 |
 |
 |
PolicyKit Library Reference Manual |  |
|---|---|---|---|---|
| Top | Description | ||||
Synopsis
polkit_uint64_t polkit_sysdeps_get_start_time_for_pid (pid_t pid); int polkit_sysdeps_get_exe_for_pid (pid_t pid, char *out_buf, size_t buf_size); int polkit_sysdeps_get_exe_for_pid_with_helper (pid_t pid, char *out_buf, size_t buf_size);
Details
polkit_sysdeps_get_start_time_for_pid ()
polkit_uint64_t polkit_sysdeps_get_start_time_for_pid (pid_t pid);
Get when a process started.
|
process id |
Returns : |
start time for the process or 0 if an error occured and errno will be set |
Since 0.7
polkit_sysdeps_get_exe_for_pid ()
int polkit_sysdeps_get_exe_for_pid (pid_t pid,
char *out_buf,
size_t buf_size);
Get the name of the binary a given process was started from.
Note that this is not necessary reliable information and as such
shouldn't be relied on 100% to make a security decision. In fact,
this information is only trustworthy in situations where the given
binary is securely locked down meaning that 1) it can't be
ptrace(2)'d; 2) libc secure mode kicks in (e.g
LD_PRELOAD won't work); 3) there are no other
attack vectors (e.g. GTK_MODULES, X11, CORBA, D-Bus) to patch
running code into the process.
In other words: the risk of relying on constraining an
authorization to the output of this function is high. Suppose that
the program /usr/bin/gullible obtains an
authorization via authentication for the action
org.example.foo. We add a constraint to say that
the gained authorization only applies to processes for whom
/proc/pid/exe points to
/usr/bin/gullible. Now enter
/usr/bin/evil. It knows that the program
/usr/bin/gullible is not "securely locked down"
(per the definition in the above paragraph). So
/usr/bin/evil simply sets
LD_PRELOAD and execs
/usr/bin/gullible and it can now run code in a
process where /proc/pid/exe points to
/usr/bin/gullible. Thus, the recently gained
authorization for org.example.foo applies. Also,
/usr/bin/evil could use a host of other attack
vectors to run it's own code under the disguise of pretending to be
/usr/bin/gullible.
Specifically for interpreted languages like Python and Mono it is
the case that /proc/pid/exe always points to
/usr/bin/python
resp. /usr/bin/mono. Thus, it's not very useful
to rely on that the result for this function if you want to
constrain an authorization to
e.g. /usr/bin/tomboy or
/usr/bin/banshee.
If the information could not be obtained, such as if the given
process is owned by another user than the caller, -1 is returned
and out_buf will be set to "(unknown)". See also the function
polkit_sysdeps_get_exe_for_pid_with_helper().
|
process id |
|
buffer to store the string representation in |
|
size of buffer |
Returns : |
Number of characters written (not including trailing '\0'). If the output was truncated due to the buffer being too small, buf_size will be returned. Thus, a return value of buf_size or more indicates that the output was truncated (see snprintf(3)) or an error occured. If the name cannot be found, -1 will be returned. |
Since 0.7
polkit_sysdeps_get_exe_for_pid_with_helper ()
int polkit_sysdeps_get_exe_for_pid_with_helper
(pid_t pid,
char *out_buf,
size_t buf_size);
Like polkit_sysdeps_get_exe_for_pid() but if the given process is
owned by another user, a setuid root helper is used to obtain the
information. This helper only works if 1) the caller is authorized
for the org.freedesktop.policykit.read authorization; or 2) the
calling user is polkituser; or 3) the calling user is setegid
polkituser.
So -1 might still be returned (the process might also have exited).
|
process id |
|
buffer to store the string representation in |
|
size of buffer |
Returns : |
See polkit_sysdeps_get_exe_for_pid().
|
Since 0.8