there is defect of escalation because the directory /etc/polkit-1/rules.d/ is owned by polkitd with permissions of 0700


Post by frankLinux » 2019/09/02 08:12:45

The polkit spec file specifies that the /etc/polkit-1/rules.d/ owner is user polkitd, and then polkitd user/process has permission to add new policy files.

Code:

%attr(0700,polkitd,root) %dir %{_sysconfdir}/polkit-1/rules.d

The polkit daemon loads rules from the directories /etc/polkit-1/rules.d and /usr/share/polkit-1/rules.d

Code:

# systemctl status polkit
● polkit.service - Authorization Manager
   Loaded: loaded (/usr/lib/systemd/system/polkit.service; static; vendor preset: enabled)
   Active: active (running) since  2019-08-29 23:44:47 CST; 3 days ago
     Docs: man:polkit(8)
 Main PID: 726 (polkitd)
   CGroup: /system.slice/polkit.service
           └─726 /usr/lib/polkit-1/polkitd --no-debug

systemd[1]: Starting Authorization Manager...
polkitd[726]: Started polkitd version 0.112
polkitd[726]: Loading rules from directory /etc/polkit-1/rules.d
polkitd[726]: Loading rules from directory /usr/share/polkit-1/rules.d
polkitd[726]: Finished loading, compiling and executing 2 rules
polkitd[726]: Acquired the name org.freedesktop.PolicyKit1 on the system bus
systemd[1]: Started Authorization Manager.

polkitd starts with superuser privileges but drops privileges early by switching to the unprivileged polkitd system user.

Code:

# ps -elf | grep polkitd
4 S polkitd    726     1  0  80   0 - 135131 poll_s 8 29 ?      00:00:01 /usr/lib/polkit-1/polkitd --no-debug

If the polkitd program has a vulnerability, it may be exploited to add any rule file, for example /etc/polkit-1/rules.d/30_nopasswd_test.rules

Code:

// Returns YES (no authentication) for every action requested by a member of group "test"
polkit.addRule(function(action, subject) {
        if (subject.isInGroup("test")) {
                return polkit.Result.YES;
        }
});

So a user in group test can exec any command without authentication

Code:

[test@localhost ~]$ id
uid=1001(test) gid=1001(test) groups=1001(test) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[test@localhost ~]$ pkexec id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Finally, why not set the permissions to 500, so the user polkitd only has read and search permissions?
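
A check for the condition described in the post above, as an added example that is not part of the original thread: it reports whether a polkit rules directory is writable by a non-root owner (such as mode 0700 owned by polkitd) and lists the rule files that return polkit.Result.YES so they can be reviewed. The function names are hypothetical and GNU stat is assumed.

```shell
#!/bin/sh
# Added example: audit polkit rules directories (function names are illustrative).
# Assumes GNU stat, as shipped on CentOS/RHEL. Run as root to read /etc/polkit-1/rules.d.

# classify_rules_dir OWNER MODE
# Prints a verdict for a directory owner and octal mode string such as 700 or 500.
classify_rules_dir() {
    owner=$1
    mode=$((0$2))                       # leading 0 makes the shell read it as octal
    if [ $((mode & 0022)) -ne 0 ]; then
        echo "FAIL group-or-world-writable"
        return 1
    fi
    # An owner other than root with the write bit set can drop new rule files.
    if [ "$owner" != root ] && [ $((mode & 0200)) -ne 0 ]; then
        echo "WARN writable-by-$owner"
        return 1
    fi
    echo "OK"
}

# audit_rules_dir DIR: stat the directory and classify its owner and mode.
audit_rules_dir() {
    [ -d "$1" ] || { echo "MISSING"; return 2; }
    meta=$(stat -c '%U %a' "$1") || return 2
    classify_rules_dir "${meta% *}" "${meta#* }"
}

# list_grant_rules DIR: print rule files that can return polkit.Result.YES.
list_grant_rules() {
    grep -l 'polkit\.Result\.YES' "$1"/*.rules 2>/dev/null
}

# audit_polkit: check both directories that polkitd loads rules from.
audit_polkit() {
    for d in /etc/polkit-1/rules.d /usr/share/polkit-1/rules.d; do
        echo "$d: $(audit_rules_dir "$d")"
        list_grant_rules "$d" | sed 's/^/  returns YES: /'
    done
}

# Run the audit only when asked, e.g.: sh audit_polkit.sh audit
if [ "${1:-}" = "audit" ]; then
    audit_polkit
fi
```

A WARN line for /etc/polkit-1/rules.d corresponds to the 0700,polkitd ownership quoted from the spec file; every file listed as returning YES is worth reading to confirm which subjects and actions it covers.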


Post by TrevorH » 2019/09/02 08:57:40

If you think you have found a bug in CentOS and it is one that is inherited from RHEL then you need to report that on bugzilla.redhat.com. Optionally you can also report it on bugs.centos.org and cross link the two bugs so that they point to each other but the fix will not come from CentOS as we aim for bug-for-bug compatibility with RHEL.