On 15.08.2014 18:56, Lennart Poettering wrote: > On Fri, 15.08.14 18:25, Stef Walter (st...@redhat.com) wrote: > >> >> On 13.08.2014 20:27, Lennart Poettering wrote: >>> On Wed, 06.08.14 13:23, Stef Walter (st...@redhat.com) wrote: >>> >>>> I've done initial work on adding polkit support to systemd1 DBus >>>> methods. You can see it here: >> >> Thanks for the review. Worked on this a bit more. >> >> I might drop off the face of the earth for a couple weeks. In case I do, >> I thought I'd update my public branch. But if I'm around, I'll test and >> prepare a patch set early next week. >> >>>> https://github.com/stefwalter/systemd/commits/polkit-systemd1 > > Hmm, yuck. There's a security issue here... Reading the capabilities > from the sender on dbus1 is racy, since we have to read it from > /proc/$PID/stat and don't get it sent along with the message, like we do > on kdbus. A rogue client could send a message, quickly invoke some suid > binary, and we'd consider the client trusted. > > Now for the low-level implementation of the vtable bit we are actually > smart, and check by UID on dbus1, and by cap on kdbus, in order to avoid > the vulnerability. > > Hmm, now I wonder how to best handle this for cases like this, we > probably need some generic way how clients can make this decision in an > always safe way... > > I need to think more about this...
By the way, there's some similar problematic code in the modified KillUnit() method implementation ... changed from specifying the CAP_KILL in the vtable, and now it does a manual check. > Patch set looks great otherwise. I'll come up with something for the > security issue, then adapt your patch, and merge it. I haven't tested the updated branch at all :) So it may go boom... Stef _______________________________________________ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel