CVE-2023-4104: Linux: Remove the use of polkit by oskirby · Pull Request #7055 · mozilla-mobile/mozilla-vpn-client
An invalid Polkit Authentication check and missing authentication requirements for D-Bus methods allowed any local user to configure arbitrary VPN setups. This bug only affects Mozilla VPN on Linux. Other operating systems are unaffected. This vulnerability affects Mozilla VPN client for Linux < v2.16.1.
Okay, I think I understand why the polkit code does nothing. The call polkit_unix_process_new_for_owner(getpid(), 0, -1) means that we are checking the permissions of the daemon (not the entity that invoked the D-Bus method). Because the daemon starts as root, this means that the allow_admin permission will always be met.
For this to have had any effect, instead of getpid() we should have been using the PID of the D-Bus method’s caller.
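The subject mix-up described in this comment, as an added Python model (not code from the pull request or from Mozilla VPN). The process table, bus connection names, the `authority_check` stand-in for the polkit check, and both handler names are constructed for illustration.

```python
from dataclasses import dataclass, field

ROOT_UID = 0
DAEMON_PID = 100  # constructed: the daemon, started as root

# Constructed process table (pid -> owner uid) and bus state
# (unique connection name -> pid of the connected client).
PROCESS_UIDS = {DAEMON_PID: ROOT_UID, 4242: 1000, 4343: ROOT_UID}
BUS_CONNECTIONS = {":1.7": 4242, ":1.8": 4343}


def authority_check(subject_pid):
    """Stand-in for the admin-only authorization: granted when the
    subject process is owned by root. Unknown pids are denied."""
    return PROCESS_UIDS.get(subject_pid) == ROOT_UID


@dataclass
class Daemon:
    pid: int = DAEMON_PID
    applied: list = field(default_factory=list)

    def activate_buggy(self, sender, config):
        # Subject is the daemon's own pid (the getpid() pattern), so
        # the answer never depends on who sent the request.
        if not authority_check(self.pid):
            return False
        self.applied.append((sender, config))
        return True

    def activate_fixed(self, sender, config):
        # Subject is the process behind the calling connection.
        caller_pid = BUS_CONNECTIONS.get(sender)
        if caller_pid is None or not authority_check(caller_pid):
            return False  # fail closed, including for unknown senders
        self.applied.append((sender, config))
        return True


def audit(handler_name):
    """Regression check: call one handler as each sender and return
    {sender: allowed}. ':1.99' is a sender the bus does not know."""
    daemon = Daemon()
    handler = getattr(daemon, handler_name)
    return {s: handler(s, "wg-test.conf") for s in (":1.7", ":1.8", ":1.99")}


if __name__ == "__main__":
    print("buggy:", audit("activate_buggy"))
    print("fixed:", audit("activate_fixed"))
```

The same shape works as a regression test against a real service: invoke each privileged method from an unprivileged account and assert that it is refused.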