- Linux Training
- Desktop Tutorials
- Server Tutorials
|Core API Reference - System Dependecies|
|Desktop Apps Training - Policy Kit|
Get when a process started.
int polkit_sysdeps_get_exe_for_pid (pid_t pid,
Get the name of the binary a given process was started from.
Note that this is not necessary reliable information and as such shouldn't be relied on 100% to make a security decision. In fact, this information is only trustworthy in situations where the given binary is securely locked down meaning that 1) it can't be ptrace(2)'d; 2) libc secure mode kicks in (e.g LD_PRELOAD won't work); 3) there are no other attack vectors (e.g. GTK_MODULES, X11, CORBA, D-Bus) to patch running code into the process.
In other words: the risk of relying on constraining an authorization to the output of this function is high. Suppose that the program /usr/bin/gullible obtains an authorization via authentication for the action org.example.foo. We add a constraint to say that the gained authorization only applies to processes for whom /proc/pid/exe points to /usr/bin/gullible. Now enter /usr/bin/evil. It knows that the program /usr/bin/gullible is not "securely locked down" (per the definition in the above paragraph). So /usr/bin/evil simply sets LD_PRELOAD and execs /usr/bin/gullible and it can now run code in a process where /proc/pid/exe points to /usr/bin/gullible. Thus, the recently gained authorization for org.example.foo applies. Also, /usr/bin/evil could use a host of other attack vectors to run it's own code under the disguise of pretending to be /usr/bin/gullible.
Specifically for interpreted languages like Python and Mono it is the case that /proc/pid/exe always points to /usr/bin/python resp. /usr/bin/mono. Thus, it's not very useful to rely on that the result for this function if you want to constrain an authorization to e.g. /usr/bin/tomboy or /usr/bin/banshee.
If the information could not be obtained, such as if the given process is owned by another user than the caller, -1 is returned and out_buf will be set to "(unknown)". See also the function.
Like polkit_sysdeps_get_exe_for_pid() but if the given process is owned by another user, a setuid root helper is used to obtain the information. This helper only works if 1) the caller is authorized for the org.freedesktop.policykit.read authorization; or 2) the calling user is polkituser; or 3) the calling user is setegid polkituser.
So -1 might still be returned (the process might also have exited).