GNU bug report logs -
#52011
pkexec: PATH environment variable
Previous Next
Full log
Message #8 received at 52011 <at> debbugs.gnu.org (full text, mbox):
Hi,
Am Sonntag, den 21.11.2021, 11:33 +0330 schrieb Hamzeh Nasajpour:
> The `PATH` environment variable is hard-code here:
>
> https://github.com/freedesktop/polkit/blob/master/src/programs/pkexec.c#L882-L886
>
> We don't have any executable in these paths in guix:
> ```
> /usr/sbin:/usr/bin:/sbin:/bin:/root/bin
> ```
>
> Replicate the issue:
> 1. Run the `pkexec`
> 2. Enter your password
> 3. run `echo $PATH` in the opened terminal
> 4. You will see this path: `/usr/sbin:/usr/bin:/sbin:/bin:/root/bin`
> 5. You can't run most of the commands. (`ls`, `passwd`, `chpasswd`
> and so on.)
>
> Expected Behavior:
> Running all of the commands without any error.
>
> Isn't it? Should not we patch the `PATH` environment variable in
> `pkexec` source codes? Either way, some applications like `lxqt-
> admin-user` and `lxqt-admin-time` has an issue and they can't run the
> commands via `pkexec`. I get this error when I want to change user
> password via `lxqt-admin-user`. It's using `pkexec` to change
> password.
I'm getting some flashbacks from my ITSec courses here. pkexec is
protecting itself against a malicious PATH attack. The paths are
chosen somewhat arbitrarily, but on traditional distros this ought to
ensure, that no privilege escalation occurs. We could inject
/run/current-system, given that /run likewise ought to be root-writable
only, but I'm not sure how much that helps. The obvious solution is to
use canonical (store) paths with pkexec.
Cheers
This bug report was last modified 2 years and 279 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.