I was contacted privately about a potential vulnerability in polkitd and pkexec. Briefly, the problem is that the UID for the parent process of pkexec(1) is read from /proc by stat(2)'ing /proc/PID. The problem with this is that this returns the effective uid of the process, which can easily be set to 0 by invoking a setuid-root binary such as /usr/bin/chsh in the parent process of pkexec(1). Instead we are really interested in the real user id. While there's a check in pkexec.c to avoid this problem (by comparing it to what we expect the uid to be - namely that of the pkexec.c process itself, which is the uid of the parent process at pkexec-spawn-time), there is still a short window where an attacker can fool pkexec/polkitd into thinking that the parent process has uid 0 and is therefore authorized. It's pretty hard to hit this window - I actually don't know if it can be made to work in practice. Either way, if exploitable (which I think it is), this bug is a local root exploit so we should treat it like that. Now that there is no vendor-sec list anymore, I don't know what it means wrt embargoing? (so far this issue has been kept confidential - and the patches fixing this are not yet publicly available) I already have patches for polkit master to fix this problem (to look up the right uid) and also avoid having to look up the UID in /proc/PID at all (doing so generally causes TOCTTOU bugs). These patches should all work in the polkit versions shipped in supported versions of Fedora. I am right now working on patches for RHEL6.
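The comment above turns on the difference between the owner that stat(2) reports for /proc/PID and the real uid recorded on the "Uid:" line of /proc/PID/status. The following C program is an added illustration written for this page; it is not the polkit patches attached to this bug and not code from pkexec. It parses the "Uid:" line (real, effective, saved-set and filesystem uid, in that order) and compares the result with the stat-based lookup, using a constructed status buffer for a process whose real uid is 1000 but whose effective uid is 0. All function names are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Parse the "Uid:" line of a /proc/PID/status buffer. The four fields are
   real, effective, saved-set and filesystem uid; return the real uid (the
   first field), or -1 if no well-formed Uid: line is present. */
long real_uid_from_status(const char *status_text)
{
    const char *line = status_text;
    while (line && *line) {
        if (strncmp(line, "Uid:", 4) == 0) {
            char *end;
            long uid = strtol(line + 4, &end, 10);
            if (end == line + 4)
                return -1;          /* "Uid:" with no number after it */
            return uid;
        }
        line = strchr(line, '\n');  /* advance to the next line */
        if (line)
            line++;
    }
    return -1;
}

/* Read the real uid of a live process from /proc/PID/status. */
long real_uid_of_pid(pid_t pid)
{
    char path[64];
    char buf[4096];
    FILE *f;
    size_t n;

    snprintf(path, sizeof path, "/proc/%ld/status", (long)pid);
    f = fopen(path, "r");
    if (!f)
        return -1;
    n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return real_uid_from_status(buf);
}

/* The owner that stat(2) reports for /proc/PID, i.e. the lookup the
   original pkexec relied on; for a process running inside a setuid-root
   binary this is 0 even though the real uid is unprivileged. */
long stat_uid_of_pid(pid_t pid)
{
    char path[64];
    struct stat st;

    snprintf(path, sizeof path, "/proc/%ld", (long)pid);
    if (stat(path, &st) != 0)
        return -1;
    return (long)st.st_uid;
}

/* Constructed sample (not captured from a real system): a process with real
   uid 1000 whose effective uid is currently 0. stat(/proc/PID) would report
   owner 0; the Uid: line still reports 1000. */
static const char SAMPLE_STATUS[] =
    "Name:\tchsh\n"
    "State:\tS (sleeping)\n"
    "Pid:\t4242\n"
    "Uid:\t1000\t0\t0\t0\n"
    "Gid:\t1000\t1000\t1000\t1000\n";

int main(void)
{
    printf("sample real uid from status: %ld\n",
           real_uid_from_status(SAMPLE_STATUS));
    printf("self: stat uid=%ld, status real uid=%ld, getuid()=%ld\n",
           stat_uid_of_pid(getpid()), real_uid_of_pid(getpid()),
           (long)getuid());
    return 0;
}
```

Reading the real uid removes the effective-uid confusion, but it does not remove the race the comment describes: any lookup keyed on a PID can still be answered for a process that has since exec'ed or exited, which is why the patches for this bug go further and stop consulting /proc/PID altogether.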
Created attachment 489458 [details] Patch 1/4
Created attachment 489461 [details] Patch 2/4
Created attachment 489462 [details] Patch 3/4
Created attachment 489463 [details] Patch 4/4
Created attachment 491306 [details] polkit 0.96 patch 1/4
Created attachment 491307 [details] polkit 0.96 patch 2/4
Created attachment 491308 [details] polkit 0.96 patch 3/4
Created attachment 491309 [details] polkit 0.96 patch 4/4
polkit 0.96, as shipped in RHEL6, is a bit different from git master. I've attached the patches for 0.96 in comment 9, comment 10, comment 11 and comment 12. These patches will appear in a polkit-0-96 branch in the upstream git repo once the embargo has been lifted.
Acknowledgements: Red Hat would like to thank Neel Mehta of Google for reporting this issue.
Created polkit tracking bugs for this issue

Affects: fedora-all [bug 697951]
This issue has been addressed in the following products:

Red Hat Enterprise Linux 6

Via RHSA-2011:0455 https://rhn.redhat.com/errata/RHSA-2011-0455.html