[systemd-devel] systemd-devel Digest, Vol 155, Issue 8
Lennart Poettering
lennart at poettering.net
Mon Mar 13 11:43:21 UTC 2023
On Sa, 11.03.23 08:29, Lal, Arun (arun.lal at intel.com) wrote:
> Hi Lennart Poettering,
>
> Can you give me some more clarity on why this cannot safely be
> implemented?
> Do you mean the use of polkit?
No. I mean authentication via linux process credentials cannot work in
userspace.
Let's say some service asks polkit to authenticate some client. Now
polkit wants to check if the client has the right caps. It could read
them from the client's /proc/$PID/status file, looking for the
"CapEff" field. But doing so would be a vulnerability because it is
asynchronous in nature.
Consider this attack: an unpriv client issues a request to the service
for some privileged operation, enqueuing a request for that into dbus,
and then immediately issuing execve() on /usr/bin/sudo (which famously
is a suid program and thus will run with full capabilities). Now
the service gets the request, passes it on to polkit. Now polkit reads
the caps info from /proc/, and will now see sudo's caps, and not the
one from the original unpriv process. And will allow the access, even
if it really shouldn't have.
This would only be secure if the caps at the moment of the original
sending of the message would be transferred along with it. But Linux
does not offer that functionality.
Hence, auth-by-caps in userspace via things like polkit cannot be
done. It's simply not safe.
Lennart
--
Lennart Poettering, Berlin
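As an added example (mine, not code from this thread or from systemd/polkit), the two sides of the argument above in Python: parsing CapEff out of /proc/<pid>/status, which is the asynchronous read the mail warns against, next to SO_PEERCRED, the one credential set the kernel does snapshot at connection time (pid/uid/gid only, not capabilities). The status-file fragments are constructed samples.

```python
import re
import socket
import struct
from typing import NamedTuple

# A few capability bit numbers from <linux/capability.h>, just for readable output.
CAP_NAMES = {0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 7: "CAP_SETUID",
             12: "CAP_NET_ADMIN", 21: "CAP_SYS_ADMIN"}

# Constructed /proc/<pid>/status fragments: an unprivileged client, and the same pid
# after it exec'd a suid-root binary (full 41-bit capability set).
UNPRIV_STATUS = "Name:\tclient\nUid:\t1000\t1000\t1000\t1000\nCapEff:\t0000000000000000\n"
SUID_STATUS = "Name:\tsudo\nUid:\t1000\t0\t0\t0\nCapEff:\t000001ffffffffff\n"

def parse_capeff(status_text: str) -> int:
    """Return the CapEff bitmask from the text of /proc/<pid>/status (0 if absent)."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    return int(m.group(1), 16) if m else 0

def cap_names(mask: int) -> list:
    """Human-readable names for the set bits of a capability mask."""
    return [CAP_NAMES.get(b, f"CAP_{b}") for b in range(64) if (mask >> b) & 1]

def has_caps(status_text: str, required: int) -> bool:
    """The check from the mail: true if *this snapshot* carries every bit in `required`.
    Taken from /proc after the request has already been queued, the snapshot describes
    whatever the pid runs *now*, so it says nothing about who sent the request."""
    return (parse_capeff(status_text) & required) == required

class PeerCred(NamedTuple):
    pid: int
    uid: int
    gid: int

def peer_creds(sock: socket.socket) -> PeerCred:
    """SO_PEERCRED on an AF_UNIX socket: pid/uid/gid recorded by the kernel when the
    peer connected, so a later execve() by the peer cannot change what we read here.
    Linux offers no such option for capabilities, which is the gap the mail names."""
    raw = sock.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    return PeerCred(*struct.unpack("3i", raw))

if __name__ == "__main__":
    cap_sys_admin = 1 << 21
    print("unpriv client caps:", cap_names(parse_capeff(UNPRIV_STATUS)))  # []
    print("same pid after exec of suid binary:", has_caps(SUID_STATUS, cap_sys_admin))  # True
    if hasattr(socket, "SO_PEERCRED"):  # Linux only
        a, b = socket.socketpair(socket.AF_UNIX)
        print("peer creds of b as seen by a:", peer_creds(a))
        a.close(); b.close()
```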