GNU bug report logs - #52011
pkexec: PATH environment variable

Previous Next

Package: guix;

Reported by: "Hamzeh Nasajpour" <h.nasajpour <at> pantherx.org>

Date: Sun, 21 Nov 2021 08:04:02 UTC

Severity: normal

To reply to this bug, email your comments to 52011 AT debbugs.gnu.org.

Toggle the display of automated, internal messages from the tracker.

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to bug-guix <at> gnu.org:
bug#52011; Package guix. (Sun, 21 Nov 2021 08:04:02 GMT) Full text and rfc822 format available.
Acknowledgement sent to "Hamzeh Nasajpour" <h.nasajpour <at> pantherx.org>:
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Sun, 21 Nov 2021 08:04:02 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: "Hamzeh Nasajpour" <h.nasajpour <at> pantherx.org>
To: bug-guix <at> gnu.org
Subject: pkexec: PATH environment variable
Date: Sun, 21 Nov 2021 11:33:05 +0330

The `PATH` environment variable is hard-code here: 
https://github.com/freedesktop/polkit/blob/master/src/programs/pkexec.c#L882-L886

We don't have any executable in these paths in guix:
```
/usr/sbin:/usr/bin:/sbin:/bin:/root/bin
``` 

Replicate the issue:
1. Run the `pkexec`
2. Enter your password
3. run `echo $PATH` in the opened terminal
4. You will see this path: `/usr/sbin:/usr/bin:/sbin:/bin:/root/bin`
5. You can't run most of the commands. (`ls`, `passwd`, `chpasswd` and so on.)

Expected Behavior:
Running all of the commands without any error.

Isn't it? Should not we patch the `PATH` environment variable in `pkexec` source codes? Either way, some applications like `lxqt-admin-user` and `lxqt-admin-time` has an issue and they can't run the commands via `pkexec`. I get this error when I want to change user password via `lxqt-admin-user`. It's using `pkexec` to change password.

```
/run/current-system/profile/bin/lxqt-admin-user-helper: line 7: exec: passwd: not found
``` 

--

Hamzeh Nasajpour
PantherX Team
Information forwarded to bug-guix <at> gnu.org:
bug#52011; Package guix. (Sun, 21 Nov 2021 14:53:02 GMT) Full text and rfc822 format available.

Message #8 received at 52011 <at> debbugs.gnu.org (full text, mbox):

From: Liliana Marie Prikler <liliana.prikler <at> gmail.com>
To: Hamzeh Nasajpour <h.nasajpour <at> pantherx.org>, 52011 <at> debbugs.gnu.org
Subject: Re: pkexec: PATH environment variable
Date: Sun, 21 Nov 2021 15:52:24 +0100

Hi,

Am Sonntag, den 21.11.2021, 11:33 +0330 schrieb Hamzeh Nasajpour:
> The `PATH` environment variable is hard-code here: 
> 
> https://github.com/freedesktop/polkit/blob/master/src/programs/pkexec.c#L882-L886
> 
> We don't have any executable in these paths in guix:
> ```
> /usr/sbin:/usr/bin:/sbin:/bin:/root/bin
> ``` 
> 
> Replicate the issue:
> 1. Run the `pkexec`
> 2. Enter your password
> 3. run `echo $PATH` in the opened terminal
> 4. You will see this path: `/usr/sbin:/usr/bin:/sbin:/bin:/root/bin`
> 5. You can't run most of the commands. (`ls`, `passwd`, `chpasswd`
> and so on.)
> 
> Expected Behavior:
> Running all of the commands without any error.
> 
> Isn't it? Should not we patch the `PATH` environment variable in
> `pkexec` source codes? Either way, some applications like `lxqt-
> admin-user` and `lxqt-admin-time` has an issue and they can't run the
> commands via `pkexec`. I get this error when I want to change user
> password via `lxqt-admin-user`. It's using `pkexec` to change
> password.
I'm getting some flashbacks from my ITSec courses here.  pkexec is
protecting itself against a malicious PATH attack.  The paths are
chosen somewhat arbitrarily, but on traditional distros this ought to
ensure, that no privilege escalation occurs.  We could inject
/run/current-system, given that /run likewise ought to be root-writable 
only, but I'm not sure how much that helps.  The obvious solution is to
use canonical (store) paths with pkexec.

Cheers
Information forwarded to bug-guix <at> gnu.org:
bug#52011; Package guix. (Sun, 28 Nov 2021 07:41:02 GMT) Full text and rfc822 format available.

Message #11 received at 52011 <at> debbugs.gnu.org (full text, mbox):

From: "Hamzeh Nasajpour" <h.nasajpour <at> pantherx.org>
To: "Liliana Marie Prikler" <liliana.prikler <at> gmail.com>, 52011 <at> debbugs.gnu.org
Subject: Re: pkexec: PATH environment variable
Date: Sun, 28 Nov 2021 11:09:42 +0330

Hi Lillana,

Thanks for your response and sorry for delay.

> We could inject /run/current-system, given that /run likewise ought to be root-writable 
> only, but I'm not sure how much that helps.  The obvious solution is to
> use canonical (store) paths with pkexec.

Honestly, I couldn't find out your solution. Can you clarify it?

Regards,

-- 

Hamzeh Nasajpour
PantherX Team
Information forwarded to bug-guix <at> gnu.org:
bug#52011; Package guix. (Fri, 09 Sep 2022 16:11:02 GMT) Full text and rfc822 format available.

Message #14 received at 52011 <at> debbugs.gnu.org (full text, mbox):

From: Liliana Marie Prikler <liliana.prikler <at> gmail.com>
To: Hamzeh Nasajpour <h.nasajpour <at> pantherx.org>, 52011 <at> debbugs.gnu.org
Subject: Re: pkexec: PATH environment variable
Date: Fri, 09 Sep 2022 18:10:06 +0200

Am Sonntag, dem 28.11.2021 um 11:09 +0330 schrieb Hamzeh Nasajpour:
> Hi Lillana,
> 
> Thanks for your response and sorry for delay.
> 
> > We could inject /run/current-system, given that /run likewise ought
> > to be root-writable 
> > only, but I'm not sure how much that helps.  The obvious solution
> > is to
> > use canonical (store) paths with pkexec.
> 
> Honestly, I couldn't find out your solution. Can you clarify it?
That is instead of writing "pkexec sh", write "pkexec /run/current-
system/profile/bin/sh" or similar.

Cheers
This bug report was last modified 2 years and 279 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.