Add support for using 3-arg pkcheck syntax for process (CVE-2013-4311)

With the existing pkcheck (pid, start time) tuple for identifying
the process, there is a race condition, where a process can make
a libvirt RPC call and in another thread exec a setuid application,
causing it to change to effective UID 0. This in turn causes polkit
to do its permission check based on the wrong UID.

To address this, libvirt must get the UID the caller had at time
of connect() (from SO_PEERCRED) and pass a (pid, start time, uid)
triple to the pkcheck program.

This fix requires that libvirt is re-built against a version of
polkit that has the fix for its CVE-2013-4288, so that libvirt
can see 'pkg-config --variable pkcheck_supports_uid polkit-gobject-1'

Signed-off-by: Colin Walters <walters@redhat.com>
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
(cherry picked from commit 922b7fda77b094dbf022d625238262ea05335666)
Signed-off-by: Eric Blake <eblake@redhat.com>
Conflicts:
	configure.ac - context
	libvirt.spec.in - context of indentation
	src/access/viraccessdriverpolkit.c - not present on this branch

diff --git a/configure.ac b/configure.ac
index fa9d5373ac046ce50de02f31f2b000894aeb83ef..73a335e05f9dcc7f8ac0abf31084835c58a051de 100644 (file)
--- a/configure.ac
+++ b/configure.ac
@@ -1160,6 +1160,14 @@ if test "x$with_polkit" = "xyes" || test "x$with_polkit" = "xcheck"; then
   AC_PATH_PROG([PKCHECK_PATH],[pkcheck], [], [/usr/sbin:$PATH])
   if test "x$PKCHECK_PATH" != "x" ; then
     AC_DEFINE_UNQUOTED([PKCHECK_PATH],["$PKCHECK_PATH"],[Location of pkcheck program])
+    AC_MSG_CHECKING([whether pkcheck supports uid value])
+    pkcheck_supports_uid=`$PKG_CONFIG --variable pkcheck_supports_uid polkit-gobject-1`
+    if test "x$pkcheck_supports_uid" = "xtrue"; then
+      AC_MSG_RESULT([yes])
+      AC_DEFINE_UNQUOTED([PKCHECK_SUPPORTS_UID], 1, [Pass uid to pkcheck])
+    else
+      AC_MSG_RESULT([no])
+    fi
     AC_DEFINE_UNQUOTED([HAVE_POLKIT], 1,
         [use PolicyKit for UNIX socket access checks])
     AC_DEFINE_UNQUOTED([HAVE_POLKIT1], 1,

diff --git a/daemon/remote.c b/daemon/remote.c
index c65e4e4a9433bcf3b036365e77235b71c7756669..2cdb0790fd417664bd95e370ef7d088820c16f27 100644 (file)
--- a/daemon/remote.c
+++ b/daemon/remote.c
@@ -2560,10 +2560,12 @@ remoteDispatchAuthPolkit(virNetServerPtr server ATTRIBUTE_UNUSED,
     int status = -1;
     char *ident = NULL;
     bool authdismissed = 0;
+    bool supportsuid = false;
     char *pkout = NULL;
     struct daemonClientPrivate *priv =
         virNetServerClientGetPrivateData(client);
     virCommandPtr cmd = NULL;
+    static bool polkitInsecureWarned;
 
     virMutexLock(&priv->lock);
     action = virNetServerClientGetReadonly(client) ?
@@ -2585,14 +2587,28 @@ remoteDispatchAuthPolkit(virNetServerPtr server ATTRIBUTE_UNUSED,
         goto authfail;
     }
 
+    if (timestamp == 0) {
+        VIR_WARN("Failing polkit auth due to missing client (pid=%lld) start time",
+                 (long long)callerPid);
+        goto authfail;
+    }
+
     VIR_INFO("Checking PID %lld running as %d",
              (long long) callerPid, callerUid);
 
     virCommandAddArg(cmd, "--process");
-    if (timestamp != 0) {
-        virCommandAddArgFormat(cmd, "%lld,%llu", (long long) callerPid, timestamp);
+# ifdef PKCHECK_SUPPORTS_UID
+    supportsuid = true;
+# endif
+    if (supportsuid) {
+        virCommandAddArgFormat(cmd, "%lld,%llu,%lu",
+                               (long long) callerPid, timestamp, (unsigned long) callerUid);
     } else {
-        virCommandAddArgFormat(cmd, "%lld", (long long) callerPid);
+        if (!polkitInsecureWarned) {
+            VIR_WARN("No support for caller UID with pkcheck. This deployment is known to be insecure.");
+            polkitInsecureWarned = true;
+        }
+        virCommandAddArgFormat(cmd, "%lld,%llu", (long long) callerPid, timestamp);
     }
     virCommandAddArg(cmd, "--allow-user-interaction");
 

diff --git a/libvirt.spec.in b/libvirt.spec.in
index 2e08abba2044bd8c15e10e89c96c87b5d58b6acf..09272d4e3e8639b14029856c7ad98e7a7b065006 100644 (file)
--- a/libvirt.spec.in
+++ b/libvirt.spec.in
@@ -364,8 +364,7 @@ BuildRequires: cyrus-sasl-devel
 %endif
 %if %{with_polkit}
 %if 0%{?fedora} >= 12 || 0%{?rhel} >= 6
-# Only need the binary, not -devel
-BuildRequires: polkit >= 0.93
+BuildRequires: polkit-devel >= 0.93
 %else
 BuildRequires: PolicyKit-devel >= 0.6
 %endif