Package: policykit-1
Version: 0.105-18
Severity: grave
Tags: security
Justification: user security hole
Dear Maintainer,

If an unprivileged user is a member of group sudo, he can achieve unrestricted root privileges with pkexec and his user password (instead of the root password). This happens regardless of whether package sudo is installed, and regardless of existing or non-existing entries in /etc/sudoers.

Command sudo and group sudo were designed to allow single privileged commands for unprivileged users. Instead, pkexec allows full root access for members of group sudo.

I expect:
- pkexec does not regard group sudo. (clean way, unlinking polkit from sudo)
or
- pkexec regards entries in /etc/sudoers. (dirty way, pkexec should not be mixed with sudo)

(Not regarding group sudo would also avoid prompting non-sudo-group users for passwords of sudo-group users)

Thanks!
Martin

-- System Information:
Debian Release: 9.1
  APT prefers stable
  APT policy: (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8), LANGUAGE=de_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages policykit-1 depends on:
ii  dbus                    1.10.18-1
ii  libc6                   2.24-11+deb9u1
ii  libglib2.0-0            2.50.3-2
ii  libpam-systemd          232-25+deb9u1
ii  libpam0g                1.1.8-3.6
ii  libpolkit-agent-1-0     0.105-18
ii  libpolkit-backend-1-0   0.105-18
ii  libpolkit-gobject-1-0   0.105-18

policykit-1 recommends no packages.

policykit-1 suggests no packages.

-- debconf-show failed

_______________________________________________
Secure-testing-team mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-team
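The behaviour Martin reports comes from polkit 0.105's local authority, which treats every identity listed under AdminIdentities as an administrator and lets pkexec authenticate such a user with their own password. The script below is an added example, not part of the bug report or of the policykit-1 package: it shows how to find the AdminIdentities value that is actually in effect, how to decide whether a given user falls under it, and how to override it so that pkexec asks for root's password instead. It assumes the Debian layout, /etc/polkit-1/localauthority.conf.d/ with a shipped 51-debian-sudo.conf containing "AdminIdentities=unix-group:sudo", that the *.conf files are read in lexical order with the last AdminIdentities line winning (as pklocalauthority(8) describes), and it picks "unix-user:root" for the override as one illustrative policy choice. The sample configuration it builds in a temporary directory is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the bug report or the polkit project): inspect and
# override the local-authority AdminIdentities setting of polkit 0.105.
#
# Assumptions: Debian's conf directory below, where the package ships
# 51-debian-sudo.conf with "AdminIdentities=unix-group:sudo"; *.conf files are
# read in lexical order and the last AdminIdentities line wins.
POLKIT_CONF_DIR="${POLKIT_CONF_DIR:-/etc/polkit-1/localauthority.conf.d}"

# Print the AdminIdentities value the local authority ends up using: the last
# uncommented "AdminIdentities=" line across the *.conf files in glob (lexical)
# order. Section headers are not tracked; these files carry only [Configuration].
effective_admin_identities() {
    dir="$1"
    result=""
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        v=$(sed -n 's/^[[:space:]]*AdminIdentities[[:space:]]*=[[:space:]]*//p' "$f" | tail -n 1)
        [ -n "$v" ] && result="$v"
    done
    printf '%s\n' "$result"
}

# Return 0 if USER, who is a member of the space-separated GROUPS, matches
# IDENTITIES, a ';'-separated list of unix-user:NAME / unix-group:NAME entries.
# Spaces around ';' are stripped so "a; b" and "a;b" are treated alike.
identity_is_admin() {
    user="$1"; groups="$2"; identities="$3"
    list=$(printf '%s' ";$identities;" | tr -d ' ')
    case "$list" in *";unix-user:$user;"*) return 0 ;; esac
    for g in $groups; do
        case "$list" in *";unix-group:$g;"*) return 0 ;; esac
    done
    return 1
}

# Live-system wrapper: look the user's groups up with id(1) and check them
# against the configuration that is really installed.
user_is_polkit_admin() {
    user="$1"
    identity_is_admin "$user" "$(id -nG "$user")" \
        "$(effective_admin_identities "$POLKIT_CONF_DIR")"
}

# Drop an override with a higher lexical prefix so it is read after
# 51-debian-sudo.conf and replaces its AdminIdentities. "unix-user:root" is an
# assumed policy choice: polkit then asks for root's password, not the caller's.
write_admin_override() {
    dir="$1"
    mkdir -p "$dir"
    printf '[Configuration]\nAdminIdentities=unix-user:root\n' > "$dir/99-local-admin.conf"
}

# Stand-alone demonstration on a constructed copy of the Debian default.
demo() {
    tmp=$(mktemp -d)
    # Constructed stand-in for the shipped 51-debian-sudo.conf (assumed content).
    printf '[Configuration]\nAdminIdentities=unix-group:sudo\n' > "$tmp/51-debian-sudo.conf"
    before=$(effective_admin_identities "$tmp")
    printf 'before override: AdminIdentities=%s\n' "$before"
    if identity_is_admin martin "martin cdrom sudo" "$before"; then
        echo "martin (in group sudo): pkexec would accept martin's own password"
    fi
    write_admin_override "$tmp"
    after=$(effective_admin_identities "$tmp")
    printf 'after override:  AdminIdentities=%s\n' "$after"
    if ! identity_is_admin martin "martin cdrom sudo" "$after"; then
        echo "martin: no longer an admin identity; root's password is required"
    fi
    rm -rf "$tmp"
}
demo
```

On a real Debian 9 host, `user_is_polkit_admin "$USER"` reads the installed configuration; run `write_admin_override /etc/polkit-1/localauthority.conf.d` as root to apply the override, and keep in mind that this only changes who polkit treats as an administrator, it does not consult /etc/sudoers.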

