questions about pkexec

David Zeuthen david at fubar.dk
Fri Dec 11 09:45:18 PST 2009 

On Tue, 2009-12-08 at 02:37 +0300, Dmitry V. Levin wrote:
> - Presence of a setuid root executable that could be launched by
> regular unprivileged users poses a risk by fact of its existence.
> Recent history of the Linux kernel vulnerabilities gives a few
> examples how such executables could be used to exploit kernel
> flaws (see e.g. CVE-2009-1527, CVE-2009-1337).  There are no
> warranty that all kernel bugs of this kind have been found and
> plugged forever.  In other words, this deficiency of setuid
> executables has no fix.

You can say exactly the same about the IPC mechanism for client/server -
e.g. buffer overflows in libdbus.so.

> - An attacker can influence behaviour of an executable in more various
> ways in case when it was launched by a suid helper.  In pkexec, you
> try to secure privileged executable by closing non-standard descriptors
> and filtering process environment (but still allow callers to pass PATH
> and SHELL which is very risky -- imagine what would happen if a privileged
> executable was going to execute something).

We close all fds and only pass on these environment variables

 LANG
 LANGUAGE
 LC_ALL
 LC_MESSAGES
 SHELL
 TERM

We could validate the contents of these environment variables - do you
have any attack vectors in mind that people could abuse if we didn't? Do
you know if su(1) and sudo(8) validates such variables?

> But you don't run PAM
> stack like sudo(8) does, so an executable launched by pkexec will inherit
> caller's resource limits. 

It's a good point that we need to run the "open session" part of PAM
stack - and, FWIW, limits is only one aspect of setting up the session.

FWIW, I just added that, see

http://cgit.freedesktop.org/PolicyKit/commit/?id=84958d3707ff43e8b8bda3fc0f669966db683f67

Btw, you are wrong about sudo(8) (and su(1) for that matter) - the
spawned privileged process does indeed inherit the POSIX limits that
applies to the spawning process:

  (unfortunately I got the comment wrong in the commit - see the
   next commit for the fix)

 $ ulimit -t
 unlimited

 $ su -
 Password:
 # ulimit -t
 unlimited
 # logout

 $ ulimit -t 1000
 $ ulimit -t
 1000
 $ su -
 Password:
 # ulimit -t
 1000

I don't know if it's supposed to work this way - maybe this is just a
quirk with the Fedora configuration or version of pam_limits.so - or
maybe it's a bug in sudo(8) or su(1). I left a TODO in the pkexec.c
sources to investigate further.

So on my system...

>  Consequences may vary.  For example, a low
> RLIMIT_FSIZE value may cause unprepared privileged application to
> corrupt system files.

... applies to sudo(8) and su(1) too.

Either way, we do the same thing as sudo(8) and su(1) now.

     David

More information about the polkit-devel mailing list