Fedora and pkexec [LWN.net]

By Jake Edge
February 2, 2022

The nasty vulnerability in pkexec has been rippling through the Linux world, leading to lots of security updates to the underlying polkit authorization toolkit. It also led to a recent discussion on the Fedora devel mailing list about whether pkexec, which runs a program as another user, is actually needed—or wanted—in some or all of the distribution's editions. But pkexec is used by quite a few different Fedora components, particularly in desktop-oriented editions, and it could perhaps be a better choice than the alternatives for running programs with the privileges of another user.

Adam Williamson raised the issue on the day after the disclosure of the PwnKit flaw. It is, as he noted, a longstanding (since the first version of pkexec in 2009) local root privilege escalation. That started him thinking:

The issue and some of the comments around it prompted me to wonder - why is `pkexec` still a thing? Particularly, why is it still a thing we are shipping by default in just about every Fedora install?
My best recollection is that pkexec was kinda a kludge to allow us to get rid of consolehelper: some apps weren't getting rewritten to the Right Way of doing things under policykit, they still just wanted to have the entire app run as root, and pkexec was a way to make that happen.

consolehelper is another program that allows users to run code as other users, while PolicyKit is a former name for polkit. Back in 2013, the Fedora Usermode Migration feature targeted moving all users of consolehelper to polkit. Williamson wondered which parts of Fedora still needed pkexec at this point (given its "kludge" status). But, since it is included in the polkit package, which is used far more widely, perhaps pkexec could be split out into a sub-package that would only be installed where that piece is actually needed, he suggested.

In a followup message, Williamson noted that the bug ticket for the Usermode Migration showed that it had not been completed. There are still 15 packages in Fedora that require consolehelper. Peter Robinson said that most of those "appear to be legacy" packages that should not be in general use.

Michael J Gruber jokingly asked if he should switch his package away from pkexec and back to using the consolehelper-based beesu wrapper for the su command since beesu still exists in Fedora. But Williamson said that is not his point at all:

The issue is not that pkexec is inherently worse than any other tool to do approximately the same thing (prompt for some kind of password, then run the entire app as root) - it's unfortunate that pkexec happened to have a giant security flaw, but it's not unlikely that other tools to do the same thing will turn out to have security flaws if someone decides to take a close look at them. The issue is that *that whole design* is suboptimal.

The idea was that applications would move to using the other mechanisms provided by polkit in order to do their privileged operations, he said. For applications that will not make that transition, pkexec was a "less-good second choice option" to allow them to continue to work. Removing consolehelper was meant to reduce the number of "run things as root" tools that the distribution needed to pay attention to, though that has not ever fully been completed. "Switching from pkexec to any other 'run-this-thing-as-root' tool would not be an improvement."

If you are going to run programs as root anyway, though, pkexec is probably better than using sudo or other options, Lennart Poettering said. pkexec already uses the polkit interprocess communication (IPC) mechanism to request running a binary as root, which is a superior model in his mind:

I mean, polkit has some issues, but I am pretty sure that "pkexec" is not what I'd consider the big problem with it. Or to say this differently: the whole concept of tools like su/sudo/setpriv/runuser/suid binaries is [questionable]: i.e. I am pretty sure we'd be better off if we would systematically prohibit acquiring privs through execve(), and instead focus on delegating privileged operations to IPC services — but of course that would be quite a departure from traditional UNIX.
[...] "pkexec" is a *short* program, it runs very little code with privileges actually. That makes it a *ton* better than the [humongous] code monster that "sudo" is. It has a smaller security footprint, and is easier to review than "sudo". That's worth a lot actually.

But Sam Varshavchik objected to the idea that moving the privileged operation to the other end of an IPC mechanism, such as a socket, really would solve the underlying problem. Having programs that run as root, which have bugs, is actually the problem at hand:

The same bug that's exploitable in a suid [or setuid] binary will also be exploitable, exactly the same way, in its suid-less equivalent. If you have a buffer overrun in a suid binary as a result of carefully-crafted command-line parameters or environment, then if you replace the suid binary with an identical bug-for-bug implementation that uses a socket to carefully pass along the same environment or parameters to a native root binary, and the buffer overrun is the same, guess what: you still have the same exploit.
suid is not the problem. An execved program will inherit the environment, some open file descriptors, and maybe a few other things that a standalone daemon that accepted a socket connection does not have. But that's what most exploits leverage, so cleaning up the environment and open file descriptors would remedy that. It will take some effort to exploit whatever remains.

Poettering did not see things that way, however. There is an enormous amount of state that comes along for the ride when executing a setuid binary, and that state is growing over time:

The thing with setuid/setgid is that the invoked privileged process inherits a lot of implicit state and context that people aren't really aware of or fully understand. i.e. it's not just env vars and argv[], it's cgroup memberships, audit fields, security contexts, open fds, child pids, parent pids, cpu masks, IO/CPU scheduling priorities, various prctl() settings, tty control, signal masks + handlers, … and so on. And it's not even clear what gets inherited as many of these process properties are added all the time.
If you do privileged execution of specific operations via IPC you get the guarantee that whatever is done, is done from a well-defined, pristine execution environment, without leaking context implicitly. The IPC message is the *full* vulnerable surface, and that's as minimal as it can get. And that's great.

While all of that context and state is present for the setuid program, the underlying problem is in the program itself, Varshavchik said:

And none of that makes any difference, whatsoever, unless there's also an underlying logical bug in the code itself. And that's going to be the real problem. So then, question becomes, how many exploits leveraged any of these exotic resources, like cgroup members, tty control, and all of those other fringe attributes? I suppose there might've been a few, but I can't recall many. On the other hand, exploits that accomplish execve("/bin/bash") would work equally well, given the same underlying bug in the root daemon, that's triggerable via its front end, or in a suid program. A sanitized environment won't be much of a help.

But sanitizing the environment fully is difficult or impossible to do for the setuid program, Poettering said. There are a number of interacting attributes that are under the control of the caller (read attacker) of the setuid binary—and that number keeps increasing:

You might *hope* that there was no bug introduced through the interaction of all that code, but the point I am making is that "struct task" and associated objects in kernel get extended all the time, and suid programs that didn't expect these additions will be exposed to them, and cannot sanely reset them even if they wanted, since typically developers cannot look into the future (and the cgroup stuff cannot even be reset reasonably at all).

Varshavchik wanted "hard data" on the kinds of vulnerabilities being envisioned here. He and Poettering went back and forth about what constituted said data, without coming to any real agreement. Poettering ended his participation in that sub-thread by noting that he understands "your love [for] suid and sudo" but that he and others consider them to be "a very bad idea". For his part, Varshavchik is not particularly enamored with those mechanisms:

I love suid and sudo no more, no less, and exactly the same as I love my screwdriver. I'm married to neither. Both are just tools. Both can be used, by people, correctly. Both can be used also, by people, incorrectly. But it makes no sense to use that as a reason for replacing screwdrivers with wrenches.

Demi Marie Obenour suggested that the state information that gets inherited by a setuid binary should be chosen by that binary: "State inheritance definitely should be opt-in, with the possible exception of certain audit data such as the audit user ID." Steve Grubb, who works on the Linux audit system, said that auditing relies on binaries inheriting security contexts and audit information, so the existing polkit mechanisms fall short. Had a kernel mechanism, like kdbus, been adopted, that problem would have been avoided. As it stands, polkit "doesn't satisfy our security requirements":

[...] it's impossible to reason about what's allowed and what's not because the policy is free-form javascript rather than assignments that can be checked by any configuration scanners. And access decisions do not go through the audit system. So, we really have little insight into access control and information flows from anything using IPC started applications.
Setuid may be distasteful to some people. But it's properties are well known and its fully plumbed to make some assurance arguments about the platform.

He was not alone in complaining about polkit's JavaScript configuration mechanism, as that is seen as something of poor design decision by many. Meanwhile, Andrew Lutomirski said that getting an in-kernel IPC mechanism is a difficult problem; he had some thoughts on setuid as well:

I would love to see a nice security model for IPC in the Linux kernel, but I haven't seen a credible proposal. This problem is *hard*.
As for setuid, I'm strongly of the opinion that setuid was and remains a mistake. Executing a process should never add privileges.

Circling back to his original message, Williamson noted that the thread made it clear that pkexec is currently needed by at least some of the desktop editions/spins of Fedora, though: "It's not an easy question to answer since our packaging doesn't distinguish between something needing *polkit* and something needing *pkexec*." Fedora project leader Matthew Miller thought that at least could be changed: "I wonder if a first step might be to split out pkexec into a subpackage, and then gradually remove requirements on it."

That's where things stand at this point. Pulling pkexec out into its own package seems like a good plan, regardless of whether it should slowly be removed from use or not; it will make tracking which other packages use it that much easier should another vulnerability arise. A longer-term shift toward more—or exclusively—polkit-style privilege enhancement may not necessarily be in the offing. The consensus on that path is not entirely clear and it is also an area where the distribution does not want to see a lot of churn—at least without a lot of code review to go with it.

As with most (all?) vulnerabilities, the real culprit is the lack of focused security review of code. For setuid binaries and other code that runs as root, that review is imperative, but it is far from clear that a huge amount of it is being done. Every time another widespread vulnerability crops up we get reminded of that, but the impact seems to fade rather quickly and things return to "normal". That is a rather worrisome state of affairs.

Index entries for this article
Security	Distribution security

to post comments

Fedora and pkexec

Posted Feb 2, 2022 22:29 UTC (Wed) by ejr (subscriber, #51652) [Link] (4 responses)

So... Better SELinux policies? I'm not running it; too much hassle. Hence...

And I suppose userv has/had the same issues? At some point, sending unclass messages to a server that reviews them kinda is the way.

Fedora and pkexec

Posted Feb 3, 2022 0:16 UTC (Thu) by bartoc (guest, #124262) [Link] (3 responses)

for a program like pkexec it's not clear what kind of selinux policy could help, after all the whole point is to run literally anything as root. Restricting what can run pkexec itself would be possible, and could break many exploit chains that use this bug before they even got to an unprivileged shell.

Does fedora's current selinux policy allow (for example) httpd to execute pkexec (or sudo)?

Fedora and pkexec

Posted Feb 3, 2022 8:23 UTC (Thu) by pbonzini (subscriber, #60935) [Link]

IIRC the default policy doesn't allow any execve. There are various knobs to enable additional permissions such as httpd_ssi_exec and httpd_enable_cgi.

Fedora and pkexec

Posted Feb 7, 2022 3:45 UTC (Mon) by flussence (guest, #85566) [Link] (1 responses)

SELinux is more of a bandage than a cure. The root problem here (excuse the pun) is full suid-bit privilege auth programs being necessary for going between any two lesser privilege levels, the general flow being [regular user -> unrestricted setuid 0 binary handling auth -> privileged filehandles/capabilities]. I'm not sure how to fix that, but it does seem like there's something we could be doing fundamentally better and not just "write C code more carefully".

Fedora and pkexec

Posted Feb 8, 2022 8:09 UTC (Tue) by bartoc (guest, #124262) [Link]

I think the solution is "make it easier to write correct suid programs", provide tools to correctly clear the environment and so forth.

For things that are less general than pkexec/sudo something like selinux can reduce them from "full suid" a little bit.

And yeah, SELinux is absolutely (and always) a bandage rather than a cure. It's a defense in depth measure. It can do a good job stopping the bleeding though.

Fedora and pkexec

Posted Feb 2, 2022 22:31 UTC (Wed) by smcv (subscriber, #53363) [Link] (2 responses)

> I wonder if a first step might be to split out pkexec into a subpackage, and then gradually remove requirements on it

I think that makes sense, and I'm looking at doing exactly that in Debian. That way, only systems that actually need pkexec (either because the sysadmin wants to be able to run it, or because another installed package relies on it) have to pay the attack-surface cost of having one more setuid executable.

Some of polkit's past CVEs have been vulnerabilities in its core functionality (briefly: replying to IPC requests "foo has asked me to do bar, is that OK?" with a yes or no), and not installing pkexec would not do anything to solve those; but some of its past CVEs (notably CVE-2021-4034) have been pkexec being insufficiently paranoid in the face of a hostile execution environment, and those are easy to mitigate by not having pkexec on systems that don't need it.

> The thing with setuid/setgid is that the invoked privileged process inherits a lot of implicit state and context that people aren't really aware of or fully understand. i.e. it's not just env vars and argv[], it's cgroup memberships, audit fields, security contexts, open fds, child pids, parent pids, cpu masks, IO/CPU scheduling priorities, various prctl() settings, tty control, signal masks + handlers, … and so on. And it's not even clear what gets inherited as many of these process properties are added all the time.

100% this. pkexec is a relatively small program, which has been presumably looked at by lots of security-conscious people; it makes sure to avoid the obvious, well-known setuid traps, like clearing its environment variables before calling into "big" libraries; and yet it had this recent vulnerability, presumably because it didn't occur to any of its maintainers, packagers or auditors that lower-level components (kernel and ld.so) would allow a process - particularly an AT_SECURE process! - to enter main() with argc == 0.

Fedora and pkexec

Posted Feb 3, 2022 9:08 UTC (Thu) by taladar (subscriber, #68407) [Link] (1 responses)

The real problem is that we are still writing software in languages where the maintainer of every single program has to get these sort of things right instead of having something a bit higher level than raw pointer manipulation for something simple like argument handling that a large number of programs need.

Fedora and pkexec

Posted Feb 3, 2022 16:29 UTC (Thu) by gnu_lorien (subscriber, #44036) [Link]

Aren't there C libraries that get this right? I'm wondering if this is one of the places where two ideas come to a head:
- Small LOC with less external dependencies are more secure
- Libraries can be used to encapsulate and require security practices

I know when I read that a program is 100% self-contained I wonder, "what common thing did they mess up?" I know that others see this as a bonus feature all unto itself.

Fedora and pkexec

Posted Feb 3, 2022 7:22 UTC (Thu) by eru (subscriber, #2753) [Link] (3 responses)

I wonder about that IPC approach. How does the server end of the IPC know the client is authorised to ask what is asks?

Fedora and pkexec

Posted Feb 3, 2022 8:13 UTC (Thu) by NYKevin (subscriber, #129325) [Link] (2 responses)

I haven't checked, but I would be completely astonished if the answer did not somehow involve SCM_CREDENTIALS and/or SO_PEERCRED over unix(7). That is the normal way of accomplishing this sort of thing.

(If you want something that works in a distributed/multi-node setup, then you have to use signatures and certificates. This requires solving a number of PKI-related problems, which are difficult but not insurmountable for an organization of reasonable means. Fortunately, polkit mostly doesn't get deployed in that fashion, to the best of my understanding.)

Fedora and pkexec

Posted Feb 3, 2022 14:30 UTC (Thu) by eru (subscriber, #2753) [Link]

Thanks. I have not programmed with these unix-domain sockets, so did not know they have this kind of feature.

Fedora and pkexec

Posted Feb 7, 2022 7:41 UTC (Mon) by joib (subscriber, #8541) [Link]

There are projects to extend the SO_PEERCRED kind of model to distributed setups like munge (https://dun.github.io/munge/ ), widely used in the HPC world. Yes, using crypto.

Fedora and pkexec

Posted Feb 3, 2022 9:40 UTC (Thu) by larkey (guest, #104463) [Link] (1 responses)

To me the gist of this is:

1. Split polkit & pkexec
2. Have polkit rules be more sane

Further, either

a) move an increasing amount of stuff from sudo to pkexec (or even build a drop-in binary with a one-time translation of sudoers to policykit rules); or
b) make a suid replacement mechanism with opt-in state?

(a) seems more likely to happen, I think.

Fedora and pkexec

Posted Feb 3, 2022 10:52 UTC (Thu) by pabs (subscriber, #43278) [Link]

Fedora and pkexec

Posted Feb 3, 2022 10:20 UTC (Thu) by cortana (subscriber, #24596) [Link] (10 responses)

because the policy is free-form javascript rather than assignments that can be checked by any configuration scanners

On Debian (and derived distributions I guess) an older version of Polkit is shipped, which still uses the old 'pklocalauthority' where policy is written in static INI-like format, but you're limited to matching on properties like "is the requester a given user", "is the requester in a group^*", "is the requster on an active console session", etc.

I go back and forward on whether this is good or not. The fragmentation between the Red Hat and Debian worlds here is aggravating. But the static policy is easier to understand!

* which it does in a broken way (upstream bug) that doesn't work in large installations, precisely the sort of installations that would like to use Polkit to control policy, argh!

Fedora and pkexec

Posted Feb 3, 2022 23:07 UTC (Thu) by mchapman (subscriber, #66589) [Link] (3 responses)

Newer polkit still supports "polkit local authority" INI files through pkla-admin-identities + pkla-check-authorization. These can be invoked from the newer JavaScript-based authority, and the default polkit configuration does just that.

I'm wondering if Debian doesn't use a newer polkit simply because they object to using JS (or perhaps the old mozjs library?) in a security-sensitive context.

Fedora and pkexec

Posted Feb 4, 2022 17:59 UTC (Fri) by cortana (subscriber, #24596) [Link] (2 responses)

That proposed reasoning seems odd to me, mozjs is already exposed, via its use in Firefox, to the most hostile of all possible environments: the internet!

I wish the reason was documented in the package's README.Debian file...

Fedora and pkexec

Posted Feb 5, 2022 22:00 UTC (Sat) by khim (subscriber, #9252) [Link] (1 responses)

Firefox, like Chrome, doesn't trust it's renderers and sandboxes mozjs for a reason.

Polkit does the exact opposite.

Fedora and pkexec

Posted Feb 6, 2022 4:42 UTC (Sun) by mjg59 (subscriber, #23239) [Link]

The reason being that they're exposed to untrusted input in a way that polkit isn't?

Fedora and pkexec

Posted Feb 4, 2022 7:01 UTC (Fri) by zdzichu (subscriber, #17118) [Link] (5 responses)

Looking at my polkit rules, I have stuff like “allow smart home system (running as unprivileged user) to start specific services” which translates to something like:

polkit.addRule(function(action, subject) {
        if (action.id == "org.freedesktop.systemd1.manage-units") {
                var unit = action.lookup("unit");
                if (unit == "toggle-bcache@writethrough.service" ||
                    unit == "toggle-bcache@writearound.service" ||
                    unit == "toggle-bcache@writeback.service") {

                        var verb = action.lookup("verb");
                        if (verb == "start" && subject.user == "openhab" ) {
                                return polkit.Result.YES;
                        }
                }
        }
});

How to express that in previous INI-language? I doubt it's possible.

Fedora and pkexec

Posted Feb 4, 2022 10:19 UTC (Fri) by smcv (subscriber, #53363) [Link]

You are correct, it's not possible. Putting domain-specific extra information on an authorization request, and then using it as input to the authorization rules, is one of the major things that the JavaScript implementation can do and the old "local authority" (.ini-style .pkla files) did not have a representation for.

For example, when the privileged service asking for authorization is systemd, the domain-specific extra information can include a systemd unit name, as used in your example rules.

Fedora and pkexec

Posted Feb 4, 2022 11:00 UTC (Fri) by gioele (subscriber, #61675) [Link] (1 responses)

Even though expressing this kind of complex constraints with a INI-style configuration file is not feasible, in such a security-relevant piece of software it would had been more sensible to adopt and embed a small non Turing-complete language (for example CEL, available for C++ and Rust) instead of Javascript.

Fedora and pkexec

Posted Feb 15, 2022 15:51 UTC (Tue) by sammythesnake (guest, #17693) [Link]

CEL as in https://github.com/google/cel-spec ?

It took me a while to find the (hopefully) right "CEL" - it doesn't appear to be on acronym finder or Wikipedia which usually find these things for me, so I thought out might be useful for others similarly out of the loop :-P

Fedora and pkexec

Posted Feb 4, 2022 22:09 UTC (Fri) by NYKevin (subscriber, #129325) [Link] (1 responses)

Just as a style nit: You may want to use === instead of == when writing Javascript. === does what you (probably) want, == tries to do implicit type coercion (poorly).

Reference: https://developer.mozilla.org/en-US/docs/Web/JavaScript/E...

Fedora and pkexec

Posted Feb 19, 2022 12:13 UTC (Sat) by cortana (subscriber, #24596) [Link]

Perfect example of why maaaaybe JavaScript was not the best choice of language for extending PolKit. :)

Fedora and pkexec

Posted Feb 3, 2022 11:37 UTC (Thu) by pothos (subscriber, #116075) [Link]

The question is which programs actually need the exact behavior of pkexec to behave like sudo and run a child process in the same process group. If you don't need this, systemd-run is the better option already because it doesn't use setuid but rather let's pid 1 start a privileged systemd unit. You can even have systemd-run be somewhat command line compatible to sudo/pkexec (https://gist.github.com/pothos/73dd4f7694acc3b6bbed614438...).

Fedora and pkexec

Posted Feb 12, 2022 21:47 UTC (Sat) by CodingVoid (guest, #156336) [Link] (14 responses)

> I love suid and sudo no more, no less, and exactly the same as I love my screwdriver. I'm married to neither. Both are just tools. Both can be used, by people, correctly. Both can be used also, by people, incorrectly. But it makes no sense to use that as a reason for replacing screwdrivers with wrenches.

I couldn't agree more. I personally don't understand why one would even need polkit in the first place. I just don't see the advantages compared to traditional Unix Permissions. Compared to polkit (which uses DBus, which in turn uses Unix Sockets), I think it is simpler and more secure to just write a program with standard unix permissions in mind. If I need to use privileged system calls I just use capabilities. If I need to access some files owned by root, I add my user and the file to a Unix Group (maybe even ACL). If I end up needing some kind of authentication, I would probably use a PAM module. Using polkit I feel like making my System unnecessarily more complex instead of making it more secure. Although I have to admit I don't have much experience using polkit, so I can't say which advantages it has over traditional Unix ways.

Fedora and pkexec

Posted Feb 13, 2022 0:34 UTC (Sun) by mjg59 (subscriber, #23239) [Link] (13 responses)

> I just don't see the advantages compared to traditional Unix Permissions.

How do traditional Unix permissions encode things like "Is this user currently logged in at a physical console"? One approach would be to add them to a group when they log in - but then they can create a sgid binary that would allow them to retain access. You could have an acl on the socket and add them to that for the duration of their login period, but then we're already outside traditional Unix permissions and also they could just open the socket with a process that survives them logging out, and given there's no revoke() syscall in Linux you can't take that away from them.

There are policy decisions you want to make that rely on the current state of a user, and filesystem permissions (traditional or ACL-based) don't give a mechanism to enforce that.

Fedora and pkexec

Posted Feb 13, 2022 12:28 UTC (Sun) by CodingVoid (guest, #156336) [Link] (6 responses)

> How do traditional Unix permissions encode things like "Is this user currently logged in at a physical console"?

I thought that's what the utmp file is for. The login program as well as ssh login write in these. In case of an remote login via SSH, there is an ip address in the utmp line.

Fedora and pkexec

Posted Feb 13, 2022 16:45 UTC (Sun) by mjg59 (subscriber, #23239) [Link] (5 responses)

But then you're relying on more than file permissions - you're going to need to extract the user credentials from the socket connection, use them to look up some other source of data to determine whether the user is on a physical console, and then make a policy decision based on that. Rather than reimplement that everywhere, you might choose to make it some sort of generalised service that applications could make use of, and then you've got polkit.

Fedora and pkexec

Posted Feb 16, 2022 14:42 UTC (Wed) by CodingVoid (guest, #156336) [Link] (4 responses)

I see your point.
I guess the root of the problem resides in the fact, that one needs to communicate with a daemon/priviledged process in the first case. First thing I do on my personal system, after installing my distribution of choice is disable/mask 80% of all systemd services/timers/sockets (of course I check whether I need the services features before disabling).
I guess it's all personal preference and all but I am more into using libraries instead of having 10 socket connections to some priviledged daemons, which do the stuff for me.

Fedora and pkexec

Posted Feb 16, 2022 17:25 UTC (Wed) by mathstuf (subscriber, #69389) [Link] (3 responses)

> I guess it's all personal preference and all but I am more into using libraries instead of having 10 socket connections to some priviledged daemons, which do the stuff for me.

As someone who would like their program to be more robust, not having to load in arbitrary code into my process space makes me feel a lot better. Loading PAM or NSS plugins to do things on my behalf sounds a lot worse when they can take my process down instead of giving me back an error that I can explicitly handle. Some PAM plugins don't even work as intended because their configuration files aren't world-readable, so a separate process is just a better way with them.

Additionally, if one is running something like WINE or other architectures (QEMU or whatever), there can be more sharing of permissions instead of having to figure out how to make them load compatible plugins/configurations as well.

There are tradeoffs, but given that `dlopen` can just run arbitrary code, I don't like it for "must not fail" processes at all. Sure, you can also link to these libraries at build time, but "loading libraries" is usually done in languages with…sad package management.

Fedora and pkexec

Posted Feb 18, 2022 11:01 UTC (Fri) by CodingVoid (guest, #156336) [Link] (2 responses)

> As someone who would like their program to be more robust, not having to load in arbitrary code into my process space makes me feel a lot better. Loading PAM or NSS plugins to do things on my behalf sounds a lot worse when they can take my process down instead of giving me back an error that I can explicitly handle. Some PAM plugins don't even work as intended because their configuration files aren't world-readable, so a separate process is just a better way with them.
But then the problem resides in the libraries itself. reading that it sounds like polkit is just 'patch' for bad written libraries.

> Additionally, if one is running something like WINE or other architectures (QEMU or whatever), there can be more sharing of permissions instead of having to figure out how to make them load compatible plugins/configurations as well.
Could you be more specific? Who shares permissions with whom in that example?

> Sure, you can also link to these libraries at build time, but "loading libraries" is usually done in languages with…sad package management.
I don't really follow. Could you explain?

Fedora and pkexec

Posted Feb 18, 2022 11:29 UTC (Fri) by farnz (subscriber, #17727) [Link]

As an example of where the local process over UNIX Domain Sockets approach is strictly better than the library approach: there are ways to authenticate via a remote RADIUS server where I use machine secrets to establish an encrypted session with the remote server, and then send the user's credentials over that tunnel. If you do this via a library, then all processes on the system that need to authenticate need to be able to read the machine secrets, which implies that the machine secrets are world-readable. If, instead, you use a local process over a socket, that process can run as root, and the machine secrets need only be readable by root.

Fedora and pkexec

Posted Feb 18, 2022 18:08 UTC (Fri) by mathstuf (subscriber, #69389) [Link]

> But then the problem resides in the libraries itself. reading that it sounds like polkit is just 'patch' for bad written libraries.

Badly written libraries are everywhere. Even so, it misses the case where the process doing the check needs higher permissions to be able to read some configuration file. Running every PAM-using process as `suid` on the off-chance a configuration file is not world-readable sounds like a terrible solution.

> Could you be more specific? Who shares permissions with whom in that example?

Instead of having to have a way for a WINE process to load a PAM module to be able to check a password, you can implement "talk to a socket" without having to port some (typically very-Unixy) code over to Windows-isms. Rather, you just implement "list users" and "authenticate this user" APIs in terms of socket communication which sounds…way nicer IMO.

> I don't really follow. Could you explain?

C and C++ have terrible package management. How to use package $x differs based on the build system you use as well as the project you would like to consume. Alas, solving this is *hard* because C and C++ developers have gotten accustomed to all the power that "make my own command line" offers.

Now, any C or C++-specific way that goes down a similar path as Python's PyPI, Rust's cargo, or Node's NPM will have the issues of those ecosystems: that using any interface that is not the language under consideration is extremely hard. Sure `pip install h5py` works, but if I have another library that wants to use HDF5's C interfaces, I'm SOL because `pip` has no way for such a thing to be offered or expressed as a strict enough dependency that ABI considerations require. NumPy is the only one that does it well and that's because it is *only* a Python package, not another package being stuffed into the Python world.

Fedora and pkexec

Posted Feb 14, 2022 11:15 UTC (Mon) by cortana (subscriber, #24596) [Link]

You could have an acl on the socket and add them to that for the duration of their login period, but then we're already outside traditional Unix permissions and also they could just open the socket with a process that survives them logging out, and given there's no revoke() syscall in Linux you can't take that away from them.

As an aside, I have always wondered if the way udev grants console users access to uaccess-tagged devices is vulnerable to this problem.

$ getfacl -p /dev/snd/pcmC0D0p
# file: /dev/snd/pcmC0D0p
# owner: root
# group: audio
user::rw-
user:sam:rw-
group::rw-
mask::rw-
other::---

I presume that if I lock my screen, my processes will still have access to the audio/video devices and I could use them to spy on the next user who logs in...

Fedora and pkexec

Posted Feb 16, 2022 19:11 UTC (Wed) by flussence (guest, #85566) [Link] (1 responses)

> How do traditional Unix permissions encode things like "Is this user currently logged in at a physical console"?

I really wish the answer was as simple as `fuser -u /dev/tty* | grep $USER`. It isn't, because X, but it could've been. Doesn't even have to be a device file.

Fedora and pkexec

Posted Feb 17, 2022 2:12 UTC (Thu) by mjg59 (subscriber, #23239) [Link]

That's still not something you can encode as a permission - you'd have to look it up after determining which user has connected to the socket.

Fedora and pkexec

Posted Feb 17, 2022 20:14 UTC (Thu) by nix (subscriber, #2304) [Link] (1 responses)

> but then they can create a sgid binary that would allow them to retain access

I have long wondered why the ability to do this as a regular user didn't go away at the same time as the ability to give away things with chown as a regular user. They seem to enable the same sort of evasive behaviour...

Fedora and pkexec

Posted Feb 18, 2022 10:38 UTC (Fri) by farnz (subscriber, #17727) [Link]

That change happened in the days when systems were relatively static compared to today's setups. So your groups vector would be the same whether you were logged in or not, and thus a SGID binary wouldn't elevate your permissions; you could only use it as a way to elevate someone else to your permissions.

In contrast, giving away files to someone else is a hole in the world where everything's static; it lets you claim their quota, for a start.

Fedora and pkexec

Posted Feb 18, 2022 14:09 UTC (Fri) by cortana (subscriber, #24596) [Link]

> How do traditional Unix permissions encode things like "Is this user currently logged in at a physical console"?

Another case where we could have learned from Windows. Handwaving a bit here but I believe you can create an ACE for S-1-2-1 ("Console logon"), which will be present in the token of all processes started by a user with a physical console logon session.

(I've no idea how this handles revocation).