From 85ca41529db49a5e0ff633eaa891136218c03645 Mon Sep 17 00:00:00 2001 From: "Daniel P. Berrange" Date: Wed, 28 Aug 2013 15:25:40 +0100 Subject: [PATCH] Add support for using 3-arg pkcheck syntax for process (CVE-2013-4311) With the existing pkcheck (pid, start time) tuple for identifying the process, there is a race condition, where a process can make a libvirt RPC call and in another thread exec a setuid application, causing it to change to effective UID 0. This in turn causes polkit to do its permission check based on the wrong UID. To address this, libvirt must get the UID the caller had at time of connect() (from SO_PEERCRED) and pass a (pid, start time, uid) triple to the pkcheck program. Signed-off-by: Colin Walters Signed-off-by: Daniel P. Berrange (cherry picked from commit 922b7fda77b094dbf022d625238262ea05335666) Conflicts: src/access/viraccessdriverpolkit.c Resolution: Dropped file that does not exist in this branch. --- configure.ac | 8 ++++++++ daemon/remote.c | 22 +++++++++++++++++++--- libvirt.spec.in | 3 +-- 3 files changed, 28 insertions(+), 5 deletions(-) diff --git a/configure.ac b/configure.ac index a0590b8b1f..f59996a2b9 100644 --- a/configure.ac +++ b/configure.ac @@ -1122,6 +1122,14 @@ if test "x$with_polkit" = "xyes" || test "x$with_polkit" = "xcheck"; then AC_PATH_PROG([PKCHECK_PATH],[pkcheck], [], [/usr/sbin:$PATH]) if test "x$PKCHECK_PATH" != "x" ; then AC_DEFINE_UNQUOTED([PKCHECK_PATH],["$PKCHECK_PATH"],[Location of pkcheck program]) + AC_MSG_CHECKING([whether pkcheck supports uid value]) + pkcheck_supports_uid=`$PKG_CONFIG --variable pkcheck_supports_uid polkit-gobject-1` + if test "x$pkcheck_supports_uid" = "xtrue"; then + AC_MSG_RESULT([yes]) + AC_DEFINE_UNQUOTED([PKCHECK_SUPPORTS_UID], 1, [Pass uid to pkcheck]) + else + AC_MSG_RESULT([no]) + fi AC_DEFINE_UNQUOTED([WITH_POLKIT], 1, [use PolicyKit for UNIX socket access checks]) AC_DEFINE_UNQUOTED([WITH_POLKIT1], 1, diff --git a/daemon/remote.c b/daemon/remote.c index cf43f04640..29ec1f52f2 100644 --- a/daemon/remote.c +++ b/daemon/remote.c @@ -2809,10 +2809,12 @@ remoteDispatchAuthPolkit(virNetServerPtr server ATTRIBUTE_UNUSED, int status = -1; char *ident = NULL; bool authdismissed = 0; + bool supportsuid = false; char *pkout = NULL; struct daemonClientPrivate *priv = virNetServerClientGetPrivateData(client); virCommandPtr cmd = NULL; + static bool polkitInsecureWarned; virMutexLock(&priv->lock); action = virNetServerClientGetReadonly(client) ? @@ -2834,14 +2836,28 @@ remoteDispatchAuthPolkit(virNetServerPtr server ATTRIBUTE_UNUSED, goto authfail; } + if (timestamp == 0) { + VIR_WARN("Failing polkit auth due to missing client (pid=%lld) start time", + (long long)callerPid); + goto authfail; + } + VIR_INFO("Checking PID %lld running as %d", (long long) callerPid, callerUid); virCommandAddArg(cmd, "--process"); - if (timestamp != 0) { - virCommandAddArgFormat(cmd, "%lld,%llu", (long long) callerPid, timestamp); +# ifdef PKCHECK_SUPPORTS_UID + supportsuid = true; +# endif + if (supportsuid) { + virCommandAddArgFormat(cmd, "%lld,%llu,%lu", + (long long) callerPid, timestamp, (unsigned long) callerUid); } else { - virCommandAddArgFormat(cmd, "%lld", (long long) callerPid); + if (!polkitInsecureWarned) { + VIR_WARN("No support for caller UID with pkcheck. This deployment is known to be insecure."); + polkitInsecureWarned = true; + } + virCommandAddArgFormat(cmd, "%lld,%llu", (long long) callerPid, timestamp); } virCommandAddArg(cmd, "--allow-user-interaction"); diff --git a/libvirt.spec.in b/libvirt.spec.in index e76a430535..38c99afcb5 100644 --- a/libvirt.spec.in +++ b/libvirt.spec.in @@ -474,8 +474,7 @@ BuildRequires: cyrus-sasl-devel %endif %if %{with_polkit} %if 0%{?fedora} >= 12 || 0%{?rhel} >= 6 -# Only need the binary, not -devel -BuildRequires: polkit >= 0.93 +BuildRequires: polkit-devel >= 0.93 %else BuildRequires: PolicyKit-devel >= 0.6 %endif -- GitLab