Bug 1747910
| Summary: | there is a defect of escalation because the directory /etc/polkit-1/rules.d/ is owned by polkitd with permissions of 0700 | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | zhchf2010 |
| Component: | polkit | Assignee: | Polkit Maintainers <polkit-devel> |
| Status: | CLOSED WONTFIX | QA Contact: | Frantisek Sumsal <fsumsal> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.5 | CC: | jrybar |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| : | 1855317 | Environment: | |
| Last Closed: | 2020-07-09 14:36:08 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1855317 | | |
See also: https://bugs.freedesktop.org/show_bug.cgi?id=58787 and https://gitlab.freedesktop.org/polkit/polkit/issues/48

This preventive enhancement bug was cloned for RHEL8.
The polkit spec file specifies that the /etc/polkit-1/rules.d/ owner is user polkitd, and then the polkitd user/process has permission to add new policy files.

```
%attr(0700,polkitd,root) %dir %{_sysconfdir}/polkit-1/rules.d
```

The polkit daemon loads rules from the directories /etc/polkit-1/rules.d and /usr/share/polkit-1/rules.d:

```
# systemctl status polkit
● polkit.service - Authorization Manager
   Loaded: loaded (/usr/lib/systemd/system/polkit.service; static; vendor preset: enabled)
   Active: active (running) since 四 2019-08-29 23:44:47 CST; 3 days ago
     Docs: man:polkit(8)
 Main PID: 726 (polkitd)
   CGroup: /system.slice/polkit.service
           └─726 /usr/lib/polkit-1/polkitd --no-debug

8月 29 23:44:45 Fcc systemd[1]: Starting Authorization Manager...
8月 29 23:44:46 Fcc polkitd[726]: Started polkitd version 0.112
8月 29 23:44:47 Fcc polkitd[726]: Loading rules from directory /etc/polkit-1/rules.d
8月 29 23:44:47 Fcc polkitd[726]: Loading rules from directory /usr/share/polkit-1/rules.d
8月 29 23:44:47 Fcc polkitd[726]: Finished loading, compiling and executing 2 rules
8月 29 23:44:47 Fcc polkitd[726]: Acquired the name org.freedesktop.PolicyKit1 on the system bus
8月 29 23:44:47 Fcc systemd[1]: Started Authorization Manager.
```

polkitd starts with superuser privileges but drops privileges early by switching to the unprivileged polkitd system user.

```
# ps -elf | grep polkitd
4 S polkitd    726     1  0  80   0 - 135131 poll_s 8月29 ?        00:00:01 /usr/lib/polkit-1/polkitd --no-debug
```

If the polkitd program has a vulnerability, it may be exploited to add any rule file, for example /etc/polkit-1/rules.d/30_nopasswd_test.rules:

```javascript
polkit.addRule(function(action, subject) {
    if (subject.isInGroup("test")) {
        return polkit.Result.YES;
    }
});
```

so a user in group test can exec any command without authentication:

```
[test@localhost ~]$ id
uid=1001(test) gid=1001(test) groups=1001(test) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[test@localhost ~]$ pkexec id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
```

Finally, why not set the permissions to 500, so that the user polkitd only has read and search permissions?
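The following audit script is an added example for readers of this report; it is not polkit's or Red Hat's code. It checks the two things the report turns on: whether the uid polkitd drops to can create files in a rules directory (the 0700-owned-by-polkitd layout from the spec file, versus the 0500 the reporter proposes), and which rule files in that directory return `polkit.Result.YES`. The `demo()` function builds a constructed copy of the report's `30_nopasswd_test.rules` in a temporary directory and uses the current uid as a stand-in for the polkitd uid, because an unprivileged example cannot `chown`; on a live host you would call `audit_rules_dir()` on each entry of `RULES_DIRS` with the real polkitd uid.

```python
"""Audit a polkit rules directory for the layout described in this bug.

Added example, not polkit's or Red Hat's code. Reports whether the polkitd
uid can add rule files to the directory and lists rule files that grant
polkit.Result.YES. The YES match is a constructed heuristic, not polkit's
JavaScript parser.
"""
import os
import re
import shutil
import stat
import tempfile

# Directories polkitd reads, per the journal lines quoted in the report.
RULES_DIRS = ("/etc/polkit-1/rules.d", "/usr/share/polkit-1/rules.d")

# Heuristic match for a rule that returns an allow verdict.
YES_RE = re.compile(r"polkit\.Result\.YES")


def audit_rules_dir(path, daemon_uid):
    """Return findings for one rules directory.

    daemon_uid is the uid polkitd runs as after dropping privileges (the
    'polkitd' user on RHEL 7). The daemon can add a rule file if it owns the
    directory and the owner write bit is set, or if the directory is group-
    or world-writable. Mode 0500 (the reporter's suggestion) leaves the owner
    only read and search.
    """
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    owner_is_daemon = st.st_uid == daemon_uid
    daemon_can_write = bool(
        (owner_is_daemon and mode & stat.S_IWUSR)
        or mode & (stat.S_IWGRP | stat.S_IWOTH)
    )
    allow_rules = []
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if not name.endswith(".rules") or not os.path.isfile(full):
            continue
        with open(full, encoding="utf-8", errors="replace") as fh:
            if YES_RE.search(fh.read()):
                fst = os.stat(full)
                allow_rules.append(
                    {"file": name, "uid": fst.st_uid,
                     "mode": oct(stat.S_IMODE(fst.st_mode))}
                )
    return {
        "path": path,
        "mode": oct(mode),
        "owner_is_daemon": owner_is_daemon,
        "daemon_can_write": daemon_can_write,
        "allow_rules": allow_rules,
    }


# Constructed copy of the rule file quoted in the report.
NOPASSWD_RULE = """polkit.addRule(function(action, subject) {
    if (subject.isInGroup("test")) {
        return polkit.Result.YES;
    }
});
"""


def demo():
    """Audit a temporary rules.d at mode 0700, then again at mode 0500."""
    daemon_uid = os.getuid()  # stand-in for the polkitd uid (assumption)
    tmp = tempfile.mkdtemp(prefix="rules.d-")
    try:
        rule_path = os.path.join(tmp, "30_nopasswd_test.rules")
        with open(rule_path, "w", encoding="utf-8") as fh:
            fh.write(NOPASSWD_RULE)
        os.chmod(tmp, 0o700)  # layout from the spec file in the report
        before = audit_rules_dir(tmp, daemon_uid)
        os.chmod(tmp, 0o500)  # the reporter's proposed permissions
        after = audit_rules_dir(tmp, daemon_uid)
    finally:
        os.chmod(tmp, 0o700)  # restore write access so cleanup works
        shutil.rmtree(tmp)
    return {"before": before, "after": after}


if __name__ == "__main__":
    # On a live host, loop over RULES_DIRS with pwd.getpwnam("polkitd").pw_uid instead.
    for label, result in demo().items():
        print(label, result["mode"], "daemon_can_write =", result["daemon_can_write"])
        for rule in result["allow_rules"]:
            print("  allow rule:", rule["file"], "uid", rule["uid"], "mode", rule["mode"])
```

The ownership check and the rule scan are deliberately separate findings: changing the directory to 0500 stops the daemon from adding files, but it says nothing about rules that were already present, so the scan of existing `.rules` files is what tells you whether a file like `30_nopasswd_test.rules` has already landed.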