDATE: possible privilege escalation via policykit UID lookup
  race.
  - debian/patches/0027-CVE-2013-4327.patch: pass system-bus-name as a
    subject instead of pid so policykit can get the information from the
    system bus in src/shared/polkit.c.
  - CVE-2013-4327

Show diffs side-by-side

added added

removed removed

Lines of Context:
src/shared/polkit.c
38
38
 
39
39
#ifdef ENABLE_POLKIT
40
40
        DBusMessage *m = NULL, *reply = NULL;
41
 
        const char *unix_process = "unix-process", *pid = "pid", *starttime = "start-time", *cancel_id = "";
 
41
        const char *system_bus_name = "system-bus-name", *name = "name", *cancel_id = "";
42
42
        uint32_t flags = interactive ? 1 : 0;
43
 
        pid_t pid_raw;
44
 
        uint32_t pid_u32;
45
43
        unsigned long long starttime_raw;
46
 
        uint64_t starttime_u64;
47
44
        DBusMessageIter iter_msg, iter_struct, iter_array, iter_dict, iter_variant;
48
45
        int r;
49
46
        dbus_bool_t authorized = FALSE, challenge = FALSE;
68
65
 
69
66
#ifdef ENABLE_POLKIT
70
67
 
71
 
        pid_raw = bus_get_unix_process_id(c, sender, error);
72
 
        if (pid_raw == 0)
73
 
                return -EINVAL;
74
 
 
75
 
        r = get_starttime_of_pid(pid_raw, &starttime_raw);
76
 
        if (r < 0)
77
 
                return r;
78
 
 
79
68
        m = dbus_message_new_method_call(
80
69
                        "org.freedesktop.PolicyKit1",
81
70
                        "/org/freedesktop/PolicyKit1/Authority",
86
75
 
87
76
        dbus_message_iter_init_append(m, &iter_msg);
88
77
 
89
 
        pid_u32 = (uint32_t) pid_raw;
90
 
        starttime_u64 = (uint64_t) starttime_raw;
91
 
 
92
78
        if (!dbus_message_iter_open_container(&iter_msg, DBUS_TYPE_STRUCT, NULL, &iter_struct) ||
93
 
            !dbus_message_iter_append_basic(&iter_struct, DBUS_TYPE_STRING, &unix_process) ||
 
79
            !dbus_message_iter_append_basic(&iter_struct, DBUS_TYPE_STRING, &system_bus_name) ||
94
80
            !dbus_message_iter_open_container(&iter_struct, DBUS_TYPE_ARRAY, "{sv}", &iter_array) ||
95
81
            !dbus_message_iter_open_container(&iter_array, DBUS_TYPE_DICT_ENTRY, NULL, &iter_dict) ||
96
 
            !dbus_message_iter_append_basic(&iter_dict, DBUS_TYPE_STRING, &pid) ||
97
 
            !dbus_message_iter_open_container(&iter_dict, DBUS_TYPE_VARIANT, "u", &iter_variant) ||
98
 
            !dbus_message_iter_append_basic(&iter_variant, DBUS_TYPE_UINT32, &pid_u32) ||
99
 
            !dbus_message_iter_close_container(&iter_dict, &iter_variant) ||
100
 
            !dbus_message_iter_close_container(&iter_array, &iter_dict) ||
101
 
            !dbus_message_iter_open_container(&iter_array, DBUS_TYPE_DICT_ENTRY, NULL, &iter_dict) ||
102
 
            !dbus_message_iter_append_basic(&iter_dict, DBUS_TYPE_STRING, &starttime) ||
103
 
            !dbus_message_iter_open_container(&iter_dict, DBUS_TYPE_VARIANT, "t", &iter_variant) ||
104
 
            !dbus_message_iter_append_basic(&iter_variant, DBUS_TYPE_UINT64, &starttime_u64) ||
 
82
            !dbus_message_iter_append_basic(&iter_dict, DBUS_TYPE_STRING, &name) ||
 
83
            !dbus_message_iter_open_container(&iter_dict, DBUS_TYPE_VARIANT, "s", &iter_variant) ||
 
84
            !dbus_message_iter_append_basic(&iter_variant, DBUS_TYPE_STRING, &sender) ||
105
85
            !dbus_message_iter_close_container(&iter_dict, &iter_variant) ||
106
86
            !dbus_message_iter_close_container(&iter_array, &iter_dict) ||
107
87
            !dbus_message_iter_close_container(&iter_struct, &iter_array) ||