meta-oe/recipes-extended/polkit/polkit/CVE-2018-19788_p2.patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153

From 17f18d9f81d99b014c680e7e50198d7f190b804e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Mon, 3 Dec 2018 11:20:34 +0100
Subject: [PATCH 2/3] tests: add tests for high uids

CVE: CVE-2018-19788
Upstream-Status: Backport
[https://gitlab.freedesktop.org/polkit/polkit/commit/b534a10727455409acd54018a9c91000e7626126]

Signed-off-by: Dan Tran <dantran@microsoft.com>
---
 test/data/etc/group                           |  1 +
 test/data/etc/passwd                          |  2 +
 .../etc/polkit-1/rules.d/10-testing.rules     | 21 ++++++
 .../test-polkitbackendjsauthority.c           | 72 +++++++++++++++++++
 4 files changed, 96 insertions(+)

diff --git a/test/data/etc/group b/test/data/etc/group
index 12ef328..b9acab9 100644
--- a/test/data/etc/group
+++ b/test/data/etc/group
@@ -5,3 +5,4 @@ john:x:500:
 jane:x:501:
 sally:x:502:
 henry:x:503:
+highuid2:x:4000000000:
diff --git a/test/data/etc/passwd b/test/data/etc/passwd
index 8544feb..5cf14a5 100644
--- a/test/data/etc/passwd
+++ b/test/data/etc/passwd
@@ -3,3 +3,5 @@ john:x:500:500:John Done:/home/john:/bin/bash
 jane:x:501:501:Jane Smith:/home/jane:/bin/bash
 sally:x:502:502:Sally Derp:/home/sally:/bin/bash
 henry:x:503:503:Henry Herp:/home/henry:/bin/bash
+highuid1:x:2147483648:2147483648:The first high uid:/home/highuid1:/sbin/nologin
+highuid2:x:4000000000:4000000000:An example high uid:/home/example:/sbin/nologin
diff --git a/test/data/etc/polkit-1/rules.d/10-testing.rules b/test/data/etc/polkit-1/rules.d/10-testing.rules
index 446e622..98bf062 100644
--- a/test/data/etc/polkit-1/rules.d/10-testing.rules
+++ b/test/data/etc/polkit-1/rules.d/10-testing.rules
@@ -53,6 +53,27 @@ polkit.addRule(function(action, subject) {
     }
 });
 
+polkit.addRule(function(action, subject) {
+    if (action.id == "net.company.john_action") {
+        if (subject.user == "john") {
+            return polkit.Result.YES;
+        } else {
+            return polkit.Result.NO;
+        }
+    }
+});
+
+polkit.addRule(function(action, subject) {
+    if (action.id == "net.company.highuid2_action") {
+        if (subject.user == "highuid2") {
+            return polkit.Result.YES;
+        } else {
+            return polkit.Result.NO;
+        }
+    }
+});
+
+
 // ---------------------------------------------------------------------
 // variables
 
diff --git a/test/polkitbackend/test-polkitbackendjsauthority.c b/test/polkitbackend/test-polkitbackendjsauthority.c
index b484a26..71aad23 100644
--- a/test/polkitbackend/test-polkitbackendjsauthority.c
+++ b/test/polkitbackend/test-polkitbackendjsauthority.c
@@ -330,6 +330,78 @@ static const RulesTestCase rules_test_cases[] = {
     NULL,
     POLKIT_IMPLICIT_AUTHORIZATION_AUTHORIZED,
   },
+
+  {
+    /* highuid1 is not a member of group 'users', see test/data/etc/group */
+    "group_membership_with_non_member(highuid22)",
+    "net.company.group.only_group_users",
+    "unix-user:highuid2",
+    NULL,
+    POLKIT_IMPLICIT_AUTHORIZATION_NOT_AUTHORIZED,
+  },
+
+  {
+    /* highuid2 is not a member of group 'users', see test/data/etc/group */
+    "group_membership_with_non_member(highuid21)",
+    "net.company.group.only_group_users",
+    "unix-user:highuid2",
+    NULL,
+    POLKIT_IMPLICIT_AUTHORIZATION_NOT_AUTHORIZED,
+  },
+
+  {
+    /* highuid1 is not a member of group 'users', see test/data/etc/group */
+    "group_membership_with_non_member(highuid24)",
+    "net.company.group.only_group_users",
+    "unix-user:2147483648",
+    NULL,
+    POLKIT_IMPLICIT_AUTHORIZATION_NOT_AUTHORIZED,
+  },
+
+  {
+    /* highuid2 is not a member of group 'users', see test/data/etc/group */
+    "group_membership_with_non_member(highuid23)",
+    "net.company.group.only_group_users",
+    "unix-user:4000000000",
+    NULL,
+    POLKIT_IMPLICIT_AUTHORIZATION_NOT_AUTHORIZED,
+  },
+
+  {
+    /* john is authorized to do this, see 10-testing.rules */
+    "john_action",
+    "net.company.john_action",
+    "unix-user:john",
+    NULL,
+    POLKIT_IMPLICIT_AUTHORIZATION_AUTHORIZED,
+  },
+
+  {
+    /* only john is authorized to do this, see 10-testing.rules */
+    "jane_action",
+    "net.company.john_action",
+    "unix-user:jane",
+    NULL,
+    POLKIT_IMPLICIT_AUTHORIZATION_NOT_AUTHORIZED,
+  },
+
+  {
+    /* highuid2 is authorized to do this, see 10-testing.rules */
+    "highuid2_action",
+    "net.company.highuid2_action",
+    "unix-user:highuid2",
+    NULL,
+    POLKIT_IMPLICIT_AUTHORIZATION_AUTHORIZED,
+  },
+
+  {
+    /* only highuid2 is authorized to do this, see 10-testing.rules */
+    "highuid1_action",
+    "net.company.highuid2_action",
+    "unix-user:highuid1",
+    NULL,
+    POLKIT_IMPLICIT_AUTHORIZATION_NOT_AUTHORIZED,
+  },
 };
 
 /* ---------------------------------------------------------------------------------------------------- */
-- 
2.22.0.vfs.1.1.57.gbaf16c8