oss-sec mailing list archives
Re: pwnkit: Local Privilege Escalation in polkit's pkexec (CVE-2021-4034)
From: Chris Boot <lists () bootc boo tc>
Date: Thu, 27 Jan 2022 12:16:28 +0000
On 26/01/2022 14:11, Erik Auerswald wrote:
Hi, On Wed, Jan 26, 2022 at 02:34:26PM +0200, Henri Salo wrote:On Wed, Jan 26, 2022 at 12:18:07PM +0100, Roman Medina-Heigl Hernandez wrote:PS: Untested because my Debian machine doesn't contain pkexec, even though Qualy's advisory says it is by default on Debian.We had discussion off-list with Roman and this is the case only when Debian is updated from previous release to bullseye. In clean installs pkexec is installed.I think this depends on how Debian is installed (e.g., keeping installer defaults for a desktop system, or using a custom package selection). The "policykit-1" containing pkexec is "optional" and thus not present in all Debian installations: $ lsb_release -d ; apt-cache show policykit-1 | grep Priority Description: Debian GNU/Linux 10 (buster) Priority: optional Priority: optional $ lsb_release -d ; apt-cache show policykit-1 | grep Priority Description: Debian GNU/Linux 11 (bullseye) Priority: optional Priority: optional
It's not as simple as this, and also depends on a lot of factors.If you have a graphical desktop environment installed, or a wifi card, you will almost certainly have policykit-1 and pkexec. If you have a GUI-less system it's less likely that you'll have it.
With that said, lots of different packages Recommend or Depend on policykit-1, including: firewalld, libvirt, NetworkManager, tuned, and realmd. It's also "suggested" by systemd and isc-dhcp-server, so there are reasons to have it even if you have nothing otherwise graphical installed.
It's effectively an alternative to sudo. If you have it installed and you try to e.g. 'systemctl restart $unit' without sudo / having a root shell, systemd will use polkit to try to elevate and let you do it.
Cheers, Chris -- Chris Boot bootc () boo tc
Current thread:
- pwnkit: Local Privilege Escalation in polkit's pkexec (CVE-2021-4034) Qualys Security Advisory (Jan 25)
- Re: pwnkit: Local Privilege Escalation in polkit's pkexec (CVE-2021-4034) Sam James (Jan 25)
- Re: pwnkit: Local Privilege Escalation in polkit's pkexec (CVE-2021-4034) Roman Medina-Heigl Hernandez (Jan 26)
- Re: pwnkit: Local Privilege Escalation in polkit's pkexec (CVE-2021-4034) Henri Salo (Jan 26)
- Re: pwnkit: Local Privilege Escalation in polkit's pkexec (CVE-2021-4034) Erik Auerswald (Jan 26)
- Re: pwnkit: Local Privilege Escalation in polkit's pkexec (CVE-2021-4034) Chris Boot (Jan 27)
- Re: pwnkit: Local Privilege Escalation in polkit's pkexec (CVE-2021-4034) Roman Medina-Heigl Hernandez (Jan 26)
- Re: pwnkit: Local Privilege Escalation in polkit's pkexec (CVE-2021-4034) Sam James (Jan 25)
- Re: pwnkit: Local Privilege Escalation in polkit's pkexec (CVE-2021-4034) Dominik Czarnota (Jan 26)
- Re: pwnkit: Local Privilege Escalation in polkit's pkexec (CVE-2021-4034) Kai Lüke (Jan 27)
- Re: pwnkit: Local Privilege Escalation in polkit's pkexec (CVE-2021-4034) Bastian Blank (Jan 27)