From 893af88d2061b3beeef7530c467c4f8bb83b0c29 Mon Sep 17 00:00:00 2001
From: Ondrej Holy
Date: Thu, 17 Jan 2019 13:39:24 +0100
Subject: [PATCH] admin: Prevent access if any authentication agent isn't available
---
...cess-if-any-authentication-agent-isn.patch | 42 +++++++++++++++++++
gvfs.spec | 10 ++++-
2 files changed, 50 insertions(+), 2 deletions(-)
create mode 100644 admin-Prevent-access-if-any-authentication-agent-isn.patch
diff --git a/admin-Prevent-access-if-any-authentication-agent-isn.patch b/admin-Prevent-access-if-any-authentication-agent-isn.patch
new file mode 100644
index 0000000..63b0c74
--- /dev/null
+++ b/admin-Prevent-access-if-any-authentication-agent-isn.patch
@@ -0,0 +1,42 @@
+From d8d0c8c40049cfd824b2b90d0cd47914052b9811 Mon Sep 17 00:00:00 2001
+From: Ondrej Holy
+Date: Wed, 2 Jan 2019 17:13:27 +0100
+Subject: [PATCH] admin: Prevent access if any authentication agent isn't
+ available
+
+The backend currently allows to access and modify files without prompting
+for password if any polkit authentication agent isn't available. This seems
+isn't usually problem, because polkit agents are integral parts of
+graphical environments / linux distributions. The agents can't be simply
+disabled without root permissions and are automatically respawned. However,
+this might be a problem in some non-standard cases.
+
+This affects only users which belong to wheel group (i.e. those who are
+already allowed to use sudo). It doesn't allow privilege escalation for
+users, who don't belong to that group.
+
+Let's return permission denied error also when the subject can't be
+authorized by any polkit agent to prevent this behavior.
+
+Closes: https://gitlab.gnome.org/GNOME/gvfs/issues/355
+---
+ daemon/gvfsbackendadmin.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/daemon/gvfsbackendadmin.c b/daemon/gvfsbackendadmin.c
+index ec0f2392..0f849008 100644
+--- a/daemon/gvfsbackendadmin.c
++++ b/daemon/gvfsbackendadmin.c
+@@ -130,8 +130,7 @@ check_permission (GVfsBackendAdmin *self,
+ return FALSE;
+ }
+
+- is_authorized = polkit_authorization_result_get_is_authorized (result) ||
+- polkit_authorization_result_get_is_challenge (result);
++ is_authorized = polkit_authorization_result_get_is_authorized (result);
+
+ g_object_unref (result);
+
+--
+2.20.1
+
diff --git a/gvfs.spec b/gvfs.spec
index f80d6a6..1a0a0b6 100644
--- a/gvfs.spec
+++ b/gvfs.spec
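Review bot: The narrowed assignment in check_permission carries no comment explaining why a challenge result is no longer accepted, so a later refactor could reintroduce `polkit_authorization_result_get_is_challenge (result)`. A challenge only reports that authentication would be needed, not that anyone authenticated, and going by the commit message it is apparently what the backend receives when no polkit agent is available. I would add above the assignment `/* Only a granted result counts: a challenge means nobody authenticated (e.g. no polkit agent is running). */`. The authorization call and the denial path sit outside the hunk, so the flags passed to polkit and the error returned to the caller cannot be checked from here. As this ships as a package patch, gvfsd-admin processes started before the update presumably keep the old check until they exit.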
@@ -22,13 +22,16 @@ Name: gvfs Version: 1.39.4 -Release: 1%{?dist} +Release: 2%{?dist} Summary: Backends for the gio framework in GLib License: GPLv3 and LGPLv2+ and BSD and MPLv2.0 URL: https://wiki.gnome.org/Projects/gvfs Source0: https://download.gnome.org/sources/gvfs/1.39/gvfs-%{version}.tar.xz +# https://gitlab.gnome.org/GNOME/gvfs/issues/355 +Patch0: admin-Prevent-access-if-any-authentication-agent-isn.patch + BuildRequires: meson BuildRequires: gcc BuildRequires: pkgconfig @@ -209,7 +212,7 @@ The gvfs-tests package contains tests that can be used to verify the functionality of the installed gvfs package. %prep -%setup -q +%autosetup -p1 %build %meson -Dinstalled_tests=true \ @@ -396,6 +399,9 @@ killall -USR1 gvfsd >&/dev/null || : %{_datadir}/installed-tests %changelog +* Thu Jan 17 2019 Ondrej Holy - 1.39.4-2 +- admin: Prevent access if any authentication agent isn't available + * Mon Jan 07 2019 Kalev Lember - 1.39.4-1 - Update to 1.39.4