unprivileged users with UID > INT_MAX can successfully execute any systemctl command #11026
Comments
pkttyagent does not authenticate anything, it just passes a password if one is required from the user to polkit in the background; it's the polkit service in the background that does the authentication. Not sure I grok what's going on, but this smells like a polkit service issue.
So, I managed to reproduce this, and yes, PolicyKit says the caller is authenticated, a "busctl monitor" reveals. This is hence a PolicyKit bug. A pretty bad one...
Thanks for verifying the issue. I've crossposted it at polkit's issue tracker: https://gitlab.freedesktop.org/polkit/polkit/issues/74
pkttyagent aborts, but this is not very important. Work-around:
In a way it's kind of handy because it allows users with uids like that to bypass
@evverx I've forwarded this issue to the Debian security team and they requested a CVE
@mbiebl thank you! I was also going to write that according to https://gitlab.freedesktop.org/polkit/polkit/blob/master/README it's possible to report security vulnerabilities privately by sending them to dbus-security@lists.freedesktop.org but it seems to be too late.
I think we can close this one here. Let's do all follow-up discussions on the fdo gitlab for polkit.
I'm surprised a process aborting fails open like this -- are you sure that there's nothing to fix here? Thanks
Neither the process you see abort (pkttyagent) nor the process making authorization decisions (polkitd) are part of the systemd repository. The issue here is that polkitd wrongly reports to the systemd process that the action is allowed.
So, apparently the peanut gallery found this bug, I am locking this now here. This is not the right place for off-topic trolling (it never is) nor even for on-topic technical info (because that should be placed on the polkit bug over on fdo).
Unprivileged users with UID > INT_MAX can execute any systemctl command due to pkttyagent aborting with an assertion at https://github.com/freedesktop/polkit/blob/8c1bc8a/src/programs/pkttyagent.c#L156.
systemd version the issue has been seen with
For completeness:
Used distribution
Expected behaviour you didn't see
Unexpected behaviour you saw
Steps to reproduce the problem
systemctl command
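An inventory check for the condition named in the issue title, as an added example that is not part of the original issue or of systemd/polkit: it lists accounts in passwd(5)-format input whose UID is greater than INT_MAX (2147483647). The function names and the sample accounts are constructed for illustration.

```shell
#!/bin/sh
# Added example: list accounts whose UID exceeds INT_MAX.
INT_MAX=2147483647

# Reads passwd(5)-format lines on stdin and prints "name uid" for every
# entry with UID > INT_MAX. Entries with too few fields or a non-numeric
# UID are reported on stderr instead of being skipped silently.
find_high_uids() {
    awk -F: -v max="$INT_MAX" '
        /^[ \t]*(#|$)/ { next }                  # comments and blank lines
        NF < 7 || $3 !~ /^[0-9]+$/ {
            print "malformed entry, line " NR > "/dev/stderr"; next
        }
        ($3 + 0) > (max + 0) { print $1, $3 }    # numeric, not string, compare
    '
}

# Constructed sample data (hypothetical accounts, not taken from the issue).
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
edge:x:2147483647:100::/home/edge:/bin/sh
bigone:x:2147483648:100::/home/bigone:/bin/sh
bigtwo:x:4000000000:100::/home/bigtwo:/bin/sh
broken:x:notanumber:100::/home/broken:/bin/sh
EOF
}

sample_passwd | find_high_uids
# On a live host, feed it every NSS source: getent passwd | find_high_uids
```

Using `getent passwd` rather than reading `/etc/passwd` directly also covers accounts served by directory services, where very large UIDs are more likely to appear.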