SoylentNews is people

posted by martyb on Thursday January 27, @04:34AM

Major Linux PolicyKit security vulnerability uncovered: Pwnkit:

Polkit, formerly known as PolicyKit, is a systemd SUID-root program. It's installed by default in every major Linux distribution.

[...] This vulnerability is easy to exploit. And, with it, any ordinary user can gain full root privileges on a vulnerable computer by exploiting this vulnerability in its default configuration. As Qualys wrote in its brief description of the problem: "This vulnerability is an attacker's dream come true."

[...] Why is it so bad? Let us count the ways:

  • Pkexec is installed by default on all major Linux distributions.
  • Qualys has exploited Ubuntu, Debian, Fedora, and CentOS in their tests, and they're sure other distributions are also exploitable.
  • Pkexec has been vulnerable since its creation in May 2009 (commit c8c3d83, "Add a pkexec(1) command").
  • An unprivileged local user can exploit this vulnerability to get full root privileges.
  • Although this vulnerability is technically a memory corruption, it is exploitable instantly and reliably in an architecture-independent way.
  • And, last but not least, it's exploitable even if the polkit daemon itself is not running.

[...] While we know Linux can be attacked, Solaris and other Unix systems may also be vulnerable. We do know, however, that OpenBSD can't be attacked by exploits using this vulnerability.

Red Hat rates the PwnKit as having a Common Vulnerability Scoring System (CVSS) score of 7.8. This is high.

When used correctly, Polkit provides an organized way for non-privileged processes to communicate with privileged processes. It is also possible to use polkit to execute commands with elevated privileges using the command pkexec followed by the command intended to be executed with root permission.



  • (Score: 5, Insightful) by Runaway1956 on Thursday January 27, @04:53AM (25 children)

    by Runaway1956 (2926) Subscriber Badge on Thursday January 27, @04:53AM (#1216048) Homepage Journal

    It's installed by default in every major Linux distribution.

    Sadly. As noted, it's a systemd thing. I don't have systemd. I've never used pkexec. I was feeling good, almost gloating, "I ain't got that trash!" Whoops, I was wrong. MX Linux uses a systemd shim, to satisfy all those programs that are dependent on systemd. That is, systemd is installed, but doesn't run. Polkit, pkexec, and some polkit libraries are installed. Typing pkexec at the prompt gives me this:

    pkexec --version
    pkexec version 0.105

    Can't we just ban that Peter-ring kid from Linux?

    Updates for polkit are available, but it isn't clear to me at this moment that the updates actually fix the vulnerability.

    --
    “If everyone is thinking alike, then somebody isn't thinking.” ― George S. Patton on Ukraine
    • (Score: 3, Insightful) by janrinok on Thursday January 27, @05:18AM (9 children)

      by janrinok (52) Subscriber Badge on Thursday January 27, @05:18AM (#1216055) Journal

      Ubuntu has already issued the updates to fix this bug. I believe that the same will apply to many Debian-based distros. Update your software.

      --
      We are always looking for new staff in different areas - please volunteer if you have some spare time and wish to help
      • (Score: 3, Informative) by Runaway1956 on Thursday January 27, @06:03AM (8 children)

        by Runaway1956 (2926) Subscriber Badge on Thursday January 27, @06:03AM (#1216065) Homepage Journal

        I don't think any systemd-free distro is downstream from Ubuntu. I know MX isn't. Only Debian and Devuan are upstream from here.

        --
        “If everyone is thinking alike, then somebody isn't thinking.” ― George S. Patton on Ukraine
        • (Score: 2) by janrinok on Thursday January 27, @06:32AM (7 children)

          by janrinok (52) Subscriber Badge on Thursday January 27, @06:32AM (#1216078) Journal

          Yes but Ubuntu can get their fixes from Debian - if Ubuntu has it then many, if not all, Debian derivatives will also have it. That is the point that I was making.

          --
          We are always looking for new staff in different areas - please volunteer if you have some spare time and wish to help
          • (Score: -1, Offtopic) by Anonymous Coward on Thursday January 27, @07:20AM (6 children)

            by Anonymous Coward on Thursday January 27, @07:20AM (#1216088)

            What happened to aristarchus' journal? Has he been banned for good, in the interest of free speech?

            • (Score: -1, Offtopic) by Anonymous Coward on Thursday January 27, @07:25AM

              by Anonymous Coward on Thursday January 27, @07:25AM (#1216091)

              Sure! Mod free speech advocacy as "Troll". SoylentNews has betrayed BuckFeta, for real.

            • (Score: 4, Funny) by janrinok on Thursday January 27, @07:42AM (3 children)

              by janrinok (52) Subscriber Badge on Thursday January 27, @07:42AM (#1216097) Journal

              Don't know - I've just got out of bed. But let's spin it into some dastardly plot before we get any facts, I'm sure somebody will be along posting as AC soon to claim some such nonsense.

              --
              We are always looking for new staff in different areas - please volunteer if you have some spare time and wish to help
              • (Score: 0) by Anonymous Coward on Thursday January 27, @11:44AM (2 children)

                by Anonymous Coward on Thursday January 27, @11:44AM (#1216131)

                Isn't it obvious? MOSSAD used the systemd/polkit bug to infiltrate SN and remove Ari's journal because they were worried he was getting to close to the truth.

                • (Score: 2) by DannyB on Thursday January 27, @03:01PM (1 child)

                  by DannyB (5839) Subscriber Badge on Thursday January 27, @03:01PM (#1216170) Journal

                  he was getting to close to the truth.

                  he was getting two close too the truth.

                  FTFY

                  His journal seems to be right hear. [soylentnews.org]

                  --
                  Nature abhors a machine that removes dust from the living space.
                  • (Score: 0) by Anonymous Coward on Thursday January 27, @05:42PM

                    by Anonymous Coward on Thursday January 27, @05:42PM (#1216205)

                    I love that you changed the other "to" as well, even though you didn't bold it.

                    Bravo good sir.

            • (Score: 0) by Anonymous Coward on Friday January 28, @01:28AM

              by Anonymous Coward on Friday January 28, @01:28AM (#1216352)

              You're lucky we won't.

    • (Score: 3, Informative) by drussell on Thursday January 27, @05:22AM (5 children)

      by drussell (2678) Subscriber Badge on Thursday January 27, @05:22AM (#1216057) Journal

      Linux? Icky... yucky! Blech!

      FreeBSD 12.3-STABLE says to me:

      pkexec
      pkexec: Command not found.

      Obviously though, if you have installed sysutils/polkit, you may potentially be wanting to patch or update it, although it currently appears that FreeBSD systems wouldn't be vulnerable due to the fact that there is "no GNU libc which the payload would work on.":

      Greg V 2022-01-25 23:26:49 UTC

      Created attachment 231339 [freebsd.org] [details] [freebsd.org]
      0001-sysutils-polkit-add-upstream-patch-for-CVE-2021-4034.patch

      A vulnerability was just published along with the patch:
      https://seclists.org/oss-sec/2022/q1/80 [seclists.org]
      https://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/104 [freedesktop.org]

      Let's apply the patch ASAP.

      ...

      commit-hook freebsd_committer 2022-01-26 23:05:56 UTC

      A commit in branch main references this bug:

      URL: https://cgit.FreeBSD.org/ports/commit/?id=7e3378fc941d3710b4d864e3fffa0c78004b0632 [freebsd.org]

      commit 7e3378fc941d3710b4d864e3fffa0c78004b0632
      Author: Adriaan de Groot
      AuthorDate: 2022-01-26 23:02:41 +0000
      Commit: Adriaan de Groot
      CommitDate: 2022-01-26 23:05:01 +0000

              security/vuxml: notify polkit local-privilege-escalation

              It was unclear if the actual exploit would work on FreeBSD,
              since there's no GNU libc which the payload would work on.
              The following changes are / have been applied:
              - fix in polkit from upstream (from Greg V)
              - at kernel level, fixes to disallow argc==0 (from kevans, I think)

              PR: 261482

        security/vuxml/vuln-2022.xml | 29 +++++++++++++++++++++++++++++
        1 file changed, 29 insertions(+)

      • (Score: 2) by bart9h on Thursday January 27, @12:37PM (4 children)

        by bart9h (767) on Thursday January 27, @12:37PM (#1216137)

        No need to ditch Linux yet, there are still some sane (as in, sans-systemd) distributions around.

        On my Devuan system I also got pkexec: Command not found.

        • (Score: 2) by epitaxial on Thursday January 27, @01:30PM (1 child)

          by epitaxial (3165) on Thursday January 27, @01:30PM (#1216148)

          Don't forget about Slackware. It's a current distro and 15.0 should be released soon.

          • (Score: 5, Informative) by linuxrocks123 on Thursday January 27, @04:02PM

            by linuxrocks123 (2557) on Thursday January 27, @04:02PM (#1216179) Journal

            I run Slackware. Although it doesn't use SystemD, polkit is in /l and would therefore be installed on most systems, including mine.

        • (Score: 3, Informative) by bart9h on Thursday January 27, @10:23PM (1 child)

          by bart9h (767) on Thursday January 27, @10:23PM (#1216305)

          I replied from another system. Now that I'm at my main desktop I checked, and I was wrong: pkexec is indeed installed.

          As was already mentioned, policykit is not part of systemd. It was installed as a dependency of MATE, which I'll consider switching from.

    • (Score: -1, Troll) by aristarchus on Thursday January 27, @06:06AM (3 children)

      by aristarchus (2645) on Thursday January 27, @06:06AM (#1216069) Journal

      Is this installed on SoylentNews servers? Is this why the aristarchus journal has disappeared? Will none call this what it is, censorship pure and simple!

      quote?Due to excessive bad posting from this IP or Subnet, comment posting has temporarily been disabled. If it's you, consider this a chance to sit in the timeout corner. If it's someone else, this is a chance to hunt them down. If you think this is unfair, please email admin@soylentnews.org with your MD5'd IPID and SubnetID, which are "b0e4c575kkdhsk;796f3d7790" and "e1uj88860o3334kksndldl8ff26d701554b71cc7fa1" and (optionally, but preferably) your IP number "666.321.156.231" and your username "aristarchus".

      --
      #Freearistarchus, again!!!!!1!!
      • (Score: -1, Offtopic) by Anonymous Coward on Thursday January 27, @06:14AM (1 child)

        by Anonymous Coward on Thursday January 27, @06:14AM (#1216074)

        almost nobody cared yesterday ari

        today, nobody cares

        • (Score: -1, Offtopic) by Anonymous Coward on Thursday January 27, @07:17AM

          by Anonymous Coward on Thursday January 27, @07:17AM (#1216085)

          Thank you for destroying SoylentNews, AC.

      • (Score: -1, Offtopic) by Anonymous Coward on Thursday January 27, @08:24AM

        by Anonymous Coward on Thursday January 27, @08:24AM (#1216112)

        $ ping 666.321.156.231
        ping: 666.321.156.231: Name or service not known

    • (Score: -1, Offtopic) by Anonymous Coward on Thursday January 27, @07:32AM

      by Anonymous Coward on Thursday January 27, @07:32AM (#1216095)

      Can't we just ban that Peter-ring kid from Linux?

      Like you got aristarchus banned? You admin asskissing excuse for a real soylentil, Runaway! Your comeuppance is coming up. Janrinok cannot protect you forever.

    • (Score: 5, Informative) by digitalaudiorock on Thursday January 27, @01:43PM (2 children)

      by digitalaudiorock (688) on Thursday January 27, @01:43PM (#1216150)

      Sadly. As noted, it's a systemd thing.

      I'm running Gentoo with no systemd and no polkit. Interestingly though, I think the recent recommendations to not run X as root likely changed that for many. Running X as non-root uses elogind. Its default configuration uses polkit, and I've read that at least some users seem to have had difficulty getting that elogind setup working without it. When I saw the BS that configuration wanted to install, I opted to just enable my "suid" USE flag on xorg-server, and to continue running X as root. Several users on the Gentoo forums seriously question whether running X as root is truly less secure than depending on other security nightmare BS like this to run shit as root on your behalf...myself among them. This vulnerability is pretty telling in that regard.

      • (Score: 0) by Anonymous Coward on Thursday January 27, @02:20PM (1 child)

        by Anonymous Coward on Thursday January 27, @02:20PM (#1216156)

        This exactly. Though, my Gentoo system has enough dependencies on polkit that I seem to have wound up with it anyway, even though I don't use systemd, Wayland, nor any desktop bloatware environment. The main culprits (the things that would be hard to get rid of or which I need) are libvirt and elogind. And mythtv has a transitive dependency via udisks, which I'd rather not have itself (maybe the package dependencies can be moved behind a use flag).

        Because ConsoleKit is dead, Gentoo more or less forced everyone to switch to elogind. And, to be honest, I am not even that unhappy with elogind. I don't think you can pin this on elogind, and X being setuid has caused this kind of problem in the past.

        • (Score: 4, Interesting) by digitalaudiorock on Thursday January 27, @02:30PM

          by digitalaudiorock (688) on Thursday January 27, @02:30PM (#1216158)

          Interesting that you mentioned udisks and MythTV. I've been using MythTV since 2007. Currently I'm still running 29.1 but with an ebuild of my own. Among other things, like modifying it to not require QtWebKit, I just dropped the udisks requirement. I find that, at least with only one DVD drive on the frontend (which I never really use anymore anyway) there's no need for it at all.

    • (Score: 0) by Anonymous Coward on Thursday January 27, @11:21PM

      by Anonymous Coward on Thursday January 27, @11:21PM (#1216329)

      I run devuan. My systems don't have that.

  • (Score: 3, Insightful) by Anonymous Coward on Thursday January 27, @06:05AM (8 children)

    by Anonymous Coward on Thursday January 27, @06:05AM (#1216066)

    polkit (nee PolicyKit) predates systemd, it's just that systemd seems intermingled with it now, it's hard to discern.

    But do you remember how granting users some special powers was done "long" ago? su, sudo, groups and group ownership (/etc/group, pam_group, udev rules), user ownership (udev rules). I'm sure there were more (never dived deep into PAM, eg). But hey, polkit is "newer" than those AND can be configured with XML. Must be great!

    Great for corporations to take over Linux by adding more of their things instead of (re)using previous ones, I mean. Freedesktop name is ironic now, assuming it was not since the beginning.

    • (Score: 1, Informative) by Anonymous Coward on Thursday January 27, @09:39AM (2 children)

      by Anonymous Coward on Thursday January 27, @09:39AM (#1216121)

      Not that sudo didn't have its share of holes, either.

      • (Score: 0) by Anonymous Coward on Thursday January 27, @02:38PM

        by Anonymous Coward on Thursday January 27, @02:38PM (#1216163)

        The whole point of these programs is to circumvent OS security anyway, the entire thing is a hole.

      • (Score: 1, Informative) by Anonymous Coward on Thursday January 27, @11:17PM

        by Anonymous Coward on Thursday January 27, @11:17PM (#1216326)

        OpenBSD has a simpler tool, doas. https://man.openbsd.org/doas [openbsd.org] Instead of huge surface attack directly or indirectly (policykit-1 0.120-3 reports "Depends: adduser, default-dbus-system-bus | dbus-system-bus, default-logind | logind, libc6 (>= 2.33), libexpat1 (>= 2.0.1), libgcc-s1 (>= 3.0), libglib2.0-0 (>= 2.37.3), libmozjs-78-0 (>= 78.15.0), libpam0g (>= 0.99.7.1), libpolkit-agent-1-0 (= 0.120-3), libpolkit-gobject-1-0 (= 0.120-3), libstdc++6 (>= 5), libsystemd0 (>= 213)"... libexpat1 for XML but libmozjs? WTF!?) some people prefer to create new tools with restricted focus, smaller code base and fewer dependencies. Especially if those tools are about security tasks.

        sudo can still be installed, but if doas is enough for your use case, you can avoid sudo.

    • (Score: 1, Interesting) by Anonymous Coward on Thursday January 27, @07:11PM (4 children)

      by Anonymous Coward on Thursday January 27, @07:11PM (#1216232)

      But do you remember how granting users some special powers was done "long" ago? su, sudo, groups and group ownership (/etc/group, pam_group, udev rules), user ownership (udev rules).

      The issue with using those same tried-and-true tools today is, it involves a non-trivial amount of fucking around on my part to get it all working, if it can be done at all. Whether that is because distribution-maintainers (by this I mean the Canonical's and Red Hat's of the world, the folks who put together 'a distro') have gone out of their way to make it a pain in the ass, or because computer usage patterns and user expectations have changed and the tools have not kept pace, is a question for another thread. Myself, I lean towards the second one. But, to address your point:

      Don't misunderstand me, I'm not advocating for a maximum-bling desktop experience; I run a pretty boring setup. My machine boots to a console prompt, same as it has for twenty years. I log in, type startx, and away I go.

      But that being said, I do, in the year 2022, have some basic expectations: I expect to be able to shut the machine down from my DE's main menu, using the large and well labeled 'Shutdown' button. Or reboot it. I expect to be able to suspend or hibernate it. I expect, when I plug a usb drive in, to have it automatically mounted, read-write, to a directory that I as a user have access to. I expect to connect to any wifi network I please, or to change my wired-network IP and other settings as needed. I expect to be able to use the USB-RS232 converter I have, if I plug it in. I expect to add or remove printers, and administer them as needed. And so on.

      And I expect all of those things to happen without FUCKING AROUND with entering root passwords, user passwords, dealing with Vista-style 'security' pop-ups, manually editing /etc/sudoers, tweaking udev rules by hand, or any other bullshit. It's a multi-user OS on a single-user machine, not a goddamn mainframe.

      It needs. To Just. Work.

      And making that happen using sudo, su, groups and so on, reliably and repeatably, by default for any user who installs the distro, is apparently a massive headache and/or nigh impossible using the tools of yore, because shit like PolicyKit, ConsoleKit, and SystemD didn't just spring into being overnight for no reason whatsoever. Somebody, somewhere, saw a need that wasn't being addressed, and dealt with it.

      And now we're stuck with that new garbage, on top of the old, somewhat-less garbage.

      And on top of that, at least in my case with a polkit:yes/systemd:no Gentoo install, it still rarely Just Works.

      Sucks, don't it?

      Rant over. Posted AC so I don't get reply alerts, I don't give a damn what anyone else thinks on the topic.

      • (Score: 1, Troll) by FatPhil on Thursday January 27, @08:51PM (3 children)

        by FatPhil (863) <pc-soylentNO@SPAMasdf.fi> on Thursday January 27, @08:51PM (#1216282) Homepage
        Please get a single-user operating system. A multi-user OS like Unix is too advanced for you.
        --
        I know I'm God, because every time I pray to him, I find I'm talking to myself.
        • (Score: 0) by Anonymous Coward on Friday January 28, @01:34AM

          by Anonymous Coward on Friday January 28, @01:34AM (#1216355)

          Windows 95 then?

        • (Score: 0) by Anonymous Coward on Saturday January 29, @06:02AM (1 child)

          by Anonymous Coward on Saturday January 29, @06:02AM (#1216633)

          I think you misunderstood the point. A multi-user OS installed on what is effectively a single-user machine, changes the dynamics considerably. The owner of the machine has physical access to the hardware. Complete control, of everything. Including the root password, and root account.

          Isn't it reasonable to expect the OS to have a tier of user between 'root' and 'unprivileged', that is a lot closer to 'root', for that scenario?

          • (Score: 2) by FatPhil on Wednesday February 02, @09:51AM

            by FatPhil (863) <pc-soylentNO@SPAMasdf.fi> on Wednesday February 02, @09:51AM (#1217954) Homepage
            You appear to have forgotten that networking exists. People might be relying on access to your machine remotely. File shares, web server, irc bouncer, who knows. There's plenty more types of access to a machine than just sitting at the keyboard.
            --
            I know I'm God, because every time I pray to him, I find I'm talking to myself.
  • (Score: -1, Offtopic) by Fuck You Niggers 10 on Thursday January 27, @06:06AM (5 children)

    by Fuck You Niggers 10 (16403) on Thursday January 27, @06:06AM (#1216068)

    I am a new soylentil! I think I've found an equally severe bug in Soylent News!

    This site allows Runaway to use limitless sock puppets to harass aristarchus and mod bomb him. All of the evidence seems to be changed to blame aristarchus for Runaway's sock puppets. Is this by design? I think it's a bug and I don't think it's very fair to other soylentils to let Runaway use sock puppets. Nobody else uses sock puppets. Why does Runaway get to? I think this is a serious bug.

    Is martyb an admin? What about janrinok? Can they investigate this severe bug in Soylent News?

    • (Score: -1, Offtopic) by Anonymous Coward on Thursday January 27, @06:53AM (3 children)

      by Anonymous Coward on Thursday January 27, @06:53AM (#1216080)

      You are missing the big picture. The whole scheme in inventing SN was to act as a honeypot to entrap the Runaway. He is much too dangerous to be allowed out of here. Nobody cares about Aristarchus. He can come and go.

      There are several three letter agencies who have operatives assigned full-time to entice Runaway to post incessantly by disagreeing with him, moderating him unfairly and calling him stupid.

      And everybody loves a puppet show.

      • (Score: -1, Offtopic) by Anonymous Coward on Thursday January 27, @07:17AM (1 child)

        by Anonymous Coward on Thursday January 27, @07:17AM (#1216086)

        It would make a great sitcom, sadly, a real domestic terrorist would have the FBI sending weapons dealers to visit.

        • (Score: -1, Offtopic) by Anonymous Coward on Thursday January 27, @04:54PM

          by Anonymous Coward on Thursday January 27, @04:54PM (#1216186)

          Runaway already has more weapons than he can possibly use. He dreams of Galveston.

      • (Score: -1, Offtopic) by Anonymous Coward on Thursday January 27, @07:22AM

        by Anonymous Coward on Thursday January 27, @07:22AM (#1216089)

        I want my aristarchus back. Seriously, he was the only reason I would check this site.

    • (Score: 3, Touché) by maxwell demon on Thursday January 27, @11:40AM

      by maxwell demon (1608) on Thursday January 27, @11:40AM (#1216129) Journal

      Runaway argument?

      --
      The Tao of math: The numbers you can count are not the real numbers.
  • (Score: 5, Informative) by Anonymous Coward on Thursday January 27, @07:46AM (10 children)

    by Anonymous Coward on Thursday January 27, @07:46AM (#1216098)

    If you run Linux, especially GNOME, check if you have pkexec and PolKit. Despite what some say, it is not a systemd component (but it is a freedesktop.org project). Even if you are on a systemd-free installation you may be running it and even if you are on systemd you may not be running it. Check your updates anyway. To illustrate, none of our systemd servers had it installed but two of our Devuan desktops did.

    • (Score: 5, Informative) by Snospar on Thursday January 27, @08:38AM (5 children)

      by Snospar (5366) Subscriber Badge on Thursday January 27, @08:38AM (#1216113)

      Running Void Linux here which is systemd free (using runit instead). I had pkexec version 0.119 which was already safe (0.118 was the last dangerous version) but I've upgraded to 0.120 just to be sure. Always useful in these discussions to make it clear which versions are dodgy and which have been fixed.

      • (Score: 0) by Anonymous Coward on Thursday January 27, @08:48AM

        by Anonymous Coward on Thursday January 27, @08:48AM (#1216114)

        I just checked my pkexec (Arch derivative distro) - version 0.120. As almost always, by the time an article hits "THE HEADLINES!!!" the fix has already come and been through the regular updates. Yawn...

      • (Score: 0) by Anonymous Coward on Thursday January 27, @09:23AM

        by Anonymous Coward on Thursday January 27, @09:23AM (#1216120)

        I thought about that but decided against it. All of the major distros already patched it as have their downstreams. But the problem is that what versions are or are not dodgy can be specific to particular distros and particular releases of distros.

      • (Score: 0) by Anonymous Coward on Thursday January 27, @10:26PM

        by Anonymous Coward on Thursday January 27, @10:26PM (#1216306)

        You are thinking of a different vulnerability. The one fixed in 0.119 was a problem with dbus. Even 0.120 is vulnerable to this. You will need to get a 0.120 patched with a fix, or disable pkexec as a workaround (probably a painless one for personal use, as everyone uses sudo, not pkexec, although corporate users sometimes prefer pkexec).

        Documentation is scarce because most distros for some reason no longer report exact package versions in their security bulletins (users shouldn't have to worry their pretty little heads over what version of software they have), but you can see the security tickets for Gentoo here [gentoo.org].

      • (Score: 2) by Runaway1956 on Friday January 28, @12:42AM (1 child)

        by Runaway1956 (2926) Subscriber Badge on Friday January 28, @12:42AM (#1216337) Homepage Journal

        +1 informative

        However, MX introduces some confusion.

        $ pkexec --version
        pkexec version 0.105

        .105 is obviously not up to date with .118, .119, or .120.

        Package manager says that mx-pkexec provides my pkexec, and it is at version 21.03.02. It isn't clear to me, based on that, whether I'm patched or not patched.

        Internet search "is my pkexec vulnerable" leads to https://support.cpanel.net/hc/en-us/articles/4420357490455-Polkit-pkexec-vulnerability-CVE-2021-4034 [cpanel.net]

        zgrep -E 'CVE-2021-4034' /usr/share/doc/policykit-1/changelog.Debian.gz
        If it is not updated, the output will be blank.

        Results say

        $ zgrep -E 'CVE-2021-4034' /usr/share/doc/policykit-1/changelog.Debian.gz
            * Local Privilege Escalation in polkit's pkexec (CVE-2021-4034)

        It seems that my version is patched, despite being multiple versions out of date.

        --
        “If everyone is thinking alike, then somebody isn't thinking.” ― George S. Patton on Ukraine
        • (Score: 0) by Anonymous Coward on Friday January 28, @02:05AM

          by Anonymous Coward on Friday January 28, @02:05AM (#1216361)

          Is it really informative if the information is wrong? 0.119 and 0.120 ARE vulnerable unless patched.

          Anyway, it's possible to backport the fix, so you might be running a distro that did that. Gentoo backported it to 0.117 which, for some reason, is the newest version supported on some non-x86 platforms.

          If you don't use pkexec, you can avoid worrying with good old-fashioned chmod 0.
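A triage sketch for the question raised in the two comments above: is this pkexec patched when `pkexec --version` cannot tell you, and has the setuid workaround been applied? This is an added example, not code from the thread or from any distribution; the function names and verdict words are made up here, and the changelog path is the Debian-family one quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): triage pkexec for CVE-2021-4034
# without trusting `pkexec --version`, because distributions backport the
# fix into old version numbers (0.105 on MX, 0.117 on Gentoo per the thread).
# Function names and verdict words are hypothetical.

CVE_ID="CVE-2021-4034"

# True if the path is a regular file with the set-user-ID bit.
# pkexec without that bit cannot elevate, which is the effect of the
# chmod workaround mentioned in the thread.
is_setuid() {
    [ -f "$1" ] && [ -u "$1" ]
}

# True if the package changelog names the CVE. Accepts a gzip-compressed
# changelog (Debian ships changelog.Debian.gz) or a plain-text one.
# Returns 2 when the file cannot be read, so callers can tell
# "not mentioned" from "no changelog here".
changelog_mentions_cve() {
    file=$1
    [ -r "$file" ] || return 2
    case "$file" in
        *.gz) gzip -dc "$file" 2>/dev/null | grep -q -e "$CVE_ID" ;;
        *)    grep -q -e "$CVE_ID" "$file" ;;
    esac
}

# Print one verdict word for a pkexec binary and its package changelog:
#   absent      no such file
#   not-setuid  present, but the set-user-ID bit is cleared
#   patched     setuid, and the changelog records the CVE fix
#   review      setuid, and no changelog evidence of the fix
pkexec_status() {
    bin=$1
    changelog=$2
    if [ ! -e "$bin" ]; then
        echo absent
    elif ! is_setuid "$bin"; then
        echo not-setuid
    elif changelog_mentions_cve "$changelog"; then
        echo patched
    else
        echo review
    fi
}

# Defaults: first pkexec on PATH, and the Debian-family changelog path
# from the thread. Override either through the environment elsewhere.
PKEXEC_BIN=${PKEXEC_BIN:-$(command -v pkexec 2>/dev/null || echo /usr/bin/pkexec)}
CHANGELOG=${CHANGELOG:-/usr/share/doc/policykit-1/changelog.Debian.gz}

verdict=$(pkexec_status "$PKEXEC_BIN" "$CHANGELOG")
echo "$PKEXEC_BIN: $verdict"
if [ "$verdict" = review ]; then
    echo "No changelog entry for $CVE_ID: update polkit, or clear the setuid bit on pkexec until you can." >&2
fi
```

A `review` verdict means only that this one changelog gave no evidence of the fix; on distributions that keep changelogs elsewhere, point `CHANGELOG` at the right file before drawing a conclusion.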

    • (Score: 4, Interesting) by digitalaudiorock on Thursday January 27, @07:45PM (2 children)

      by digitalaudiorock (688) on Thursday January 27, @07:45PM (#1216244)

      Despite what some say, it is not a systemd component (but it is a freedesktop.org project).

      Between those two it's a pretty close race as to who sucks more frankly (with the Mozilla devs arguably not far behind). Don't even get me started with the freedesktop.org project. Here's one I ran into recently:

      I use only fluxbox as a window manager. After a recent update to thunderbird I no longer had any Window decorations at all and couldn't even move the Window. Just to note: The only reason I use thunderbird for email is because I need a client that fully supports the Godless travesty that is HTML email (because of my work). If it weren't for that, I'd use a sane text only client like Claws mail. It turns out that the missing decorations issue was caused by the freedesktop.org's GTK3 "client side decorations" which they do NOT [github.com] allow you to disable, despite the fact that it breaks some window managers. With the help of another user on the gentoo forums I was able to come up with a patch that addressed this in fluxbox. I now have window decorations back...the ones that I want, and not the ones GTK3 wants.

      More importantly, you have to consider what they're doing with that whole concept of "client side decorations": You as a user choose a theme for the way you want windows to appear, and they say "fuck you..we want all GTK apps to look the same to protect our brand". And yes...although being (supposedly) part of the open source community, they very much DO use the term "brand" [wordpress.com].

      So yea, for me all three of systemd, Mozilla, and freedesktop.org pretty much epitomize everything that's wrong with Linux these days. Somehow I manage to maintain a sane, lean system despite all these a-holes.

    • (Score: 0) by Anonymous Coward on Thursday February 17, @05:02PM

      by Anonymous Coward on Thursday February 17, @05:02PM (#1222536)

      The difference between systemd and freedesktop is academic at this point.

      And the latter is likely a rubber stamp fig leaf for RH's control of Linux userspace by way of API churn.

      Freedesktop is supposedly about improving cross-DE compatibility on Linux. But invariably, the only "standards" that get adopted are those proposed by people on RH payroll.

      Never mind that it was founded by RH's Gnome chief back in the day.

  • (Score: 3, Funny) by Anonymous Coward on Thursday January 27, @11:15AM

    by Anonymous Coward on Thursday January 27, @11:15AM (#1216126)

    install windows and all the dependency worries slip away, especially post inoculation tuesdays.

  • (Score: 0) by Anonymous Coward on Thursday January 27, @02:24PM

    by Anonymous Coward on Thursday January 27, @02:24PM (#1216157)

    the only winning Polkit is not to Polkit

  • (Score: 2) by srobert on Thursday January 27, @03:12PM

    by srobert (4803) on Thursday January 27, @03:12PM (#1216171)

    I use Void Linux which doesn't use systemd. But packages that I need have polkit as a dependency. Fortunately Void has patched this already.
