| author | Luca Boccassi <bluca@debian.org> | 2023-12-21 19:06:46 +0100 |
|---|---|---|
| committer | Luca Boccassi <bluca@debian.org> | 2023-12-21 19:11:24 +0100 |
| commit | 9295e289cdb1b6cf2747ecf07054230e15edb385 | |
| tree | 8613e5635bde57a3a8cac551d9e8819a809fb1bc /docs | |
| parent | 374a628038474a45fab47dc7dfc3c3473332cd87 | |
Enforce that calling CheckAuthorization() with pidfd also is passed a uid
When unix-process is used and a uid is not passed, it will be derived from
the running process. But this is racy, as the identity can change over
time (e.g.: setuid binaries can be exec'ed). If the caller can securely
fetch the pidfd of a process (e.g.: via SO_PEERPIDFD), then it can also
securely fetch the uid (e.g.: via SO_PEERCRED), so enforce that they are
passed together to avoid possible races, in case a polkit rule performs
authorization based on the uid.
Follow-up for 374a628038474a45f
Diffstat (limited to 'docs')

| -rw-r--r-- | docs/polkit/docbook-interface-org.freedesktop.PolicyKit1.Authority.xml | 2 |
|---|---|---|

1 files changed, 1 insertions, 1 deletions
diff --git a/docs/polkit/docbook-interface-org.freedesktop.PolicyKit1.Authority.xml b/docs/polkit/docbook-interface-org.freedesktop.PolicyKit1.Authority.xml index b5cc195..2dd01a0 100644 --- a/docs/polkit/docbook-interface-org.freedesktop.PolicyKit1.Authority.xml +++ b/docs/polkit/docbook-interface-org.freedesktop.PolicyKit1.Authority.xml 
@@ -275,7 +275,7 @@ The authority supports temporary authorizations that can be obtained through aut } </programlisting> <para> -<para>This struct describes subjects such as UNIX processes. It is typically used to check if a given process is authorized for an action.</para><para>The following kinds of subjects are known:</para> <formalpara><title>Unix Process</title><para><literal>subject_kind</literal> should be set to <literal>unix-process</literal> with key <literal>pidfd</literal> (of type <literal>int32</literal>) (if the operating system supports ProcessID File Descriptors), or alternatively with keys <literal>pid</literal> (of type <literal>uint32</literal>) and <literal>start-time</literal> (of type <literal>uint64</literal>).</para></formalpara> <formalpara><title>Unix Session</title><para><literal>subject_kind</literal> should be set to <literal>unix-session</literal> with the key <literal>session-id</literal> (of type <literal>string</literal>).</para></formalpara> <formalpara><title>System Bus Name</title><para><literal>subject_kind</literal> should be set to <literal>system-bus-name</literal> with the key <literal>name</literal> (of type <literal>string</literal>).</para></formalpara> +<para>This struct describes subjects such as UNIX processes. 
It is typically used to check if a given process is authorized for an action.</para><para>The following kinds of subjects are known:</para> <formalpara><title>Unix Process</title><para><literal>subject_kind</literal> should be set to <literal>unix-process</literal> with keys <literal>pidfd</literal> (of type <literal>int32</literal>) and <literal>uid</literal> (of type <literal>int32</literal>) (if the operating system supports ProcessID File Descriptors), or alternatively with keys <literal>pid</literal> (of type <literal>uint32</literal>), <literal>uid</literal> (of type <literal>int32</literal>) and <literal>start-time</literal> (of type <literal>uint64</literal>).</para></formalpara> <formalpara><title>Unix Session</title><para><literal>subject_kind</literal> should be set to <literal>unix-session</literal> with the key <literal>session-id</literal> (of type <literal>string</literal>).</para></formalpara> <formalpara><title>System Bus Name</title><para><literal>subject_kind</literal> should be set to <literal>system-bus-name</literal> with the key <literal>name</literal> (of type <literal>string</literal>).</para></formalpara> </para> <variablelist role="struct"> <varlistentry> |
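Review bot: In the Unix Process formalpara the new text lists `uid` beside `pidfd` and beside `pid`/`start-time` in exactly the same way, while the commit message says the uid is enforced only together with `pidfd`; state in the documentation which combinations CheckAuthorization() rejects and what happens when `uid` is absent in the `pid`/`start-time` case (derived from the running process, with the identity race the message describes), so a caller reading only this interface description knows the contract. It would also help to add one sentence saying the `uid` must be obtained securely for the same process as the `pidfd` (the message names SO_PEERCRED next to SO_PEERPIDFD), since a polkit rule that authorizes on uid will act on whatever value the caller supplies. Two smaller points: both the removed and the added line leave the `<para>This struct ...</para>` run nested inside an outer `<para>`, which is not valid DocBook nesting and could be fixed while this text is being touched; and if this docbook file is generated from the D-Bus interface XML, the same wording change needs to land in that source or the next regeneration will overwrite it.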