Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-15-SP1:Update
gvfs
gvfs-CVE-2019-3827.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File gvfs-CVE-2019-3827.patch of Package gvfs
From d8d0c8c40049cfd824b2b90d0cd47914052b9811 Mon Sep 17 00:00:00 2001 From: Ondrej Holy <oholy@redhat.com> Date: Wed, 2 Jan 2019 17:13:27 +0100 Subject: admin: Prevent access if any authentication agent isn't available The backend currently allows to access and modify files without prompting for password if any polkit authentication agent isn't available. This seems isn't usually problem, because polkit agents are integral parts of graphical environments / linux distributions. The agents can't be simply disabled without root permissions and are automatically respawned. However, this might be a problem in some non-standard cases. This affects only users which belong to wheel group (i.e. those who are already allowed to use sudo). It doesn't allow privilege escalation for users, who don't belong to that group. Let's return permission denied error also when the subject can't be authorized by any polkit agent to prevent this behavior. Closes: https://gitlab.gnome.org/GNOME/gvfs/issues/355 --- daemon/gvfsbackendadmin.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/daemon/gvfsbackendadmin.c b/daemon/gvfsbackendadmin.c index ec0f2392..0f849008 100644 --- a/daemon/gvfsbackendadmin.c +++ b/daemon/gvfsbackendadmin.c @@ -130,8 +130,7 @@ check_permission (GVfsBackendAdmin *self, return FALSE; } - is_authorized = polkit_authorization_result_get_is_authorized (result) || - polkit_authorization_result_get_is_challenge (result); + is_authorized = polkit_authorization_result_get_is_authorized (result); g_object_unref (result); -- 2.16.4 From 04325119859b9eb41c9db97f1c315f3c9ab3d95b Mon Sep 17 00:00:00 2001 From: Ondrej Holy <oholy@redhat.com> Date: Fri, 4 Jan 2019 12:58:27 +0100 Subject: admin: Add comment to .rules file Add comment to polkit org.gtk.vfs.file-operations.rules file explaining the rule which allows starting gvfsd-admin without password for users belonging to wheel group. --- daemon/org.gtk.vfs.file-operations.rules | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/daemon/org.gtk.vfs.file-operations.rules b/daemon/org.gtk.vfs.file-operations.rules index fb8d54ae..6e528e93 100644 --- a/daemon/org.gtk.vfs.file-operations.rules +++ b/daemon/org.gtk.vfs.file-operations.rules @@ -1,3 +1,8 @@ +// Allows users belonging to wheel group to start gvfsd-admin without +// authorization. This prevents redundant password prompt when starting +// gvfsd-admin. The gvfsd-admin causes another password prompts to be shown +// for each client process using the different action id and for the subject +// based on the client process. polkit.addRule(function(action, subject) { if ((action.id == "org.gtk.vfs.file-operations-helper") && subject.local && -- 2.16.4 From cadb8377a849dfb3a815d05b50a75049095a8d2f Mon Sep 17 00:00:00 2001 From: Ondrej Holy <oholy@redhat.com> Date: Mon, 14 Jan 2019 14:02:23 +0100 Subject: admin: Add comments to .policy file Add comments to polkit org.gtk.vfs.file-operations.policy file explaining the purpose of the different actions. --- daemon/org.gtk.vfs.file-operations.policy.in.in | 2 ++ 1 file changed, 2 insertions(+) diff --git a/daemon/org.gtk.vfs.file-operations.policy.in.in b/daemon/org.gtk.vfs.file-operations.policy.in.in index f48a923b..02a7b2ce 100644 --- a/daemon/org.gtk.vfs.file-operations.policy.in.in +++ b/daemon/org.gtk.vfs.file-operations.policy.in.in @@ -8,6 +8,7 @@ <vendor>GVfs</vendor> <vendor_url>http://git.gnome.org/browse/gvfs</vendor_url> + <!-- This action is used when starting gvfsd-admin. --> <action id="org.gtk.vfs.file-operations-helper"> <description>Perform file operations</description> <message>Authentication is required to perform file operations</message> @@ -19,6 +20,7 @@ <annotate key="org.freedesktop.policykit.exec.path">@libexecdir@/gvfsd-admin</annotate> </action> + <!-- This action is used to authorize gvfsd-admin operations. --> <action id="org.gtk.vfs.file-operations"> <description>Perform file operations</description> <message>Authentication is required to perform file operations</message> -- 2.16.4 From a0e015cbd76715fbee407557c676a038f164c605 Mon Sep 17 00:00:00 2001 From: Ondrej Holy <oholy@redhat.com> Date: Mon, 14 Jan 2019 14:04:58 +0100 Subject: admin: Update message in .policy Update message for org.gtk.vfs.file-operations-helper action in polkit org.gtk.vfs.file-operations.rules file to be obvious that it is used when starting gvfsd-admin. --- daemon/org.gtk.vfs.file-operations.policy.in.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/daemon/org.gtk.vfs.file-operations.policy.in.in b/daemon/org.gtk.vfs.file-operations.policy.in.in index 02a7b2ce..7acfbfd5 100644 --- a/daemon/org.gtk.vfs.file-operations.policy.in.in +++ b/daemon/org.gtk.vfs.file-operations.policy.in.in @@ -11,7 +11,7 @@ <!-- This action is used when starting gvfsd-admin. --> <action id="org.gtk.vfs.file-operations-helper"> <description>Perform file operations</description> - <message>Authentication is required to perform file operations</message> + <message>Authentication is required to run gvfsd-admin daemon</message> <defaults> <allow_any>no</allow_any> <allow_inactive>no</allow_inactive> -- 2.16.4
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor