Merge pull request #423 from swomf/polkit-write-anywhere

SECURITY: Prevent create_ap's --mkconfig switch from overwriting any file without explicit authorization
2024-11-21 11:30:09 +00:00 · 2024-11-09 15:42:14 +05:30 · 2024-11-09 15:42:14 +05:30 · 2cedd27e32
commit 2cedd27e32
parent c46049b9ec 826f0a82c0
1 changed files with 20 additions and 1 deletions
--- a/src/scripts/create_ap
+++ b/src/scripts/create_ap
@ -1006,7 +1006,26 @@ send_stop() {
 write_config() {
    local i=1

-    if ! eval 'echo -n > "$STORE_CONFIG"' > /dev/null 2>&1; then
+    # If using pkexec, evaluate permissions before writing.
+    #   However, the /etc/create_ap.conf
+    #   location is excepted.
+    if [[ "$STORE_CONFIG" != "/etc/create_ap.conf" && $PKEXEC_UID ]]; then
+        if [ -e "$STORE_CONFIG" ]; then
+            if ! pkexec --user "$(id -nu $PKEXEC_UID)" test -w "$STORE_CONFIG"; then
+                echo "ERROR: 1 $(id -nu $PKEXEC_UID) has insufficient permissions to write to config file $STORE_CONFIG"
+                exit 1
+            fi
+        elif ! pkexec --user "$(id -nu $PKEXEC_UID)" test -w "$(dirname "$STORE_CONFIG")"; then
+            echo "ERROR: 2 $(id -nu $PKEXEC_UID) has insufficient permissions to write to config file $STORE_CONFIG"
+            exit 1
+        fi
+        # Assume that the user is making a conf file in a directory they normally
+        # have control over, and keep permissions strictly private. (i.e. they will
+        # need to run create_ap directly with sudo in order to write to, say, /etc/create_ap2.conf)
+        touch "$STORE_CONFIG"
+        chown "$(id -nu $PKEXEC_UID):$(id -ng $PKEXEC_GID)" "$STORE_CONFIG"
+        chmod 600 "$STORE_CONFIG"
+    elif ! eval 'echo -n > "$STORE_CONFIG"' > /dev/null 2>&1; then
        echo "ERROR: Unable to create config file $STORE_CONFIG" >&2
        exit 1
    fi