Debian Bug report logs - #482064
policykit: some files have different permissions from those recommended by upstream


Package: policykit; Maintainer for policykit is (unknown);

Reported by: James Westby <jw+debian@jameswestby.net>

Date: Tue, 20 May 2008 15:21:01 UTC

Severity: normal

Found in version policykit/0.8-1

Fixed in version policykit/0.8-2

Done: Michael Biebl <biebl@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#482064; Package policykit. (full text, mbox, link).


Acknowledgement sent to James Westby <jw+debian@jameswestby.net>:
New Bug report received and forwarded. Copy sent to Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: James Westby <jw+debian@jameswestby.net>
To: submit@bugs.debian.org
Subject: policykit: some files have different permissions from those recommended by upstream
Date: Tue, 20 May 2008 17:19:03 +0200
Package: policykit
Severity: normal
Version: 0.8-1
Tags: patch
User: ubuntu-devel@lists.ubuntu.com
Usertags: origin-ubuntu intrepid ubuntu-patch

Hi,

In the 0.8 release of policykit the text at the end of the ./configure
output saying that certain files should have certain permissions has
changed, but the postinst wasn't changed to match. I haven't tested
to check whether this has any effect on the functionality, but
presumably the requirements are there for a reason.

I am attaching the Ubuntu diff that changes it to match what is in 
Fedora, as that is slightly more precise than the ./configure text,
and was done by upstream himself.

However the patch does include a change that the fix from bug 452198
makes unneeded. If you don't want the patch in 452198, or at least
don't want to apply them both at the same time then I would be happy
to update the patch to not include that part.

Thanks,

James

[policykit.diff (text/x-patch, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#482064; Package policykit. (full text, mbox, link).


Acknowledgement sent to Michael Biebl <biebl@debian.org>:
Extra info received and forwarded to list. Copy sent to Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (full text, mbox, link).


Message #10 received at 482064@bugs.debian.org (full text, mbox, reply):

From: Michael Biebl <biebl@debian.org>
To: James Westby <jw+debian@jameswestby.net>, 482064@bugs.debian.org, control@bugs.debian.org
Subject: Re: [Pkg-utopia-maintainers] Bug#482064: policykit: some files have different permissions from those recommended by upstream
Date: Wed, 21 May 2008 01:00:35 +0200
tags 482064 -patch
thanks

James Westby wrote:
> Package: policykit
> Severity: normal
> Version: 0.8-1
> Tags: patch
> User: ubuntu-devel@lists.ubuntu.com
> Usertags: origin-ubuntu intrepid ubuntu-patch
> 
> Hi,
> 
> In the 0.8 release of policykit the text at the end of the ./configure
> output saying that certain files should have certain permissions has
> changed, but the postinst wasn't changed to match. I haven't tested
> to check whether this has any effect on the functionality, but
> presumably the requirements are there for a reason.
> 
> I am attaching the Ubuntu diff that changes it to match what is in 
> Fedora, as that is slightly more precise than the ./configure text,
> and was done by upstream himself.
> 
> However the patch does include a change that the fix from bug 452198
> makes unneeded. If you don't want the patch in 452198, or at least
> don't want to apply them both at the same time then I would be happy
> to update the patch to not include that part.

Hi James,

thanks for filing this bug report. As it happens, I already noticed that
issue myself and have discussed that extensively with upstream.
There is currently a discrepancy between the configure output, the 
actual rules in the makefiles and how the rpm installs it.
Your proposed patch is not quite correct (you will see that if you read 
the following discussion), so I'm removing the "patch" tag.
I already have a correct fix ready and will provide updated packages soon.

FWIW here is an excerpt of the discussion I had with David Zeuthen:

> On Wed, 2008-04-23 at 01:02 +0200, Michael Biebl wrote:
>> > Hi David,
>> > 
>> > as I'm generally a bit paranoid regarding suid/sgid binaries, and as I 
>> > noticed some discrepancies between the ./configure message, the 
>> > installed files and the permissions as installed by the fedora package, 
>> > I'd like to ask you for clarification.
> 
> First of all, I'm glad someone is reviewing this (the SUSE and RH
> security teams have been reviewing it as well). So thanks for taking the
> time to look through it. 
> 
> One thing I want to do is to include a section in the docs detailing how
> the 'default' backend works including security notes. Is that something
> you would like to help with based on my explanations below?
> 
>> > (this is policykit 0.8)
>> > 
>> > ./configure says (condensed)
>> > 
>> > 1.1  770  root       polkituser /var/run/PolicyKit
>> > 1.2  770  root       polkituser /var/lib/PolicyKit
>> > 1.3  755  polkituser root       /var/run/PolicyKit-public
>> > 1.4  775  polkituser polkituser /var/lib/misc/PolicyKit.reload
>> > 1.5  4755 polkituser root       /libexec/polkit-set-default-helper
>> > 1.6  2755 root       polkituser /libexec/polkit-read-auth-helper
>> > 1.7  2755 root       polkituser /libexec/polkit-revoke-helper
>> > 1.8  2755 root       polkituser /libexec/polkit-grant-helper
>> > 1.9  2755 root       polkituser /libexec/polkit-explicit-grant-helper
>> > 1.10 4754 root       polkituser /libexec/polkit-grant-helper-pam
>> > 1.11 4755 root       root       /libexec/polkit-resolve-exe-helper
>> > 
>> > make install creates
>> > 
>> > 2.1  770  root       polkituser /var/run/PolicyKit
>> > 2.2  770  root       polkituser /var/lib/PolicyKit
>> > 2.3  755  polkituser root       /var/lib/PolicyKit-public
>> > 2.4  775  polkituser polkituser /var/lib/misc/PolicyKit.reload
>> > 2.5  4755 polkituser root       /libexec/polkit-set-default-helper
>> > 2.6  2755 root       polkituser /libexec/polkit-read-auth-helper
>> > 2.7  2755 root       polkituser /libexec/polkit-revoke-helper
>> > 2.8  2755 root       polkituser /libexec/polkit-grant-helper
>> > 2.9  2755 root       polkituser /libexec/polkit-explicit-grant-helper
>> > 2.10 4754 root       polkituser /libexec/polkit-grant-helper-pam
>> > 2.11 4755 root       root       /libexec/polkit-resolve-exe-helper
>> > 
>> > fedora rpm has
>> > 
>> > 3.1  770  polkituser polkituser /var/run/PolicyKit
>> > 3.2  770  polkituser polkituser /var/lib/PolicyKit
>> > 3.3  755  polkituser polkituser /var/lib/PolicyKit-public
>> > 3.4  775  polkituser polkituser /var/lib/misc/PolicyKit.reload
>> > 3.5  4755 polkituser root       /libexec/polkit-set-default-helper
>> > 3.6  2755 root       polkituser /libexec/polkit-read-auth-helper
>> > 3.7  2755 root       polkituser /libexec/polkit-revoke-helper
>> > 3.8  2755 root       polkituser /libexec/polkit-grant-helper
>> > 3.9  2755 root       polkituser /libexec/polkit-explicit-grant-helper
>> > 3.10 4754 root       polkituser /libexec/polkit-grant-helper-pam
>> > 3.11 4755 root       root       /libexec/polkit-resolve-exe-helper
>> > 
>> > 1.) 1.3 has /var/run/PolicyKit-public, in 2.3, 3.3 it is in /var/lib
> 
> That's a bug in 1.3; need to fix the configure output.
> 
>> > 2.) fedora has a different owner for 3.1, 3.2 resp group for 3.3
> 
> That's a bug in the fedora rpm. I'll fix that.
> 
>> > 3.) It's not clear to me, why we need a user *and* group polkituser.
> 
> See below.
> 
>> > And why 1.5, 1.10 and 1.11 have somewhat strange suid/sgid bits and 
>> > owners. Could you elaborate in detail for each binary why those 
>> > different ownerships and suid/sgid bits are necessary?
> 
> Right, I'll go through them one by one based on the output of make
> install.
> 
> 2.1  770  root       polkituser /var/run/PolicyKit
> 2.2  770  root       polkituser /var/lib/PolicyKit
> 
> We store authorizations for each user here. Since we don't want user A
> to know what authorizations other users have no one can read these
> files. However, when checking authorizations we need to be able to read
> from here; we use this helper
> 
> 2.6  2755 root       polkituser /libexec/polkit-read-auth-helper
> 
> which can read from here since it's setgid polkituser. This helper will
> refuse to return authorizations for other users than the calling user
> except if the calling user is authorized for org.fd.pk.read.
> 
> We also want to be able to grant authorizations through authentication.
> That happens with this helper
> 
> 2.8  2755 root       polkituser /libexec/polkit-grant-helper
> 
> This program is setgid 'polkituser' so it can write files
> in /var/{run,lib}/PolicyKit. Note that these files are created with mode
> 464. 
> 
> To do the actual authentication check, polkit-grant-helper uses another
> helper
>  
> 2.10 4754 root       polkituser /libexec/polkit-grant-helper-pam
> 
> This one is setuid root because checking authentications might
> require that (you may be checking the root password). The reason 2.10
> is owned by group 'polkituser' is to ensure that random users can't
> execute it; only setgid polkituser programs (e.g. 2.8).  Which adds a
> little extra security but strictly it's not necessary.
> 
> On to
> 
> 2.7  2755 root       polkituser /libexec/polkit-revoke-helper
> 
> This one is used to revoke authorizations. It will only allow uid 0 and
> users with the org.fd.pk.revoke authorization to do so. It needs to be
> setgid polkituser to be able to modify authorization files
> in /var/{run,lib}/PolicyKit.
> 
> 2.9  2755 root       polkituser /libexec/polkit-explicit-grant-helper
> 
> Same story as for polkit-revoke-helper only this grants authorizations.
> Only allowed for uid 0 and users with the org.fd.pk.grant authorization.
> 
> 2.3  755  polkituser root       /var/lib/PolicyKit-public
> 
> This is where we store modifications to the defaults. Anyone should be
> able to read these files. They are created with mode 644. These files
> are written / modified by this helper
> 
> 2.5  4755 polkituser root       /libexec/polkit-set-default-helper
> 
> which is setuid polkituser to be able to write/modify files.
> 
> On to
> 
> 2.11 4755 root       root       /libexec/polkit-resolve-exe-helper
> 
> This is used to find the executable name for a process. On Linux this is
> the /proc/<pid>/exe symlink and you can only do this for processes you
> own. This helper finds the executable name for processes not owned by
> you but only if you have the org.fd.pk.read authorization. This is
> important to let e.g. user 'haldaemon' check authorizations for a user
> requesting service.
> 
> 2.4  775  polkituser polkituser /var/lib/misc/PolicyKit.reload
> 
> This file is used by libpolkit to detect when something has changed
> (authorizations granted/revoked, defaults changed etc.). It is writable
> by both user 'polkituser' and group 'polkituser' because we have helpers
> running with both euid 'polkituser' and egid 'polkituser'.
> 
> The permissions on this should be 664 instead.
> 
> Does all this make sense now?
> 
>      David
> 
> 
> 


Cheers,
Michael


-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?

[signature.asc (application/pgp-signature, attachment)]
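
The ownership and mode table discussed in the message above can be turned into a checkable manifest. The script below is an added example, not part of the thread or of the Debian postinst: the expected values are the "make install" rows with the 664 correction David Zeuthen states for PolicyKit.reload, the sample input is the thread's "fedora rpm" rows, and the function names are hypothetical.

```shell
# Expected "mode owner group path": the thread's "make install" rows (2.x)
# with upstream's correction that PolicyKit.reload should be 664.
# /libexec is the condensed prefix used in the thread.
expected_manifest() {
cat <<'EOF'
770 root polkituser /var/run/PolicyKit
770 root polkituser /var/lib/PolicyKit
755 polkituser root /var/lib/PolicyKit-public
664 polkituser polkituser /var/lib/misc/PolicyKit.reload
4755 polkituser root /libexec/polkit-set-default-helper
2755 root polkituser /libexec/polkit-read-auth-helper
2755 root polkituser /libexec/polkit-revoke-helper
2755 root polkituser /libexec/polkit-grant-helper
2755 root polkituser /libexec/polkit-explicit-grant-helper
4754 root polkituser /libexec/polkit-grant-helper-pam
4755 root root /libexec/polkit-resolve-exe-helper
EOF
}

# Constructed input: the thread's "fedora rpm" rows (3.x), laid out as
# `stat -c '%a %U %G %n'` would print them.
fedora_rpm_listing() {
cat <<'EOF'
770 polkituser polkituser /var/run/PolicyKit
770 polkituser polkituser /var/lib/PolicyKit
755 polkituser polkituser /var/lib/PolicyKit-public
775 polkituser polkituser /var/lib/misc/PolicyKit.reload
4755 polkituser root /libexec/polkit-set-default-helper
2755 root polkituser /libexec/polkit-read-auth-helper
2755 root polkituser /libexec/polkit-revoke-helper
2755 root polkituser /libexec/polkit-grant-helper
2755 root polkituser /libexec/polkit-explicit-grant-helper
4754 root polkituser /libexec/polkit-grant-helper-pam
4755 root root /libexec/polkit-resolve-exe-helper
EOF
}

# audit_listing FILE: compare FILE (stat-format lines as above) with the
# expected manifest. Prints one line per deviation; status 0 only if clean.
audit_listing() {
    expected_manifest | awk -v listing="$1" '
        BEGIN { while ((getline line < listing) > 0)
                    if (split(line, f, " ") == 4)
                        have[f[4]] = f[1] " " f[2] " " f[3] }
        {
            want = $1 " " $2 " " $3
            if (!($4 in have)) {
                print "MISSING " $4 " want=[" want "]"; bad = 1
            } else if (have[$4] != want) {
                print "MISMATCH " $4 " want=[" want "] have=[" have[$4] "]"; bad = 1
            }
        }
        END { exit bad + 0 }'
}

tmp=$(mktemp) && fedora_rpm_listing > "$tmp"
audit_listing "$tmp" || echo "deviations found"
rm -f "$tmp"
```

On an installed system, replace the sample listing with real `stat -c '%a %U %G %n'` output for the same paths, using the actual libexec directory.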

Tags removed: patch Request was from Michael Biebl <biebl@debian.org> to control@bugs.debian.org. (Tue, 20 May 2008 23:03:06 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#482064; Package policykit. (full text, mbox, link).


Acknowledgement sent to James Westby <jw+debian@jameswestby.net>:
Extra info received and forwarded to list. Copy sent to Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (full text, mbox, link).


Message #17 received at 482064@bugs.debian.org (full text, mbox, reply):

From: James Westby <jw+debian@jameswestby.net>
To: 482064@bugs.debian.org
Subject: Re: [Pkg-utopia-maintainers] Bug#482064: policykit: some files have different permissions from those recommended by upstream
Date: Wed, 21 May 2008 09:40:33 +0200

On Wed, 2008-05-21 at 01:00 +0200, Michael Biebl wrote:
> thanks for filing this bug report. As it happens, I already noticed that
> issue myself and have discussed that extensively with upstream.
> There is currently a discrepancy between the configure output, the 
> actual rules in the makefiles and how the rpm installs it.
> Your proposed patch is not quite correct (you will see that if you read 
> the following discussion), so I'm removing the "patch" tag.
> I already have a correct fix ready and will provide updated packages soon.

Thanks, I'll let you prepare your packages, and then when you upload
them I will merge them in to Ubuntu.

Thanks,

James





Reply sent to Michael Biebl <biebl@debian.org>:
You have taken responsibility. (full text, mbox, link).


Notification sent to James Westby <jw+debian@jameswestby.net>:
Bug acknowledged by developer. (full text, mbox, link).


Message #22 received at 482064-close@bugs.debian.org (full text, mbox, reply):

From: Michael Biebl <biebl@debian.org>
To: 482064-close@bugs.debian.org
Subject: Bug#482064: fixed in policykit 0.8-2
Date: Fri, 23 May 2008 03:17:05 +0000
Source: policykit
Source-Version: 0.8-2

We believe that the bug you reported is fixed in the latest version of
policykit, which is due to be installed in the Debian FTP archive:

libpolkit-dbus-dev_0.8-2_i386.deb
  to pool/main/p/policykit/libpolkit-dbus-dev_0.8-2_i386.deb
libpolkit-dbus2_0.8-2_i386.deb
  to pool/main/p/policykit/libpolkit-dbus2_0.8-2_i386.deb
libpolkit-dev_0.8-2_i386.deb
  to pool/main/p/policykit/libpolkit-dev_0.8-2_i386.deb
libpolkit-grant-dev_0.8-2_i386.deb
  to pool/main/p/policykit/libpolkit-grant-dev_0.8-2_i386.deb
libpolkit-grant2_0.8-2_i386.deb
  to pool/main/p/policykit/libpolkit-grant2_0.8-2_i386.deb
libpolkit2_0.8-2_i386.deb
  to pool/main/p/policykit/libpolkit2_0.8-2_i386.deb
policykit-doc_0.8-2_all.deb
  to pool/main/p/policykit/policykit-doc_0.8-2_all.deb
policykit_0.8-2.diff.gz
  to pool/main/p/policykit/policykit_0.8-2.diff.gz
policykit_0.8-2.dsc
  to pool/main/p/policykit/policykit_0.8-2.dsc
policykit_0.8-2_i386.deb
  to pool/main/p/policykit/policykit_0.8-2_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 482064@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Biebl <biebl@debian.org> (supplier of updated policykit package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 23 May 2008 04:33:48 +0200
Source: policykit
Binary: policykit policykit-doc libpolkit2 libpolkit-dev libpolkit-dbus2 libpolkit-dbus-dev libpolkit-grant2 libpolkit-grant-dev
Architecture: source all i386
Version: 0.8-2
Distribution: unstable
Urgency: low
Maintainer: Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>
Changed-By: Michael Biebl <biebl@debian.org>
Description: 
 libpolkit-dbus-dev - library for accessing PolicyKit via D-Bus - development files
 libpolkit-dbus2 - library for accessing PolicyKit via D-Bus
 libpolkit-dev - library for accessing PolicyKit - development files
 libpolkit-grant-dev - library for obtaining privileges via PolicyKit - development file
 libpolkit-grant2 - library for obtaining privileges via PolicyKit
 libpolkit2 - library for accessing PolicyKit
 policykit  - framework for managing administrative policies and privileges
 policykit-doc - documentation for PolicyKit
Closes: 482064
Changes: 
 policykit (0.8-2) unstable; urgency=low
 .
   * Add symbols files for libpolkit2, libpolkit-grant2 and libpolkit-dbus2.
   * debian/policykit.postinst
     - Set correct permissions for all files. (Closes: #482064)
     - Define a small helper function to apply the permissions. This makes it
       more concise and readable.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFINjFZh7PER70FhVQRAlvFAJ9h3MNQWBKMDMJtsHjcK3OqrUHEeACdFOy9
I4M/6+lG0Yt3zkUGrI1ZnIg=
=rBre
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 01 Jul 2008 07:33:32 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Jan 11 21:57:14 2018; Machine Name: beach

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.