File gvfs-CVE-2019-3827.patch of Package gvfs.11406

Overview Repositories Revisions Requests Users Attributes Meta

File gvfs-CVE-2019-3827.patch of Package gvfs.11406

From d8d0c8c40049cfd824b2b90d0cd47914052b9811 Mon Sep 17 00:00:00 2001
From: Ondrej Holy <oholy@redhat.com>
Date: Wed, 2 Jan 2019 17:13:27 +0100
Subject: admin: Prevent access if any authentication agent isn't available

The backend currently allows to access and modify files without prompting
for password if any polkit authentication agent isn't available. This seems
isn't usually problem, because polkit agents are integral parts of
graphical environments / linux distributions. The agents can't be simply
disabled without root permissions and are automatically respawned. However,
this might be a problem in some non-standard cases.

This affects only users which belong to wheel group (i.e. those who are
already allowed to use sudo). It doesn't allow privilege escalation for
users, who don't belong to that group.

Let's return permission denied error also when the subject can't be
authorized by any polkit agent to prevent this behavior.

Closes: https://gitlab.gnome.org/GNOME/gvfs/issues/355
---
 daemon/gvfsbackendadmin.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/daemon/gvfsbackendadmin.c b/daemon/gvfsbackendadmin.c
index ec0f2392..0f849008 100644
--- a/daemon/gvfsbackendadmin.c
+++ b/daemon/gvfsbackendadmin.c
@@ -130,8 +130,7 @@ check_permission (GVfsBackendAdmin *self,
       return FALSE;
     }
 
-  is_authorized = polkit_authorization_result_get_is_authorized (result) ||
-    polkit_authorization_result_get_is_challenge (result);
+  is_authorized = polkit_authorization_result_get_is_authorized (result);
 
   g_object_unref (result);
 
-- 
2.16.4

From 04325119859b9eb41c9db97f1c315f3c9ab3d95b Mon Sep 17 00:00:00 2001
From: Ondrej Holy <oholy@redhat.com>
Date: Fri, 4 Jan 2019 12:58:27 +0100
Subject: admin: Add comment to .rules file

Add comment to polkit org.gtk.vfs.file-operations.rules file explaining
the rule which allows starting gvfsd-admin without password for users
belonging to wheel group.
---
 daemon/org.gtk.vfs.file-operations.rules | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/daemon/org.gtk.vfs.file-operations.rules b/daemon/org.gtk.vfs.file-operations.rules
index fb8d54ae..6e528e93 100644
--- a/daemon/org.gtk.vfs.file-operations.rules
+++ b/daemon/org.gtk.vfs.file-operations.rules
@@ -1,3 +1,8 @@
+// Allows users belonging to wheel group to start gvfsd-admin without
+// authorization. This prevents redundant password prompt when starting
+// gvfsd-admin. The gvfsd-admin causes another password prompts to be shown
+// for each client process using the different action id and for the subject
+// based on the client process.
 polkit.addRule(function(action, subject) {
         if ((action.id == "org.gtk.vfs.file-operations-helper") &&
             subject.local &&
-- 
2.16.4

From cadb8377a849dfb3a815d05b50a75049095a8d2f Mon Sep 17 00:00:00 2001
From: Ondrej Holy <oholy@redhat.com>
Date: Mon, 14 Jan 2019 14:02:23 +0100
Subject: admin: Add comments to .policy file

Add comments to polkit org.gtk.vfs.file-operations.policy file explaining
the purpose of the different actions.
---
 daemon/org.gtk.vfs.file-operations.policy.in.in | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/daemon/org.gtk.vfs.file-operations.policy.in.in b/daemon/org.gtk.vfs.file-operations.policy.in.in
index f48a923b..02a7b2ce 100644
--- a/daemon/org.gtk.vfs.file-operations.policy.in.in
+++ b/daemon/org.gtk.vfs.file-operations.policy.in.in
@@ -8,6 +8,7 @@
   <vendor>GVfs</vendor>
   <vendor_url>http://git.gnome.org/browse/gvfs</vendor_url>
 
+  
   <action id="org.gtk.vfs.file-operations-helper">
     <description>Perform file operations</description>
     <message>Authentication is required to perform file operations</message>
@@ -19,6 +20,7 @@
     <annotate key="org.freedesktop.policykit.exec.path">@libexecdir@/gvfsd-admin</annotate>
   </action>
 
+  
   <action id="org.gtk.vfs.file-operations">
     <description>Perform file operations</description>
     <message>Authentication is required to perform file operations</message>
-- 
2.16.4

From a0e015cbd76715fbee407557c676a038f164c605 Mon Sep 17 00:00:00 2001
From: Ondrej Holy <oholy@redhat.com>
Date: Mon, 14 Jan 2019 14:04:58 +0100
Subject: admin: Update message in .policy

Update message for org.gtk.vfs.file-operations-helper action in
polkit org.gtk.vfs.file-operations.rules file to be obvious that it is
used when starting gvfsd-admin.
---
 daemon/org.gtk.vfs.file-operations.policy.in.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/daemon/org.gtk.vfs.file-operations.policy.in.in b/daemon/org.gtk.vfs.file-operations.policy.in.in
index 02a7b2ce..7acfbfd5 100644
--- a/daemon/org.gtk.vfs.file-operations.policy.in.in
+++ b/daemon/org.gtk.vfs.file-operations.policy.in.in
@@ -11,7 +11,7 @@
   
   <action id="org.gtk.vfs.file-operations-helper">
     <description>Perform file operations</description>
-    <message>Authentication is required to perform file operations</message>
+    <message>Authentication is required to run gvfsd-admin daemon</message>
     <defaults>
       <allow_any>no</allow_any>
       <allow_inactive>no</allow_inactive>
-- 
2.16.4

Places

File gvfs-CVE-2019-3827.patch of Package gvfs.11406

Places