#1 2018-01-12 00:59:10

najamelan
Member
Registered: 2018-01-11
Posts: 7

How do you tame polkit? (sublime text can modify /etc/passwd) [solved]

It seems that polkit is a mechanism that can grant root privileges without the user knowing about it or authorizing it. That feels like a security hazard to me. I currently run into this:

On a fresh install of Arch and Sublime Text, open sublime text (as normal user) and:

ctrl+o /etc/passwd

Make some changes and save. No password prompt, no confirmation to permit the operation. Everyone seems happy, but me sad.

So looking into it:

root@computer /h/user# la /etc/passwd
-rw-r--r-- 1 root root 1,3K 12 jan 00:43 /etc/passwd

root@computer /h/user# ps aux | grep sublime_text
user     10728  3.2  0.3 849680 49476 ?        Ssl  00:43   0:00 /opt/sublime_text/sublime_text
user     10740  1.6  0.1 119156 19636 ?        Sl   00:43   0:00 /opt/sublime_text/plugin_host 10728

user@computer ~> id
uid=1000(user) gid=1000(user) groups=1000(user),150(wireshark),1001(sudo)

root@computer /h/user# cat /etc/sudoers | grep "%sudo"
%sudo	ALL=(ALL) ALL

journalctl will show:

jan 12 00:43:54 computer polkitd[500]: /etc/polkit-1/rules.d/00-log-access.rules:2: action=[Action id='org.freedesktop.policykit.exec' polkit.gettext_domain='polkit-1' command_line='/bin/cp /tmp/.subl35d.tmp /etc/passwd' program='/bin/cp' user.gecos='' user='root' polkit.message='Authentication is needed to run `$(program)' as the super user' user.display='root']
jan 12 00:43:54 computer polkitd[500]: /etc/polkit-1/rules.d/00-log-access.rules:3: subject=[Subject pid=10728 user='user' groups=user,sudo,wireshark seat='seat0' session='c1' local=true active=true]
jan 12 00:43:54 computer polkitd[500]: Operator of unix-session:c1 successfully authenticated as unix-user:root to gain ONE-SHOT authorization for action org.freedesktop.policykit.exec for unix-process:10728:721632 [/opt/sublime_text/sublime_text] (owned by unix-user:user)
jan 12 00:43:54 computer pkexec[10744]: pam_unix(polkit-1:session): session opened for user root by (uid=1000)
jan 12 00:43:54 computer pkexec[10744]: user: Executing command [USER=root] [TTY=unknown] [CWD=/] [COMMAND=/bin/cp /tmp/.subl35d.tmp /etc/passwd]

I don't have a policy action or rule file with that exact name, but let's find it:

root@computer /h/user# grep "org.freedesktop.policykit.exec" /usr/share/polkit-1/**
grep: /usr/share/polkit-1/actions: Is a directory
/usr/share/polkit-1/actions/org.archlinux.pkexec.netactview.policy:    <annotate key="org.freedesktop.policykit.exec.path">/usr/bin/netactview</annotate>
/usr/share/polkit-1/actions/org.archlinux.pkexec.netactview.policy:    <annotate key="org.freedesktop.policykit.exec.allow_gui">true</annotate>
/usr/share/polkit-1/actions/org.freedesktop.packagekit.policy:    <annotate key="org.freedesktop.policykit.exec.path">/usr/sbin/pk-device-rebind</annotate>
/usr/share/polkit-1/actions/org.freedesktop.policykit.examples.pkexec.policy:    <annotate key="org.freedesktop.policykit.exec.path">/usr/bin/pk-example-frobnicate</annotate>
/usr/share/polkit-1/actions/org.freedesktop.policykit.policy:  <action id="org.freedesktop.policykit.exec">
/usr/share/polkit-1/actions/org.freedesktop.systemd1.policy:    <annotate key="org.freedesktop.policykit.exec.path">/usr/lib/systemd/systemd-reply-password</annotate>
/usr/share/polkit-1/actions/org.gnome.controlcenter.remote-login-helper.policy:    <annotate key="org.freedesktop.policykit.exec.path">/usr/lib/cc-remote-login-helper</annotate>
/usr/share/polkit-1/actions/org.gnome.gnome-system-monitor.policy:    <annotate key="org.freedesktop.policykit.exec.path">/usr/lib/gnome-system-monitor/gnome-system-monitor/gsm-kill</annotate>
/usr/share/polkit-1/actions/org.gnome.gnome-system-monitor.policy:    <annotate key="org.freedesktop.policykit.exec.path">/usr/lib/gnome-system-monitor/gnome-system-monitor/gsm-renice</annotate>
/usr/share/polkit-1/actions/org.gnome.settings-daemon.plugins.power.policy:    <annotate key="org.freedesktop.policykit.exec.path">/usr/lib/gnome-settings-daemon/gsd-backlight-helper</annotate>
/usr/share/polkit-1/actions/org.gnome.settings-daemon.plugins.wacom.policy:    <annotate key="org.freedesktop.policykit.exec.path">/usr/lib/gnome-settings-daemon/gsd-wacom-led-helper</annotate>
/usr/share/polkit-1/actions/org.gnome.settings-daemon.plugins.wacom.policy:    <annotate key="org.freedesktop.policykit.exec.path">/usr/lib/gnome-settings-daemon/gsd-wacom-oled-helper</annotate>
/usr/share/polkit-1/actions/org.gtk.vfs.file-operations.policy:    <annotate key="org.freedesktop.policykit.exec.path">/usr/lib/gvfs/gvfsd-admin</annotate>
grep: /usr/share/polkit-1/rules.d: Is a directory

The only reasonable candidate seems to be /usr/share/polkit-1/actions/org.freedesktop.policykit.policy. So here it is:

root@computer /h/user# cat /usr/share/polkit-1/actions/org.freedesktop.policykit.policy
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC "-//freedesktop//DTD polkit Policy Configuration 1.0//EN"
"http://www.freedesktop.org/software/polkit/policyconfig-1.dtd">
<policyconfig>
  <vendor>The polkit project</vendor>
  <vendor_url>http://www.freedesktop.org/wiki/Software/polkit/</vendor_url>

  <action id="org.freedesktop.policykit.exec">
    <description>Run a program as another user</description>
        [translations omitted for brevity]
    <message>Authentication is required to run a program as another user</message>
        [translations omitted for brevity]
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>auth_admin</allow_active>
    </defaults>
  </action>
</policyconfig>

From the Polkit documentation:

auth_admin Authentication by an administrative user is required.

Whatever that is supposed to mean? As far as I understand it, auth_admin should ask for authentication, but something authenticates sublime text without my interaction and without my intent and permission.

Any other policies:

root@computer /h/user# find /etc/polkit-1 -type f
/etc/polkit-1/rules.d/50-default.rules
/etc/polkit-1/rules.d/00-log-access.rules

root@computer /h/user# cat /etc/polkit-1/**
cat: /etc/polkit-1/rules.d: Is a directory
polkit.addRule(function(action, subject) {
    polkit.log("action=" + action);
    polkit.log("subject=" + subject);
});
/* -*- mode: js; js-indent-level: 4; indent-tabs-mode: nil -*- */

// DO NOT EDIT THIS FILE, it will be overwritten on update
//
// Default rules for polkit
//
// See the polkit(8) man page for more information
// about configuring polkit.

polkit.addAdminRule(function(action, subject) {
    return ["unix-group:wheel"];
});

I can't really test without polkit because systemd will relaunch it immediately, however this might be the culprit, in journalctl when polkit relaunches:

jan 12 01:26:52 computer polkitd[12618]: Registered Authentication Agent for unix-session:c1 (system bus name :1.10 [/usr/bin/gnome-shell], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
jan 12 01:26:52 computer org.gnome.Shell.desktop[571]: We are now a registered authentication agent.

Digging a bit deeper, I do have "polkit-gnome" package installed. Looking at the source package it turns out that this is 6 years old, so I removed it. So far no effect, not even after restarting polkit, gnome-shell still registers as an authentication agent.

My package versions:

polkit 0.113+34+g29ba7af-1
gnome-shell 3.26.2+9+ga3736d3a3-1

I'm a bit at a loss. I will reboot now I have removed polkit-gnome and see what gives.

So how would I disable such behaviour (and understand where it comes from)? And how would I be spared of such nasty surprises with polkit in the future?

Last edited by najamelan (2018-01-12 15:15:03)

Offline
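
An added example, not part of the original post: detection logic for the journal lines quoted above, pairing each pkexec execution with the polkitd authorization logged just before it and flagging runs that had no terminal or that touch sensitive paths. The sample log is constructed in the post's format (its last line is invented for contrast), and the function name, flag names and path prefixes are assumptions.

```python
import re

# Constructed sample in the format of the journal lines quoted in the post above;
# the last line is invented to show a terminal-launched pkexec for contrast.
SAMPLE_JOURNAL = """\
jan 12 00:43:54 computer polkitd[500]: Operator of unix-session:c1 successfully authenticated as unix-user:root to gain ONE-SHOT authorization for action org.freedesktop.policykit.exec for unix-process:10728:721632 [/opt/sublime_text/sublime_text] (owned by unix-user:user)
jan 12 00:43:54 computer pkexec[10744]: pam_unix(polkit-1:session): session opened for user root by (uid=1000)
jan 12 00:43:54 computer pkexec[10744]: user: Executing command [USER=root] [TTY=unknown] [CWD=/] [COMMAND=/bin/cp /tmp/.subl35d.tmp /etc/passwd]
jan 12 09:10:02 computer pkexec[11890]: user: Executing command [USER=root] [TTY=/dev/pts/1] [CWD=/home/user] [COMMAND=/usr/bin/ls /root]
"""

AUTH_RE = re.compile(
    r"polkitd\[\d+\]: Operator of \S+ successfully authenticated as (?P<identity>\S+) "
    r"to gain (?P<kind>\S+) authorization for action (?P<action>\S+) "
    r"for unix-process:(?P<pid>\d+):\d+ \[(?P<requester>[^\]]*)\] \(owned by (?P<owner>[^)]+)\)"
)
EXEC_RE = re.compile(
    r"pkexec\[\d+\]: (?P<caller>\S+): Executing command \[USER=(?P<target>[^\]]*)\] "
    r"\[TTY=(?P<tty>[^\]]*)\] \[CWD=[^\]]*\] \[COMMAND=(?P<command>.*)\]$"
)
# Assumption: path prefixes whose modification through pkexec deserves review on this host.
SENSITIVE_PREFIXES = ("/etc/", "/boot/", "/usr/lib/systemd/")


def find_pkexec_events(journal_text):
    """Pair each pkexec execution with the polkitd authorization logged just before it."""
    events, pending_auth = [], None
    for line in journal_text.splitlines():
        auth = AUTH_RE.search(line)
        if auth:
            pending_auth = auth.groupdict()
            continue
        run = EXEC_RE.search(line)
        if not run:
            continue
        args = run["command"].split()[1:]  # skip the program itself
        flags = []
        if run["tty"] == "unknown":
            flags.append("no-tty")  # started by a GUI process, not typed in a terminal
        if any(arg.startswith(SENSITIVE_PREFIXES) for arg in args):
            flags.append("sensitive-path")
        events.append({
            "caller": run["caller"],
            "target": run["target"],
            "command": run["command"],
            "requester": pending_auth["requester"] if pending_auth else None,
            "identity": pending_auth["identity"] if pending_auth else None,
            "flags": flags,
        })
        pending_auth = None  # adjacency heuristic: one authorization per execution
    return events


if __name__ == "__main__":
    for event in find_pkexec_events(SAMPLE_JOURNAL):
        print(event)
```
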

#2 2018-01-12 01:04:04

najamelan
Member
Registered: 2018-01-11
Posts: 7

Re: How do you tame polkit? (sublime text can modify /etc/passwd) [solved]

Ok, rebooting didn't change a thing, it wasn't polkit-gnome package.

Offline

#3 2018-01-12 03:20:25

circleface
Member
Registered: 2012-05-26
Posts: 639

Re: How do you tame polkit? (sublime text can modify /etc/passwd) [solved]

What about the output of

ls -l /opt/sublime_text/sublime_text

If that is not the path to the actual executable (I don't have it installed so I have no idea) then make sure you run ls on the actual executable.

Offline

#4 2018-01-12 04:18:32

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 30,456
Website

Re: How do you tame polkit? (sublime text can modify /etc/passwd) [solved]

While I'm no fan of polkit (the simple answer to the title in your question is `pacman -Rsn polkit`), I have no idea how you leaped to blaming polkit for this problem. What evidence/observations led you to that conclusion?

Oops, I just caught up on your journalctl output.  That does seem to be there.

Last edited by Trilby (2018-01-12 04:21:42)


"UNIX is simple and coherent" - Dennis Ritchie; "GNU's Not Unix" - Richard Stallman

Offline

#5 2018-01-12 05:05:45

najamelan
Member
Registered: 2018-01-11
Posts: 7

Re: How do you tame polkit? (sublime text can modify /etc/passwd) [solved]

Sorry I forgot to post this, but no it's not setuid and sublime has not installed any setuid executables. But then the journalctl output is quite clear about how it gets root privileges.

root@computer /etc# ls -l /opt/sublime_text/sublime_text
-rwxr-xr-x 1 root root 6361184 13 sep 08:57 /opt/sublime_text/sublime_text*

About removing polkit, sure but even simpler:

pacman -Rsn linux

Somehow something is holding me back, I wonder why. No, seriously, polkit is becoming a dependency of more and more software, so we are going to have to deal with it. I don't like geoclue either, but still, gnome depends on it.

Offline

#6 2018-01-12 05:08:11

circleface
Member
Registered: 2012-05-26
Posts: 639

Re: How do you tame polkit? (sublime text can modify /etc/passwd) [solved]

Thanks for the follow up.  That's exactly what I was thinking (about setuid) but obviously I was wrong.

Offline

#7 2018-01-12 06:07:11

jasonwryan
Anarchist
From: .nz
Registered: 2009-05-09
Posts: 30,426
Website

Re: How do you tame polkit? (sublime text can modify /etc/passwd) [solved]

Is it just sublime text? What about Vim/Nano/Whatever?


Arch + dwm   •   Mercurial repos  •   Surfraw

Registered Linux User #482438

Offline

#8 2018-01-12 10:08:34

seth
Member
From: Don't DM me only for attention
Registered: 2012-09-03
Posts: 74,336

Re: How do you tame polkit? (sublime text can modify /etc/passwd) [solved]

Try it in a different desktop environment. If it's still a problem you likely have sth. like https://wiki.archlinux.org/index.php/Po … ord_prompt around.

Offline

#9 2018-01-12 12:17:48

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 30,456
Website

Re: How do you tame polkit? (sublime text can modify /etc/passwd) [solved]

najamelan wrote:

No, seriously, polkit is becoming a dependency of more and more software, so we are going to have to deal with it.

No, we really won't need to; you might need to. If you do have something you value that actually depends on it, I'd be all for helping you ensure it works properly. But if nothing really needs it and you have it around just because you think it's the "future" when it's giving you trouble, that's a bit silly.


"UNIX is simple and coherent" - Dennis Ritchie; "GNU's Not Unix" - Richard Stallman

Offline

#10 2018-01-12 13:24:29

R00KIE
Forum Fellow
From: Between a computer and a chair
Registered: 2008-09-14
Posts: 4,734

Re: How do you tame polkit? (sublime text can modify /etc/passwd) [solved]

I really doubt that by default you can edit passwd freely with or without polkit installed. How did you install arch and what changes have you done? I see you have at least edited the sudoers file, maybe you have done other changes you are not considering that may have an influence on the problem.

Did you launch your DE or GUI interface while logged in as root?


R00KIE
Tm90aGluZyB0byBzZWUgaGVyZSwgbW92ZSBhbG9uZy4K

Offline

#11 2018-01-12 13:31:40

seth
Member
From: Don't DM me only for attention
Registered: 2012-09-03
Posts: 74,336

Re: How do you tame polkit? (sublime text can modify /etc/passwd) [solved]

This thread smells like being in a "sudo" group gets you instant privs through pkexec?
https://bugs.debian.org/cgi-bin/bugrepo … bug=869922

Offline

#12 2018-01-12 13:35:40

Lone_Wolf
Administrator
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 14,893

Re: How do you tame polkit? (sublime text can modify /etc/passwd) [solved]

The problem is likely not in polkit itself, but with some application that installs a polkit rule that poses a security risk.
see https://bbs.archlinux.org/viewtopic.php?id=215993 and https://bugs.archlinux.org/task/50459 .

please post output of

$ ls -l /usr/share/polkit-1/actions

# ls -l /usr/share/polkit-1/rules.d

Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.

clean chroot building not flexible enough ?
Try clean chroot manager by graysky

Offline

#13 2018-01-12 14:26:17

najamelan
Member
Registered: 2018-01-11
Posts: 7

Re: How do you tame polkit? (sublime text can modify /etc/passwd) [solved]

So, some updates:

It doesn't work with nano or Gedit. I suspect it's because they don't try to do something that gets validated by Polkit. I don't know exactly how it's different, but sublime clearly creates a temporary file and then asks to run cp as root, rather than writing directly to /etc/passwd. I suppose nano and Gedit don't do that, and thus standard Linux ACL applies.

I installed following the "Installation instructions" on the wiki, but obviously I am making changes to my system. Unfortunately it's necessary to configure one's OS, especially if you want some security. I have been working on it for about a week so it's hard to tell all the things I have changed, but I have not done anything ludicrous like launching the desktop environment as root.

The one thing I have notably changed about root access is running "xhost si:localhost:root" so I can run GUI programs as root, but that shouldn't give user programs root privileges.

Ok I did some narrowing down, to remove sublime text from the equation as that is a closed source software so it's hard to tell what it does exactly.

root@computer /h/user# touch /etc/somefile
root@computer /h/user# la /etc/somefile
-rw-r--r-- 1 root root 0 12 jan 14:52 /etc/somefile

user@computer ~> echo "some text" > myfile
user@computer ~> la myfile
-rw-r--r-- 1 user user 10 12 jan 14:53 myfile
user@computer ~> cp myfile /etc/somefile
cp: cannot create regular file '/etc/somefile': Permission denied
user@computer ~> sudo cp myfile /etc/somefile
[sudo] password for user:
# I hit ctrl-C (so it doesn't copy)
user@computer ~> pkexec cp /home/user/myfile /etc/somefile
user@computer ~> cat /etc/somefile
some text

I would think it's indeed the bug report that seth referenced. Thanks for pointing that out.

I tried creating a new group, giving it password protected sudo access in sudoers, and removing my user from the `sudo` group, but after logout and login, the result remains the same. `pkexec` grants root privilege without asking for a password. Duh. I suppose for now we are down to using `su` instead of `sudo` if I don't want this?

The asked output:

root@computer /h/user# ls -l /usr/share/polkit-1/actions
total 1348
-rw-r--r-- 1 root root    739 28 sep 14:08 org.archlinux.pkexec.netactview.policy
-rw-r--r-- 1 root root  19755 22 apr  2017 org.freedesktop.accounts.policy
-rw-r--r-- 1 root root  65425 16 dec 20:45 org.freedesktop.color.policy
-rw-r--r-- 1 root root  19454 10 jan 00:41 org.freedesktop.hostname1.policy
-rw-r--r-- 1 root root  18875 10 jan 00:41 org.freedesktop.import1.policy
-rw-r--r-- 1 root root  12745 10 jan 00:41 org.freedesktop.locale1.policy
-rw-r--r-- 1 root root 211610 10 jan 00:41 org.freedesktop.login1.policy
-rw-r--r-- 1 root root  48870 10 jan 00:41 org.freedesktop.machine1.policy
-rw-r--r-- 1 root root 140023 12 dec 09:03 org.freedesktop.NetworkManager.policy
-rw-r--r-- 1 root root 149799 10 jan 13:22 org.freedesktop.packagekit.policy
-rw-r--r-- 1 root root   5319 16 dec 03:26 org.freedesktop.policykit.examples.pkexec.policy
-rw-r--r-- 1 root root   3520 16 dec 03:26 org.freedesktop.policykit.policy
-rw-r--r-- 1 root root   1489 22 nov 16:32 org.freedesktop.RealtimeKit1.policy
-rw-r--r-- 1 root root   1633 10 jan 00:41 org.freedesktop.resolve1.policy
-rw-r--r-- 1 root root  33348 10 jan 00:41 org.freedesktop.systemd1.policy
-rw-r--r-- 1 root root  26167 10 jan 00:41 org.freedesktop.timedate1.policy
-rw-r--r-- 1 root root   3520 24 dec 09:36 org.freedesktop.UDisks2.bcache.policy
-rw-r--r-- 1 root root   3388 24 dec 09:36 org.freedesktop.UDisks2.btrfs.policy
-rw-r--r-- 1 root root   3555 24 dec 09:36 org.freedesktop.UDisks2.lvm2.policy
-rw-r--r-- 1 root root 297218 24 dec 09:36 org.freedesktop.UDisks2.policy
-rw-r--r-- 1 root root   3291 24 dec 09:36 org.freedesktop.UDisks2.zram.policy
-rw-r--r-- 1 root root  18579 22 nov 15:50 org.gnome.controlcenter.datetime.policy
-rw-r--r-- 1 root root  17550 22 nov 15:50 org.gnome.controlcenter.remote-login-helper.policy
-rw-r--r-- 1 root root  15497 22 nov 15:50 org.gnome.controlcenter.user-accounts.policy
-rw-r--r-- 1 root root  28750  9 aug  2016 org.gnome.gconf.defaults.policy
-rw-r--r-- 1 root root  24680 15 sep 23:16 org.gnome.gnome-system-monitor.policy
-rw-r--r-- 1 root root  15694  2 nov 15:59 org.gnome.settings-daemon.plugins.power.policy
-rw-r--r-- 1 root root  28826  2 nov 15:59 org.gnome.settings-daemon.plugins.wacom.policy
-rw-r--r-- 1 root root  12388 10 dec 04:31 org.gtk.vfs.file-operations.policy
-rw-r--r-- 1 root root  89094  5 mrt  2016 org.opensuse.cupspkhelper.mechanism.policy

root@computer /h/user# ls -l /usr/share/polkit-1/rules.d
total 16
-rw-r--r-- 1 root root 488 22 nov 15:50 gnome-control-center.rules
-rw-r--r-- 1 root root 257 10 jan 13:22 org.freedesktop.packagekit.rules
-rw-r--r-- 1 root root 264 10 dec 04:31 org.gtk.vfs.file-operations.rules
-rw-r--r-- 1 root root 330 10 jan 00:41 systemd-networkd.rules

Offline

#14 2018-01-12 14:29:52

seth
Member
From: Don't DM me only for attention
Registered: 2012-09-03
Posts: 74,336

Re: How do you tame polkit? (sublime text can modify /etc/passwd) [solved]

-rw-r--r-- 1 root root 149799 10 jan 13:22 org.freedesktop.packagekit.policy

It's the bug lone_wolf linked.

Edit: or is it? The rule there looks like more specific to the org.freedesktop.packagekit.package-install action.
Better check the 4 rules.

Last edited by seth (2018-01-12 14:36:21)

Offline

#15 2018-01-12 15:07:01

najamelan
Member
Registered: 2018-01-11
Posts: 7

Re: How do you tame polkit? (sublime text can modify /etc/passwd) [solved]

Yes, I will have a closer look at all of these actions. Just to clarify something more. I made a guest account on my system to let friends check their email and such. The only group in which this account is, is guest. Nothing else. It's not in wheel, nor is my normal user account btw, it's not in anything in sudoers, yet pkexec happily allows it full control, just try pkexec su and you're good to go.

Let's hope this is because of something stupid I did, but for everyone who has polkit installed, you might want to check that.

Offline

#16 2018-01-12 15:13:46

najamelan
Member
Registered: 2018-01-11
Posts: 7

Re: How do you tame polkit? (sublime text can modify /etc/passwd) [solved]

OK, I found it. It was my stupid. I was convinced that I had changed the root password since installing, but apparently it was still blank. Now that I set a password, pkexec asks for a password.

Offline
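
An added example, not from the thread: a check for the condition found above, reporting the password state of the accounts polkit would accept for administrator authentication, given passwd, group and shadow-format text. The sample files and function names are constructed, and falling back to root when the admin group has no members is an assumption modelled on this thread's journal, which shows authentication as unix-user:root for a user outside wheel.

```python
# Constructed sample files in passwd(5), group(5) and shadow(5) format.
SAMPLE_PASSWD = """\
root:x:0:0::/root:/bin/bash
user:x:1000:1000::/home/user:/bin/bash
guest:x:1002:1002::/home/guest:/bin/bash
"""
SAMPLE_GROUP = """\
root:x:0:root
wheel:x:998:
sudo:x:1001:user
"""
# Root's password field is empty here, as it was on the poster's machine.
SAMPLE_SHADOW_BLANK = """\
root::17543::::::
user:$6$constructed$placeholderhash:17543:0:99999:7:::
guest:!:17543:0:99999:7:::
"""
SAMPLE_SHADOW_FIXED = SAMPLE_SHADOW_BLANK.replace("root::", "root:$6$constructed$roothash:", 1)


def _rows(text):
    return [line.split(":") for line in text.splitlines() if line and not line.startswith("#")]


def admin_users(passwd_text, group_text, admin_groups=("wheel",)):
    """Users in the admin groups (as listed or primary members); root if there are none."""
    users, gids = set(), set()
    for row in _rows(group_text):
        if row[0] in admin_groups:
            gids.add(row[2])
            users.update(member for member in row[3].split(",") if member)
    for row in _rows(passwd_text):
        if row[3] in gids:  # primary group membership is only recorded in passwd
            users.add(row[0])
    return sorted(users) or ["root"]  # assumption: fallback seen in the thread's journal


def password_state(shadow_field):
    if shadow_field == "":
        return "empty"   # no password: authentication succeeds without a secret
    if shadow_field.startswith(("!", "*")):
        return "locked"  # password login disabled
    return "set"


def audit_admin_passwords(passwd_text, group_text, shadow_text, admin_groups=("wheel",)):
    """Map each admin identity to 'empty', 'locked', 'set' or 'missing'."""
    fields = {row[0]: row[1] for row in _rows(shadow_text)}
    return {
        name: password_state(fields[name]) if name in fields else "missing"
        for name in admin_users(passwd_text, group_text, admin_groups)
    }


if __name__ == "__main__":
    print(audit_admin_passwords(SAMPLE_PASSWD, SAMPLE_GROUP, SAMPLE_SHADOW_BLANK))
    print(audit_admin_passwords(SAMPLE_PASSWD, SAMPLE_GROUP, SAMPLE_SHADOW_FIXED))
```

On a real host, pass the contents of /etc/passwd, /etc/group and /etc/shadow (reading the last requires root) and the group named in the `polkit.addAdminRule` in use.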