Hi Nix Devs,

I came across a question when discussing Polkit with a colleague.

It's possible to create an action file for pkexec that allows execution of another program with superuser privileges using the pkexec annotation:

```
<defaults>
    <allow_any>yes</allow_any>
    <allow_inactive>yes</allow_inactive>
    <allow_active>yes</allow_active>
</defaults>
<annotate key="org.freedesktop.policykit.exec.path">/path/to/some/program</annotate>
```

What if a user created a Nix package that had an action file like the above, and then proceeded to install that package into their user profile? This wouldn't require superuser privileges. If the above action file then gets symlinked into the polkit action directory (apparently any package with a `share/...` directory in the output directory gets symlinked), then doesn't that mean that the user can now execute the program specified in the path annotation with superuser privileges?

I imagine that during a user-profile installation, the action file may not in fact be symlinked into the system share directory (like `/run/current-system/sw/share...`), in which case the action file wouldn't take effect and there is no security vulnerability.

Thanks,

Roger

--
Founder of Matrix AI
https://matrix.ai/
+61420925975

_______________________________________________
nix-dev mailing list
[email protected]
http://lists.science.uu.nl/mailman/listinfo/nix-dev
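
An audit sketch for the situation raised in the message, added here and not part of the original post: it flags polkit actions that carry the pkexec `exec.path` annotation with any implicit authorization set to `yes`, and reports where each policy file really lives once symlinks are resolved. The action ids, the second sample action and both function names are made up for this example, and the directory to scan is supplied by the caller.

```python
import glob
import os
import xml.etree.ElementTree as ET

EXEC_PATH_KEY = "org.freedesktop.policykit.exec.path"
IMPLICIT = ("allow_any", "allow_inactive", "allow_active")

# Constructed sample: the fragment from the message wrapped in the
# <policyconfig>/<action> elements a .policy file needs. Action ids and the
# second action are placeholders made up for this example.
SAMPLE_POLICY = """<policyconfig>
  <action id="org.example.placeholder.open">
    <defaults>
      <allow_any>yes</allow_any>
      <allow_inactive>yes</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.exec.path">/path/to/some/program</annotate>
  </action>
  <action id="org.example.placeholder.admin">
    <defaults><allow_any>auth_admin</allow_any><allow_active>auth_admin</allow_active></defaults>
    <annotate key="org.freedesktop.policykit.exec.path">/path/to/other/program</annotate>
  </action>
</policyconfig>"""


def find_open_pkexec_actions(policy_xml):
    """List (action id, exec path, defaults set to "yes") for pkexec actions
    that at least one class of session may invoke without authenticating."""
    findings = []
    for action in ET.fromstring(policy_xml).iter("action"):
        paths = [(a.text or "").strip() for a in action.findall("annotate")
                 if a.get("key") == EXEC_PATH_KEY]
        open_defaults = sorted(d.tag for d in action.findall("defaults/*")
                               if d.tag in IMPLICIT and (d.text or "").strip() == "yes")
        if paths and open_defaults:
            findings.append((action.get("id"), paths[0], open_defaults))
    return findings


def audit_actions_dir(actions_dir):
    """Map each flagged .policy file's resolved path (symlinks followed, so
    the owning store path is visible) to its findings."""
    report = {}
    for path in sorted(glob.glob(os.path.join(actions_dir, "*.policy"))):
        with open(path, "rb") as fh:
            hits = find_open_pkexec_actions(fh.read())
        if hits:
            report[os.path.realpath(path)] = hits
    return report
```

Run against the directory polkit actually reads, the resolved paths in the report show which package each flagged action file came from.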
