admin: Prevent access if any authentication agent isn't available

Ondrej Holy 2019-01-17 13:39:24 +01:00
parent 5027403e1e
commit 893af88d20
2 changed files with 50 additions and 2 deletions

@ -0,0 +1,42 @@
From d8d0c8c40049cfd824b2b90d0cd47914052b9811 Mon Sep 17 00:00:00 2001
From: Ondrej Holy <oholy@redhat.com>
Date: Wed, 2 Jan 2019 17:13:27 +0100
Subject: [PATCH] admin: Prevent access if any authentication agent isn't
available
The backend currently allows to access and modify files without prompting
for password if any polkit authentication agent isn't available. This seems
isn't usually problem, because polkit agents are integral parts of
graphical environments / linux distributions. The agents can't be simply
disabled without root permissions and are automatically respawned. However,
this might be a problem in some non-standard cases.
This affects only users which belong to wheel group (i.e. those who are
already allowed to use sudo). It doesn't allow privilege escalation for
users, who don't belong to that group.
Let's return permission denied error also when the subject can't be
authorized by any polkit agent to prevent this behavior.
Closes: https://gitlab.gnome.org/GNOME/gvfs/issues/355
---
daemon/gvfsbackendadmin.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/daemon/gvfsbackendadmin.c b/daemon/gvfsbackendadmin.c
index ec0f2392..0f849008 100644
--- a/daemon/gvfsbackendadmin.c
+++ b/daemon/gvfsbackendadmin.c
@@ -130,8 +130,7 @@ check_permission (GVfsBackendAdmin *self,
return FALSE;
}
- is_authorized = polkit_authorization_result_get_is_authorized (result) ||
- polkit_authorization_result_get_is_challenge (result);
+ is_authorized = polkit_authorization_result_get_is_authorized (result);
g_object_unref (result);
--
2.20.1
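
Review bot: in check_permission, the new single-call assignment to is_authorized leaves nothing in the code saying why a challenge result is now rejected. A short comment above it, stating that polkit_authorization_result_get_is_challenge only says authentication would be needed and (per the commit message) is what the backend sees when no agent is available, would keep a later cleanup from restoring the `||` branch. The patch also adds no test for the no-agent case, which is the only scenario whose behaviour it changes.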

@ -22,13 +22,16 @@
Name: gvfs Name: gvfs
Version: 1.39.4 Version: 1.39.4
Release: 1%{?dist} Release: 2%{?dist}
Summary: Backends for the gio framework in GLib Summary: Backends for the gio framework in GLib
License: GPLv3 and LGPLv2+ and BSD and MPLv2.0 License: GPLv3 and LGPLv2+ and BSD and MPLv2.0
URL: https://wiki.gnome.org/Projects/gvfs URL: https://wiki.gnome.org/Projects/gvfs
Source0: https://download.gnome.org/sources/gvfs/1.39/gvfs-%{version}.tar.xz Source0: https://download.gnome.org/sources/gvfs/1.39/gvfs-%{version}.tar.xz
# https://gitlab.gnome.org/GNOME/gvfs/issues/355
Patch0: admin-Prevent-access-if-any-authentication-agent-isn.patch
BuildRequires: meson BuildRequires: meson
BuildRequires: gcc BuildRequires: gcc
BuildRequires: pkgconfig BuildRequires: pkgconfig
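
Review bot: the comment above Patch0 points only at the upstream issue. Stating whether the fix is already merged upstream, and from which release it will be in the tarball, would tell whoever rebases past 1.39.4 whether Patch0 can simply be dropped or has to be carried forward.
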
@ -209,7 +212,7 @@ The gvfs-tests package contains tests that can be used to verify
the functionality of the installed gvfs package. the functionality of the installed gvfs package.
%prep %prep
%setup -q %autosetup -p1
%build %build
%meson -Dinstalled_tests=true \ %meson -Dinstalled_tests=true \
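
Review bot: replacing `%setup -q` with `%autosetup -p1` in %prep changes how every future PatchN is handled, not just Patch0: all of them will be applied automatically at strip level 1. That matches the a/ and b/ prefixes in the added patch, but a later patch that needs a different strip level or conditional application will need `%autosetup -N` with explicit `%patch` lines, so a one-line comment in %prep recording that choice would help.
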
@ -396,6 +399,9 @@ killall -USR1 gvfsd >&/dev/null || :
%{_datadir}/installed-tests %{_datadir}/installed-tests
%changelog %changelog
* Thu Jan 17 2019 Ondrej Holy <oholy@redhat.com> - 1.39.4-2
- admin: Prevent access if any authentication agent isn't available
* Mon Jan 07 2019 Kalev Lember <klember@redhat.com> - 1.39.4-1 * Mon Jan 07 2019 Kalev Lember <klember@redhat.com> - 1.39.4-1
- Update to 1.39.4 - Update to 1.39.4
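
Review bot: the 1.39.4-2 changelog entry repeats the patch subject only. It should also carry the upstream issue reference that the Patch0 comment gives (GNOME/gvfs issue 355), so the reason for the release bump can be traced from the package changelog alone, and it does not mention the switch from `%setup -q` to `%autosetup -p1`.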