File PolicyKit-0.9-pidconstraint.diff of Package PolicyKit
Don't resolve pid->exe unless the exe resolve helper is setuid root. Otherwise
pid constraints might get added to obtained privileges even though unprivileged
programs can never verify them.
Index: PolicyKit-0.9/src/polkit/polkit-authorization-constraint.c
===================================================================
--- PolicyKit-0.9.orig/src/polkit/polkit-authorization-constraint.c
+++ PolicyKit-0.9/src/polkit/polkit-authorization-constraint.c
@@ -545,6 +545,23 @@ out:
return ret;
}
+
+/* check whether binary is setuid root and executable for anyone */
+static polkit_bool_t
+_check_setuid_root(const char* path)
+{
+ struct stat stb;
+
+ if(stat(path, &stb) == 0
+ && S_ISREG(stb.st_mode)
+ && (stb.st_mode & 04111) == 04111
+ && stb.st_uid == 0) {
+ return TRUE;
+ }
+
+ return FALSE;
+}
+
/**
* polkit_authorization_constraint_get_from_caller:
* @caller: caller
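Review bot: `_check_setuid_root` uses `struct stat`, `stat()` and `S_ISREG`, but the hunk adds no `#include <sys/stat.h>`; unless polkit-authorization-constraint.c already pulls it in (not visible here) this will not compile. The octal mask `04111` would read better as the named bits `(S_ISUID | S_IXUSR | S_IXGRP | S_IXOTH)`, and since this result decides whether the helper's answer is trusted at all, it is worth also refusing a helper that is group- or world-writable, e.g. `&& (stb.st_mode & (S_IWGRP | S_IWOTH)) == 0`. Style: the new code writes `if(` where the surrounding file writes `if (` (see the `if (n != -1 ...` line in the next hunk).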
@@ -621,7 +638,18 @@ polkit_authorization_constraint_get_from
*
* An example of this is pulseaudio...
*/
- n = polkit_sysdeps_get_exe_for_pid_with_helper (pid, path, sizeof (path));
+
+ /* HOWEVER don't set pid contraints if the exe helper isn't
+ * setuid root to ensure that unprivileged programs will
+ * actually be able to check such constraints later.
+ * XXX: should be a sysdeps function. Upstream disagrees with
+ * me about that feature anyways so let's live with the hack
+ */
+ n = -1;
+ if(_check_setuid_root(PACKAGE_LIBEXEC_DIR "/polkit-resolve-exe-helper")) {
+ n = polkit_sysdeps_get_exe_for_pid_with_helper (pid, path, sizeof (path));
+ }
+
if (n != -1 && n < (int) sizeof (path)) {
PolKitAuthorizationConstraint *c;
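Review bot: The helper path `PACKAGE_LIBEXEC_DIR "/polkit-resolve-exe-helper"` is spelled out here independently of wherever `polkit_sysdeps_get_exe_for_pid_with_helper` execs it, so the two can silently drift; the XXX comment already concedes this belongs in sysdeps, so at minimum hoist the literal into one shared `#define` that both sites use. When the check fails, `n` stays -1 and the pid constraint is silently dropped, which makes a mis-packaged (non-setuid) helper indistinguishable from a pid the helper could not resolve; a comment such as `/* helper not setuid root: pid constraint deliberately omitted */` on the `n = -1;` line, plus a debug message through whatever logging facility the file uses, would make that visible to operators. Minor: `if(` here differs from the `if (` two lines below, and "contraints" in the new comment is misspelled. The enclosing function continues past the end of this hunk.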