Polkit

polkit
Developer(s): David Zeuthen, Red Hat
Stable release: 123 [1] / 28 July 2023
Written in: C
Operating system: Linux, Unix-like
Type: Privilege authorization
License: LGPL (free software)
Website: gitlab.freedesktop.org/polkit/polkit/
[Image: KDE-based front-end.]

Polkit (formerly PolicyKit) is a component for controlling system-wide privileges in Unix-like operating systems. It provides an organized way for non-privileged processes to communicate with privileged ones, and allows a level of centralized control over system policy. It is developed and maintained by David Zeuthen from Red Hat and hosted by the freedesktop.org project. It is published as free software under the terms of version 2 of the GNU Lesser General Public License. [2]

Since version 0.105, released in April 2012, [3] [4] the project has been named polkit rather than PolicyKit, to emphasize that the system component was rewritten [5] and that the API had changed, breaking backward compatibility. [6]

Fedora became the first distribution to include PolicyKit, and it has since been used in other distributions, including Ubuntu since version 8.04 and openSUSE since version 10.3. Some distributions, like Fedora, [7] have already switched to the rewritten polkit.

It is also possible to use polkit to execute commands with elevated privileges using the command pkexec followed by the command intended to be executed (with root permission). [8] However, it may be preferable to use sudo, as this command provides more flexibility and security, in addition to being easier to configure. [9]

Implementation

The polkitd daemon implements Polkit functionality. [10]

Vulnerability

PwnKit
CVE identifier(s): CVE-2021-4034
Date discovered: 18 November 2021
Discoverer: Qualys Research Team
Affected hardware: All architectures
Affected software: Polkit (all versions prior to discovery)
Used by: Default on every major Linux distribution
Website: qualys.com

PwnKit (CVE-2021-4034 [11]), a memory corruption vulnerability discovered in the pkexec command (installed on all major Linux distributions), was announced on January 25, 2022. [12] [13] The vulnerability dates back to the original distribution from 2009. It received a CVSS score of 7.8 ("High severity"), reflecting the serious factors involved in a possible exploit: unprivileged users can gain full root privileges, regardless of the underlying machine architecture or whether the polkit daemon is running or not.
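Because the flaw is in the pkexec binary itself and does not depend on the polkit daemon running, a host's exposure can be inventoried by checking whether pkexec is installed setuid-root. The script below is an added example, not code from the article or the polkit project; the candidate paths are assumed common install locations.

```shell
#!/bin/sh
# Added example: inventory pkexec's setuid exposure on a host.
# The candidate paths at the bottom are assumptions, not taken from the article.

# Print one of: absent | no-setuid | setuid-root | setuid-nonroot
pkexec_exposure() {
    path=$1
    if [ ! -f "$path" ]; then
        echo absent
    elif [ ! -u "$path" ]; then
        echo no-setuid
    else
        # Field 3 of `ls -ln` is the numeric owner UID; -L follows symlinks.
        owner=$(ls -lnL "$path" | awk '{print $3}')
        if [ "$owner" = "0" ]; then echo setuid-root; else echo setuid-nonroot; fi
    fi
}

# Report every candidate that exists; return 1 if any copy is setuid-root.
audit_pkexec() {
    found=0
    for p in "$@"; do
        state=$(pkexec_exposure "$p")
        [ "$state" = absent ] && continue
        printf '%s\t%s\n' "$state" "$p"
        [ "$state" = setuid-root ] && found=1
    done
    return "$found"
}

audit_pkexec /usr/bin/pkexec /usr/local/bin/pkexec \
    || echo "setuid-root pkexec present: confirm the package carries the CVE-2021-4034 fix"
```

Where a fixed package could not be installed immediately, the Qualys advisory suggested removing the SUID bit from pkexec (`chmod 0755 /usr/bin/pkexec`) as a temporary mitigation.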

Related Research Articles

Security-Enhanced Linux: Linux kernel security module

Security-Enhanced Linux (SELinux) is a Linux kernel security module that provides a mechanism for supporting access control security policies, including mandatory access controls (MAC).

YaST: Installation and configuration tool for openSUSE and SUSE Linux

YaST is a Linux operating system setup and configuration tool.

chroot is an operation on Unix and Unix-like operating systems that changes the apparent root directory for the current running process and its children. A program that is run in such a modified environment cannot name files outside the designated directory tree. The term "chroot" may refer to the chroot(2) system call or the chroot(8) wrapper program. The modified environment is called a chroot jail.

udev is a device manager for the Linux kernel. As the successor of devfsd and hotplug, udev primarily manages device nodes in the /dev directory. At the same time, udev also handles all user space events raised when hardware devices are added into the system or removed from it, including firmware loading as required by certain devices.

Unix-like operating systems identify a user by a value called a user identifier, often abbreviated to user ID or UID. The UID, along with the group identifier (GID) and other access control criteria, is used to determine which system resources a user can access. The password file maps textual user names to UIDs. UIDs are stored in the inodes of the Unix file system, running processes, tar archives, and the now-obsolete Network Information Service. In POSIX-compliant environments, the shell command id gives the current user's UID, as well as more information such as the user name, primary user group and group identifier (GID).

In computer networking, xinetd is an open-source super-server daemon which runs on many Unix-like systems, and manages Internet-based connectivity.

NetworkManager: Software

NetworkManager is a daemon that sits on top of libudev and other Linux kernel interfaces and provides a high-level interface for the configuration of the network interfaces.

PulseAudio: Sound server for Unix-like operating systems

PulseAudio is a network-capable sound server program distributed via the freedesktop.org project. It runs mainly on Linux, including Windows Subsystem for Linux on Microsoft Windows and Termux on Android; various BSD distributions such as FreeBSD, OpenBSD, and macOS; as well as Illumos distributions and the Solaris operating system. It serves as a middleware in between applications and hardware and handles raw PCM audio streams.

HAL is a software subsystem for UNIX-like operating systems providing hardware abstraction.

PackageKit

PackageKit is a free and open-source suite of software applications designed to provide a consistent and high-level front end for a number of different package management systems. PackageKit was created by Richard Hughes in 2007, and first introduced into an operating system as a default application in May 2008 with the release of Fedora 9.

DeviceKit is a modular hardware abstraction layer designed for use in Linux systems that is designed to simplify device management and replace the current monolithic Linux HAL. DeviceKit includes the ability to enumerate system devices and send notifications when hardware is added or removed from the computer system.

OpenSSH: Set of computer programs providing encrypted communication sessions

OpenSSH is a suite of secure networking utilities based on the Secure Shell (SSH) protocol, which provides a secure channel over an unsecured network in a client–server architecture.

Plymouth (software): Graphical boot software for Linux

Plymouth is an application which provides a graphical boot experience for Linux. Plymouth supports animations using Direct Rendering Manager (DRM) and the KMS driver. Plymouth is bundled with an initial ramdisk which allows it to run before the file system is mounted. Some sources claim that Plymouth is named after Plymouth Rock, symbolizing the program's role as the first thing a user sees, but this has not been confirmed in any official capacity.

systemd: Suite of system components for Linux

systemd is a software suite that provides an array of system components for Linux operating systems. The main aim is to unify service configuration and behavior across Linux distributions. Its primary component is a "system and service manager" – an init system used to bootstrap user space and manage user processes. It also provides replacements for various daemons and utilities, including device management, login management, network connection management, and event logging. The name systemd adheres to the Unix convention of naming daemons by appending the letter d. It also plays on the term "System D", which refers to a person's ability to adapt quickly and improvise to solve problems.

perf is a performance analyzing tool in Linux, available from Linux kernel version 2.6.31 in 2009. Userspace controlling utility, named perf, is accessed from the command line and provides a number of subcommands; it is capable of statistical profiling of the entire system.

Shellshock (software bug): Security bug in the Unix Bash shell discovered in 2014

Shellshock, also known as Bashdoor, is a family of security bugs in the Unix Bash shell, the first of which was disclosed on 24 September 2014. Shellshock could enable an attacker to cause Bash to execute arbitrary commands and gain unauthorized access to many Internet-facing services, such as web servers, that use Bash to process requests.

UPower

UPower is a piece of middleware for power management on Linux systems. It enumerates power sources, maintains statistics and history data on them and notifies about status changes. It consists of a daemon (upowerd), an application programming interface and a set of command line tools. The daemon provides its functionality to applications over the system bus. PolicyKit restricts access to the UPower functionality for initiating hibernate mode or shutting down the operating system (freedesktop.upower.policy). The command-line client program upower can be used to query and monitor information about the power supply devices in the system. Graphical user interfaces to the functionality of UPower include the GNOME Power Manager and the Xfce Power Manager.

Dirty COW: Computer security vulnerability

Dirty COW is a computer security vulnerability of the Linux kernel that affected all Linux-based operating systems, including Android devices, that used older versions of the Linux kernel created before 2018. It is a local privilege escalation bug that exploits a race condition in the implementation of the copy-on-write mechanism in the kernel's memory-management subsystem. Computers and devices that still use the older kernels remain vulnerable.

qutebrowser: Free keyboard-focused web browser with a minimal GUI

qutebrowser is a QTwebengine-web browser for Linux, Windows, and macOS operating systems with Vim-style key bindings and a minimal GUI. It is keyboard-driven and is inspired by similar software such as Vimperator and dwb. It uses DuckDuckGo as the default search engine. qutebrowser is included in the native repositories of Linux distributions such as Fedora and Arch Linux. qutebrowser is developed by Florian Bruhin, for which he received a CH Open Source award in 2016.

Phosh: Graphical interface for mobile devices

Phosh is a graphical user interface designed for mobile and touch-based devices and developed by Purism. It is the default shell used on several mobile Linux operating systems including PureOS, Mobian, and Fedora Mobility. It is also an option on postmarketOS, Manjaro, and openSUSE.

References

  1. "Release 123 is out". 31 July 2023. Retrieved 21 September 2023.
  2. "polkit Git COPYING". David Zeuthen. Retrieved 15 November 2012.
  3. "polkit Git NEWS". David Zeuthen. Retrieved 15 November 2012.
  4. "Polkit releases". Retrieved 1 September 2018.
  5. "Chapter 9. PolicyKit". openSUSE Security Guide. Novell, Inc. and contributors. Archived from the original on 27 August 2012. Retrieved 15 November 2012.
  6. "Polkit and KDE: let's make the point of the situation". 22 December 2009. Retrieved 15 November 2012.
  7. "Features/PolicyKitOne". Fedora Project Wiki. Retrieved 15 November 2012.
  8. "pkexec". polkit Reference Manual. Retrieved 25 May 2013.
  9. "When to use pkexec vs. gksu/gksudo?". Retrieved 25 May 2013.
  10. BLFS development team (5 September 2017). "4: Bezopasnost'". За пределами проекта "Linux® с нуля". Версия 7.4 [Beyond Linux from scratch] (in Russian). Vol. 1. Moscow: Litres (published 2017). p. 169. ISBN 9785457831186. Retrieved 5 September 2017.
  11. "CVE listing for CVE-2021-4034". Mitre. Retrieved 25 January 2022.
  12. "PwnKit: Local Privilege Escalation Vulnerability Discovered in polkit's pkexec (CVE-2021-4034)". Qualys. 25 January 2022. Retrieved 25 January 2022.
  13. "Major Linux PolicyKit security vulnerability uncovered: Pwnkit". ZDNet. 25 January 2022. Retrieved 25 January 2022.