Re: Agent Authentication Question

2015-06-04 Thread Colin Walters
On Thu, Jun 4, 2015, at 09:20 AM, Colin Walters wrote: > > But I'd be most comfortable if we did *both* "uid binding" and "secret > cookie". Ok, updated patches are in: https://bugs.freedesktop.org/show_bug.cgi?id=90837 https://bugs.freedesktop.org/show_bug.cgi?id=90832 I wouldn't call these

Re: Agent Authentication Question

2015-06-04 Thread Colin Walters
On Thu, Jun 4, 2015, at 07:49 AM, Miloslav Trmač wrote: > Hello, > > I'm still thinking about stronger approaches. I think the strongest thing > > we > > could do would be to enforce the binding of cookie -> agent. Given that > > there can be at most one agent per uid > > No, it is per sessio

Re: Agent Authentication Question

2015-06-04 Thread Miloslav Trmač
Hello, > I'm still thinking about stronger approaches. I think the strongest thing we > could do would be to enforce the binding of cookie -> agent. Given that > there can be at most one agent per uid No, it is per session or per PID. (polkit_backend_interactive_authority_register_authenticatio

Re: Agent Authentication Question

2015-06-03 Thread Colin Walters
On Wed, Jun 3, 2015, at 05:22 PM, Colin Walters wrote: > Or should I just revert it? I ended up pushing a revert, as I wanted to cleanly investigate other options. > # Idea 1: Pass and verify uid > - Add a new API AuthenticationAgentResponse2 which also takes a uint32 uid. > - Change polkit-

Re: Agent Authentication Question

2015-06-03 Thread Colin Walters
On Wed, Jun 3, 2015, at 03:40 PM, Miloslav Trmač wrote: > > Isn’t this a privilege escalation actually? > > Mallory creates auth_admin* sessions for all possible cookie values, > and waits for Alice to (or social-engineers Alice to) create a new auth_admin > session for an unrelated p

Re: Agent Authentication Question

2015-06-03 Thread Miloslav Trmač
Hello, Apologies for the late response, I was on PTO. > On Fri, May 29, 2015, at 02:00 PM, Tavis Ormandy wrote: > > Hello, I've been browsing the reference code and have a question about > > how the session cookies are maintained. It looks like the cookie > > generator can wrap and two identical c

Re: Agent Authentication Question

2015-06-03 Thread Colin Walters
Hi Tavis, (By the way, thanks for all of your work in security research) On Fri, May 29, 2015, at 02:00 PM, Tavis Ormandy wrote: > Hello, I've been browsing the reference code and have a question about > how the session cookies are maintained. It looks like the cookie > generator can wrap and two

Agent Authentication Question

2015-05-29 Thread Tavis Ormandy
Hello, I've been browsing the reference code and have a question about how the session cookies are maintained. It looks like the cookie generator can wrap and two identical cookies could exist simultaneously in the active sessions list. static gchar * authentication_agent_new_cookie (Authenticatio