Hello, I've been browsing the reference code and have a question about how the session cookies are maintained. It looks like the cookie generator can wrap and two identical cookies could exist simultaneously in the active sessions list.
    static gchar *
    authentication_agent_new_cookie (AuthenticationAgent *agent)
    {
      static gint counter = 0;

      return g_strdup_printf ("cookie%d", counter++);
    }

You can imagine how one client gets a cookie but just waits and doesn't arrange for AuthenticationAgentResponse to be called. It's my understanding that sessions never time out; they're just cleaned up when D-Bus indicates a client disconnects. Therefore another process can generate 2^32 authentication sessions and just disconnect immediately. The counter gets incremented but the cookies never get removed from the list, until eventually the counter wraps and a second cookie is minted.

My question is, what are the implications of that? Is it a security vulnerability? I guess the first matching cookie will be used when AuthenticationAgentResponse is called for the second cookie, so someone might see a different action displayed by the agent than they thought they were authenticating? Is that the worst possible outcome?

I also noticed a crash while implementing an agent, which would also allow the same cookie to be issued twice (cookie0 => crash => cookie0). I'll post the bug report in another mail, but does it make sense for the cookies to be larger (perhaps 64-bit, like D-Bus unique addresses) and include the pid:start-time of polkitd?

Thanks, Tavis.

_______________________________________________
polkit-devel mailing list
polkit-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/polkit-devel
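The scenario in the message above, as an added example that is not polkit's code and not part of the original post. It models the posted generator with a plain 32-bit counter, drives the counter to the wrap directly instead of minting 2^32 sessions, and shows that the cookie minted after the wrap resolves (first match wins) to the session a client left pending. Beside it is a hardened generator along the lines the message suggests: a per-process prefix built from the pid and start time plus a 64-bit counter, with a duplicate check on insert. The session list, the prefix construction (time(NULL) at init stands in for the real process start time), and every function name here are assumptions for illustration.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>

#define MAX_SESSIONS 8

/* One pending authentication session: its cookie and the action it covers.
 * Hypothetical structure, not polkitd's. */
typedef struct {
    char cookie[64];
    char action[64];
} session;

typedef struct {
    session items[MAX_SESSIONS];
    int n;
} session_list;

/* Mirror of the posted generator: one static 32-bit counter and nothing else.
 * Declared unsigned here so the wrap is defined behaviour in C (the posted
 * gint version overflows a signed int, which is undefined behaviour). */
static uint32_t weak_counter = 0;

static void weak_new_cookie(char *out, size_t len)
{
    snprintf(out, len, "cookie%" PRIu32, weak_counter++);
}

/* Hardened variant (assumed design): a per-process prefix from pid and start
 * time, as the message suggests, plus a 64-bit counter. A wrap of the low
 * 32 bits or a daemon restart therefore cannot reissue a live cookie. */
static uint64_t strong_prefix = 0;
static uint64_t strong_counter = 0;

static void strong_init(void)
{
    /* time(NULL) at init is a stand-in for the real process start time. */
    strong_prefix = ((uint64_t)getpid() << 32) ^ (uint64_t)time(NULL);
    strong_counter = 0;
}

static void strong_new_cookie(char *out, size_t len)
{
    snprintf(out, len, "cookie-%016" PRIx64 "-%" PRIu64,
             strong_prefix, strong_counter++);
}

/* Lookup as described in the message: the first matching cookie wins.
 * Returns that session's action, or NULL when no session matches. */
static const char *session_list_lookup(const session_list *l, const char *cookie)
{
    for (int i = 0; i < l->n; i++)
        if (strcmp(l->items[i].cookie, cookie) == 0)
            return l->items[i].action;
    return NULL;
}

/* Insert with the duplicate check a daemon should perform on every new cookie.
 * Returns 0 on success, -1 if the cookie is still live or the list is full. */
static int session_list_add(session_list *l, const char *cookie, const char *action)
{
    if (l->n >= MAX_SESSIONS || session_list_lookup(l, cookie) != NULL)
        return -1;
    snprintf(l->items[l->n].cookie, sizeof l->items[l->n].cookie, "%s", cookie);
    snprintf(l->items[l->n].action, sizeof l->items[l->n].action, "%s", action);
    l->n++;
    return 0;
}

/* The attack with the 32-bit generator: one client takes the first cookie and
 * never answers, then the counter is exhausted (set directly here instead of
 * minting 2^32 sessions). Returns 1 if the cookie minted after the wrap
 * resolves to the still-pending session, 0 otherwise. */
static int weak_wrap_collides(void)
{
    session_list l = { .n = 0 };
    char c[64];

    weak_counter = 0;
    weak_new_cookie(c, sizeof c);                          /* "cookie0" */
    session_list_add(&l, c, "org.example.first-action");   /* left pending */

    weak_counter = UINT32_MAX;                             /* counter exhausted */
    weak_new_cookie(c, sizeof c);                          /* "cookie4294967295", wraps to 0 */
    weak_new_cookie(c, sizeof c);                          /* "cookie0" minted again */

    /* A response carrying this cookie would be matched to the first session. */
    return session_list_lookup(&l, c) != NULL;
}

/* Same sequence with the hardened generator: the low-32-bit wrap is just
 * another counter value, so the new cookie matches nothing live. */
static int strong_wrap_collides(void)
{
    session_list l = { .n = 0 };
    char c[64];

    strong_init();
    strong_new_cookie(c, sizeof c);
    session_list_add(&l, c, "org.example.first-action");

    strong_counter = UINT32_MAX;
    strong_new_cookie(c, sizeof c);
    strong_new_cookie(c, sizeof c);
    return session_list_lookup(&l, c) != NULL;
}
```

The duplicate check in session_list_add is the cheap defensive measure even if the cookie format is widened: it turns a silent reissue into a refused session, which is the failure mode a daemon can safely log and report.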