Skip to main content

How can privilege escalation through pkexec be prevented? [Resolved]

I've managed to elevate privileges on a Linux machine (3.19) using pkexec, but I don't understand the mechanics. /usr/bin/pkexec has the SUID bit set (which is normal, I gather), and simply using it to invoke /bin/sh and authenticating with my low-priv user results in root privileges.

How this works and how to prevent it are unclear to me. I've read up on pkexec (and polkit), but I just don't get it. Any explanation would be helpful.


Question Credit: user3347901
Question Reference
Asked March 25, 2019
Posted Under: Security
85 views
1 Answers

Configuration, basically.

If you're on Ubuntu, have a look in /etc/polkit-1/localauthority.conf.d/51-ubuntu-admin.conf:

 [Configuration]
 AdminIdentities=unix-group:sudo;unix-group:admin

Any member of the unix groups sudo or admin can use pkexec to gain administrative capabilities. The user created during installation of Ubuntu is a member of those groups, as it is the system administrator. If you create a new user that is not member of those groups, it cannot use pkexec.

man polkit gives you some information about how to configure policy kit.


credit: vidarlo
Answered March 25, 2019
Your Answer
D:\Adnan\Candoerz\CandoProject\vQA