The `PATH` environment variable is hard-coded here:

https://github.com/freedesktop/polkit/blob/master/src/programs/pkexec.c#L882-L886

We don't have any executable in these paths in guix:
```
/usr/sbin:/usr/bin:/sbin:/bin:/root/bin
```

Replicate the issue:
1. Run the `pkexec`
2. Enter your password
3. Run `echo $PATH` in the opened terminal
4. You will see this path: `/usr/sbin:/usr/bin:/sbin:/bin:/root/bin`
5. You can't run most of the commands. (`ls`, `passwd`, `chpasswd` and so on.)

Expected Behavior:
Running all of the commands without any error.

Isn't it? Should not we patch the `PATH` environment variable in `pkexec` source code? Either way, some applications like `lxqt-admin-user` and `lxqt-admin-time` have an issue and they can't run the commands via `pkexec`. I get this error when I want to change user password via `lxqt-admin-user`. It's using `pkexec` to change password.
```
/run/current-system/profile/bin/lxqt-admin-user-helper: line 7: exec: passwd: not found
```

--
Hamzeh Nasajpour
PantherX Team
Hi,
On Sunday, 21.11.2021, at 11:33 +0330, Hamzeh Nasajpour wrote:
> The `PATH` environment variable is hard-coded here:
>
> https://github.com/freedesktop/polkit/blob/master/src/programs/pkexec.c#L882-L886
>
> We don't have any executable in these paths in guix:
> ```
> /usr/sbin:/usr/bin:/sbin:/bin:/root/bin
> ```
>
> Replicate the issue:
> 1. Run the `pkexec`
> 2. Enter your password
> 3. run `echo $PATH` in the opened terminal
> 4. You will see this path: `/usr/sbin:/usr/bin:/sbin:/bin:/root/bin`
> 5. You can't run most of the commands. (`ls`, `passwd`, `chpasswd`
> and so on.)
>
> Expected Behavior:
> Running all of the commands without any error.
>
> Isn't it? Should not we patch the `PATH` environment variable in
> `pkexec` source code? Either way, some applications like
> `lxqt-admin-user` and `lxqt-admin-time` have an issue and they can't run
> the commands via `pkexec`. I get this error when I want to change user
> password via `lxqt-admin-user`. It's using `pkexec` to change
> password.
I'm getting some flashbacks from my ITSec courses here. pkexec is
protecting itself against a malicious PATH attack. The paths are
chosen somewhat arbitrarily, but on traditional distros this ought to
ensure that no privilege escalation occurs. We could inject
/run/current-system, given that /run likewise ought to be root-writable
only, but I'm not sure how much that helps. The obvious solution is to
use canonical (store) paths with pkexec.
Cheers
Hi Lillana,
Thanks for your response and sorry for the delay.
> We could inject /run/current-system, given that /run likewise ought to be root-writable
> only, but I'm not sure how much that helps. The obvious solution is to
> use canonical (store) paths with pkexec.
Honestly, I couldn't find out your solution. Can you clarify it?
Regards,
--
Hamzeh Nasajpour
PantherX Team
On Sunday, 28.11.2021, at 11:09 +0330, Hamzeh Nasajpour wrote:
> Hi Lillana,
>
> Thanks for your response and sorry for the delay.
>
> > We could inject /run/current-system, given that /run likewise ought
> > to be root-writable only, but I'm not sure how much that helps.
> > The obvious solution is to use canonical (store) paths with pkexec.
>
> Honestly, I couldn't find out your solution. Can you clarify it?
That is, instead of writing "pkexec sh", write
"pkexec /run/current-system/profile/bin/sh" or similar.
Cheers
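
The advice in this thread, as an added example that is not part of the original messages or of polkit: a POSIX shell helper that resolves a command name against a trusted directory to its canonical (symlink-free) path before handing it to `pkexec`, and refuses targets that a non-owner could overwrite. The names `resolve_canonical`, `safe_target`, `pkexec_command` and `TRUSTED_DIRS` are hypothetical, and `readlink -f` (coreutils) is assumed to be available.

```shell
#!/bin/sh
# PATH that pkexec hard-codes, as quoted in the thread.
PKEXEC_PATH=/usr/sbin:/usr/bin:/sbin:/bin:/root/bin
# Assumption: directories the caller trusts; the thread names this one.
TRUSTED_DIRS=${TRUSTED_DIRS:-/run/current-system/profile/bin}

# resolve_canonical NAME DIRLIST
# Print the symlink-free absolute path of the first executable NAME in the
# colon-separated DIRLIST; return 1 when none exists.
resolve_canonical() (
    set -f; IFS=:
    for dir in $2; do
        if [ -f "$dir/$1" ] && [ -x "$dir/$1" ]; then
            readlink -f "$dir/$1"   # e.g. profile symlink -> store item
            exit 0
        fi
    done
    exit 1
)

# safe_target FILE
# Succeed only if neither FILE nor its directory is group- or world-writable,
# so an unprivileged user cannot replace what root is about to execute.
safe_target() {
    [ -z "$(find "$1" "$(dirname "$1")" -prune \
            \( -perm -020 -o -perm -002 \) -print)" ]
}

# pkexec_command NAME [ARGS...]
# Print the pkexec command line with NAME replaced by its canonical path.
pkexec_command() {
    target=$(resolve_canonical "$1" "$TRUSTED_DIRS") ||
        { echo "$1: not found in $TRUSTED_DIRS" >&2; return 1; }
    safe_target "$target" ||
        { echo "$target: writable by group or others" >&2; return 1; }
    shift
    printf '%s\n' "pkexec $target${*:+ $*}"
}

# Demo with the command from the thread's error message.
resolve_canonical passwd "$PKEXEC_PATH" >/dev/null ||
    echo "passwd: not reachable through pkexec's PATH"
pkexec_command passwd || true
```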