posted by martyb on Thursday January 27 2022, @04:34AM

Major Linux PolicyKit security vulnerability uncovered: Pwnkit:

Polkit, formerly known as PolicyKit, is a systemd SUID-root program. It's installed by default in every major Linux distribution.

[...] This vulnerability is easy to exploit. And, with it, any ordinary user can gain full root privileges on a vulnerable computer by exploiting this vulnerability in its default configuration. As Qualys wrote in its brief description of the problem: "This vulnerability is an attacker's dream come true."

[...] Why is it so bad? Let us count the ways:

  • Pkexec is installed by default on all major Linux distributions.
  • Qualys has exploited Ubuntu, Debian, Fedora, and CentOS in their tests, and they're sure other distributions are also exploitable.
  • Pkexec has been vulnerable since its creation in May 2009 (commit c8c3d83, "Add a pkexec(1) command").
  • An unprivileged local user can exploit this vulnerability to get full root privileges.
  • Although this vulnerability is technically a memory corruption, it is exploitable instantly and reliably in an architecture-independent way.
  • And, last but not least, it's exploitable even if the polkit daemon itself is not running.

[...] While we know Linux can be attacked, Solaris and other Unix systems may also be vulnerable. We do know, however, that OpenBSD can't be attacked by exploits using this vulnerability.

Red Hat rates the PwnKit as having a Common Vulnerability Scoring System (CVSS) score of 7.8. This is high.

When used correctly, Polkit provides an organized way for non-privileged processes to communicate with privileged processes. It is also possible to use polkit to execute commands with elevated privileges using the command pkexec followed by the command intended to be executed with root permission.
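As an added example (not from the article, Qualys, or the polkit project), a small POSIX shell audit that classifies a pkexec binary by the precondition described above, a setuid-root install, and prints the interim mitigation Qualys published alongside the advisory: clear the setuid bit until a patched polkit is installed. The candidate paths and the status labels are assumptions of this script.

```shell
#!/bin/sh
# Added example, not the project's code: audit pkexec for the PwnKit
# precondition (setuid-root) and print the recommended action.
# Interim mitigation from the Qualys advisory: chmod 0755 /usr/bin/pkexec
# until the distribution's patched polkit package is installed.

# file_owner PATH: owner name as reported by ls (portable; avoids GNU stat).
file_owner() {
    ls -ld "$1" | awk '{ print $3 }'
}

# pkexec_status PATH: classify the binary for the report.
#   missing       - no file at PATH
#   not-suid      - setuid bit clear (mitigated, or not a SUID helper)
#   suid-nonroot  - setuid to a non-root owner (odd, but not PwnKit's case)
#   suid-root     - setuid-root: exposed unless the package is patched
pkexec_status() {
    path=$1
    [ -f "$path" ] || { echo missing; return; }
    if [ ! -u "$path" ]; then
        echo not-suid
    elif [ "$(file_owner "$path")" = "root" ]; then
        echo suid-root
    else
        echo suid-nonroot
    fi
}

# mitigation_for STATUS: action to recommend for a given status.
mitigation_for() {
    case $1 in
        suid-root)    echo "update polkit; until then: chmod 0755 <path>" ;;
        suid-nonroot) echo "investigate: setuid to a non-root owner" ;;
        *)            echo "none" ;;
    esac
}

# audit_pkexec [PATH...]: one tab-separated line per candidate location.
# Default locations are an assumption; pass explicit paths to override.
audit_pkexec() {
    [ $# -gt 0 ] || set -- /usr/bin/pkexec /usr/local/bin/pkexec
    for p in "$@"; do
        s=$(pkexec_status "$p")
        printf '%s\t%s\t%s\n' "$p" "$s" "$(mitigation_for "$s")"
    done
}

audit_pkexec "$@"
```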

  • (Score: 3, Insightful) by Anonymous Coward on Thursday January 27 2022, @06:05AM (8 children)

    by Anonymous Coward on Thursday January 27 2022, @06:05AM (#1216066)

    polkit (née PolicyKit) predates systemd; it's just that systemd seems so intermingled with it now that it's hard to discern.

    But do you remember how granting users some special powers was done "long" ago? su, sudo, groups and group ownership (/etc/group, pam_group, udev rules), user ownership (udev rules). I'm sure there were more (never dived deep into PAM, e.g.). But hey, polkit is "newer" than those AND can be configured with XML. Must be great!

    Great for corporations to take over Linux by adding more of their things instead of (re)using previous ones, I mean. The Freedesktop name is ironic now, assuming it was not since the beginning.

  • (Score: 1, Informative) by Anonymous Coward on Thursday January 27 2022, @09:39AM (2 children)

    by Anonymous Coward on Thursday January 27 2022, @09:39AM (#1216121)

    Not that sudo didn't have its share of holes, either.

    • (Score: 0) by Anonymous Coward on Thursday January 27 2022, @02:38PM

      by Anonymous Coward on Thursday January 27 2022, @02:38PM (#1216163)

      The whole point of these programs is to circumvent OS security anyway, the entire thing is a hole.

    • (Score: 1, Informative) by Anonymous Coward on Thursday January 27 2022, @11:17PM

      by Anonymous Coward on Thursday January 27 2022, @11:17PM (#1216326)

      OpenBSD has a simpler tool, doas. https://man.openbsd.org/doas [openbsd.org] Instead of a huge attack surface, directly or indirectly (policykit-1 0.120-3 reports "Depends: adduser, default-dbus-system-bus | dbus-system-bus, default-logind | logind, libc6 (>= 2.33), libexpat1 (>= 2.0.1), libgcc-s1 (>= 3.0), libglib2.0-0 (>= 2.37.3), libmozjs-78-0 (>= 78.15.0), libpam0g (>= 0.99.7.1), libpolkit-agent-1-0 (= 0.120-3), libpolkit-gobject-1-0 (= 0.120-3), libstdc++6 (>= 5), libsystemd0 (>= 213)"... libexpat1 for XML, but libmozjs? WTF!?), some people prefer to create new tools with a restricted focus, a smaller code base and fewer dependencies. Especially if those tools are about security tasks.

      sudo can still be installed, but if doas is enough for your use case, you can avoid sudo.

  • (Score: 1, Interesting) by Anonymous Coward on Thursday January 27 2022, @07:11PM (4 children)

    by Anonymous Coward on Thursday January 27 2022, @07:11PM (#1216232)

    > But do you remember how granting users some special powers were done "long" ago? su, sudo, groups and group ownership (/etc/group, pam_group, udev rules), user ownership (udev rules).

    The issue with using those same tried-and-true tools today is, it involves a non-trivial amount of fucking around on my part to get it all working, if it can be done at all. Whether that is because distribution-maintainers (by this I mean the Canonical's and Red Hat's of the world, the folks who put together 'a distro') have gone out of their way to make it a pain in the ass, or because computer usage patterns and user expectations have changed and the tools have not kept pace, is a question for another thread. Myself, I lean towards the second one. But, to address your point:

    Don't misunderstand me, I'm not advocating for a maximum-bling desktop experience; I run a pretty boring setup. My machine boots to a console prompt, same as it has for twenty years. I log in, type startx, and away I go.

    But that being said, I do, in the year 2022, have some basic expectations: I expect to be able to shut the machine down from my DE's main menu, using the large and well-labeled 'Shutdown' button. Or reboot it. I expect to be able to suspend or hibernate it. I expect, when I plug a USB drive in, to have it automatically mounted, read-write, to a directory that I as a user have access to. I expect to connect to any wifi network I please, or to change my wired-network IP and other settings as needed. I expect to be able to use the USB-RS232 converter I have, if I plug it in. I expect to add or remove printers, and administer them as needed. And so on.

    And I expect all of those things to happen without FUCKING AROUND with entering root passwords, user passwords, dealing with Vista-style 'security' pop-ups, manually editing /etc/sudoers, tweaking udev rules by hand, or any other bullshit. It's a multi-user OS on a single-user machine, not a goddamn mainframe.

    It needs. To Just. Work.

    And making that happen using sudo, su, groups and so on, reliably and repeatably, by default for any user who installs the distro, is apparently a massive headache and/or nigh impossible using the tools of yore, because shit like PolicyKit, ConsoleKit, and SystemD didn't just spring into being overnight for no reason whatsoever. Somebody, somewhere, saw a need that wasn't being addressed, and dealt with it.

    And now we're stuck with that new garbage, on top of the old, somewhat-less garbage.

    And on top of that, at least in my case with a polkit:yes/systemd:no Gentoo install, it still rarely Just Works.

    Sucks, don't it?

    Rant over. Posted AC so I don't get reply alerts, I don't give a damn what anyone else thinks on the topic.

    • (Score: 1, Troll) by FatPhil on Thursday January 27 2022, @08:51PM (3 children)

      by FatPhil (863) <pc-soylentNO@SPAMasdf.fi> on Thursday January 27 2022, @08:51PM (#1216282) Homepage
      Please get a single-user operating system. A multi-user OS like Unix is too advanced for you.
      --
      Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
      • (Score: 0) by Anonymous Coward on Friday January 28 2022, @01:34AM

        by Anonymous Coward on Friday January 28 2022, @01:34AM (#1216355)

        Windows 95 then?

      • (Score: 0) by Anonymous Coward on Saturday January 29 2022, @06:02AM (1 child)

        by Anonymous Coward on Saturday January 29 2022, @06:02AM (#1216633)

        I think you misunderstood the point. A multi-user OS installed on what is effectively a single-user machine changes the dynamics considerably. The owner of the machine has physical access to the hardware. Complete control, of everything. Including the root password, and root account.

        Isn't it reasonable to expect the OS to have a tier of user between 'root' and 'unprivileged', that is a lot closer to 'root', for that scenario?

        • (Score: 2) by FatPhil on Wednesday February 02 2022, @09:51AM

          by FatPhil (863) <pc-soylentNO@SPAMasdf.fi> on Wednesday February 02 2022, @09:51AM (#1217954) Homepage
          You appear to have forgotten that networking exists. People might be relying on access to your machine remotely. File shares, web server, irc bouncer, who knows. There's plenty more types of access to a machine than just sitting at the keyboard.
          --
          Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves