I installed Arch Linux a long time ago and have tried many graphical environments (KDE, GNOME, XFCE, LXDE, Enlightenment, Hyprland, Sway, COSMIC and more). But I never paid attention to Polkit because I always used sudo for my privileged operations, and today I found that /usr/bin/pkexec, which comes with the polkit package, has the SUID bit set and is executable by everybody:
$ eza -lag /usr/bin/pkexec
.rwsr-xr-x 27k root root 15 Jan 11:36 /usr/bin/pkexec
$ sudo pacman -Qkk polkit
polkit: 226 total files, 0 altered files
And my question is: why does it have exec permission for everybody when the SUID bit is set at the same time? Is that OK for security? I created a new clean user to check my suspicions, tried to run pkexec and immediately got a root shell. I think this is not OK; prove me wrong if I am:
login: clean
Password:
Last login: Sat Sep 12 16:22:43 on tty1
[clean@host ~]$ pkexec zsh
==== AUTHENTICATING FOR org.freedesktop.policykit.exec ====
Authentication is needed to run `/usr/bin/zsh' as the super user
Authenticating as: root
==== AUTHENTICATION COMPLETE ====
# id
uid=0(root) gid=0(root) groups=0(root)
host #
[clean@host ~]$ id
uid=1001(clean) gid=1001(clean) groups=1001(clean)
Last edited by sincomil (2025-02-19 09:03:37)
pkexec is similar-ish to sudo and needs the same permissions to do its job:
stat /bin/{sudo,pkexec}
That part is normal.
It will authenticate via polkit and typically, like sudo, ask for a password, but that can be cached or drawn from a keyring/wallet.
If that's not the case (e.g. for a test user) you'd likely have screwed up some polkit rules?
pacman -Qikk polkit
sudo ls -R /{etc,usr/share}/polkit-1
Interesting, but I have never messed with Polkit.
$ pacman -Qikk polkit
Name : polkit
Version : 126-2
Description : Application development toolkit for controlling system-wide privileges
Architecture : x86_64
URL : https://github.com/polkit-org/polkit
Licenses : LGPL-2.0-or-later
Groups : None
Provides : libpolkit-agent-1.so=0-64 libpolkit-gobject-1.so=0-64
Depends On : duktape expat glib2 glibc pam systemd-libs
Optional Deps : None
Required By : accountsservice bolt corectrl flatpak fwupd gamemode lib32-polkit libvirt modemmanager packagekit pcsclite
polkit-qt6 rtkit spice-gtk swhkd-git udisks2 upower
Optional For : firewalld grub-customizer networkmanager systemd
Conflicts With : None
Replaces : None
Installed Size : 1933.92 KiB
Packager : Christian Hesse <eworm@archlinux.org>
Build Date : Wed Jan 15 11:36:32 2025
Install Date : Wed Jan 29 20:10:12 2025
Install Reason : Installed as a dependency for another package
Install Script : Yes
Validated By : Signature
polkit: 226 total files, 0 altered files
$ sudo ls -R /{etc,usr/share}/polkit-1
/etc/polkit-1:
rules.d
/etc/polkit-1/rules.d:
/usr/share/polkit-1:
actions policyconfig-1.dtd rules.d
/usr/share/polkit-1/actions:
com.feralinteractive.GameMode.policy org.freedesktop.packagekit.policy
com.github.swhkd.pkexec.policy org.freedesktop.policykit.examples.pkexec.policy
com.mesonbuild.install.policy org.freedesktop.policykit.policy
com.system76.CosmicSettings.Users.policy org.freedesktop.portable1.policy
io.systemd.credentials.policy org.freedesktop.resolve1.policy
io.systemd.mount-file-system.policy org.freedesktop.systemd1.policy
net.launchpad.danielrichter2007.pkexec.grub-customizer.policy org.freedesktop.timedate1.policy
org.corectrl.helper.policy org.freedesktop.timesync1.policy
org.corectrl.helperkiller.policy org.freedesktop.upower.policy
org.debian.pcsc-lite.policy org.kde.drkonqi.policy
org.fedoraproject.FirewallD1.desktop.policy.choice org.kde.filesharing.samba.policy
org.fedoraproject.FirewallD1.policy org.kde.fontinst.policy
org.fedoraproject.FirewallD1.server.policy.choice org.kde.kameleonhelper.policy
org.freedesktop.Flatpak.policy org.kde.kcontrol.kcmclock.policy
org.freedesktop.ModemManager1.policy org.kde.kcontrol.kcmkwallet5.policy
org.freedesktop.NetworkManager.policy org.kde.kcontrol.kcmsddm.policy
org.freedesktop.RealtimeKit1.policy org.kde.kded.smart.policy
org.freedesktop.UDisks2.policy org.kde.kinfocenter.dmidecode.policy
org.freedesktop.accounts.policy org.kde.ksysguard.processlisthelper.policy
org.freedesktop.bolt.policy org.kde.ktexteditor6.katetextbuffer.policy
org.freedesktop.fwupd.policy org.kde.powerdevil.backlighthelper.policy
org.freedesktop.home1.policy org.kde.powerdevil.chargethresholdhelper.policy
org.freedesktop.hostname1.policy org.kde.powerdevil.discretegpuhelper.policy
org.freedesktop.import1.policy org.kde.ufw.policy
org.freedesktop.locale1.policy org.libvirt.api.policy
org.freedesktop.login1.policy org.libvirt.unix.policy
org.freedesktop.machine1.policy org.spice-space.lowlevelusbaccess.policy
org.freedesktop.network1.policy ru.linuxonly.modem-manager-gui.policy
/usr/share/polkit-1/rules.d:
50-default.rules cosmic-settings-daemon.rules org.freedesktop.Flatpak.rules org.freedesktop.fwupd.rules
50-libvirt.rules cosmic-settings.rules org.freedesktop.GeoClue2.rules org.freedesktop.packagekit.rules
55-org.nomachine.rules gamemode.rules org.freedesktop.bolt.rules systemd-networkd.rules
Could you please advise me what I should look for to find out what lets an unauthorized user get a root shell with pkexec?
Last edited by sincomil (2025-02-18 21:27:05)
Right off the bat, where do com.github.swhkd.pkexec.policy and net.launchpad.danielrichter2007.pkexec.grub-customizer.policy come from and what do they look like?
And then let's check
sudo grep -r pkexec /usr/share/polkit-1/
$ pacman -Qo com.github.swhkd.pkexec.policy
/usr/share/polkit-1/actions/com.github.swhkd.pkexec.policy is owned by swhkd-git 1.2.1.r77.gf8519a5-1
$ cat com.github.swhkd.pkexec.policy
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN" "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
<policyconfig>
<action id="com.github.swhkd.pkexec">
<message>Authentication is required to run Simple Wayland Hotkey Daemon</message>
<defaults>
<allow_any>no</allow_any>
<allow_inactive>no</allow_inactive>
<allow_active>yes</allow_active>
</defaults>
<annotate key="org.freedesktop.policykit.exec.path">/usr/bin/swhkd</annotate>
</action>
</policyconfig>
$ pacman -Qo net.launchpad.danielrichter2007.pkexec.grub-customizer.policy
/usr/share/polkit-1/actions/net.launchpad.danielrichter2007.pkexec.grub-customizer.policy is owned by grub-customizer 5.2.5-1
$ cat net.launchpad.danielrichter2007.pkexec.grub-customizer.policy
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
"-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
"http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
<policyconfig>
<action id="net.launchpad.danielrichter2007.pkexec.grub-customizer">
<message>Authentication is required to run Grub Customizer</message>
<icon_name>grub-customizer</icon_name>
<defaults>
<allow_any>auth_admin</allow_any>
<allow_inactive>auth_admin</allow_inactive>
<allow_active>auth_admin</allow_active>
</defaults>
<annotate key="org.freedesktop.policykit.exec.path">/usr/bin/grub-customizer</annotate>
<annotate key="org.freedesktop.policykit.exec.allow_gui">true</annotate>
</action>
</policyconfig>
$ grep -r pkexec /usr/share/polkit-1/
/usr/share/polkit-1/actions/net.launchpad.danielrichter2007.pkexec.grub-customizer.policy: <action id="net.launchpad.danielrichter2007.pkexec.grub-customizer">
/usr/share/polkit-1/actions/org.freedesktop.policykit.examples.pkexec.policy: <action id="org.freedesktop.policykit.example.pkexec.run-frobnicate">
/usr/share/polkit-1/actions/com.github.swhkd.pkexec.policy: <action id="com.github.swhkd.pkexec">
Since the last command gives us 3 matches and the contents of two of them are already above, here are the contents of the third file:
https://hastebin.com/share/tufojipibi.xml
$ pacman -Qo /usr/share/polkit-1/actions/org.freedesktop.policykit.examples.pkexec.policy
/usr/share/polkit-1/actions/org.freedesktop.policykit.examples.pkexec.policy is owned by polkit 126-2
Last edited by sincomil (2025-02-19 08:20:31)
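Added example, not part of any post in this thread: a small audit of the implicit authorizations in pkexec-enabled polkit actions, which is what the policy files above were being inspected for. The function names and the `sample_policy` helper are assumptions of this sketch; the two samples are constructed from the action ids, paths and `<defaults>` values quoted in the post.

```python
import xml.etree.ElementTree as ET

EXEC_PATH_KEY = "org.freedesktop.policykit.exec.path"
SCOPES = ("allow_any", "allow_inactive", "allow_active")

def sample_policy(action_id, path, any_, inactive, active):
    """Build a constructed .policy document with the values quoted in the thread."""
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<policyconfig><action id="{action_id}">
<defaults><allow_any>{any_}</allow_any><allow_inactive>{inactive}</allow_inactive>
<allow_active>{active}</allow_active></defaults>
<annotate key="{EXEC_PATH_KEY}">{path}</annotate>
</action></policyconfig>""".encode()

SWHKD_POLICY = sample_policy("com.github.swhkd.pkexec", "/usr/bin/swhkd",
                             "no", "no", "yes")
GRUB_POLICY = sample_policy("net.launchpad.danielrichter2007.pkexec.grub-customizer",
                            "/usr/bin/grub-customizer",
                            "auth_admin", "auth_admin", "auth_admin")

def pkexec_actions(xml_bytes):
    """Yield (action_id, exec_path, {scope: value}) for actions pkexec can run."""
    for action in ET.fromstring(xml_bytes).iter("action"):
        paths = [a.text.strip() for a in action.findall("annotate")
                 if a.get("key") == EXEC_PATH_KEY and a.text]
        if not paths:
            continue  # not a pkexec action: no exec.path annotation
        defaults = action.find("defaults")
        values = {s: (defaults.findtext(s) if defaults is not None else None)
                  for s in SCOPES}
        yield action.get("id"), paths[0], values

def no_prompt_grants(xml_bytes):
    """List (action_id, exec_path, scope) where the default is 'yes' (no prompt)."""
    return [(aid, path, scope)
            for aid, path, values in pkexec_actions(xml_bytes)
            for scope, value in values.items()
            if (value or "").strip() == "yes"]

if __name__ == "__main__":
    for policy in (SWHKD_POLICY, GRUB_POLICY):
        print(no_prompt_grants(policy))
```

These are only the defaults from the `.policy` files; rules under `/etc/polkit-1/rules.d` and `/usr/share/polkit-1/rules.d` are evaluated first and can override them.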
I found where my problem originated! I ran journalctl --follow and there it was:
polkit-agent-helper-1[678763]: pam_unix(polkit-1:auth): user [root] has blank password; authenticated without it
I made the root password empty some time ago for test purposes and it has been empty ever since. So it is totally my fault.
Now I have just locked the root account, and pkexec now asks me for the root password, which fully satisfies me:
$ sudo passwd -l root
$ sudo grep root /etc/shadow
root:!:14871::::::
Marking this topic as solved. Thank you!
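Added example, not part of any post in this thread: a check for the condition that turned out to be the cause, an empty password field in shadow(5) data, together with a matcher for the pam_unix journal message quoted above. The function names are assumptions of this sketch; the shadow lines are constructed (the `root` entries mirror the before and after states described in the post, the `clean` hash is a placeholder), and the journal line is the one quoted in the thread.

```python
import re

# Message format taken from the journal line quoted in the thread.
BLANK_AUTH = re.compile(
    r"pam_unix\((?P<service>[^:)]+):auth\): "
    r"user \[(?P<user>[^\]]+)\] has blank password"
)

# Constructed shadow(5) samples: before and after `passwd -l root`.
SHADOW_BEFORE = ("root::14871::::::\n"
                 "clean:$y$constructed-placeholder-hash:20000::::::\n")
SHADOW_AFTER = SHADOW_BEFORE.replace("root::", "root:!:")

JOURNAL = (
    "polkit-agent-helper-1[678763]: pam_unix(polkit-1:auth): "
    "user [root] has blank password; authenticated without it\n"
    "sudo[1234]: pam_unix(sudo:session): session opened for user root\n"  # constructed
)

def classify_shadow(text):
    """Map each account in shadow(5)-format text to 'blank', 'locked' or 'set'."""
    status = {}
    for line in text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) < 2:
            continue
        name, password = fields[0], fields[1]
        if password == "":
            status[name] = "blank"    # no password required to authenticate
        elif password[0] in "!*":
            status[name] = "locked"   # no typed password can match this field
        else:
            status[name] = "set"
    return status

def blank_password_logins(journal_text):
    """Return (pam_service, user) for each blank-password authentication logged."""
    return [(m["service"], m["user"]) for m in BLANK_AUTH.finditer(journal_text)]

if __name__ == "__main__":
    print(classify_shadow(SHADOW_BEFORE))
    print(classify_shadow(SHADOW_AFTER))
    print(blank_password_logins(JOURNAL))
```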