Ubuntu
policykit package

/proc/$pid/* gets too restrictive permissions for g-s-t tools

Bug #181088 reported by Carlos Garnacho
18
Affects Status Importance Assigned to Milestone
policykit (Ubuntu)
Fix Released
High
Martin Pitt
Ubuntu ubuntu-8.04

Bug Description

Binary package hint: gnome-system-tools

gnome-system-tools relies on PolicyKit to check privileges, and PolicyKit-gnome 0.6 requires reading /proc/$pid/exe to know the executable binary path, however this is what I get when running any g-s-t tool (didn't see it with other executables):

$ ps -ef | grep "network-admin"
carlos 9385 8497 0 20:35 pts/1 00:00:00 ./network-admin
$ ls -l /proc/9385/exe
ls: cannot read symbolic link /proc/9385/exe: Permission denied
lrwxrwxrwx 1 root root 0 2008-01-07 20:36 /proc/9385/exe

When pressing the "unlock" button, PolicyKit-gnome should show a dialog to ask for the user/admin password, but due to these permissions, it fails, g-s-t was incorrectly interpreting the error as a successful reply (fixed in svn trunk), but there's clearly a much bigger underlying problem, so the possible solutions are:

1) Check where does the /proc/$pid entry for g-s-t tools get such permissions and unpatch/fix it
2) Update to PolicyKit 0.7, where the exec path isn't anymore a hard requirement

I'm reporting it to the g-s-t package as it's where it's visible

Related branches

lp:ubuntu/karmic/policykit
Revision history for this message
Sebastien Bacher (seb128) wrote :

Thank you for the detail bug report, I've subscribed Martin who might know about the issue

Changed in gnome-system-tools:
assignee: nobody → desktop-bugs
importance: Undecided → High
milestone: none → ubuntu-8.04
status: New → Confirmed
Revision history for this message
Martin Pitt (pitti) wrote :

I confirm the /proc/pid/exe readlink failure. It doesn't work for g-s-t tools, but I can do it for other processes of mine.

I didn't upgrade PK to 0.7 yet because it does not work at all at least for me (tested with gnome-mount). Apparently the dbus API changed and the client apps need updates as well?

Sebastien Bacher (seb128)
Changed in gnome-system-tools:
milestone: ubuntu-8.04 → hardy-alpha-3
Martin Pitt (pitti)
Changed in gnome-system-tools:
assignee: desktop-bugs → pitti
milestone: hardy-alpha-3 → ubuntu-8.04
status: Confirmed → In Progress
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package policykit - 0.6-1ubuntu4

---------------
policykit (0.6-1ubuntu4) hardy; urgency=low

  * Disable 02_noptrace.patch for now, since disabling ptrace() also disables
    reading /proc/<pid>/exe and PK 0.6 depends on this. (LP: #181088)

 -- Martin Pitt <email address hidden> Tue, 08 Jan 2008 09:50:53 +0100

Changed in policykit:
status: In Progress → Fix Released
Revision history for this message
Saivann Carignan (oxmosys) wrote :

Tested latest hardy updates and changing root account with GST now works, thanks for your great work!

Revision history for this message
Phoul (v-admin-insecure-complexity-com) wrote :

This bug has been revived in the latest hardy update

Revision history for this message
Emilio Pozuelo Monfort (pochu) wrote :

Martin, it seems like you enabled that patch again:

    - debian/patches/02_noptrace.patch: Disable ptrace() for
      polkit-gnome-manager, to make it harder to silently abuse gained PK
      privileges. (See policykit-integration spec). Forwarded to FD#13742.

Changed in policykit:
status: Fix Released → Triaged
Revision history for this message
Martin Pitt (pitti) wrote :

I deliberately added the patch again since with 0.7 g-s-t works fine for me with the ptrace protection enabled. What exactly broke for you?

Changed in policykit:
status: Triaged → Incomplete
Revision history for this message
Martin Pitt (pitti) wrote :

Let's discuss this in bug 183673. I believe that this bug is fixed.

Changed in policykit:
status: Incomplete → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Duplicates of this bug

Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.