back to article Seven-year-old make-me-root bug in Linux service polkit patched

A seven-year-old privilege escalation vulnerability that's been lurking in several Linux distributions was patched last week in a coordinated disclosure. In a blog post on Thursday, GitHub security researcher Kevin Backhouse recounted how he found the bug (CVE-2021-3560) in a service called polkit associated with systemd, a …

  1. Tom 38 Silver badge

    As much as Lennart would like them to be, systemd and polkit are not "Linux kernel"

    1. Kettle3D

      This is true. But when most people these days refer to 'Linux' they are talking about the bulk of GNU/Linux distributions, and even in some cases FreeBSD.

      It's like how you 'Google' something on Bing, or, increasingly commonly, call a Windows laptop a 'chromebook' and an ODT document a 'Word document'. Doesn't matter if you made it in LibreOffice or OpenOffice or Google Docs or manually wrote it in Notepad.

      1. s2bu

        Except there are distributions that use the Linux kernel and yet aren’t infested with the GNU user land. Not all Linux is GNU/Linux.

      2. Anonymous Coward
        Anonymous Coward

        Why all the downvotes? He/She accurately described the situation as it exists.

        Whether you like the situation or not, this is a classic case of shooting the messenger.

    2. diodesign (Written by Reg staff) Silver badge

      Kernel

      Yeah, sorry, mea culpa. I hastily wrote the headline at the end of the day and used kernel and not service. It's fixed. Don't forget to email corrections@theregister.com if you spot anything wrong, though.

      C.

      1. TimMaher Silver badge
        Pint

        Re: Kernel

        Brought on by a beer shortage @diodesign.

        Have one on me ————>

      2. Robert Grant Silver badge

        Re: Kernel

        I'm not convinced the war on comments as corrections is going well.

        1. Anonymous Coward
          Anonymous Coward

          Re: Kernel

          We need a form as well. By choice, I don't have my browser linked to my email client.

          1. David 132 Silver badge
            Happy

            Re: Kernel

            I got temporarily sorta-banned (read: every one of my comments was flagged for manual review before it would post) several months ago, on the grounds that I'd posted a correction in a comment thread rather than use the corrections@ email link.

            The annoying thing was that my "offending" post wasn't actually a correction - it was a (weak, admittedly) joke along the lines of "hey El Reg, this article's headline says Office 365, shouldn't it actually say Office 359-and-a-half-and-decreasing?"

            I'm not bitter, cos I got reinstated after I politely explained the situation.

            But yeah, use the corrections@ email link. To err is human, and no-one likes having their flubs called out in public, Vultures least of all.

            1. Robert Grant Silver badge

              Re: Kernel

              The correction of how corrections are delivered is one of the more strangely corporate-feeling aspects of El Reg.

              Pro tip: pour that same effort into not needing corrections, instead of correcting corrections.

              1. jake Silver badge

                Re: Kernel

                Pro tip: Never use the phrase "pro tip", it makes you sound like an amateur ... or worse, a youtuber.

                1. jgarbo
                  Boffin

                  Re: Kernel

                  "Sage Advice:" is the preferred prefix...

                  1. David 132 Silver badge
                    Coat

                    Re: Kernel

                    Yeah, but typing that takes too much thyme.

                    1. jake Silver badge

                      Re: Kernel

                      Do you always pepper your comments with such salty wit?

                  2. Citizen99

                    Re: Kernel

                    Sage ? Err, ...

                    1. jake Silver badge

                      Re: Kernel

                      We are adults here, not children on 4chan.

                      But it's OK, they can cumin and bay for a few if they like.

    3. Brewster's Angle Grinder Silver badge
      Joke

      Kernel in waiting?

      1. Will Godfrey Silver badge
        Alert

        Shhh!

        Don't even think about it.

      2. HildyJ Silver badge
        Angel

        Kernelish?

        1. C R Mudgeon

          "Kernelish?"

          Husk.

    4. DrXym Silver badge

      polkit is a desktop service that allows user land applications to run elevated actions. Basically serving the equivalent to UAC on Windows. Systemd may be a backend that polkit calls but polkit runs on other platforms e.g. on FreeBSD.

      1. bombastic bob Silver badge
        Devil

        you are right. I'll need to check to see if polkit on FBSD is vulnerable...

        (it's actually a little convenient on FBSD - remembering you already were prompted for a password recently and not prompting again, for example - but now I'll consider disabling it)

        1. s2bu

          sudo also does that by default. Some consider it a security issue though (eg, if you ran something as root and then an app you’re using gets exploited, there’s a chance that you’re still within the time frame and that exploited app just gets root).

          1. sw guy

            That's why you should always use sudo -k

            1. jake Silver badge

              Always is a mighty long time, pardner.

  2. Logiker72

    Linux Alternatives

    OpenBSD

    FreeBSD

    seL4

    1. oiseau Silver badge
      Facepalm

      Re: Linux Alternatives

      OpenBSD

      FreeBSD

      seL4

      Devuan Linux

      O.

      1. Will Godfrey Silver badge
        Facepalm

        Re: Linux Alternatives

        Yesterday, my last machine on Debian moved to devuan, thanks to system (apparently not quite) D screwing up.

        1. sev.monster Bronze badge

          Re: Linux Alternatives

          The D is very real, as it's what you will be taking when your distro's developers drink the Poettering Koolaid(tm).

    2. Anonymous Coward Silver badge
      Joke

      Re: Linux Alternatives

      Windows 10

      .

      (see icon)

    3. DrXym Silver badge

      Re: Linux Alternatives

      Polkit runs on FreeBSD and OpenBSD. It's just a service that an application can call through dbus to run elevated actions.

    4. jake Silver badge

      Re: Linux Alternatives

      Minix.

      OS/2 (eComStation, ArcaOS)

      MacOS

      OpenVMS

      Solaris (::koffkoff::)

      Plan9 (someone had to say it)

  3. Tom 7 Silver badge

    That good old Unix philosophy.

    Do one thing and do it well but use lots of different paths to get there....

    1. Lars Silver badge
      Headmaster

      Re: That good old Unix philosophy.

      I remember that but I don't remember the "but use lots of different paths to get there....".

  4. Anonymous Coward
    Anonymous Coward

    Does polkit still use javascript to define its rules? Even from the perspective of a full-time JS developer, this is a stupid thing to do. Javascript doesn't have any business inside something that claims to manage user privileges at the system level.

    1. Brewster's Angle Grinder Silver badge

      Apparently. But it's Ecmascript 5. So it's javascript so old you're going to be wracking you brains to remember how it used to work and constantly cursing missing library functions.

      1. Anonymous Coward
        Anonymous Coward

        Even better!

    2. Anonymous Coward
      Alien

      Yes, it's a really nice feature that polkit, by design, arranges life to that it is not generally possible, even in principle to know if a given thing may be able to gain elevated privileges.

      I mean, really.

  5. boblongii

    Systemd is a Virus

    Gentoo Linux, among others, is free of it.

    1. DrXym Silver badge

      Re: Systemd is a Virus

      Too bad this has nothing to do with systemd.

    2. Daniel von Asmuth
      Childcatcher

      Re: Systemd is a Virus

      Though this be madness, yet there is systemd in it.

    3. jake Silver badge

      Not a virus. A cancer. (was: Re: Systemd is a Virus)

      Consider: systemd takes root in its host, eats massive quantities of resources as it grows, spreads unchecked into areas unrelated to the initial infection, and refuses to die unless physically removed from the system, all the while doing absolutely nothing of benefit to the host. That sounds an awful lot like a cancer to me ...

      So do what I do and call it the systemd-cancer. Short, descriptive, accurate, has been known to scare management/moneybags away from distributions containing it ... what's not to like?

  6. Steve Graham

    Burn it with fire

    This exactly justifies my nuke of polkit any time it appears as a dependency. A process designed to bypass the traditional unix security model? What could possibly go wrong?

  7. brotherelf

    _Another_ one of these?

    Because we've had "return 0 in error case, oh, what do you mean, that's root's UID" in systemd before… what was it, service units with non-existing users?

  8. William Towle
    Coat

    Pictures something not unlike xkcd...

    "Make me a sandwich"

    "...Shan't"

    "Seven-year-old make me a sandwich"

    "...Okay <holds bread out> you're a sandwich"

    With apologies to Randall

    1. sev.monster Bronze badge
      Gimp

      Re: Pictures something not unlike xkcd...

      "What are you?!"

      "A... a polkit sandwich!"

  9. fidodogbreath Silver badge

    Honest question: Much of IT correctly shuns alpha and beta releases on production systems. So why are we OK with using version 0.1x code to manage critical functions such as privilege requirements?

    1. jake Silver badge

      Traditionally ...

      ... 0.1x wouldn't even be Alpha or Beta, it would be Internal, or perhaps Pilot build (0.96 was the traditional last Pilot Build number, indicating an 0.98 or 0.99 Beta was about to be released ... I do not ever remember seeing an 0.97, but I saw a few 0.96a, 0.96b and 0.96c).

      However, that numbering scheme went away a long time ago. Today, the numbers only have meaning within the context of the individual program's release cycle and are at the whim of the lead developer.

      RTFM. Live it, love it, make it your mantra.

  10. Anonymous Coward
    Anonymous Coward

    Seven Years?

    I look forward to Lennart's explanation as to why this shouldn't be laid at his door, and how 7 year old privilege escalation bug such as this is somehow an acceptable consequence of his plan to take over Linux entirely...

  11. Anonymous Coward
    Anonymous Coward

    I do wish that after things like this are detected, someone with a sufficiently suspicious mind went back through the commit logs and who did it and what they were working on at the time, and whether such a bug was reasonable for a developer of that level, etc. Come on boffins let's get this sorted.

    https://gitlab.freedesktop.org/polkit/polkit/-/commit/a04d13affe0fa53ff618e07aa8f57f4c0e3b9b81 <-- that commit fixes it

    So who added "if (out_uid) *out_uid = data.uid;" if you send me an out_uid pointer I'll fill it up with the uid OOPS i forgot to handle the error yeah very likely

    1. Anonymous Coward
      Anonymous Coward

      It was Colin Walters 7 years ago. It seems very strange he would write "while (!((data.retrieved_uid && data.retrieved_pid) || data.caught_error))" and thus be aware of the ability of there to be an error, which data.caught_error indicates, since he explicitly uses it to terminate the while loop. And then in the very next line, ignores that? What else has he committed?

      1. Anonymous Coward
        Anonymous Coward

        His commit note (bfa5036bfb93582c5a87c44b847957479d911e38) says:

        For polkit_system_bus_name_get_process_sync(), as pointed out by Miloslav Trmac, we can securely retrieve the owner uid as well from the system bus, rather than (racily) looking it up internally. This avoids use of a deprecated API. However, this is not a security fix because nothing in the polkit codebase itself actually retrieves the uid from the result of this API call. But, it might be useful in the future.

        So he checked in a bit of code, that wasn't used anywhere else in the codebase (yet) that inexplicably ignores an error case (that he was aware of in the line before) and sets uid to 0. Lol.

        This is if ((options == (__WCLONE|__WALL)) && (current->uid = 0)) all over again

  12. cd

    If it stinks like a polecat...

  13. Gene Cash Silver badge

    Ease of updating

    I did an "apt update;apt dist-upgrade" and my system was patched before I finished the article. I wish Windows and Oracle were so easy.

    policykit-1 (0.105-31) unstable; urgency=medium [ Salvatore Bonaccorso ]

    * d/p/CVE-2021-3560.patch: Fix local privilege escalation involving polkit_system_bus_name_get_creds_sync() (CVE-2021-3560) (Closes: #989429)

    -- Simon McVittie <smcv@debian.org> Thu, 03 Jun 2021 17:06:34 +0100

  14. AJ MacLeod

    One of the many advantages of Gentoo

    in my /etc/portage/package.mask

    #Kill Poettering's evil infections

    sys-apps/systemd

    sys-fs/udev

    sys-auth/consolekit

    sys-auth/polkit

    sys-fs/udisks

    A few years ago I had to "get involved" with polkit on a different system and the experience made me determined to rid all my own systems of it.

    1. s2bu

      Re: One of the many advantages of Gentoo

      Assuming you’re on a desktop, don’t forget his original infection: PulseAudio!

      1. AJ MacLeod

        Re: One of the many advantages of Gentoo

        Don't worry, that one got ditched so many years ago I'd forgotten about it!

    2. Anonymous Coward
      Anonymous Coward

      Re: One of the many advantages of Gentoo

      The sad thing is when software is so deeply coded to use these "helper" services, that the FreeBSD ports have to use them too.

      I refuse to install anything that requires alsa/polkit/pulseaudio/any-other-sound-server/udev/udisks etc. or related shims which are designed to work around inadequacies in Linux/GNU that don't affect FreeBSD.

      1. Will Godfrey Silver badge
        Happy

        Re: One of the many advantages of Gentoo

        The way I deal with pulse audio is to delete the server, but leave the client alone. That way all the desktop stuff that thinks it is essential and that you want to hear random notify sounds in the middle of your fave music still talk to the client, which then has nowhere to send it :)

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021