Date: Fri, 7 Apr 2017 10:41:59 +0200
From: Matthias Gerstner <>
Subject: CVE-2017-7572: backintime: usage of deprecated unix-process polkit
 authorization subject opens a race condition during authorization


backintime includes a DBus service helper 'qt/'. This helper
uses polkit to authorize some of its APIs; they should only be accessible
after entering the root password. The helper program uses the deprecated
"unix-process" authorization subject for this purpose, however. This polkit
authorization method is known to be affected by a "time of check, time of use"
race condition:

To exploit this issue an attacker needs to be able to replace the PID of
a process that requests an affected polkit privilege by a root owned
process, just in time for polkitd to assume that the requesting process
was privileged and no further password entry is required.

In the worst case this could allow a regular user to add udev rules to the
system that run commands in the context of the regular user, once a certain
udev event occurs. I don't think it is easily possible to gain root privileges
this way. This is because the serviceHelper wraps the udev commands in a sudo
call running as the user owning the requesting process. The determination of
this identity is done in a different, more secure way.

I've proposed a fix to upstream that changes the authorization mechanism to
"system-bus-name" which is considered safe and not affected by the described
race condition.

This issue was discovered by Sebastian Krahmer of the SUSE security team.


[Suggested patch]
[openSUSE bug]

Matthias Gerstner <>
Dipl.-Wirtsch.-Inf. (FH), Security Engineer
Telefon: +49 911 740 53 290

SUSE Linux GmbH 
GF: Felix Imendörffer, Jane Smithard, Graham Norton
HRB 21284 (AG Nuernberg)
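The following is an added example, not code from backintime or from the advisory author, showing the two polkit subject shapes the advisory contrasts as a D-Bus service helper would build them. Polkit's `org.freedesktop.PolicyKit1.Authority.CheckAuthorization` takes a subject as a `(kind, details)` struct: the deprecated `unix-process` kind carries `pid` and `start-time`, while `system-bus-name` carries the caller's unique bus name, which the bus daemon itself guarantees cannot be taken over by another process. The authority proxy is injected as a callable so the example runs offline against a constructed stand-in; the action ID and bus names are constructed placeholders, and `FakeAuthority` is not a polkit component.

```python
"""Building polkit subjects in a D-Bus service helper: deprecated vs. safe (added example)."""
from typing import Any, Callable, Dict, List, Tuple

# CheckAuthorizationFlags.AllowUserInteraction in the polkit D-Bus API.
POLKIT_ALLOW_USER_INTERACTION = 1

# Constructed placeholder; backintime's real action IDs are not given in the advisory.
ACTION_ID = "org.example.placeholder.udev-rules"

Subject = Tuple[str, Dict[str, Any]]
# Shape of Authority.CheckAuthorization as called from the helper:
#   (subject, action_id, details, flags, cancellation_id) -> (is_authorized, is_challenge, details)
CheckAuthorization = Callable[
    [Subject, str, Dict[str, str], int, str], Tuple[bool, bool, Dict[str, str]]
]


def read_proc_start_time(pid: int) -> int:
    """Return field 22 of /proc/<pid>/stat (process start time in clock ticks).

    This is the 'start-time' value polkit expects alongside 'pid' for a
    unix-process subject; polkitd uses it to detect PID reuse, but the window
    between reading it here and polkitd re-reading it is the race the advisory
    describes.
    """
    with open(f"/proc/{pid}/stat") as f:
        stat = f.read()
    # The comm field may contain spaces or parentheses, so split after the last ')'.
    fields = stat[stat.rindex(")") + 2:].split()
    return int(fields[19])  # index 19 after pid and comm == field 22 overall


def unix_process_subject(pid: int, start_time: int) -> Subject:
    """Deprecated subject kind: identifies the caller by PID plus start time.

    polkitd has to map this PID back to a uid at check time, which is a
    time-of-check/time-of-use lookup against a mutable process table.
    """
    return ("unix-process", {"pid": pid, "start-time": start_time})


def system_bus_name_subject(sender: str) -> Subject:
    """Recommended subject kind: identifies the caller by its unique bus name.

    With dbus-python the helper gets this value from the method decorator's
    sender_keyword argument; it is assigned by the bus daemon and cannot be
    re-used by another connection while the caller is connected.
    """
    if not sender.startswith(":"):
        raise ValueError(f"expected a unique bus name such as ':1.42', got {sender!r}")
    return ("system-bus-name", {"name": sender})


def is_caller_authorized(check: CheckAuthorization, sender: str, action_id: str) -> bool:
    """Ask polkit whether the D-Bus sender may perform action_id, allowing a password prompt."""
    subject = system_bus_name_subject(sender)
    authorized, _is_challenge, _details = check(
        subject, action_id, {}, POLKIT_ALLOW_USER_INTERACTION, ""
    )
    return bool(authorized)


class FakeAuthority:
    """Constructed stand-in for the polkit Authority proxy so the example runs offline.

    It records every subject it is asked about and grants the action only to
    system-bus-name subjects in a constructed allow-list; it does not model
    polkitd's real uid lookup or the race itself.
    """

    def __init__(self, allowed_names: List[str]) -> None:
        self.allowed_names = set(allowed_names)
        self.seen: List[Subject] = []

    def check_authorization(self, subject: Subject, action_id: str, details: Dict[str, str],
                            flags: int, cancellation_id: str) -> Tuple[bool, bool, Dict[str, str]]:
        self.seen.append(subject)
        kind, info = subject
        if kind == "system-bus-name":
            return (info["name"] in self.allowed_names, False, {})
        # A real polkitd would resolve unix-process subjects via /proc; the stand-in refuses them.
        return (False, False, {})


if __name__ == "__main__":
    authority = FakeAuthority(allowed_names=[":1.42"])
    for sender in (":1.42", ":1.99"):
        print(sender, "authorized:", is_caller_authorized(authority.check_authorization, sender, ACTION_ID))
    print("subjects seen by the authority:", authority.seen)
```

In a real helper the `check` callable is the `CheckAuthorization` method on a proxy for `/org/freedesktop/PolicyKit1/Authority` on the system bus, and `sender` is the unique name dbus-python passes in via `sender_keyword`; nothing else in the helper's authorization path needs to change when moving from `unix-process` to `system-bus-name`.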
