Software:Polkit
 | |
| Developer(s) | David Zeuthen, Red Hat |
|---|---|
| Written in | C |
| Operating system | Linux, Unix-like |
| Type | Privilege authorization |
| License | LGPL (free software) |
| Website | gitlab |
Polkit (formerly PolicyKit) is a component for controlling system-wide privileges in Unix-like operating systems. It provides an organized way for non-privileged processes to communicate with privileged ones. Polkit allows a level of control of centralized system policy. It is developed and maintained by David Zeuthen from Red Hat and hosted by the freedesktop.org project. It is published as free software under the terms of version 2 of the GNU Lesser General Public License.[1]
Since version 0.105, released in April 2012,[2][3] the name of the project was changed[by whom?] from PolicyKit to polkit to emphasize that the system component was rewritten[4] and that the API had changed, breaking backward compatibility.[5][dubious ]
Fedora became the first distribution to include PolicyKit, and it has since been used in other distributions, including Ubuntu since version 8.04 and openSUSE since version 10.3. Some distributions, like Fedora,[6] have already switched to the rewritten polkit.
It is also possible to use polkit to execute commands with elevated privileges using the command pkexec followed by the command intended to be executed (with root permission).[7] However, it may be preferable to use sudo, as this command provides more flexibility and security, in addition to being easier to configure.[8]
Implementation
The polkitd daemon implements Polkit functionality.[9]
Vulnerability
| CVE identifier(s) | CVE-2021-4034 |
|---|---|
| Date discovered | 18 November 2021 |
| Discoverer | Qualys Research Team |
| Affected hardware | All architectures |
| Affected software | Polkit (all versions prior to discovery) |
| Used by | Default on every major Linux distribution |
| Website | qualys.com |
A memory corruption vulnerability PwnKit (CVE-2021-4034[10]) discovered in the pkexec command (installed on all major Linux distributions) was announced on January 25, 2022.[11][12] The vulnerability dates back to the original distribution from 2009. The vulnerability received a CVSS score of 7.8 ("High severity") reflecting serious factors involved in a possible exploit: unprivileged users can gain full root privileges, regardless of the underlying machine architecture or whether the polkit daemon is running or not.
See also
- Pluggable authentication module
- Principle of least privilege
- PackageKit
- User Account Control – a similar feature introduced in Windows Vista and still exists in Windows 11
References
- ↑ "polkit Git COPYING". David Zeuthen. https://cgit.freedesktop.org/polkit/tree/COPYING.
- ↑ "polkit Git NEWS". David Zeuthen. https://cgit.freedesktop.org/polkit/tree/NEWS.
- ↑ "Polkit releases". https://www.freedesktop.org/software/polkit/releases/.
- ↑ "Chapter 9. PolicyKit". openSUSE Security Guide. Novell, Inc. and contributors. http://doc.opensuse.org/documentation/html/openSUSE_113/opensuse-security/cha.security.policykit.html.
- ↑ "Polkit and KDE: let's make the point of the situation". 22 December 2009. https://drfav.wordpress.com/2009/12/22/polkit-and-kde-lets-make-the-point-of-the-situation/.
- ↑ "Features/PolicyKitOne". Fedora Project Wiki. https://fedoraproject.org/w/index.php?title=Features/PolicyKitOne&oldid=126848.
- ↑ "pkexec". polkit Reference Manual. https://www.freedesktop.org/software/polkit/docs/latest/pkexec.1.html.
- ↑ "When to use pkexec vs. gksu/gksudo?". https://askubuntu.com/questions/78352/when-to-use-pkexec-vs-gksu-gksudo.
- ↑ Команда разработчиков BLFS (5 September 2017). "4: Bezopasnost'" (in ru). За пределами проекта "Linux® с нуля". Версия 7.4. 1. Moscow: Litres (published 2017). p. 169. ISBN 9785457831186. https://books.google.com/books?id=OWn5CQAAQBAJ. Retrieved 5 September 2017.
- ↑ "CVE listing for CVE-2021-4034". https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4034. Retrieved January 25, 2022.
- ↑ "PwnKit: Local Privilege Escalation Vulnerability Discovered in polkit's pkexec (CVE-2021-4034)". January 25, 2022. https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034. Retrieved January 25, 2022.
- ↑ "Major Linux PolicyKit security vulnerability uncovered: Pwnkit". January 25, 2022. https://www.zdnet.com/article/major-linux-policykit-security-vulnerability-uncovered-pwnkit/. Retrieved January 25, 2022.
External links
- polkit GitLab repository at freedesktop.org
- Documentation at freedesktop.org
- Why polkit explaining polkit's role in a modern system
 |  |
