Re: pwnkit: Local Privilege Escalation in polkit's pkexec (CVE-2021-4034)

[Chris Boot <lists () bootc boo tc>]

On 26/01/2022 14:11, Erik Auerswald wrote:
> Hi,
>
> On Wed, Jan 26, 2022 at 02:34:26PM +0200, Henri Salo wrote:
> > On Wed, Jan 26, 2022 at 12:18:07PM +0100, Roman Medina-Heigl Hernandez wrote:
> > > PS: Untested because my Debian machine doesn't contain pkexec,
> > > even though Qualy's advisory says it is by default on Debian.
> >
> > We had discussion off-list with Roman and this is the case only when
> > Debian is updated from previous release to bullseye. In clean installs
> > pkexec is installed.
>
> I think this depends on how Debian is installed (e.g., keeping installer
> defaults for a desktop system, or using a custom package selection).
>
> The "policykit-1" containing pkexec is "optional" and thus not present
> in all Debian installations:
>
>      $ lsb_release -d ; apt-cache show policykit-1 | grep Priority
>      Description:    Debian GNU/Linux 10 (buster)
>      Priority: optional
>      Priority: optional
>
>      $ lsb_release -d ; apt-cache show policykit-1 | grep Priority
>      Description:       Debian GNU/Linux 11 (bullseye)
>      Priority: optional
>      Priority: optional

It's not as simple as this, and also depends on a lot of factors.

If you have a graphical desktop environment installed, or a wifi card, 
you will almost certainly have policykit-1 and pkexec. If you have a 
GUI-less system it's less likely that you'll have it.

With that said, lots of different packages Recommend or Depend on 
policykit-1, including: firewalld, libvirt, NetworkManager, tuned, and 
realmd. It's also "suggested" by systemd and isc-dhcp-server, so there 
are reasons to have it even if you have nothing otherwise graphical 
installed.

It's effectively an alternative to sudo. If you have it installed and 
you try to e.g. 'systemctl restart $unit' without sudo / having a root 
shell, systemd will use polkit to try to elevate and let you do it.

Cheers,
Chris

--
Chris Boot
bootc () boo tc