The polkit spec file specifies that the owner of /etc/polkit-1/rules.d/ is the user polkitd, so the polkitd user/process has permission to add new policy files.

    %attr(0700,polkitd,root) %dir %{_sysconfdir}/polkit-1/rules.d

The polkit daemon loads rules from the directories /etc/polkit-1/rules.d and /usr/share/polkit-1/rules.d.

    # systemctl status polkit
    ● polkit.service - Authorization Manager
       Loaded: loaded (/usr/lib/systemd/system/polkit.service; static; vendor preset: enabled)
       Active: active (running) since 四 2019-08-29 23:44:47 CST; 3 days ago
         Docs: man:polkit(8)
     Main PID: 726 (polkitd)
       CGroup: /system.slice/polkit.service
               └─726 /usr/lib/polkit-1/polkitd --no-debug

    8月 29 23:44:45 Fcc systemd[1]: Starting Authorization Manager...
    8月 29 23:44:46 Fcc polkitd[726]: Started polkitd version 0.112
    8月 29 23:44:47 Fcc polkitd[726]: Loading rules from directory /etc/polkit-1/rules.d
    8月 29 23:44:47 Fcc polkitd[726]: Loading rules from directory /usr/share/polkit-1/rules.d
    8月 29 23:44:47 Fcc polkitd[726]: Finished loading, compiling and executing 2 rules
    8月 29 23:44:47 Fcc polkitd[726]: Acquired the name org.freedesktop.PolicyKit1 on the system bus
    8月 29 23:44:47 Fcc systemd[1]: Started Authorization Manager.

polkitd starts with superuser privileges but drops privileges early by switching to the unprivileged polkitd system user.

    # ps -elf | grep polkitd
    4 S polkitd 726 1 0 80 0 - 135131 poll_s 8月29 ? 00:00:01 /usr/lib/polkit-1/polkitd --no-debug

If the polkitd program has a vulnerability, it may be exploited to add any rule file, for example /etc/polkit-1/rules.d/30_nopasswd_test.rules:

    polkit.addRule(function(action, subject) {
        if (subject.isInGroup("test")) {
            return polkit.Result.YES;
        }
    })

So a user in group test can execute any command without authentication:

    [test@localhost ~]$ id
    uid=1001(test) gid=1001(test) groups=1001(test) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
    [test@localhost ~]$ pkexec id
    uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Finally, why not set the permissions to 500, so that the user polkitd only has read and search permissions?
See also:
https://bugs.freedesktop.org/show_bug.cgi?id=58787
https://gitlab.freedesktop.org/polkit/polkit/issues/48
This preventive enhancement bug was cloned for RHEL8.
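
An audit check for the condition this report describes, added here as an example and not taken from the report or from polkit: it flags a rules directory the daemon account can write to, and rule files that return polkit.Result.YES. The function name and output keywords are hypothetical; GNU stat is assumed, and the daemon account defaults to polkitd as shown in the ps output above. Ownership is reported separately from the write bit because a directory's owner can change its mode.

```shell
#!/bin/sh
# Added example (not polkit project code). Assumes GNU stat and grep.
# audit_rules_dir DIR [DAEMON]   DAEMON is an account name or a numeric uid.
# Prints one finding per line; prints nothing when nothing is flagged.
# The body runs in a subshell so its variables stay local.
audit_rules_dir() (
    dir=$1
    daemon=${2:-polkitd}
    owner_uid=$(stat -c '%u' "$dir") || exit 2
    mode=$(stat -c '%a' "$dir") || exit 2
    mode=$((0$mode))    # leading 0 makes the shell read it as octal
    case $daemon in
        *[!0-9]*) daemon_uid=$(id -u "$daemon" 2>/dev/null) || daemon_uid=none ;;
        *)        daemon_uid=$daemon ;;
    esac
    if [ "$owner_uid" = "$daemon_uid" ]; then
        # The owner can chmod its own directory, so ownership is
        # reported even when the write bit is clear (e.g. mode 0500).
        echo "DAEMON_OWNS $dir"
        if [ $((mode & 0200)) -ne 0 ]; then
            echo "OWNER_WRITE $dir"
        fi
    fi
    if [ $((mode & 0002)) -ne 0 ]; then
        echo "WORLD_WRITE $dir"
    fi
    # Rules that can grant an action without authentication need review.
    for f in "$dir"/*.rules; do
        [ -e "$f" ] || continue
        if grep -q 'polkit\.Result\.YES' "$f"; then
            echo "GRANTS_YES $f"
        fi
    done
    exit 0
)

# Audit any directories given on the command line, e.g.
#   sh audit.sh /etc/polkit-1/rules.d /usr/share/polkit-1/rules.d
if [ "$#" -gt 0 ]; then
    for d in "$@"; do audit_rules_dir "$d"; done
fi
```

Reading a 0700 directory owned by polkitd requires running the check as root.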