GNU bug report logs - #52011
pkexec: PATH environment variable

Previous Next

Full log

View this message in rfc822 format

From: Liliana Marie Prikler <liliana.prikler <at> gmail.com>
To: Hamzeh Nasajpour <h.nasajpour <at> pantherx.org>, 52011 <at> debbugs.gnu.org
Subject: bug#52011: pkexec: PATH environment variable
Date: Sun, 21 Nov 2021 15:52:24 +0100

Hi,

Am Sonntag, den 21.11.2021, 11:33 +0330 schrieb Hamzeh Nasajpour:
> The `PATH` environment variable is hard-code here: 
> 
> https://github.com/freedesktop/polkit/blob/master/src/programs/pkexec.c#L882-L886
> 
> We don't have any executable in these paths in guix:
> ```
> /usr/sbin:/usr/bin:/sbin:/bin:/root/bin
> ``` 
> 
> Replicate the issue:
> 1. Run the `pkexec`
> 2. Enter your password
> 3. run `echo $PATH` in the opened terminal
> 4. You will see this path: `/usr/sbin:/usr/bin:/sbin:/bin:/root/bin`
> 5. You can't run most of the commands. (`ls`, `passwd`, `chpasswd`
> and so on.)
> 
> Expected Behavior:
> Running all of the commands without any error.
> 
> Isn't it? Should not we patch the `PATH` environment variable in
> `pkexec` source codes? Either way, some applications like `lxqt-
> admin-user` and `lxqt-admin-time` has an issue and they can't run the
> commands via `pkexec`. I get this error when I want to change user
> password via `lxqt-admin-user`. It's using `pkexec` to change
> password.
I'm getting some flashbacks from my ITSec courses here.  pkexec is
protecting itself against a malicious PATH attack.  The paths are
chosen somewhat arbitrarily, but on traditional distros this ought to
ensure, that no privilege escalation occurs.  We could inject
/run/current-system, given that /run likewise ought to be root-writable 
only, but I'm not sure how much that helps.  The obvious solution is to
use canonical (store) paths with pkexec.

Cheers

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.