Re: systemd-devel Digest, Vol 155, Issue 8

On Sa, 11.03.23 08:29, Lal, Arun (arun.lal@xxxxxxxxx) wrote:

> Hi Lennart Poettering,
>
> Can you give me some more clarity on why this cannot safely be
> implemented?

> Do you mean the use of polkit?

No. I mean authentication via linux process credentials cannot work in
userspace.

Let's say some service asks polkit to authenticate some client. Now
polkit wants to check if the client has the right caps. It could read
them from the client's /proc/$PID/status file, looking for the
"CapEff" field. But doing so would be a vulnerability because it is
asynchronous in nature.

Consider this attack: an unpriv client issues a request to the service
for some privileged operation, enqueuing a request for that into dbus,
and then immediately issues execve() on /usr/bin/sudo (which famously
is a suid program and thus will run with full capabilities). Now
the service gets the request, passes it on to polkit. Now polkit reads
the caps info from /proc/, and will now see sudo's caps, and not the
ones from the original unpriv process. And will allow the access, even
if it really shouldn't.

This would only be secure if the caps at the moment of the original
sending of the message were transferred along with it. But Linux
does not offer that functionality.

Hence, auth-by-caps in userspace via things like polkit cannot be
done. It's simply not safe.

Lennart

--
Lennart Poettering, Berlin
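The race Lennart describes, as an added example that is not systemd or polkit code: the helpers below do what a userspace broker would have to do (parse the CapEff field out of /proc/$PID/status), and demo_race() shows that whatever is read from /proc describes the process as it is at check time, not as it was when it sent the request. It assumes Linux with /proc mounted and /bin/sleep present. An unprivileged test cannot make a child gain capabilities, so the demo uses the Name: field, which execve() also rewrites, as an observable stand-in for CapEff; the sample status excerpts are constructed.

```python
"""Added example (not systemd or polkit code): why a userspace broker cannot
safely authenticate a client by reading CapEff from /proc/$PID/status.

Assumptions: Linux with /proc mounted; /bin/sleep exists for the race demo.
Unprivileged code cannot make a child gain capabilities, so demo_race() uses
the Name: field, which execve() also rewrites, as the stand-in for CapEff."""
import os
import socket
import time

# Capability bit numbers -> names, per include/uapi/linux/capability.h.
CAP_NAMES = dict(enumerate([
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]))
CAP_BITS = {name: bit for bit, name in CAP_NAMES.items()}

# Constructed /proc/$PID/status excerpts: an unprivileged process, and a
# setuid-root sudo holding the full capability set (bits 0..40).
STATUS_UNPRIV = "Name:\tpython3\nUid:\t1000\t1000\t1000\t1000\nCapEff:\t0000000000000000\n"
STATUS_SUDO = "Name:\tsudo\nUid:\t1000\t0\t0\t0\nCapEff:\t000001ffffffffff\n"


def parse_status(text):
    """Parse /proc/$PID/status text into a dict; Cap* values become ints."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        value = value.strip()
        fields[key] = int(value, 16) if key.startswith("Cap") else value
    return fields


def decode_caps(mask):
    """Names of the capabilities set in a CapEff-style bitmask."""
    return [CAP_NAMES.get(bit, f"CAP_{bit}")
            for bit in range(mask.bit_length()) if mask >> bit & 1]


def has_cap(mask, name):
    return bool(mask >> CAP_BITS[name] & 1)


def racy_authorize(pid, name):
    """VULNERABLE: CapEff is read when the request is processed, not when it
    was sent.  A client that execve()d a setuid binary in between is judged
    by that binary's capabilities."""
    with open(f"/proc/{pid}/status") as f:
        return has_cap(parse_status(f.read())["CapEff"], name)


def demo_race(timeout=3.0):
    """Client sends a request, then immediately execs /bin/sleep (stand-in
    for /usr/bin/sudo).  The 'service' then consults /proc, as polkit would.
    Returns (Name the client had when it sent, Name the service then saw)."""
    service, client = socket.socketpair()
    pid = os.fork()
    if pid == 0:  # client side
        service.close()
        with open("/proc/self/status") as f:
            me = parse_status(f.read())["Name"]
        client.sendall(me.encode())  # the sender's identity at send time
        try:
            os.execv("/bin/sleep", ["sleep", "10"])
        finally:
            os._exit(127)  # only reached if execv failed
    client.close()
    sent_as = service.recv(64).decode()  # request is in; now "authenticate"
    deadline = time.monotonic() + timeout
    while True:  # poll until the exec has landed or we give up
        with open(f"/proc/{pid}/status") as f:
            seen_as = parse_status(f.read())["Name"]
        if seen_as != sent_as or time.monotonic() > deadline:
            break
        time.sleep(0.01)
    os.kill(pid, 9)
    os.waitpid(pid, 0)
    return sent_as, seen_as


if __name__ == "__main__":
    sudo_caps = decode_caps(parse_status(STATUS_SUDO)["CapEff"])
    print(f"constructed sudo status carries {len(sudo_caps)} effective caps")
    sent_as, seen_as = demo_race()
    print(f"client sent its request as {sent_as!r}; /proc later showed {seen_as!r}")
    if seen_as != sent_as:
        print("the /proc read described the post-execve process, not the sender")
```

Run it as a script to see the race: the message arrives carrying the client's identity from send time, but by the time the service looks at /proc the PID is already running sleep. Swap Name for CapEff and sleep for a setuid binary and you have the polkit scenario. Note that SCM_CREDENTIALS, the kernel's mechanism for attaching sender credentials to a Unix-socket message, delivers only struct ucred (pid, uid, gid); no capability set travels with the message, which is the gap the mail points at.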
