[Pkg-utopia-maintainers] Bug#482064: Bug#482064: policykit: some files have different permissions from those recommended by upstream

Michael Biebl biebl at debian.org
Tue May 20 23:00:35 UTC 2008


tags 482064 -patch
thanks

James Westby wrote:
> Package: policykit
> Severity: normal
> Version: 0.8-1
> Tags: patch
> User: ubuntu-devel at lists.ubuntu.com
> Usertags: origin-ubuntu intrepid ubuntu-patch
> 
> Hi,
> 
> In the 0.8 release of policykit the text at the end of the ./configure
> output saying that certain files should have certain permissions has
> changed, but the postinst wasn't changed to match. I haven't tested
> whether this has any effect on the functionality, but
> presumably the requirements are there for a reason.
> 
> I am attaching the Ubuntu diff that changes it to match what is in 
> Fedora, as that is slightly more precise than the ./configure text,
> and was done by upstream himself.
> 
> However the patch does include a change that the fix from bug 452198
> makes unneeded. If you don't want the patch in 452198, or at least
> don't want to apply them both at the same time then I would be happy
> to update the patch to not include that part.

Hi James,

thanks for filing this bug report. As it happens, I already noticed that 
issue myself and have discussed that extensively with upstream.
There is currently a discrepancy between the configure output, the 
actual rules in the makefiles and how the rpm installs it.
Your proposed patch is not quite correct (you will see that if you read 
the following discussion), so I'm removing the "patch" tag.
I already have a correct fix ready and will provide updated packages soon.

FWIW here is an excerpt of the discussion I had with David Zeuthen:

> On Wed, 2008-04-23 at 01:02 +0200, Michael Biebl wrote:
>> > Hi David,
>> > 
>> > as I'm generally a bit paranoid regarding suid/sgid binaries, and as I 
>> > noticed some discrepancies between the ./configure message, the 
>> > installed files and the permissions as installed by the fedora package, 
>> > I'd like to ask you for clarification.
> 
> First of all, I'm glad someone is reviewing this (the SUSE and RH
> security teams have been reviewing it as well). So thanks for taking the
> time to look through it. 
> 
> One thing I want to do is to include a section in the docs detailing how
> the 'default' backend works including security notes. Is that something
> you would like to help with based on my explanations below?
> 
>> > (this is policykit 0.8)
>> > 
>> > ./configure says (condensed)
>> > 
>> > 1.1  770  root       polkituser /var/run/PolicyKit
>> > 1.2  770  root       polkituser /var/lib/PolicyKit
>> > 1.3  755  polkituser root       /var/run/PolicyKit-public
>> > 1.4  775  polkituser polkituser /var/lib/misc/PolicyKit.reload
>> > 1.5  4755 polkituser root       /libexec/polkit-set-default-helper
>> > 1.6  2755 root       polkituser /libexec/polkit-read-auth-helper
>> > 1.7  2755 root       polkituser /libexec/polkit-revoke-helper
>> > 1.8  2755 root       polkituser /libexec/polkit-grant-helper
>> > 1.9  2755 root       polkituser /libexec/polkit-explicit-grant-helper
>> > 1.10 4754 root       polkituser /libexec/polkit-grant-helper-pam
>> > 1.11 4755 root       root       /libexec/polkit-resolve-exe-helper
>> > 
>> > make install creates
>> > 
>> > 2.1  770  root       polkituser /var/run/PolicyKit
>> > 2.2  770  root       polkituser /var/lib/PolicyKit
>> > 2.3  755  polkituser root       /var/lib/PolicyKit-public
>> > 2.4  775  polkituser polkituser /var/lib/misc/PolicyKit.reload
>> > 2.5  4755 polkituser root       /libexec/polkit-set-default-helper
>> > 2.6  2755 root       polkituser /libexec/polkit-read-auth-helper
>> > 2.7  2755 root       polkituser /libexec/polkit-revoke-helper
>> > 2.8  2755 root       polkituser /libexec/polkit-grant-helper
>> > 2.9  2755 root       polkituser /libexec/polkit-explicit-grant-helper
>> > 2.10 4754 root       polkituser /libexec/polkit-grant-helper-pam
>> > 2.11 4755 root       root       /libexec/polkit-resolve-exe-helper
>> > 
>> > fedora rpm has
>> > 
>> > 3.1  770  polkituser polkituser /var/run/PolicyKit
>> > 3.2  770  polkituser polkituser /var/lib/PolicyKit
>> > 3.3  755  polkituser polkituser /var/lib/PolicyKit-public
>> > 3.4  775  polkituser polkituser /var/lib/misc/PolicyKit.reload
>> > 3.5  4755 polkituser root       /libexec/polkit-set-default-helper
>> > 3.6  2755 root       polkituser /libexec/polkit-read-auth-helper
>> > 3.7  2755 root       polkituser /libexec/polkit-revoke-helper
>> > 3.8  2755 root       polkituser /libexec/polkit-grant-helper
>> > 3.9  2755 root       polkituser /libexec/polkit-explicit-grant-helper
>> > 3.10 4754 root       polkituser /libexec/polkit-grant-helper-pam
>> > 3.11 4755 root       root       /libexec/polkit-resolve-exe-helper
>> > 
>> > 1.) 1.3 has /var/run/PolicyKit-public, in 2.3, 3.3 it is in /var/lib
> 
> That's a bug in 1.3; need to fix the configure output.
> 
>> > 2.) fedora has a different owner for 3.1, 3.2 resp group for 3.3
> 
> That's a bug in the fedora rpm. I'll fix that.
> 
>> > 3.) It's not clear to me, why we need a user *and* group polkituser.
> 
> See below.
> 
>> > And why 1.5, 1.10 and 1.11 have somewhat strange suid/sgid bits and 
>> > owners. Could you elaborate in detail for each binary why those 
>> > different ownerships and suid/sgid bits are necessary?
> 
> Right, I'll go through them one by one based on the output of make
> install.
> 
> 2.1  770  root       polkituser /var/run/PolicyKit
> 2.2  770  root       polkituser /var/lib/PolicyKit
> 
> We store authorizations for each user here. Since we don't want user A
> to know what authorizations other users have no one can read these
> files. However, when checking authorizations we need to be able to read
> from here; we use this helper
> 
> 2.6  2755 root       polkituser /libexec/polkit-read-auth-helper
> 
> which can read from here since it's setgid polkituser. This helper will
> refuse to return authorizations for other users than the calling user
> except if the calling user is authorized for org.fd.pk.read.
> 
> We also want to be able to grant authorizations through authentication.
> That happens with this helper
> 
> 2.8  2755 root       polkituser /libexec/polkit-grant-helper
> 
> This program is setgid 'polkituser' so it can write files
> in /var/{run,lib}/PolicyKit. Note that these files are created with mode
> 464. 
> 
> To do the actual authentication check, polkit-grant-helper uses another
> helper
>  
> 2.10 4754 root       polkituser /libexec/polkit-grant-helper-pam
> 
> This one is setuid root because checking authentications might
> require that (you may be checking the root password). The reason 2.10
> is owned by group 'polkituser' is to ensure that random users can't
> execute it; only setgid polkituser programs (e.g. 2.8) can. That adds a
> little extra security but strictly it's not necessary.
> 
> On to
> 
> 2.7  2755 root       polkituser /libexec/polkit-revoke-helper
> 
> This one is used to revoke authorizations. It will only allow uid 0 and
> users with the org.fd.pk.revoke authorization to do so. It needs to be
> setgid polkituser to be able to modify authorization files
> in /var/{run,lib}/PolicyKit.
> 
> 2.9  2755 root       polkituser /libexec/polkit-explicit-grant-helper
> 
> Same story as for polkit-revoke-helper only this grants authorizations.
> Only allowed for uid 0 and users with the org.fd.pk.grant authorization.
> 
> 2.3  755  polkituser root       /var/lib/PolicyKit-public
> 
> This is where we store modifications to the defaults. Anyone should be
> able to read these files. They are created with mode 644. These files
> are written / modified by this helper
> 
> 2.5  4755 polkituser root       /libexec/polkit-set-default-helper
> 
> which is setuid polkituser to be able to write/modify files.
> 
> On to
> 
> 2.11 4755 root       root       /libexec/polkit-resolve-exe-helper
> 
> This is used to find the executable name for a process. On Linux this is
> the /proc/<pid>/exe symlink and you can only do this for processes you
> own. This helper finds the executable name for processes not owned by
> you but only if you have the org.fd.pk.read authorization. This is
> important to let e.g. user 'haldaemon' check authorizations for a user
> requesting service.
> 
> 2.4  775  polkituser polkituser /var/lib/misc/PolicyKit.reload
> 
> This file is used by libpolkit to detect when something has changed
> (authorizations granted/revoked, defaults changed etc.). It is writable
> by both user 'polkituser' and group 'polkituser' because we have helpers
> running with both euid 'polkituser' and egid 'polkituser'.
> 
> The permissions on this should be 664 instead.
> 
> Does all this make sense now?
> 
>      David


Cheers,
Michael


-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
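As an added defender's check (not code from this thread, from Debian's postinst or from PolicyKit itself), the Python below parses the "make install" table quoted above, with entry 2.4 at the 664 mode David says PolicyKit.reload should have, and reports every installed file whose mode or ownership deviates from it. The /libexec paths are kept exactly as abbreviated in the thread and stand in for the real libexecdir; the lookup function is pluggable so the audit can also be exercised against constructed stat results.

```python
import grp
import os
import pwd
import stat

# Expected table, copied from the "make install" list in the thread; entry 2.4
# uses the 664 mode David says PolicyKit.reload should have instead of 775.
EXPECTED_TABLE = """\
770  root       polkituser /var/run/PolicyKit
770  root       polkituser /var/lib/PolicyKit
755  polkituser root       /var/lib/PolicyKit-public
664  polkituser polkituser /var/lib/misc/PolicyKit.reload
4755 polkituser root       /libexec/polkit-set-default-helper
2755 root       polkituser /libexec/polkit-read-auth-helper
2755 root       polkituser /libexec/polkit-revoke-helper
2755 root       polkituser /libexec/polkit-grant-helper
2755 root       polkituser /libexec/polkit-explicit-grant-helper
4754 root       polkituser /libexec/polkit-grant-helper-pam
4755 root       root       /libexec/polkit-resolve-exe-helper
"""

def parse_table(text):
    """Return {path: (mode, owner, group)}; mode is parsed as octal (4755 -> 0o4755)."""
    table = {}
    for line in text.splitlines():
        if line.strip():
            mode, owner, group, path = line.split()
            table[path] = (int(mode, 8), owner, group)
    return table

def stat_entry(path):
    """Real lookup: permission bits including suid/sgid, plus owner and group names."""
    st = os.stat(path)
    return (stat.S_IMODE(st.st_mode),
            pwd.getpwuid(st.st_uid).pw_name, grp.getgrgid(st.st_gid).gr_name)

def audit(expected, lookup=stat_entry):
    """Compare every expected entry with lookup(path); return (path, finding) pairs."""
    findings = []
    for path, (mode, owner, group) in sorted(expected.items()):
        try:
            act_mode, act_owner, act_group = lookup(path)
        except (OSError, KeyError):  # file absent, or uid/gid without a name
            findings.append((path, "missing"))
            continue
        if act_mode != mode:
            findings.append((path, "mode %04o, expected %04o" % (act_mode, mode)))
        if (act_owner, act_group) != (owner, group):
            findings.append((path, "owner %s:%s, expected %s:%s" % (act_owner, act_group, owner, group)))
    return findings
```

On the installed system, `audit(parse_table(EXPECTED_TABLE))` returns the list of deviations; an empty list means the files match the table.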
