Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

unprivileged users with UID > INT_MAX can successfully execute any systemctl command #11026

Closed
4z3 opened this issue Dec 2, 2018 · 12 comments
Closed

Comments

@4z3
Copy link

@4z3 4z3 commented Dec 2, 2018

Unprivileged users with UID > INT_MAX can execute any systemctl command due pkttyagent aborting with an assertion at https://github.com/freedesktop/polkit/blob/8c1bc8a/src/programs/pkttyagent.c#L156.

systemd version the issue has been seen with

$ systemctl --version
systemd 239
+PAM +AUDIT -SELINUX +IMA +APPARMOR +SMACK -SYSVINIT +UTMP -LIBCRYPTSETUP +GCRYPT -GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID -ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=hybrid

For completeness:

$ pkttyagent --version
pkttyagent version 0.115

Used distribution

NixOS 18.09 stable (commit db561c9)

Expected behaviour you didn't see

$ id
uid=4000000000(someuser) gid=100(users) groups=100(users)
$ systemctl stop sshd.service
Failed to stop sshd.service: Interactive authentication required.
See system logs and 'systemctl status sshd.service' for details.
$ systemctl is-active sshd.service
active

Unexpected behaviour you saw

$ id
uid=4000000000(someuser) gid=100(users) groups=100(users)
$ systemctl stop sshd.service

(pkttyagent:3342): GLib-GObject-WARNING **: 13:28:53.802: value "-294967296" of type 'gint' is invalid or out of range for property 'uid' of type 'gint'
**
ERROR:pkttyagent.c:156:main: assertion failed: (polkit_unix_process_get_uid (POLKIT_UNIX_PROCESS (subject)) >= 0)
$ systemctl is-active sshd.service
inactive

Steps to reproduce the problem

  1. create a user with an UID > INT_MAX, e.g. 4000000000
  2. run any systemctl command
@poettering
Copy link
Member

@poettering poettering commented Dec 2, 2018

pkttyagent does not authenticate anything, it juts passes a password if one is required from the user to polkit in the background

it's the polkit service in the background that does the authentication. Not sure I grok what's going on, but this smells like a pokit service issue

@4z3 4z3 changed the title unprivileged users with UID > MAX_INT can successfully execute any systemctl command unprivileged users with UID > INT_MAX can successfully execute any systemctl command Dec 2, 2018
@poettering
Copy link
Member

@poettering poettering commented Dec 2, 2018

So, I managed to reproduce this, and yes, PolicyKit says the caller is authenticated, a "busctl monitor" reveals. This is hence a PolicyKit bug. A pretty bad one...

@4z3
Copy link
Author

@4z3 4z3 commented Dec 2, 2018

Thanks for verifying the issue. I've crossposted it at polkit's issue tracker: https://gitlab.freedesktop.org/polkit/polkit/issues/74

@keszybz
Copy link
Member

@keszybz keszybz commented Dec 2, 2018

pkttyagent aborts, but this is not very important.

Work-around: systemctl mask polkit && systemctl stop polkit.

@evverx
Copy link
Member

@evverx evverx commented Dec 3, 2018

In a way it's kind of handy because it allows users with uids like that to bypass sudo machinery or any other mechanism used to become root :-) I took a look at https://gitlab.freedesktop.org/polkit/polkit and it seems that it isn't exactly active (looks like the main bug tracker is somewhere else). Anyway, I'm pretty sure the bug would be fixed much faster if a CVE was created for this.

@mbiebl
Copy link
Contributor

@mbiebl mbiebl commented Dec 3, 2018

@evverx I've forwarded this issue to the Debian security team and they requested a CVE
https://gitlab.freedesktop.org/polkit/polkit/issues/74#note_84732
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19788

@evverx
Copy link
Member

@evverx evverx commented Dec 3, 2018

@mbiebl thank you! I was also going to write that according to https://gitlab.freedesktop.org/polkit/polkit/blob/master/README it's possible to report security vulnerabilities privately by sending them to dbus-security@lists.freedesktop.org but it seems to be too late.

@poettering
Copy link
Member

@poettering poettering commented Dec 3, 2018

I think we can close this one here. let's do all follow-up discussions on the fdo gitlab for polkit.

@setharnold
Copy link

@setharnold setharnold commented Dec 4, 2018

I'm surprised a process aborting fails open like this -- are you sure that there's nothing to fix here?

Thanks

@grawity
Copy link
Contributor

@grawity grawity commented Dec 4, 2018

I'm surprised a process aborting fails open like this -- are you sure that there's nothing to fix here?

Neither the process you see abort (pkttyagent) nor the process making authorization decisions (polkitd) are part of the systemd repository. The issue here is that polkitd wrongly reports to the systemd process that the action is allowed.

@rmoog

This comment was marked as off-topic.

@poettering
Copy link
Member

@poettering poettering commented Dec 6, 2018

So, apparently the peanut gallery found this bug, I am locking this now here. This is not the right place for off-topic trolling (it never is) nor even for on-topic technical info (because that should be placed on the polkit bug over on fdo).

@systemd systemd locked as too heated and limited conversation to collaborators Dec 6, 2018
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
8 participants