12 comments

[ 0.24 ms ] story [ 30.2 ms ] thread
I simply love this kind of articles and writing style!
(comment deleted)
> It’s used by systemd, so any Linux distribution that uses systemd also uses polkit.

I can't help imagining a distro developer looking out at systemd across a lava field and saying:

"You were the chosen one! It was said that you would destroy the badly designed legacy components, not join them!"

Take a look at the bug. It’s polkit defaulting to 0 if dbus is down for the UID. A terrible but understandable default. It has absolutely nothing to do with the systemd structure other than being a component with a bug.
Defaulting to root UID is not an understandable default.

Systemd requiring polkit is a valid issue.

Defaulting an int to 0 is understandable. Defaulting a uid to 0 is terrible (if you reread my response that’s what I said)
The quoted statement is not entirely accurate, polkit is compile-time optional in systemd. Though most distributions will use it because it's an enhancement over the even older sudo-type authentication mechanisms.
The versioning scheme of `pkexec` in Debian based Linuxes leaves a little to be desired.. `pkexec --version` in Debian 10 and Ubuntu 20 (server/minimal) both report `0.105` but according to the article it's fine for `0.105-25` (Debian 10) and vulnerable in `0.105-26` (Ubuntu >18).. but you can't find out from the CLI.
The self-reported version from `pkexec` could definitely be clearer. Instead I checked the versions of the installed packages using `dpkg -l | grep -i polkit`. On an up-to-date Ubuntu 20.04 desktop I see `0.105-26ubuntu1.1`.
Title doesn't quite fit, how about this instead?

"Privilege escalation with polkit: Rooting Linux with a 7-year-old bug"