Hello everyone!

I am one of the maintainers of KDE's default file manager Dolphin and currently 
looking into security topics.

One aspect of polkit I was surprised about is that there seems to be nothing 
stopping malware from registering as the polkit authentication agent. I at 
least couldn't find anything preventing this while skimming through the polkit 
code base.

I therefore see the following potential privilege escalation scheme:

1. A user runs any malware as themselves.
2. The malware registers its own polkit authentication agent with polkitd which 
has the same look and feel as the system-provided one.
3. The next time the user is prompted by polkit for root/admin authentication 
the malicious authentication agent jumps in and fishes the password.
4. The malware now has full control over the system and the user doesn't know 
about it.

So what am I missing? Isn't this an issue? Why is there no prevention of 
malicious polkit authentication agents?

I am looking forward to your response(s) and have a nice day!
Felix Ernst