
#1 2025-02-18 17:46:30

sincomil
Member
Registered: 2018-02-13
Posts: 118

[SOLVED] pkexec from Polkit allows any user to gain root privs

I installed Arch Linux a long time ago and have tried many graphical environments (KDE, GNOME, XFCE, LXDE, Enlightenment, Hyprland, Sway, COSMIC and more). But I never paid attention to Polkit because I always used sudo for my privileged operations, and today I found that /usr/bin/pkexec, which comes with the polkit package, has the SUID bit set and is executable by everybody:

$ eza -lag /usr/bin/pkexec
.rwsr-xr-x 27k root root 15 Jan 11:36  /usr/bin/pkexec
$ sudo pacman -Qkk polkit
polkit: 226 total files, 0 altered files

And my question is: why does it have exec permission for everybody when the SUID bit is set at the same time, and is that OK for security? I created a new clean user to check my suspicions and tried to run pkexec, and immediately got a root shell. I think this is not OK; prove me wrong if I am:

login: clean
Password:
Last login: Sat Sep 12 16:22:43 on tty1
[clean@host ~]$ pkexec zsh
==== AUTHENTICATING FOR org.freedesktop.policykit.exec ====
Authentication is needed to run `/usr/bin/zsh' as the super user
Authenticating as: root
==== AUTHENTICATION COMPLETE ====
# id
uid=0(root) gid=0(root) groups=0(root)
host #
[clean@host ~]$ id
uid=1001(clean) gid=1001(clean) groups=1001(clean)

Last edited by sincomil (2025-02-19 09:03:37)


#2 2025-02-18 21:04:53

seth
Member
Registered: 2012-09-03
Posts: 64,044

Re: [SOLVED] pkexec from Polkit allows any user to gain root privs

pkexec is similar-ish to sudo and needs the same permissions to do its job:

stat /bin/{sudo,pkexec}

That part is normal.

It will authenticate via polkit and typically, like sudo, ask for a password - but that can be cached or drawn from a keyring/wallet.
If that's not the case (e.g. for a test user) you'd likely have screwed up some polkit rules?

pacman -Qikk polkit
sudo ls -R /{etc,usr/share}/polkit-1


#3 2025-02-18 21:24:50

sincomil
Member
Registered: 2018-02-13
Posts: 118

Re: [SOLVED] pkexec from Polkit allows any user to gain root privs

Interesting, but I have never ever messed with Polkit.


$ pacman -Qikk polkit
Name            : polkit
Version         : 126-2
Description     : Application development toolkit for controlling system-wide privileges
Architecture    : x86_64
URL             : https://github.com/polkit-org/polkit
Licenses        : LGPL-2.0-or-later
Groups          : None
Provides        : libpolkit-agent-1.so=0-64  libpolkit-gobject-1.so=0-64
Depends On      : duktape  expat  glib2  glibc  pam  systemd-libs
Optional Deps   : None
Required By     : accountsservice  bolt  corectrl  flatpak  fwupd  gamemode  lib32-polkit  libvirt  modemmanager  packagekit  pcsclite
                  polkit-qt6  rtkit  spice-gtk  swhkd-git  udisks2  upower
Optional For    : firewalld  grub-customizer  networkmanager  systemd
Conflicts With  : None
Replaces        : None
Installed Size  : 1933.92 KiB
Packager        : Christian Hesse <eworm@archlinux.org>
Build Date      : Wed Jan 15 11:36:32 2025
Install Date    : Wed Jan 29 20:10:12 2025
Install Reason  : Installed as a dependency for another package
Install Script  : Yes
Validated By    : Signature

polkit: 226 total files, 0 altered files
$ sudo ls -R /{etc,usr/share}/polkit-1
/etc/polkit-1:
rules.d

/etc/polkit-1/rules.d:

/usr/share/polkit-1:
actions  policyconfig-1.dtd  rules.d

/usr/share/polkit-1/actions:
com.feralinteractive.GameMode.policy			       org.freedesktop.packagekit.policy
com.github.swhkd.pkexec.policy				       org.freedesktop.policykit.examples.pkexec.policy
com.mesonbuild.install.policy				       org.freedesktop.policykit.policy
com.system76.CosmicSettings.Users.policy		       org.freedesktop.portable1.policy
io.systemd.credentials.policy				       org.freedesktop.resolve1.policy
io.systemd.mount-file-system.policy			       org.freedesktop.systemd1.policy
net.launchpad.danielrichter2007.pkexec.grub-customizer.policy  org.freedesktop.timedate1.policy
org.corectrl.helper.policy				       org.freedesktop.timesync1.policy
org.corectrl.helperkiller.policy			       org.freedesktop.upower.policy
org.debian.pcsc-lite.policy				       org.kde.drkonqi.policy
org.fedoraproject.FirewallD1.desktop.policy.choice	       org.kde.filesharing.samba.policy
org.fedoraproject.FirewallD1.policy			       org.kde.fontinst.policy
org.fedoraproject.FirewallD1.server.policy.choice	       org.kde.kameleonhelper.policy
org.freedesktop.Flatpak.policy				       org.kde.kcontrol.kcmclock.policy
org.freedesktop.ModemManager1.policy			       org.kde.kcontrol.kcmkwallet5.policy
org.freedesktop.NetworkManager.policy			       org.kde.kcontrol.kcmsddm.policy
org.freedesktop.RealtimeKit1.policy			       org.kde.kded.smart.policy
org.freedesktop.UDisks2.policy				       org.kde.kinfocenter.dmidecode.policy
org.freedesktop.accounts.policy				       org.kde.ksysguard.processlisthelper.policy
org.freedesktop.bolt.policy				       org.kde.ktexteditor6.katetextbuffer.policy
org.freedesktop.fwupd.policy				       org.kde.powerdevil.backlighthelper.policy
org.freedesktop.home1.policy				       org.kde.powerdevil.chargethresholdhelper.policy
org.freedesktop.hostname1.policy			       org.kde.powerdevil.discretegpuhelper.policy
org.freedesktop.import1.policy				       org.kde.ufw.policy
org.freedesktop.locale1.policy				       org.libvirt.api.policy
org.freedesktop.login1.policy				       org.libvirt.unix.policy
org.freedesktop.machine1.policy				       org.spice-space.lowlevelusbaccess.policy
org.freedesktop.network1.policy				       ru.linuxonly.modem-manager-gui.policy

/usr/share/polkit-1/rules.d:
50-default.rules	cosmic-settings-daemon.rules  org.freedesktop.Flatpak.rules   org.freedesktop.fwupd.rules
50-libvirt.rules	cosmic-settings.rules	      org.freedesktop.GeoClue2.rules  org.freedesktop.packagekit.rules
55-org.nomachine.rules	gamemode.rules		      org.freedesktop.bolt.rules      systemd-networkd.rules

Could you please advise me what I have to look for to find out what causes an unauthorized user to get a root shell with pkexec?

Last edited by sincomil (2025-02-18 21:27:05)


#4 2025-02-18 21:31:29

seth
Member
Registered: 2012-09-03
Posts: 64,044

Re: [SOLVED] pkexec from Polkit allows any user to gain root privs

Right off the bat, where do com.github.swhkd.pkexec.policy and net.launchpad.danielrichter2007.pkexec.grub-customizer.policy come from and what do they look like?

And then let's check

sudo grep -r pkexec /usr/share/polkit-1/


#5 2025-02-19 08:14:03

sincomil
Member
Registered: 2018-02-13
Posts: 118

Re: [SOLVED] pkexec from Polkit allows any user to gain root privs

$ pacman -Qo com.github.swhkd.pkexec.policy
/usr/share/polkit-1/actions/com.github.swhkd.pkexec.policy is owned by swhkd-git 1.2.1.r77.gf8519a5-1


$ cat com.github.swhkd.pkexec.policy
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN" "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
<policyconfig>
  <action id="com.github.swhkd.pkexec">
    <message>Authentication is required to run Simple Wayland Hotkey Daemon</message>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.exec.path">/usr/bin/swhkd</annotate>
  </action>
</policyconfig>
$ pacman -Qo net.launchpad.danielrichter2007.pkexec.grub-customizer.policy
/usr/share/polkit-1/actions/net.launchpad.danielrichter2007.pkexec.grub-customizer.policy is owned by grub-customizer 5.2.5-1


$ cat net.launchpad.danielrichter2007.pkexec.grub-customizer.policy
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
 "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
<policyconfig>

  <action id="net.launchpad.danielrichter2007.pkexec.grub-customizer">
    <message>Authentication is required to run Grub Customizer</message>
    <icon_name>grub-customizer</icon_name>
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>auth_admin</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.exec.path">/usr/bin/grub-customizer</annotate>
    <annotate key="org.freedesktop.policykit.exec.allow_gui">true</annotate>
  </action>

</policyconfig>
$ grep -r pkexec /usr/share/polkit-1/
/usr/share/polkit-1/actions/net.launchpad.danielrichter2007.pkexec.grub-customizer.policy:  <action id="net.launchpad.danielrichter2007.pkexec.grub-customizer">
/usr/share/polkit-1/actions/org.freedesktop.policykit.examples.pkexec.policy:  <action id="org.freedesktop.policykit.example.pkexec.run-frobnicate">
/usr/share/polkit-1/actions/com.github.swhkd.pkexec.policy:  <action id="com.github.swhkd.pkexec">

Since the last command gives us 3 matches and the contents of two of them are already here, here are the 3rd file's contents:

https://hastebin.com/share/tufojipibi.xml

$ pacman -Qo /usr/share/polkit-1/actions/org.freedesktop.policykit.examples.pkexec.policy
/usr/share/polkit-1/actions/org.freedesktop.policykit.examples.pkexec.policy is owned by polkit 126-2

Last edited by sincomil (2025-02-19 08:20:31)


#6 2025-02-19 09:03:20

sincomil
Member
Registered: 2018-02-13
Posts: 118

Re: [SOLVED] pkexec from Polkit allows any user to gain root privs

I found how my problem originated! I ran journalctl --follow and there it was:

polkit-agent-helper-1[678763]: pam_unix(polkit-1:auth): user [root] has blank password; authenticated without it

I made the root password empty some time ago for test purposes and it has been empty since then. So it is totally my fault.
Now I have just locked the root account, and pkexec now asks me for the root password, which fully satisfies me:

$ sudo passwd -l root
$ sudo grep root /etc/shadow
root:!:14871::::::

Marking this topic as solved. Thank you!
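A small shell audit for the two checks this thread came down to, written for this page as an added example (it is not code from the thread or from the polkit project): seth's point in #2 that pkexec, like sudo, must be a setuid-root binary, and the root cause found in #6, an empty root password field in /etc/shadow that pam_unix accepts without a password. The functions work on text passed in, so the constructed sample shadow records and journal lines below stand in for the real files; the "Live use" comment at the end shows how to feed them the real system's data. Assumed: POSIX sh with awk, sed and cut, and GNU stat for the live variant.

```shell
#!/bin/sh
# Added audit helper: example code written for this page, not part of the
# thread or of the polkit project. It checks the two things the thread came
# down to: whether a setuid helper such as /usr/bin/pkexec has the expected
# mode and owner, and whether any account in /etc/shadow has an empty password
# field, which pam_unix accepts without a password when the PAM stack carries
# "nullok" (the "has blank password; authenticated without it" journal line).
# Needs POSIX sh, awk, sed and cut. The sample shadow records and journal lines
# below are constructed for the example (the PID is the one from the thread).

# Print the users whose shadow password field (field 2) is empty.
# Input: shadow-format text, one record per line.
blank_password_accounts() {
    printf '%s\n' "$1" | awk -F: '$2 == "" { print $1 }'
}

# Print the users whose password field starts with "!", which is what
# "passwd -l" writes in front of the existing hash (or the empty field).
locked_accounts() {
    printf '%s\n' "$1" | awk -F: '$2 ~ /^!/ { print $1 }'
}

# Extract "<pam-service> <user>" from journal text for every pam_unix line that
# reports a blank-password authentication.
blank_auth_events() {
    printf '%s\n' "$1" | sed -n \
      's/.*pam_unix(\([^)]*\)): user \[\([^]]*\)] has blank password; authenticated without it.*/\1 \2/p'
}

# Check an octal mode (as printed by "stat -c %a") and an owner name against
# what a setuid-root helper like pkexec or sudo should have: setuid bit set,
# owned by root, not group- or world-writable. Prints "ok" or the first
# problem found and returns non-zero on a problem.
check_suid_helper() {
    mode="$1"; owner="$2"
    while [ "${#mode}" -lt 4 ]; do mode="0$mode"; done   # "755" -> "0755"
    special=$(printf '%s' "$mode" | cut -c1)
    group=$(printf '%s' "$mode" | cut -c3)
    other=$(printf '%s' "$mode" | cut -c4)
    [ "$owner" = "root" ] || { echo "owner is $owner, expected root"; return 1; }
    [ $(( special & 4 )) -eq 4 ] || { echo "setuid bit not set"; return 1; }
    [ $(( group & 2 )) -eq 0 ] || { echo "group-writable"; return 1; }
    [ $(( other & 2 )) -eq 0 ] || { echo "world-writable"; return 1; }
    echo ok
}

# Constructed sample data: root's password field is empty (the thread's state
# before "passwd -l root"), then locked afterwards. Hashes are not real.
SAMPLE_SHADOW_BEFORE='root::14871::::::
clean:$6$constructedsalt$notarealhash:20000::::::
daemon:*:19000::::::'
SAMPLE_SHADOW_AFTER='root:!:14871::::::
clean:$6$constructedsalt$notarealhash:20000::::::
daemon:*:19000::::::'
SAMPLE_JOURNAL='Feb 18 17:40:12 host polkit-agent-helper-1[678763]: pam_unix(polkit-1:auth): user [root] has blank password; authenticated without it
Feb 18 17:40:13 host systemd[1]: Started Session 3 of User clean.'

# Live use on a real system (reading /etc/shadow needs root):
#   blank_password_accounts "$(cat /etc/shadow)"
#   check_suid_helper "$(stat -c %a /usr/bin/pkexec)" "$(stat -c %U /usr/bin/pkexec)"
#   blank_auth_events "$(journalctl -b --no-pager)"
```

The shadow checks are the durable part: the thread's journal line only appears after a blank-password authentication has already succeeded, whereas an empty second field in /etc/shadow can be found before anyone uses it. The mode check deliberately accepts 4755 root, which is what the thread's eza output shows and what a setuid helper needs, and flags only the cases that actually matter (setuid bit missing, wrong owner, or a writable bit that would let someone replace the binary).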

