Hi folks!
For anyone who hasn't seen it yet - there's quite a kerfuffle today about a major security issue in polkit:
https://arstechnica.com/information-technology/2022/01/a-bug-lurking-for-12-...
turns out that ever since it was invented, `pkexec` has had a bug allowing for local root privilege escalation. Which is...bad.
The issue and some of the comments around it prompted me to wonder - why is `pkexec` still a thing? Particularly, why is it still a thing we are shipping by default in just about every Fedora install?
My best recollection is that pkexec was kinda a kludge to allow us to get rid of consolehelper: some apps weren't getting rewritten to the Right Way of doing things under policykit, they still just wanted to have the entire app run as root, and pkexec was a way to make that happen.
But that was then, and this is now. Does anything in Workstation use pkexec? Does anything in KDE use it? I'm pretty sure (at least I really hope!) nothing in Server uses it. I don't think any of our documentation recommends its use for interactive execution of things as root (these days we tend to just specify `sudo` for that and assume the install has an admin user).
Should we just split it out of the polkit package into a subpackage and stop shipping the subpackage on those editions/spins at least? If there's anything in other desktops still using it, it can grow a dependency on the subpackage...
Am I forgetting some other reason we still need it?
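One way to actually answer the "does anything still use pkexec?" question on an installed system is to scan the places launchers and helper scripts live for invocations of it. The following is an added example written for this thread, not code from Adam's message or from polkit/Fedora; it builds a constructed sample tree (standing in for directories such as /usr/share/applications and /usr/bin) so it runs offline, and only the file contents in `SAMPLE_FILES` are assumed.

```python
import os
import re
import tempfile

# Matches "pkexec" as a whole word, so "mypkexec" or "pkexecd" do not count.
PKEXEC_RE = re.compile(r"\bpkexec\b")


def references_pkexec(path):
    """True if a text file invokes pkexec.

    For .desktop files only the Exec= line counts; for everything else any
    non-comment line counts. Binary or undecodable files are skipped.
    """
    try:
        with open(path, "r", encoding="utf-8") as fh:
            lines = fh.read().splitlines()
    except (UnicodeDecodeError, OSError):
        return False
    if path.endswith(".desktop"):
        return any(l.startswith("Exec=") and PKEXEC_RE.search(l) for l in lines)
    return any(PKEXEC_RE.search(l) and not l.lstrip().startswith("#")
               for l in lines)


def find_pkexec_users(root):
    """Walk root and return paths (relative to root) of files that use pkexec."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if references_pkexec(full):
                hits.append(os.path.relpath(full, root))
    return sorted(hits)


# Constructed sample tree: two launchers, one legacy helper script that still
# wraps itself in pkexec, one script that only mentions it in a comment.
SAMPLE_FILES = {
    "applications/disk-admin.desktop":
        "[Desktop Entry]\nName=Disk Admin\nExec=pkexec /usr/bin/disk-admin\nType=Application\n",
    "applications/terminal.desktop":
        "[Desktop Entry]\nName=Terminal\nExec=gnome-terminal\nType=Application\n",
    "bin/update-thing":
        "#!/bin/sh\n# legacy helper\npkexec /usr/libexec/update-thing-helper \"$@\"\n",
    "bin/notes.sh":
        "#!/bin/sh\n# pkexec mentioned only in this comment\necho hello\n",
}


def populate(root):
    for rel, content in SAMPLE_FILES.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    # A fake binary: not valid UTF-8, so the scanner skips it.
    with open(os.path.join(root, "bin", "some-binary"), "wb") as fh:
        fh.write(b"\x7fELF\xff\xfepkexec")


def audit_sample():
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory(prefix="pkexec-audit-") as root:
        populate(root)
        return find_pkexec_users(root)


if __name__ == "__main__":
    for hit in audit_sample():
        print(hit)
```

On a real box you would call `find_pkexec_users("/usr/share/applications")` and the like; the output is the list of packages' files that would need to grow a dependency on a split-out pkexec subpackage.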
On Wed, Jan 26, 2022 at 02:21:19PM -0800, Adam Williamson wrote:
> My best recollection is that pkexec was kinda a kludge to allow us to get rid of consolehelper: some apps weren't getting rewritten to the Right Way of doing things under policykit, they still just wanted to have the entire app run as root, and pkexec was a way to make that happen.
That sounds right to me too. I mean not "right", but what happened.
I'd also love to get rid of the entire javascript configuration system. That's... more CVEs waiting to happen.
On Thu, Jan 27, 2022 at 1:05 PM Matthew Miller mattdm@fedoraproject.org wrote:
> On Wed, Jan 26, 2022 at 02:21:19PM -0800, Adam Williamson wrote:
> > My best recollection is that pkexec was kinda a kludge to allow us to get rid of consolehelper: some apps weren't getting rewritten to the Right Way of doing things under policykit, they still just wanted to have the entire app run as root, and pkexec was a way to make that happen.
> That sounds right to me too. I mean not "right", but what happened.
> I'd also love to get rid of the entire javascript configuration system. That's... more CVEs waiting to happen.
Some years ago, Ikey Doherty made a patchset to allow polkit to use regular config files instead of JavaScript[1]. He did it in Solus[2], but the discussion upstream petered out and nothing happened. Maybe we could talk to Ikey about reviving it and integrating it upstream finally?
[1]: https://lists.freedesktop.org/archives/polkit-devel/2017-October/000547.html
[2]: https://dev.getsol.us/T4824
Hello all,
Matthew Miller [2022-01-27 13:05 -0500]:
> I'd also love to get rid of the entire javascript configuration system. That's... more CVEs waiting to happen.
Honestly, I am still stumped how this ever made it past distro review. Debian/Ubuntu never adopted that and have maintained a fork ever since, as mozjs was (rightfully) not deemed supportable for a distro's stable lifetime. So if Fedora ever needs to get off the mozjs thing and go back to the declarative .pkla files, there's always that option.
(Also, FWIW: security policies should be declarative and auditable, not imperative and Turing complete. Lua instead of mozjs if you really must, but rules we ship and recommend should be declarative...)
Thanks,
Martin
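Martin's point about declarative, auditable policy is easy to make concrete: a .pkla file can be parsed and checked mechanically, which a Turing-complete .rules file cannot. The following is an added example, not Martin's code nor anything shipped by polkit; it assumes the pklocalauthority .pkla layout (one INI-style section per rule with `Identity`, `Action`, `ResultAny`, `ResultInactive` and `ResultActive` keys, `;`-separated identity and action lists, and the six documented result values), and the two sample rules are constructed for illustration.

```python
import configparser
import fnmatch
from dataclasses import dataclass

# Constructed sample: one tightly scoped rule and one deliberately over-broad
# rule so the audit has something to flag.
SAMPLE_PKLA = """\
[Let wheel members mount removable media without a prompt]
Identity=unix-group:wheel
Action=org.freedesktop.udisks2.filesystem-mount
ResultAny=auth_admin
ResultInactive=auth_admin
ResultActive=yes

[Overly broad: any user may run anything via pkexec]
Identity=unix-user:*
Action=org.freedesktop.policykit.exec
ResultAny=yes
ResultInactive=yes
ResultActive=yes
"""

VALID_RESULTS = {"yes", "no", "auth_self", "auth_self_keep",
                 "auth_admin", "auth_admin_keep"}
RESULT_KEYS = ("ResultAny", "ResultInactive", "ResultActive")
PKEXEC_ACTION = "org.freedesktop.policykit.exec"


@dataclass
class Rule:
    title: str
    identities: list
    actions: list
    results: dict


def parse_pkla(text):
    """Parse .pkla text into Rule objects, rejecting unknown result values."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # .pkla keys are case-sensitive; keep them as written
    cp.read_string(text)
    rules = []
    for section in cp.sections():
        sec = cp[section]
        idents = [i for i in sec.get("Identity", "").split(";") if i]
        actions = [a for a in sec.get("Action", "").split(";") if a]
        results = {k: sec[k] for k in RESULT_KEYS if k in sec}
        for k, v in results.items():
            if v not in VALID_RESULTS:
                raise ValueError(f"{section}: {k}={v!r} is not a valid result")
        rules.append(Rule(section, idents, actions, results))
    return rules


def findings(rules):
    """Return (rule title, reason) pairs a reviewer should look at twice."""
    out = []
    for r in rules:
        wildcard_ident = any(i == "*" or i.endswith(":*") for i in r.identities)
        grants_yes = "yes" in r.results.values()
        # 'yes' outside the active local session means no authentication for
        # remote or inactive sessions either.
        for k, v in r.results.items():
            if k != "ResultActive" and v == "yes":
                out.append((r.title, f"{k}=yes: unauthenticated access from a non-active session"))
        if wildcard_ident and grants_yes:
            out.append((r.title, "wildcard Identity combined with an unauthenticated 'yes' result"))
        # pkexec's own action: unauthenticated 'yes' here means any program as root.
        if grants_yes and any(fnmatch.fnmatch(PKEXEC_ACTION, a) for a in r.actions):
            out.append((r.title, f"unauthenticated 'yes' for {PKEXEC_ACTION}"))
    return out


def audit(text=SAMPLE_PKLA):
    return findings(parse_pkla(text))


if __name__ == "__main__":
    for title, reason in audit():
        print(f"[{title}] {reason}")
```

Because the format is data rather than code, the same walk over `Rule` objects can answer "which identities get an unauthenticated yes for which actions" across every file in a directory, which is exactly the audit question a .rules file written in JavaScript cannot be asked without executing it.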
On Fri, Jan 28, 2022 at 06:37:18AM +0100, Martin Pitt wrote:
> Hello all,
> Matthew Miller [2022-01-27 13:05 -0500]:
> > I'd also love to get rid of the entire javascript configuration system. That's... more CVEs waiting to happen.
> So if Fedora ever needs to get off the mozjs thing and go back to the declarative .pkla files, there's always that option.
There's also work to replace mozjs with Duktape: https://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/35
On Fri, 2022-01-28 at 08:19 +0100, Tomasz Torcz wrote:
> On Fri, Jan 28, 2022 at 06:37:18AM +0100, Martin Pitt wrote:
> > Hello all,
> > Matthew Miller [2022-01-27 13:05 -0500]:
> > > I'd also love to get rid of the entire javascript configuration system. That's... more CVEs waiting to happen.
> > So if Fedora ever needs to get off the mozjs thing and go back to the declarative .pkla files, there's always that option.
> There's also work to replace mozjs with Duktape: https://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/35
If you follow it all the way through, this was actually replaced by a successor MR that has now (three days ago) been merged:
https://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/97#note_edc0b6...
So, we should get it downstream soon.
The MRs also link davidz's blog post from forever ago justifying why he thought a Turing-complete language was necessary for this purpose, and why he thought it's safe:
https://davidz25.blogspot.com/2012/06/authorization-rules-in-polkit.html
Jan (current maintainer) apparently basically subscribes to the same ideas (as he linked that post approvingly).
Again I'm not enough of a domain expert to really have an opinion on whether this is correct. But it does seem interesting that there was a lot of momentum behind the "switch to duktape" MRs, but there didn't seem to be much movement in the discussion in favor of "why not just throw it out entirely and go back to declarative rules".