there is defect of escalation because the directory /etc/polkit-1/rules.d/ is owned by polkitd with permissions of 0700

Support for security such as Firewalls and securing linux
Post Reply
frankLinux
Posts: 1
Joined: 2019/08/31 07:16:23

there is defect of escalation because the directory /etc/polkit-1/rules.d/ is owned by polkitd with permissions of 0700

Post by frankLinux » 2019/09/02 08:12:45

The polkit spec file specifies that the /etc/polkit-1/rules.d/ owner is user polkitd, and then polkitd user/process has permission to add new policy files.

Code: Select all

%attr(0700,polkitd,root) %dir %{_sysconfdir}/polkit-1/rules.d
the daemon polkit loads rules from directory /etc/polkit-1/rules.d and /usr/share/polkit-1/rules.d

Code: Select all

# systemctl status polkit
● polkit.service - Authorization Manager
   Loaded: loaded (/usr/lib/systemd/system/polkit.service; static; vendor preset: enabled)
   Active: active (running) since  2019-08-29 23:44:47 CST; 3 days ago
     Docs: man:polkit(8)
 Main PID: 726 (polkitd)
   CGroup: /system.slice/polkit.service
           └─726 /usr/lib/polkit-1/polkitd --no-debug

systemd[1]: Starting Authorization Manager...
polkitd[726]: Started polkitd version 0.112
polkitd[726]: Loading rules from directory /etc/polkit-1/rules.d
polkitd[726]: Loading rules from directory /usr/share/polkit-1/rules.d
polkitd[726]: Finished loading, compiling and executing 2 rules
polkitd[726]: Acquired the name org.freedesktop.PolicyKit1 on the system bus
systemd[1]: Started Authorization Manager.
polkitd starts with superuser privileges but drops privileges early by switching to the unprivileged polkitd system user.

Code: Select all

# ps -elf | grep polkitd
4 S polkitd    726     1  0  80   0 - 135131 poll_s 8 29 ?      00:00:01 /usr/lib/polkit-1/polkitd --no-debug
If the polkitd program has a vulnerability,it may be exploited to add any rule file,for expamle /etc/polkit-1/rules.d/30_nopasswd_test.rules

Code: Select all

polkit.addRule(function(action, subject) {
        if (subject.isInGroup("test")) {
                return polkit.Result.YES;
        }
})
so user in Group test can exec any command without authentication

Code: Select all

[test@localhost ~]$ id
uid=1001(test) gid=1001(test) groups=1001(test) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[test@localhost ~]$ pkexec id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Finally,why not set the permissions to 500,the user polkitd only have read and search permissions

User avatar
TrevorH
Forum Moderator
Posts: 26596
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: there is defect of escalation because the directory /etc/polkit-1/rules.d/ is owned by polkitd with permissions of 0

Post by TrevorH » 2019/09/02 08:57:40

If you think you have found a bug in CentOS and it is one that is inherited from RHEL then you need to report that on bugzilla.redhat.com. Optionally you can also report it on bugs.centos.org and cross link the two bugs so that they point to each other but the fix will not come from CentOS as we aim for bug-for-bug compatibility with RHEL.
CentOS 5 died in March 2017 - migrate NOW!
CentOS 6 goes EOL sooner rather than later, get upgrading!
Full time Geek, part time moderator. Use the FAQ Luke

Post Reply

Return to “CentOS 7 - Security Support”