polkit-github-migration-bot / t4_polkit


should special case CAP_SYS_ADMIN on Linux, not uid 0 #35

Open polkit-github-migration-bot opened 13 years ago

polkit-github-migration-bot commented 13 years ago

In gitlab.freedesktop.org by bugzilla-migration on Mar 24, 2011, 07:10

Link to the original issue: https://gitlab.freedesktop.org/polkit/polkit/-/issues/33

Submitted by Colin Walters @walters

Assigned to David Zeuthen @david

Link to original bug (#35623)

Description

Polkit currently authorizes uid 0 for anything, which is suboptimal for operating system creators who have done work to drop Linux capabilities from processes, even if they retain uid 0 (like syslogd say).

Not a big deal, but worth fixing.

polkit-github-migration-bot commented 9 years ago

In gitlab.freedesktop.org by bugzilla-migration on Mar 31, 2015, 09:50

:speech_balloon: Simon McVittie said:

(In reply to Colin Walters from comment 0)

> Polkit currently authorizes uid 0 for anything, which is suboptimal

If it's determining that the uid is 0 by asking dbus-daemon, then this cannot be fixed without kdbus or similar, because:

(The way that has a race, which is unsuitable for exactly that reason, is to get the peer's pid and look in /proc/PID/status.)
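The distinction this issue draws between uid 0 and CAP_SYS_ADMIN, as an added example that is not polkit code: it reads the `Uid` and `CapEff` fields from text in `/proc/PID/status` layout and applies both rules to constructed samples. The names `field` and `is_privileged` and the sample strings are hypothetical; the pid-based lookup is racy, as the comment above notes, so this shows only how the two rules diverge, not a usable authorization check.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CAP_SYS_ADMIN_BIT 21 /* value of CAP_SYS_ADMIN in <linux/capability.h> */

/* Constructed samples in /proc/PID/status layout (not captured from a real system).
 * DROPPED_ROOT keeps only CAP_NET_BIND_SERVICE (bit 10) and CAP_SYSLOG (bit 34). */
static const char FULL_ROOT[]    = "Name:\tsample-root\nUid:\t0\t0\t0\t0\nCapEff:\t000001ffffffffff\n";
static const char DROPPED_ROOT[] = "Name:\tsample-syslogd\nUid:\t0\t0\t0\t0\nCapEff:\t0000000400000400\n";
static const char PLAIN_USER[]   = "Name:\tsample-user\nUid:\t1000\t1000\t1000\t1000\nCapEff:\t0000000000000000\n";

/* Return the text after "key:" on the line that starts with key, or NULL. */
static const char *field(const char *status, const char *key)
{
    size_t n = strlen(key);
    while (status && *status) {
        if (strncmp(status, key, n) == 0 && status[n] == ':')
            return status + n + 1;
        status = strchr(status, '\n');   /* advance to the next line */
        if (status) status++;
    }
    return NULL;
}

/* 1 = privileged, 0 = not, -1 = fields missing or malformed.
 * by_cap=false: the uid 0 rule; by_cap=true: require CAP_SYS_ADMIN in CapEff. */
int is_privileged(const char *status, bool by_cap)
{
    const char *uid = field(status, "Uid"), *cap = field(status, "CapEff");
    unsigned long ruid, euid;            /* Uid: real, effective, saved, fs */
    if (!uid || !cap || sscanf(uid, "%lu %lu", &ruid, &euid) != 2)
        return -1;
    while (*cap == ' ' || *cap == '\t') cap++;
    if (!isxdigit((unsigned char)*cap)) return -1;  /* empty value: fail closed */
    uint64_t eff = strtoull(cap, NULL, 16);
    return by_cap ? (int)((eff >> CAP_SYS_ADMIN_BIT) & 1) : euid == 0;
}

int main(void)
{
    const char *samples[] = { FULL_ROOT, DROPPED_ROOT, PLAIN_USER };
    for (int i = 0; i < 3; i++)
        printf("sample %d: uid0-rule=%d cap-rule=%d\n", i, is_privileged(samples[i], false), is_privileged(samples[i], true));
    return 0;
}
```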