Major Linux PolicyKit security vulnerability uncovered: Pwnkit:
Polkit, formerly known as PolicyKit, is a systemd SUID-root program. It's installed by default in every major Linux distribution.
[...] This vulnerability is easy to exploit. And, with it, any ordinary user can gain full root privileges on a vulnerable computer by exploiting this vulnerability in its default configuration. As Qualys wrote in its brief description of the problem: "This vulnerability is an attacker's dream come true."
[...] Why is it so bad? Let us count the ways:
- Pkexec is installed by default on all major Linux distributions.
- Qualys has exploited Ubuntu, Debian, Fedora, and CentOS in their tests, and they're sure other distributions are also exploitable.
- Pkexec has been vulnerable since its creation in May 2009 (commit c8c3d83, "Add a pkexec(1) command").
- An unprivileged local user can exploit this vulnerability to get full root privileges.
- Although this vulnerability is technically a memory corruption, it is exploitable instantly and reliably in an architecture-independent way.
- And, last but not least, it's exploitable even if the polkit daemon itself is not running.
[...] While we know Linux can be attacked, Solaris and other Unix systems may also be vulnerable. We do know, however, that OpenBSD can't be attacked by exploits using this vulnerability.
Red Hat rates the PwnKit as having a Common Vulnerability Scoring System (CVSS) score of 7.8. This is high.
When used correctly, Polkit provides an organized way for non-privileged processes to communicate with privileged processes. It is also possible to use polkit to execute commands with elevated privileges using the command pkexec followed by the command intended to be executed with root permission.
(Score: 5, Insightful) by Runaway1956 on Thursday January 27 2022, @04:53AM (25 children)
Sadly. As noted, it's a systemd thing. I don't have systemd. I've never used pkexec. I was feeling good, almost gloating, "I ain't got that trash!" Whoops, I was wrong. MX Linux uses a systemd shim, to satisfy all those programs that are dependent on systemd. That is, systemd is installed, but doesn't run. Polkit, pkexec, and some polkit libraries are installed. Typing pkexec at the prompt gives me this:
Can't we just ban that Peter-ring kid from Linux?
Updates for polkit are available, but it isn't clear to me at this moment that the updates actually fix the vulnerability.
(Score: 3, Insightful) by janrinok on Thursday January 27 2022, @05:18AM (9 children)
Ubuntu has already issued the updates to fix this bug. I believe that the same will apply to many Debian-based distros. Update your software.
(Score: 3, Informative) by Runaway1956 on Thursday January 27 2022, @06:03AM (8 children)
I don't think any systemd-free distro is downstream from Ubuntu. I know MX isn't. Only Debian and Devuan is upstream from here.
(Score: 2) by janrinok on Thursday January 27 2022, @06:32AM (7 children)
Yes but Ubuntu can get their fixes from Debian - if Ubuntu has it then many, if not all, Debian derivatives will also have it. That is the point that I was making.
(Score: -1, Offtopic) by Anonymous Coward on Thursday January 27 2022, @07:20AM (6 children)
What happened to aristarchus' journal? Has he been banned for good, in the interest of free speech?
(Score: -1, Offtopic) by Anonymous Coward on Thursday January 27 2022, @07:25AM
Sure! Mod free speech advocacy as "Troll". SoylentNews has betrayed BuckFeta, for real.
(Score: 4, Funny) by janrinok on Thursday January 27 2022, @07:42AM (3 children)
Don't know - I've just got out of bed. But lets spin it into some dastardly plot before we get any facts, I'm sure somebody will be along posting as AC soon to claim some such nonsense.
(Score: 0) by Anonymous Coward on Thursday January 27 2022, @11:44AM (2 children)
Isn't is obvious? MOSSAD used the systemd/polkit bug to infiltrate SN and remove Ari's journal because they were worried he was getting to close to the truth.
(Score: 2) by DannyB on Thursday January 27 2022, @03:01PM (1 child)
he was getting two close too the truth.
FTFY
His journal seems to be right hear. [soylentnews.org]
To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
(Score: 0) by Anonymous Coward on Thursday January 27 2022, @05:42PM
I love that you changed the other "to" as well, even though you didn't bold it.
Bravo good sir.
(Score: 0) by Anonymous Coward on Friday January 28 2022, @01:28AM
You're lucky we won't.
(Score: 3, Informative) by drussell on Thursday January 27 2022, @05:22AM (5 children)
Linux? Icky... yucky! Blech!
FreeBSD 12.3-STABLE says to me:
Obviously though, if you have installed sysutils/polkit, you may potentially be wanting to patch or update it, although it currently appears that FreeBSD systems wouldn't be vulnerable due to the fact that there is "no GNU libc which the payload would work on.":
...
(Score: 2) by bart9h on Thursday January 27 2022, @12:37PM (4 children)
No need to ditch Linux yet, there are still some sane (as in, sans-systemd) distributions around.
On my Devuan system I also got pkexec: Command not found.
(Score: 2) by epitaxial on Thursday January 27 2022, @01:30PM (1 child)
Don't forget about Slackware. It's a current distro and 15.0 should be released soon.
(Score: 5, Informative) by linuxrocks123 on Thursday January 27 2022, @04:02PM
I run Slackware. Although it doesn't use SystemD, polkit is in /l and would therefore be installed on most systems, including mine.
(Score: 3, Informative) by bart9h on Thursday January 27 2022, @10:23PM (1 child)
I replied from another system. Now that I'm at my main desktop I checked, and I was wrong: pkexec is indeed installed.
As was already mentioned, policykit is not part of systemd. It was installed as a dependency of MATE, which I'll consider switching from.
(Score: 1) by therainingmonkey on Tuesday February 01 2022, @03:22PM
I'm running Devuan with polkit too here, looks like it was pulled in by KDE
(Score: -1, Troll) by aristarchus on Thursday January 27 2022, @06:06AM (3 children)
Is this installed on SoylentNews servers? Is this why the aristarchus journal has disappeared? Will none call this what it is, censorship pure and simple!
quote?Due to excessive bad posting from this IP or Subnet, comment posting has temporarily been disabled. If it's you, consider this a chance to sit in the timeout corner. If it's someone else, this is a chance to hunt them down. If you think this is unfair, please email admin@soylentnews.org with your MD5'd IPID and SubnetID, which are "b0e4c575kkdhsk;796f3d7790" and "e1uj88860o3334kksndldl8ff26d701554b71cc7fa1" and (optionally, but preferably) your IP number "666.321.156.231" and your username "aristarchus".
(Score: -1, Offtopic) by Anonymous Coward on Thursday January 27 2022, @06:14AM (1 child)
almost nobody cared yesterday ari
today, nobody cares
(Score: -1, Offtopic) by Anonymous Coward on Thursday January 27 2022, @07:17AM
Thank you for destroying SoylentNews, AC.
(Score: -1, Offtopic) by Anonymous Coward on Thursday January 27 2022, @08:24AM
$ ping 666.321.156.231
ping: 666.321.156.231: Name or service not known
(Score: -1, Offtopic) by Anonymous Coward on Thursday January 27 2022, @07:32AM
Like you got aristarchus banned? You admin asskissing excuse for a real soylentil, Runaway! You comeuppance is coming up. Janrinok cannot protect you forever.
(Score: 5, Informative) by digitalaudiorock on Thursday January 27 2022, @01:43PM (2 children)
I'm running Gentoo with no systemd and no polkit. Interestingly though, I think the recent recommendations to not run X as root likely changed that for many. Running X as non-root uses elogind. It's default configuration uses polkit, and I've read that at least some users seem to have had difficultly getting that elogind setup working without it. When I saw the BS that configuration wanted to install, I opted to just set enable my "suid" USE flag on xorg-server, and to continue running X as root. Several users on the Gentoo forums seriously question whether running X as root is truly less secure than depending on other security nightmare BS like this to run shit as root on your behalf...myself among them. This vulnerability is pretty telling in that regard.
(Score: 0) by Anonymous Coward on Thursday January 27 2022, @02:20PM (1 child)
This exactly. Though, my Gentoo system has enough dependencies on polkit that I seem to have wound up with it anyway, even though I don't use systemd, Wayland, nor any desktop
bloatwareenvironment. The main culprits (the things that would be hard to get rid of or which I need) are libvirt and elogind. And mythtv has a transitive dependency via udisks, which I'd rather not have itself (maybe the package dependencies can be moved behind a use flag).Because ConsoleKit is dead, Gentoo more or less forced everyone to switch to elogind. And, to be honest, I am not even that unhappy with elogind. I don't think you can pin this on elogind, and X being setuid has caused this kind of problem in the past.
(Score: 4, Interesting) by digitalaudiorock on Thursday January 27 2022, @02:30PM
Interesting that you mentioned udisks and MythTV. I've been using MythTV since 2007. Currently I'm still running 29.1 but with an ebuild of my own. Among other things, like modifying it to not require QtWekKit, I just dropped the udisks requirement. I find that, at least with only one DVD drive on the frontend (which I never really use anymore anyway) there's no need for it at all.
(Score: 0) by Anonymous Coward on Thursday January 27 2022, @11:21PM
I run devuan. My systems don't have that.