unprivileged users with UID > INT_MAX can successfully execute any systemctl command

[4z3]

Unprivileged users with UID > INT_MAX can execute any systemctl command due pkttyagent aborting with an assertion at https://github.com/freedesktop/polkit/blob/8c1bc8a/src/programs/pkttyagent.c#L156.

systemd version the issue has been seen with

$ systemctl --version
systemd 239
+PAM +AUDIT -SELINUX +IMA +APPARMOR +SMACK -SYSVINIT +UTMP -LIBCRYPTSETUP +GCRYPT -GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID -ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=hybrid

For completeness:

$ pkttyagent --version
pkttyagent version 0.115

Used distribution

NixOS 18.09 stable (commit db561c9)

Expected behaviour you didn't see

$ id
uid=4000000000(someuser) gid=100(users) groups=100(users)
$ systemctl stop sshd.service
Failed to stop sshd.service: Interactive authentication required.
See system logs and 'systemctl status sshd.service' for details.
$ systemctl is-active sshd.service
active

Unexpected behaviour you saw

$ id
uid=4000000000(someuser) gid=100(users) groups=100(users)
$ systemctl stop sshd.service

(pkttyagent:3342): GLib-GObject-WARNING **: 13:28:53.802: value "-294967296" of type 'gint' is invalid or out of range for property 'uid' of type 'gint'
**
ERROR:pkttyagent.c:156:main: assertion failed: (polkit_unix_process_get_uid (POLKIT_UNIX_PROCESS (subject)) >= 0)
$ systemctl is-active sshd.service
inactive

Steps to reproduce the problem

1. create a user with an UID > INT_MAX, e.g. 4000000000
2. run any systemctl command

[poettering]

pkttyagent does not authenticate anything, it juts passes a password if one is required from the user to polkit in the background

it's the polkit service in the background that does the authentication. Not sure I grok what's going on, but this smells like a pokit service issue

[poettering]

So, I managed to reproduce this, and yes, PolicyKit says the caller is authenticated, a "busctl monitor" reveals. This is hence a PolicyKit bug. A pretty bad one...

[4z3]

Thanks for verifying the issue. I've crossposted it at polkit's issue tracker: https://gitlab.freedesktop.org/polkit/polkit/issues/74

[keszybz]

pkttyagent aborts, but this is not very important.

Work-around: systemctl mask polkit && systemctl stop polkit.

[evverx]

In a way it's kind of handy because it allows users with uids like that to bypass sudo machinery or any other mechanism used to become root :-) I took a look at https://gitlab.freedesktop.org/polkit/polkit and it seems that it isn't exactly active (looks like the main bug tracker is somewhere else). Anyway, I'm pretty sure the bug would be fixed much faster if a CVE was created for this.

[mbiebl]

@evverx I've forwarded this issue to the Debian security team and they requested a CVE
https://gitlab.freedesktop.org/polkit/polkit/issues/74#note_84732
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19788

[evverx]

@mbiebl thank you! I was also going to write that according to https://gitlab.freedesktop.org/polkit/polkit/blob/master/README it's possible to report security vulnerabilities privately by sending them to dbus-security@lists.freedesktop.org but it seems to be too late.

[poettering]

I think we can close this one here. let's do all follow-up discussions on the fdo gitlab for polkit.

[setharnold]

I'm surprised a process aborting fails open like this -- are you sure that there's nothing to fix here?

Thanks

[grawity]

I'm surprised a process aborting fails open like this -- are you sure that there's nothing to fix here?

Neither the process you see abort (pkttyagent) nor the process making authorization decisions (polkitd) are part of the systemd repository. The issue here is that polkitd wrongly reports to the systemd process that the action is allowed.

This bug would not have occured in systemd if it had a Code of Conduct https://github.com/ContributorCovenant/contributor_covenant