Hello community, here is the log from the commit of package PolicyKit checked in at Mon Oct 6 19:08:31 CEST 2008. -------- --- PolicyKit/PolicyKit.changes 2008-09-10 14:07:57.000000000 +0200 +++ /mounts/work_src_done/STABLE/PolicyKit/PolicyKit.changes 2008-10-02 16:51:23.000000000 +0200 @@ -1,0 +2,6 @@ +Thu Oct 2 16:50:41 CEST 2008 - lnussel@suse.de + +- don't set exe constraints if the resolve-exe-helper isn't setuid root +- fix permissions to match new setting in level 'secure' + +------------------------------------------------------------------- PolicyKit-doc.changes: same change calling whatdependson for head-i586 New: ---- PolicyKit-0.9-pidconstraint.diff ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ PolicyKit-doc.spec ++++++ --- /var/tmp/diff_new_pack.f23541/_old 2008-10-06 19:07:14.000000000 +0200 +++ /var/tmp/diff_new_pack.f23541/_new 2008-10-06 19:07:14.000000000 +0200 @@ -40,7 +40,7 @@ License: X11/MIT Group: Documentation/Other Version: 0.9 -Release: 9 +Release: 12 AutoReqProv: on Summary: Documentation for PolicyKit BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -52,6 +52,7 @@ %endif Source: PolicyKit-%{version}.tar.bz2 Patch0: pedantic-headers.diff +Patch1: PolicyKit-0.9-pidconstraint.diff %description PolicyKit is a toolkit for defining and handling authorizations. It is @@ -90,6 +91,7 @@ %prep %setup -q -n PolicyKit-%{version} %patch0 +%patch1 -p1 %build %configure \ 
@@ -186,25 +188,25 @@ %config(noreplace) %{_sysconfdir}/PolicyKit/PolicyKit.conf %config(noreplace) %{_sysconfdir}/pam.d/polkit %dir %{_prefix}/lib/PolicyKit -%verify(not mode) %attr(0755,root,polkituser) %{_prefix}/lib/PolicyKit/polkit-set-default-helper -%verify(not mode) %attr(0755,root,polkituser) %{_prefix}/lib/PolicyKit/polkit-read-auth-helper -%verify(not mode) %attr(0755,root,polkituser) %{_prefix}/lib/PolicyKit/polkit-revoke-helper -%verify(not mode) %attr(0755,root,polkituser) %{_prefix}/lib/PolicyKit/polkit-explicit-grant-helper -%verify(not mode) %attr(0755,root,polkituser) %{_prefix}/lib/PolicyKit/polkit-grant-helper -%verify(not mode) %attr(0755,root,polkituser) %{_prefix}/lib/PolicyKit/polkit-grant-helper-pam +%verify(not mode) %attr(4755,polkituser,root) %{_prefix}/lib/PolicyKit/polkit-set-default-helper +%verify(not mode) %attr(2755,root,polkituser) %{_prefix}/lib/PolicyKit/polkit-read-auth-helper +%verify(not mode) %attr(2755,root,polkituser) %{_prefix}/lib/PolicyKit/polkit-revoke-helper +%verify(not mode) %attr(2755,root,polkituser) %{_prefix}/lib/PolicyKit/polkit-explicit-grant-helper +%verify(not mode) %attr(2755,root,polkituser) %{_prefix}/lib/PolicyKit/polkit-grant-helper +%verify(not mode) %attr(4750,root,polkituser) %{_prefix}/lib/PolicyKit/polkit-grant-helper-pam %verify(not mode) %attr(0755,root,polkituser) %{_prefix}/lib/PolicyKit/polkit-resolve-exe-helper %attr(0770,polkituser,polkituser) %dir %{_localstatedir}/run/PolicyKit %attr(0770,polkituser,polkituser) %dir %{_localstatedir}/lib/PolicyKit %attr(0775,polkituser,polkituser) %dir %{_localstatedir}/lib/PolicyKit-public -%attr(0775,polkituser,polkituser) %{_localstatedir}/lib/misc/PolicyKit.reload +%attr(0664,polkituser,polkituser) %{_localstatedir}/lib/misc/PolicyKit.reload %dir %{_datadir}/PolicyKit %dir %{_datadir}/PolicyKit/policy %{_datadir}/PolicyKit/policy/org.freedesktop.policykit.policy %{_datadir}/PolicyKit/config.dtd 
%{_datadir}/dbus-1/system-services/org.freedesktop.PolicyKit.service -%{_sysconfdir}/dbus-1/system.d/org.freedesktop.PolicyKit.conf +%config %{_sysconfdir}/dbus-1/system.d/org.freedesktop.PolicyKit.conf %{_prefix}/lib/PolicyKit/polkitd -%{_sysconfdir}/profile.d/polkit-bash-completion.sh +%attr(644,root,root) %{_sysconfdir}/profile.d/polkit-bash-completion.sh %files -n PolicyKit-devel %defattr(-,root,root) @@ -215,6 +217,9 @@ %endif %changelog +* Thu Oct 02 2008 lnussel@suse.de +- don't set exe constraints if the resolve-exe-helper isn't setuid root +- fix permissions to match new setting in level 'secure' * Wed Sep 10 2008 lnussel@suse.de - conditional SELinux support to allow build on older distros * Fri Aug 29 2008 jpr@suse.de ++++++ PolicyKit.spec ++++++ --- /var/tmp/diff_new_pack.f23541/_old 2008-10-06 19:07:15.000000000 +0200 +++ /var/tmp/diff_new_pack.f23541/_new 2008-10-06 19:07:15.000000000 +0200 @@ -36,11 +36,11 @@ %if !%build_doc PreReq: permissions /usr/sbin/groupadd /usr/sbin/useradd %endif -Url: http://www.freedesktop.org/wiki/Software/hal +Url: http://www.freedesktop.org/wiki/Software/PolicyKit License: X11/MIT Group: System/Libraries Version: 0.9 -Release: 8 +Release: 11 AutoReqProv: on Summary: Authorization Toolkit BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -52,6 +52,7 @@ %endif Source: PolicyKit-%{version}.tar.bz2 Patch0: pedantic-headers.diff +Patch1: PolicyKit-0.9-pidconstraint.diff %description PolicyKit is a toolkit for defining and handling authorizations. It is @@ -90,6 +91,7 @@ %prep %setup -q -n PolicyKit-%{version} %patch0 +%patch1 -p1 %build %configure \ 
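Review bot: polkit-resolve-exe-helper stays at `%attr(0755,root,polkituser)` in the `%files` hunk at -186 while every other helper gains a setuid or setgid bit, and nothing in the spec says this is deliberate. With the pidconstraint patch added in this same commit, a resolve helper that is not setuid root means exe constraints are never added, so the packaged mode decides that behaviour. A comment above the line, such as `# not setuid by default: exe constraints stay off unless this helper is made setuid root`, would record that, assuming it is the intent. Because these entries carry `%verify(not mode)`, `rpm -V` will not report mode drift on the setuid/setgid helpers, so it is also worth noting which permissions level the listed modes are meant to mirror. The same hunk appears again in PolicyKit.spec.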
@@ -186,25 +188,25 @@ %config(noreplace) %{_sysconfdir}/PolicyKit/PolicyKit.conf %config(noreplace) %{_sysconfdir}/pam.d/polkit %dir %{_prefix}/lib/PolicyKit -%verify(not mode) %attr(0755,root,polkituser) %{_prefix}/lib/PolicyKit/polkit-set-default-helper -%verify(not mode) %attr(0755,root,polkituser) %{_prefix}/lib/PolicyKit/polkit-read-auth-helper -%verify(not mode) %attr(0755,root,polkituser) %{_prefix}/lib/PolicyKit/polkit-revoke-helper -%verify(not mode) %attr(0755,root,polkituser) %{_prefix}/lib/PolicyKit/polkit-explicit-grant-helper -%verify(not mode) %attr(0755,root,polkituser) %{_prefix}/lib/PolicyKit/polkit-grant-helper -%verify(not mode) %attr(0755,root,polkituser) %{_prefix}/lib/PolicyKit/polkit-grant-helper-pam +%verify(not mode) %attr(4755,polkituser,root) %{_prefix}/lib/PolicyKit/polkit-set-default-helper +%verify(not mode) %attr(2755,root,polkituser) %{_prefix}/lib/PolicyKit/polkit-read-auth-helper +%verify(not mode) %attr(2755,root,polkituser) %{_prefix}/lib/PolicyKit/polkit-revoke-helper +%verify(not mode) %attr(2755,root,polkituser) %{_prefix}/lib/PolicyKit/polkit-explicit-grant-helper +%verify(not mode) %attr(2755,root,polkituser) %{_prefix}/lib/PolicyKit/polkit-grant-helper +%verify(not mode) %attr(4750,root,polkituser) %{_prefix}/lib/PolicyKit/polkit-grant-helper-pam %verify(not mode) %attr(0755,root,polkituser) %{_prefix}/lib/PolicyKit/polkit-resolve-exe-helper %attr(0770,polkituser,polkituser) %dir %{_localstatedir}/run/PolicyKit %attr(0770,polkituser,polkituser) %dir %{_localstatedir}/lib/PolicyKit %attr(0775,polkituser,polkituser) %dir %{_localstatedir}/lib/PolicyKit-public -%attr(0775,polkituser,polkituser) %{_localstatedir}/lib/misc/PolicyKit.reload +%attr(0664,polkituser,polkituser) %{_localstatedir}/lib/misc/PolicyKit.reload %dir %{_datadir}/PolicyKit %dir %{_datadir}/PolicyKit/policy %{_datadir}/PolicyKit/policy/org.freedesktop.policykit.policy %{_datadir}/PolicyKit/config.dtd 
%{_datadir}/dbus-1/system-services/org.freedesktop.PolicyKit.service -%{_sysconfdir}/dbus-1/system.d/org.freedesktop.PolicyKit.conf +%config %{_sysconfdir}/dbus-1/system.d/org.freedesktop.PolicyKit.conf %{_prefix}/lib/PolicyKit/polkitd -%{_sysconfdir}/profile.d/polkit-bash-completion.sh +%attr(644,root,root) %{_sysconfdir}/profile.d/polkit-bash-completion.sh %files -n PolicyKit-devel %defattr(-,root,root) @@ -215,6 +217,9 @@ %endif %changelog +* Thu Oct 02 2008 lnussel@suse.de +- don't set exe constraints if the resolve-exe-helper isn't setuid root +- fix permissions to match new setting in level 'secure' * Wed Sep 10 2008 lnussel@suse.de - conditional SELinux support to allow build on older distros * Fri Aug 29 2008 jpr@suse.de ++++++ PolicyKit-0.9-pidconstraint.diff ++++++ Don't resolve pid->exe unless the exe resolve helper is setuid root. Otherwise pid constraints might get added to obtained privileges although unprivileged programs can't ever verify them. Index: PolicyKit-0.9/src/polkit/polkit-authorization-constraint.c =================================================================== --- PolicyKit-0.9.orig/src/polkit/polkit-authorization-constraint.c +++ PolicyKit-0.9/src/polkit/polkit-authorization-constraint.c @@ -545,6 +545,23 @@ out: return ret; } + +/* check whether binary is setuid root and executable for anyone */ +static polkit_bool_t +_check_setuid_root(const char* path) +{ + struct stat stb; + + if(stat(path, &stb) == 0 + && S_ISREG(stb.st_mode) + && (stb.st_mode & 04111) == 04111 + && stb.st_uid == 0) { + return TRUE; + } + + return FALSE; +} + /** * polkit_authorization_constraint_get_from_caller: * @caller: caller 
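Review bot: The mode test in `_check_setuid_root` uses the bare octal `04111`, which hides that it requires the setuid bit and all three execute bits together. Writing it as `(stb.st_mode & (S_ISUID | S_IXUSR | S_IXGRP | S_IXOTH)) == (S_ISUID | S_IXUSR | S_IXGRP | S_IXOTH)`, or naming the mask in a local constant, makes the intent reviewable. The hunk adds `struct stat` and `stat()` without adding an include, so `<sys/stat.h>` is presumably already pulled in elsewhere in the file, which is not visible here. The function comment could also state that a failed `stat()` returns FALSE just like a helper that is not setuid, and that a nosuid mount cannot be detected from the mode bits alone.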
@@ -621,7 +638,18 @@ polkit_authorization_constraint_get_from * * An example of this is pulseaudio... */ - n = polkit_sysdeps_get_exe_for_pid_with_helper (pid, path, sizeof (path)); + + /* HOWEVER don't set pid contraints if the exe helper isn't + * setuid root to ensure that unprivileged programs will + * actually be able to check such constraints later. + * XXX: should be a sysdeps function. Upstream disagrees with + * me about that feature anyways so let's live with the hack + */ + n = -1; + if(_check_setuid_root(PACKAGE_LIBEXEC_DIR "/polkit-resolve-exe-helper")) { + n = polkit_sysdeps_get_exe_for_pid_with_helper (pid, path, sizeof (path)); + } + if (n != -1 && n < (int) sizeof (path)) { PolKitAuthorizationConstraint *c; ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
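Review bot: When `_check_setuid_root` fails, `n` stays `-1` and the branch that builds the exe constraint is skipped without any trace, so the resulting authorization appears not to be bound to the calling executable. That trade-off should be stated in the new comment, for example `/* helper not setuid root: no exe constraint is added, the authorization is not bound to the calling executable */`, and a debug message at that point would let an administrator see why constraints are missing. The checked path `PACKAGE_LIBEXEC_DIR "/polkit-resolve-exe-helper"` must be the same file that `polkit_sysdeps_get_exe_for_pid_with_helper` runs, which cannot be confirmed from this hunk. The added comment also misspells "constraints" as "contraints". The enclosing function starts and ends outside the hunk.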
root@Hilbert.suse.de