unprivileged users with UID > INT_MAX can successfully execute any systemctl command #11026

Closed
4z3 opened this Issue Dec 2, 2018 · 12 comments

Comments

8 participants
@4z3

4z3 commented Dec 2, 2018

Unprivileged users with UID > INT_MAX can execute any systemctl command due to pkttyagent aborting with an assertion at https://github.com/freedesktop/polkit/blob/8c1bc8a/src/programs/pkttyagent.c#L156.

systemd version the issue has been seen with

$ systemctl --version
systemd 239
+PAM +AUDIT -SELINUX +IMA +APPARMOR +SMACK -SYSVINIT +UTMP -LIBCRYPTSETUP +GCRYPT -GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID -ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=hybrid

For completeness:

$ pkttyagent --version
pkttyagent version 0.115

Used distribution

NixOS 18.09 stable (commit db561c9)

Expected behaviour you didn't see

$ id
uid=4000000000(someuser) gid=100(users) groups=100(users)
$ systemctl stop sshd.service
Failed to stop sshd.service: Interactive authentication required.
See system logs and 'systemctl status sshd.service' for details.
$ systemctl is-active sshd.service
active

Unexpected behaviour you saw

$ id
uid=4000000000(someuser) gid=100(users) groups=100(users)
$ systemctl stop sshd.service

(pkttyagent:3342): GLib-GObject-WARNING **: 13:28:53.802: value "-294967296" of type 'gint' is invalid or out of range for property 'uid' of type 'gint'
**
ERROR:pkttyagent.c:156:main: assertion failed: (polkit_unix_process_get_uid (POLKIT_UNIX_PROCESS (subject)) >= 0)
$ systemctl is-active sshd.service
inactive

Steps to reproduce the problem

  1. create a user with a UID > INT_MAX, e.g. 4000000000
  2. run any systemctl command
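The warning in the report shows what goes wrong before the assertion fires: the caller's 32-bit unsigned uid_t (4000000000) is stored in a signed gint, where it wraps to -294967296, a value no real user has. The following is an added example, not code from the issue, from polkit or from systemd; it assumes uid_t is a 32-bit unsigned integer (as on Linux/glibc), and the function names uid_to_int_unchecked, uid_fits_int, uid_to_int_checked and subject_uid_is_valid are hypothetical. It reproduces the truncation and shows the range check a defender wants in front of any such conversion, with the out-of-range case failing closed (deny) instead of being passed on to an authorization decision.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>

/* Reproduces the truncation seen in the report: a uid_t (unsigned, 32-bit
 * on Linux/glibc) is narrowed to a signed int. For values above INT_MAX the
 * result is implementation-defined and wraps negative on common compilers,
 * e.g. 4000000000 -> -294967296. */
int uid_to_int_unchecked(uid_t uid) {
    return (int) uid;
}

/* Hypothetical helper: does this uid fit in a signed int at all? */
int uid_fits_int(uid_t uid) {
    return (uintmax_t) uid <= (uintmax_t) INT_MAX;
}

/* Hardened conversion: refuse any uid that does not fit in int.
 * Returns 0 and stores the value on success, -1 (and leaves *out alone)
 * when the uid is out of range. */
int uid_to_int_checked(uid_t uid, int *out) {
    if (!uid_fits_int(uid))
        return -1;
    *out = (int) uid;
    return 0;
}

/* Policy-side check: a subject whose uid cannot be represented, or that
 * converts to a negative number, is not a valid unprivileged user and must
 * fail closed (deny), never fall through to "authorized". */
bool subject_uid_is_valid(uid_t uid) {
    int v;
    if (uid_to_int_checked(uid, &v) != 0)
        return false;
    return v >= 0;
}

int main(void) {
    /* Constructed sample: the same UID as in the report. */
    uid_t suspicious = 4000000000u;
    int v = 0;

    printf("unchecked cast of %u -> %d\n",
           (unsigned) suspicious, uid_to_int_unchecked(suspicious));
    if (uid_to_int_checked(suspicious, &v) != 0)
        printf("checked conversion rejects %u\n", (unsigned) suspicious);
    printf("valid subject (uid %u)? %s\n", (unsigned) suspicious,
           subject_uid_is_valid(suspicious) ? "yes" : "no");
    printf("valid subject (uid 1000)? %s\n",
           subject_uid_is_valid(1000) ? "yes" : "no");
    return 0;
}
```

The unchecked cast is exactly why an assertion of the form `uid >= 0` can trigger in the agent; the point for reviewers is that the agent's abort is irrelevant to the outcome, because the authorization decision is made elsewhere, so the range check has to live wherever the uid is consumed for a decision, and an unrepresentable uid has to be treated as "deny".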
@poettering

Member

poettering commented Dec 2, 2018

pkttyagent does not authenticate anything, it just passes a password if one is required from the user to polkit in the background

it's the polkit service in the background that does the authentication. Not sure I grok what's going on, but this smells like a polkit service issue

@4z3 4z3 changed the title from unprivileged users with UID > MAX_INT can successfully execute any systemctl command to unprivileged users with UID > INT_MAX can successfully execute any systemctl command Dec 2, 2018

@poettering

Member

poettering commented Dec 2, 2018

So, I managed to reproduce this, and yes, PolicyKit says the caller is authenticated, as a "busctl monitor" reveals. This is hence a PolicyKit bug. A pretty bad one...

@4z3

4z3 commented Dec 2, 2018

Thanks for verifying the issue. I've crossposted it at polkit's issue tracker: https://gitlab.freedesktop.org/polkit/polkit/issues/74

@keszybz

Member

keszybz commented Dec 2, 2018

pkttyagent aborts, but this is not very important.

Work-around: systemctl mask polkit && systemctl stop polkit.

@evverx

Member

evverx commented Dec 3, 2018

In a way it's kind of handy because it allows users with uids like that to bypass sudo machinery or any other mechanism used to become root :-) I took a look at https://gitlab.freedesktop.org/polkit/polkit and it seems that it isn't exactly active (looks like the main bug tracker is somewhere else). Anyway, I'm pretty sure the bug would be fixed much faster if a CVE was created for this.

@mbiebl

Contributor

mbiebl commented Dec 3, 2018

@evverx I've forwarded this issue to the Debian security team and they requested a CVE
https://gitlab.freedesktop.org/polkit/polkit/issues/74#note_84732
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19788

@evverx

Member

evverx commented Dec 3, 2018

@mbiebl thank you! I was also going to write that according to https://gitlab.freedesktop.org/polkit/polkit/blob/master/README it's possible to report security vulnerabilities privately by sending them to dbus-security@lists.freedesktop.org but it seems to be too late.

@poettering

Member

poettering commented Dec 3, 2018

I think we can close this one here. Let's do all follow-up discussions on the fdo gitlab for polkit.

@setharnold

setharnold commented Dec 4, 2018

I'm surprised a process aborting fails open like this -- are you sure that there's nothing to fix here?

Thanks

@grawity

Contributor

grawity commented Dec 4, 2018

I'm surprised a process aborting fails open like this -- are you sure that there's nothing to fix here?

Neither the process you see abort (pkttyagent) nor the process making authorization decisions (polkitd) are part of the systemd repository. The issue here is that polkitd wrongly reports to the systemd process that the action is allowed.

@rmoog

rmoog commented Dec 6, 2018

This bug would not have occurred in systemd if it had a Code of Conduct https://github.com/ContributorCovenant/contributor_covenant

@poettering

Member

poettering commented Dec 6, 2018

So, apparently the peanut gallery found this bug, I am locking this now here. This is not the right place for off-topic trolling (it never is) nor even for on-topic technical info (because that should be placed on the polkit bug over on fdo).

@systemd systemd locked as too heated and limited conversation to collaborators Dec 6, 2018