by JdeBP 2754 days ago
This is not an overflow problem. PolicyKit is deciding to exclude negative numbers from the allowable range of user IDs, causing pkttyagent to abend with an assertion failure, and then the authorization mechanism fails open.

The proposed patch from the systemd developers, somewhat worryingly, apparently does not address the failing open. It simply stops PolicyKit from excluding negative numbers as UIDs, and thus the assertion from failing. The worry is that some other assertion might trigger in the agent, or be introduced, that causes it to fail open in some other way. It should fail closed.

* https://gitlab.freedesktop.org/polkit/polkit/merge_requests/...

We have been down this road before with assertions.

* https://news.ycombinator.com/item?id=12655048
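The fail-closed point in the comment above, as an added illustration in C. This is not polkit's or systemd's code; the function names, the UID bounds and the sample values are constructed for the example. It shows why a uid_t above INT_MAX reads as "negative" once narrowed to int (so an `assert(uid >= 0)` aborts the process), a range check that returns DENY instead of aborting, and a caller that treats an abnormal agent exit as DENY rather than as the absence of a refusal.

```c
/* Added example, not polkit's or systemd's code: contrasts an assertion-style
 * UID check (which aborts the process) with a fail-closed check that returns an
 * explicit verdict, and shows the caller treating an abnormal helper exit as
 * DENY. Function names and the UID bounds are assumptions for illustration. */
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>

typedef enum { DENY = 0, ALLOW = 1 } verdict_t;

/* uid_t is unsigned; values above INT_MAX become negative when narrowed to int.
 * This reports whether an assert(signed_uid >= 0) would trip for this UID. */
int would_trip_negative_uid_assertion(uid_t uid)
{
    return uid > (uid_t)INT_MAX;
}

/* Fail-closed range check: start from DENY and only flip to ALLOW after every
 * condition has been verified. An out-of-range or int-unsafe UID is a
 * decision (DENY), not a crash. Bounds are supplied by the caller. */
verdict_t check_uid_range(uid_t uid, uid_t lo, uid_t hi)
{
    verdict_t verdict = DENY;
    if (would_trip_negative_uid_assertion(uid))
        return verdict;            /* would be "negative" as int: deny */
    if (uid < lo || uid > hi)
        return verdict;            /* outside the constructed allowed range */
    verdict = ALLOW;
    return verdict;
}

/* The caller's side: if the agent did not finish normally there is no
 * trustworthy verdict, so the only safe answer is DENY. */
verdict_t interpret_agent_result(int agent_exited_normally, verdict_t agent_verdict)
{
    if (!agent_exited_normally)
        return DENY;
    return agent_verdict == ALLOW ? ALLOW : DENY;
}

int main(void)
{
    /* Constructed samples: an ordinary user, the 2*(INT_MAX-1) value from the
     * thread (4294967292 as a 32-bit uid_t, -4 as int), and root. */
    uid_t samples[] = { 1000u, 4294967292u, 0u };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("uid %u: trips assertion=%d, range verdict=%s\n",
               (unsigned)samples[i],
               would_trip_negative_uid_assertion(samples[i]),
               check_uid_range(samples[i], 1000u, 60000u) == ALLOW ? "ALLOW" : "DENY");
    }
    printf("agent aborted -> %s\n",
           interpret_agent_result(0, ALLOW) == ALLOW ? "ALLOW" : "DENY");
    return 0;
}
```

The design choice worth copying is the default: every path that does not positively establish "allowed" returns DENY, including the path where the helper process never produced an answer at all.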


Yah, the title is technically not accurate since 2*(INT_MAX -1) overflows, is not negative and cannot run arbitrary systemctl commands (I have not tested though). The title would have been clear if it had read:

> unprivileged users with negative UID can successfully execute any systemctl command

I was wrong. You can create a UID greater than INT_MAX. The problem happens in a PolicyKit assertion. pjmlp linked the PolicyKit issue #74 (thanks).

> causing pkttyagent to abend with an assertion failure, and then the authorization mechanism fails open

Wrong. pkttyagent is just a frontend, it does not do any authorization itself. That's up to polkitd.

I didn't say that pkttyagent was the authorization mechanism. I said that the authorization mechanism fails open after pkttyagent abends. M. Poettering looked at it with a Desktop Bus monitor to inspect the transaction.

* https://github.com/systemd/systemd/issues/11026#issuecomment...