mirror of
https://gitlab.com/libvirt/libvirt.git
synced 2024-12-22 21:55:25 +00:00
Add support for using 3-arg pkcheck syntax for process (CVE-2013-4311)
With the existing pkcheck (pid, start time) tuple for identifying
the process, there is a race condition, where a process can make
a libvirt RPC call and in another thread exec a setuid application,
causing it to change to effective UID 0. This in turn causes polkit
to do its permission check based on the wrong UID.
To address this, libvirt must get the UID the caller had at time
of connect() (from SO_PEERCRED) and pass a (pid, start time, uid)
triple to the pkcheck program.
Signed-off-by: Colin Walters <walters@redhat.com>
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
(cherry picked from commit 922b7fda77
)
Conflicts:
src/access/viraccessdriverpolkit.c
Resolution:
Dropped file that does not exist in this branch.
This commit is contained in:
parent
65f7c07c9f
commit
a01514b25d
@ -1118,6 +1118,14 @@ if test "x$with_polkit" = "xyes" || test "x$with_polkit" = "xcheck"; then
|
|||||||
AC_PATH_PROG([PKCHECK_PATH],[pkcheck], [], [/usr/sbin:$PATH])
|
AC_PATH_PROG([PKCHECK_PATH],[pkcheck], [], [/usr/sbin:$PATH])
|
||||||
if test "x$PKCHECK_PATH" != "x" ; then
|
if test "x$PKCHECK_PATH" != "x" ; then
|
||||||
AC_DEFINE_UNQUOTED([PKCHECK_PATH],["$PKCHECK_PATH"],[Location of pkcheck program])
|
AC_DEFINE_UNQUOTED([PKCHECK_PATH],["$PKCHECK_PATH"],[Location of pkcheck program])
|
||||||
|
AC_MSG_CHECKING([whether pkcheck supports uid value])
|
||||||
|
pkcheck_supports_uid=`$PKG_CONFIG --variable pkcheck_supports_uid polkit-gobject-1`
|
||||||
|
if test "x$pkcheck_supports_uid" = "xtrue"; then
|
||||||
|
AC_MSG_RESULT([yes])
|
||||||
|
AC_DEFINE_UNQUOTED([PKCHECK_SUPPORTS_UID], 1, [Pass uid to pkcheck])
|
||||||
|
else
|
||||||
|
AC_MSG_RESULT([no])
|
||||||
|
fi
|
||||||
AC_DEFINE_UNQUOTED([WITH_POLKIT], 1,
|
AC_DEFINE_UNQUOTED([WITH_POLKIT], 1,
|
||||||
[use PolicyKit for UNIX socket access checks])
|
[use PolicyKit for UNIX socket access checks])
|
||||||
AC_DEFINE_UNQUOTED([WITH_POLKIT1], 1,
|
AC_DEFINE_UNQUOTED([WITH_POLKIT1], 1,
|
||||||
|
@ -2811,10 +2811,12 @@ remoteDispatchAuthPolkit(virNetServerPtr server ATTRIBUTE_UNUSED,
|
|||||||
int status = -1;
|
int status = -1;
|
||||||
char *ident = NULL;
|
char *ident = NULL;
|
||||||
bool authdismissed = 0;
|
bool authdismissed = 0;
|
||||||
|
bool supportsuid = false;
|
||||||
char *pkout = NULL;
|
char *pkout = NULL;
|
||||||
struct daemonClientPrivate *priv =
|
struct daemonClientPrivate *priv =
|
||||||
virNetServerClientGetPrivateData(client);
|
virNetServerClientGetPrivateData(client);
|
||||||
virCommandPtr cmd = NULL;
|
virCommandPtr cmd = NULL;
|
||||||
|
static bool polkitInsecureWarned;
|
||||||
|
|
||||||
virMutexLock(&priv->lock);
|
virMutexLock(&priv->lock);
|
||||||
action = virNetServerClientGetReadonly(client) ?
|
action = virNetServerClientGetReadonly(client) ?
|
||||||
@ -2836,14 +2838,28 @@ remoteDispatchAuthPolkit(virNetServerPtr server ATTRIBUTE_UNUSED,
|
|||||||
goto authfail;
|
goto authfail;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (timestamp == 0) {
|
||||||
|
VIR_WARN("Failing polkit auth due to missing client (pid=%lld) start time",
|
||||||
|
(long long)callerPid);
|
||||||
|
goto authfail;
|
||||||
|
}
|
||||||
|
|
||||||
VIR_INFO("Checking PID %lld running as %d",
|
VIR_INFO("Checking PID %lld running as %d",
|
||||||
(long long) callerPid, callerUid);
|
(long long) callerPid, callerUid);
|
||||||
|
|
||||||
virCommandAddArg(cmd, "--process");
|
virCommandAddArg(cmd, "--process");
|
||||||
if (timestamp != 0) {
|
# ifdef PKCHECK_SUPPORTS_UID
|
||||||
virCommandAddArgFormat(cmd, "%lld,%llu", (long long) callerPid, timestamp);
|
supportsuid = true;
|
||||||
|
# endif
|
||||||
|
if (supportsuid) {
|
||||||
|
virCommandAddArgFormat(cmd, "%lld,%llu,%lu",
|
||||||
|
(long long) callerPid, timestamp, (unsigned long) callerUid);
|
||||||
} else {
|
} else {
|
||||||
virCommandAddArgFormat(cmd, "%lld", (long long) callerPid);
|
if (!polkitInsecureWarned) {
|
||||||
|
VIR_WARN("No support for caller UID with pkcheck. This deployment is known to be insecure.");
|
||||||
|
polkitInsecureWarned = true;
|
||||||
|
}
|
||||||
|
virCommandAddArgFormat(cmd, "%lld,%llu", (long long) callerPid, timestamp);
|
||||||
}
|
}
|
||||||
virCommandAddArg(cmd, "--allow-user-interaction");
|
virCommandAddArg(cmd, "--allow-user-interaction");
|
||||||
|
|
||||||
|
@ -470,8 +470,7 @@ BuildRequires: cyrus-sasl-devel
|
|||||||
%endif
|
%endif
|
||||||
%if %{with_polkit}
|
%if %{with_polkit}
|
||||||
%if 0%{?fedora} >= 12 || 0%{?rhel} >= 6
|
%if 0%{?fedora} >= 12 || 0%{?rhel} >= 6
|
||||||
# Only need the binary, not -devel
|
BuildRequires: polkit-devel >= 0.93
|
||||||
BuildRequires: polkit >= 0.93
|
|
||||||
%else
|
%else
|
||||||
BuildRequires: PolicyKit-devel >= 0.6
|
BuildRequires: PolicyKit-devel >= 0.6
|
||||||
%endif
|
%endif
|
||||||
|
Loading…
Reference in New Issue
Block a user