Exploitable to gain root access with non-privileged user
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
policykit-gnome (Ubuntu) | Invalid | Undecided | Unassigned | |
Bug Description
Initial setup is a machine running Ubuntu 8.10 (Intrepid) with root account enabled, /etc/sudoers defaults with rootpw set. Am using policykit-gnome 0.9-1ubuntu1.
After (mistakenly) running
#passwd -l root
without changing /etc/sudoers to grant root privileges to my user account, I was unable to either use su, boot into recovery root console or invoke sudo. After several reboots (as my system worked well other than lacking administrative power) I discovered that (despite lacking sudo privileges) the Users and Groups panel (users-admin) still prompted me for my password to unlock - and accepted my password, allowing me to change the root password and reboot into recovery mode to gain control over the system again.
What should have happened is the users-admin application failing to authorize me.
To summarize, when armed with only an unprivileged user password, I was able to gain root. It looks like this issue is specifically in the gnome authorization code, which seems to span several tools and may therefore affect other portions of the gnome policy kit.
Thanks for reporting this issue.
PolicyKit was written to give access rights to ordinary users without giving them root credentials. If your user had the right to administer users using PolicyKit, then this is expected behaviour.
Closing this bug. Please feel free to reopen it if you can reproduce it without your unprivileged user having PolicyKit rights.
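
An added example, not part of the original bug thread: a small audit that lists accounts able to satisfy a PolicyKit admin prompt with their own password while having no sudo rights, which is the mismatch discussed above. It assumes the PolicyKit 0.9 configuration format (`/etc/PolicyKit/PolicyKit.conf` with `define_admin_auth`); the config, group file and sudo user set are constructed samples, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the PolicyKit 0.9 PolicyKit.conf format
# (not taken from the reporter's machine).
POLICYKIT_CONF = """<config version="0.1">
  <match user="root">
    <return result="yes"/>
  </match>
  <define_admin_auth group="admin"/>
</config>"""

# Constructed /etc/group excerpt and constructed set of accounts with sudo rights.
ETC_GROUP = """root:x:0:
admin:x:115:alice
users:x:100:alice,bob
"""
SUDO_USERS = {"root"}


def parse_groups(text):
    """Map group name -> supplementary members (primary GIDs are not covered)."""
    groups = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 4:
            groups[fields[0]] = {m for m in fields[3].split(",") if m}
    return groups


def polkit_admins(conf_xml, groups):
    """Accounts named by define_admin_auth, directly or through a group."""
    admins = set()
    for node in ET.fromstring(conf_xml).iter("define_admin_auth"):
        admins.update(u for u in node.get("user", "").split("|") if u)
        for group in filter(None, node.get("group", "").split("|")):
            admins |= groups.get(group, set())
    return admins


def polkit_only_admins(conf_xml, group_text, sudo_users):
    """Accounts with PolicyKit admin authority but no sudo rights."""
    admins = polkit_admins(conf_xml, parse_groups(group_text))
    return sorted(admins - set(sudo_users))


if __name__ == "__main__":
    for user in polkit_only_admins(POLICYKIT_CONF, ETC_GROUP, SUDO_USERS):
        print(f"{user}: PolicyKit admin authority without sudo rights")
```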