diff options
Diffstat (limited to 'community/libvirt/0003-Add-support-for-using-3-arg-pkcheck-syntax-for-proce.patch')
| -rw-r--r-- | community/libvirt/0003-Add-support-for-using-3-arg-pkcheck-syntax-for-proce.patch | 159 |
1 files changed, 159 insertions, 0 deletions
diff --git a/community/libvirt/0003-Add-support-for-using-3-arg-pkcheck-syntax-for-proce.patch b/community/libvirt/0003-Add-support-for-using-3-arg-pkcheck-syntax-for-proce.patch new file mode 100644 index 000000000..8882f1227 --- /dev/null +++ b/community/libvirt/0003-Add-support-for-using-3-arg-pkcheck-syntax-for-proce.patch @@ -0,0 +1,159 @@ +From 4a061ec8fe94857dd21acf401c66195ec51b1234 Mon Sep 17 00:00:00 2001
+From: "Daniel P. Berrange" <berrange@redhat.com>
+Date: Wed, 28 Aug 2013 15:25:40 +0100
+Subject: [PATCH 3/3] Add support for using 3-arg pkcheck syntax for process
+
+With the existing pkcheck (pid, start time) tuple for identifying
+the process, there is a race condition, where a process can make
+a libvirt RPC call and in another thread exec a setuid application,
+causing it to change to effective UID 0. This in turn causes polkit
+to do its permission check based on the wrong UID.
+
+To address this, libvirt must get the UID the caller had at time
+of connect() (from SO_PEERCRED) and pass a (pid, start time, uid)
+triple to the pkcheck program.
+
+Signed-off-by: Colin Walters <walters@redhat.com>
+Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
+---
+ configure.ac | 8 ++++++++
+ daemon/remote.c | 21 +++++++++++++++++---
+ src/access/viraccessdriverpolkit.c | 40 +++++++++++++++++++++++++++++++++-----
+ 3 files changed, 61 insertions(+), 8 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 94a2e19..3dfbb4d 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -1184,6 +1184,14 @@ if test "x$with_polkit" = "xyes" || test "x$with_polkit" = "xcheck"; then
+ AC_PATH_PROG([PKCHECK_PATH],[pkcheck], [], [/usr/sbin:$PATH])
+ if test "x$PKCHECK_PATH" != "x" ; then
+ AC_DEFINE_UNQUOTED([PKCHECK_PATH],["$PKCHECK_PATH"],[Location of pkcheck program])
++ AC_MSG_CHECKING([whether pkcheck supports uid value])
++ pkcheck_supports_uid=$($PKG_CONFIG --variable pkcheck_supports_uid polkit-gobject-1)
++ if test "x$pkcheck_supports_uid" = "xtrue"; then
++ AC_MSG_RESULT([yes])
++ AC_DEFINE_UNQUOTED([PKCHECK_SUPPORTS_UID], 1, [Pass uid to pkcheck])
++ else
++ AC_MSG_RESULT([no])
++ fi
+ AC_DEFINE_UNQUOTED([WITH_POLKIT], 1,
+ [use PolicyKit for UNIX socket access checks])
+ AC_DEFINE_UNQUOTED([WITH_POLKIT1], 1,
+diff --git a/daemon/remote.c b/daemon/remote.c
+index 03d5557..6132091 100644
+--- a/daemon/remote.c
++++ b/daemon/remote.c
+@@ -2731,10 +2731,12 @@ remoteDispatchAuthPolkit(virNetServerPtr server ATTRIBUTE_UNUSED,
+ int status = -1;
+ char *ident = NULL;
+ bool authdismissed = 0;
++ bool supportsuid = 0;
+ char *pkout = NULL;
+ struct daemonClientPrivate *priv =
+ virNetServerClientGetPrivateData(client);
+ virCommandPtr cmd = NULL;
++ static bool polkitInsecureWarned = false;
+
+ virMutexLock(&priv->lock);
+ action = virNetServerClientGetReadonly(client) ?
+@@ -2756,14 +2758,27 @@ remoteDispatchAuthPolkit(virNetServerPtr server ATTRIBUTE_UNUSED,
+ goto authfail;
+ }
+
++ if (timestamp == 0) {
++ VIR_WARN("Failing polkit auth due to missing client (pid=%lld) start time",
++ (long long)callerPid);
++ goto authfail;
++ }
++
+ VIR_INFO("Checking PID %lld running as %d",
+ (long long) callerPid, callerUid);
+
+ virCommandAddArg(cmd, "--process");
+- if (timestamp != 0) {
+- virCommandAddArgFormat(cmd, "%lld,%llu", (long long) callerPid, timestamp);
++# ifdef PKCHECK_SUPPORTS_UID
++ supportsuid = 1;
++# endif
++ if (supportsuid) {
++ virCommandAddArgFormat(cmd, "%lld,%llu,%lu", (long long) callerPid, timestamp, (unsigned long) callerUid);
+ } else {
+- virCommandAddArgFormat(cmd, "%lld", (long long) callerPid);
++ if (!polkitInsecureWarned) {
++ VIR_WARN("No support for caller UID with pkcheck. This deployment is known to be insecure.");
++ polkitInsecureWarned = true;
++ }
++ virCommandAddArgFormat(cmd, "%lld,%llu", (long long) callerPid, timestamp);
+ }
+ virCommandAddArg(cmd, "--allow-user-interaction");
+
+diff --git a/src/access/viraccessdriverpolkit.c b/src/access/viraccessdriverpolkit.c
+index 4c76e64..d980820 100644
+--- a/src/access/viraccessdriverpolkit.c
++++ b/src/access/viraccessdriverpolkit.c
+@@ -72,8 +72,12 @@ static char *
+ virAccessDriverPolkitFormatProcess(const char *actionid)
+ {
+ virIdentityPtr identity = virIdentityGetCurrent();
+- const char *process = NULL;
++ const char *callerPid = NULL;
++ const char *callerTime = NULL;
++ const char *callerUid = NULL;
+ char *ret = NULL;
++ bool supportsuid = 0;
++ static bool polkitInsecureWarned = false;
+
+ if (!identity) {
+ virAccessError(VIR_ERR_ACCESS_DENIED,
+@@ -81,17 +85,43 @@ virAccessDriverPolkitFormatProcess(const char *actionid)
+ actionid);
+ return NULL;
+ }
+- if (virIdentityGetAttr(identity, VIR_IDENTITY_ATTR_UNIX_PROCESS_ID, &process) < 0)
++ if (virIdentityGetAttr(identity, VIR_IDENTITY_ATTR_UNIX_PROCESS_ID, &callerPid) < 0)
++ goto cleanup;
++ if (virIdentityGetAttr(identity, VIR_IDENTITY_ATTR_UNIX_PROCESS_TIME, &callerTime) < 0)
++ goto cleanup;
++ if (virIdentityGetAttr(identity, VIR_IDENTITY_ATTR_UNIX_USER_ID, &callerUid) < 0)
+ goto cleanup;
+
+- if (!process) {
++ if (!callerPid) {
+ virAccessError(VIR_ERR_INTERNAL_ERROR, "%s",
+ _("No UNIX process ID available"));
+ goto cleanup;
+ }
+-
+- if (VIR_STRDUP(ret, process) < 0)
++ if (!callerTime) {
++ virAccessError(VIR_ERR_INTERNAL_ERROR, "%s",
++ _("No UNIX process start time available"));
++ goto cleanup;
++ }
++ if (!callerUid) {
++ virAccessError(VIR_ERR_INTERNAL_ERROR, "%s",
++ _("No UNIX caller UID available"));
+ goto cleanup;
++ }
++
++#ifdef PKCHECK_SUPPORTS_UID
++ supportsuid = 1;
++#endif
++ if (supportsuid) {
++ if (virAsprintf(&ret, "%s,%s,%s", callerPid, callerTime, callerUid) < 0)
++ goto cleanup;
++ } else {
++ if (!polkitInsecureWarned) {
++ VIR_WARN("No support for caller UID with pkcheck. This deployment is known to be insecure.");
++ polkitInsecureWarned = true;
++ }
++ if (virAsprintf(&ret, "%s,%s", callerPid, callerTime) < 0)
++ goto cleanup;
++ }
+
+ cleanup:
+ virObjectUnref(identity);
+--
+1.8.3.1
+
|