Commit 264e9762 authored by Albert Astals Cid's avatar Albert Astals Cid
Browse files

Verify that whoever is calling us is actually who he says he is

CVE-2017-8422
parent 92273b7d
......@@ -54,6 +54,11 @@ void AuthBackend::setCapabilities(AuthBackend::Capabilities capabilities)
d->capabilities = capabilities;
}
AuthBackend::ExtraCallerIDVerificationMethod AuthBackend::extraCallerIDVerificationMethod() const
{
return NoExtraCallerIDVerificationMethod;
}
bool AuthBackend::actionExists(const QString& action)
{
Q_UNUSED(action);
......
......@@ -43,6 +43,12 @@ public:
};
Q_DECLARE_FLAGS(Capabilities, Capability)
enum ExtraCallerIDVerificationMethod {
NoExtraCallerIDVerificationMethod,
VerifyAgainstDBusServiceName,
VerifyAgainstDBusServicePid,
};
AuthBackend();
virtual ~AuthBackend();
virtual void setupAction(const QString &action) = 0;
......@@ -50,6 +56,7 @@ public:
virtual Action::AuthStatus authorizeAction(const QString &action) = 0;
virtual Action::AuthStatus actionStatus(const QString &action) = 0;
virtual QByteArray callerID() const = 0;
virtual ExtraCallerIDVerificationMethod extraCallerIDVerificationMethod() const;
virtual bool isCallerAuthorized(const QString &action, QByteArray callerID) = 0;
virtual bool actionExists(const QString &action);
......
......@@ -271,6 +271,29 @@ void DBusHelperProxy::performActions(QByteArray blob, const QByteArray &callerID
}
}
bool DBusHelperProxy::isCallerAuthorized(const QString &action, const QByteArray &callerID)
{
// Check the caller is really who it says it is
switch (BackendsManager::authBackend()->extraCallerIDVerificationMethod()) {
case AuthBackend::NoExtraCallerIDVerificationMethod:
break;
case AuthBackend::VerifyAgainstDBusServiceName:
if (message().service().toUtf8() != callerID) {
return false;
}
break;
case AuthBackend::VerifyAgainstDBusServicePid:
if (connection().interface()->servicePid(message().service()).value() != callerID.toUInt()) {
return false;
}
break;
}
return BackendsManager::authBackend()->isCallerAuthorized(action, callerID);
}
QByteArray DBusHelperProxy::performAction(const QString &action, const QByteArray &callerID, QByteArray arguments)
{
if (!responder) {
......@@ -295,7 +318,7 @@ QByteArray DBusHelperProxy::performAction(const QString &action, const QByteArra
QTimer *timer = responder->property("__KAuth_Helper_Shutdown_Timer").value<QTimer*>();
timer->stop();
if (BackendsManager::authBackend()->isCallerAuthorized(action, callerID)) {
if (isCallerAuthorized(action, callerID)) {
QString slotname = action;
if (slotname.startsWith(m_name + QLatin1Char('.'))) {
slotname = slotname.right(slotname.length() - m_name.length() - 1);
......@@ -338,7 +361,7 @@ uint DBusHelperProxy::authorizeAction(const QString& action, const QByteArray& c
QTimer *timer = responder->property("__KAuth_Helper_Shutdown_Timer").value<QTimer*>();
timer->stop();
if (BackendsManager::authBackend()->isCallerAuthorized(action, callerID)) {
if (isCallerAuthorized(action, callerID)) {
retVal = static_cast<uint>(Action::Authorized);
} else {
retVal = static_cast<uint>(Action::Denied);
......
......@@ -21,6 +21,7 @@
#ifndef DBUS_HELPER_PROXY_H
#define DBUS_HELPER_PROXY_H
#include <QDBusContext>
#include <QVariant>
#include "HelperProxy.h"
#include "kauthactionreply.h"
......@@ -28,7 +29,7 @@
namespace KAuth
{
class DBusHelperProxy : public HelperProxy
class DBusHelperProxy : public HelperProxy, protected QDBusContext
{
Q_OBJECT
Q_INTERFACES(KAuth::HelperProxy)
......@@ -73,6 +74,9 @@ signals:
private slots:
void remoteSignalReceived(int type, const QString &action, QByteArray blob);
private:
bool isCallerAuthorized(const QString &action, const QByteArray &callerID);
};
} // namespace Auth
......
......@@ -78,6 +78,11 @@ QByteArray PolicyKitBackend::callerID() const
return a;
}
AuthBackend::ExtraCallerIDVerificationMethod Polkit1Backend::extraCallerIDVerificationMethod() const
{
return VerifyAgainstDBusServicePid;
}
bool PolicyKitBackend::isCallerAuthorized(const QString &action, QByteArray callerID)
{
QDataStream s(&callerID, QIODevice::ReadOnly);
......
......@@ -40,6 +40,7 @@ public:
virtual Action::AuthStatus authorizeAction(const QString&);
virtual Action::AuthStatus actionStatus(const QString&);
virtual QByteArray callerID() const;
virtual ExtraCallerIDVerificationMethod extraCallerIDVerificationMethod() const;
virtual bool isCallerAuthorized(const QString &action, QByteArray callerID);
private Q_SLOTS:
......
......@@ -163,6 +163,11 @@ QByteArray Polkit1Backend::callerID() const
return QDBusConnection::systemBus().baseService().toUtf8();
}
AuthBackend::ExtraCallerIDVerificationMethod Polkit1Backend::extraCallerIDVerificationMethod() const
{
return VerifyAgainstDBusServiceName;
}
bool Polkit1Backend::isCallerAuthorized(const QString &action, QByteArray callerID)
{
PolkitQt1::SystemBusNameSubject subject(QString::fromUtf8(callerID));
......
......@@ -48,6 +48,7 @@ public:
virtual Action::AuthStatus authorizeAction(const QString&);
virtual Action::AuthStatus actionStatus(const QString&);
virtual QByteArray callerID() const;
virtual ExtraCallerIDVerificationMethod extraCallerIDVerificationMethod() const;
virtual bool isCallerAuthorized(const QString &action, QByteArray callerID);
virtual bool actionExists(const QString& action);
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment