Privilege escalation with polkit: How to get root on Linux with a seven-year-old bug
Polkit is a system service installed by default on many Linux distributions. systemd's own services consult it for authorization decisions, so any Linux distribution that uses systemd also ships polkit. A few weeks ago, I found a privilege escalation vulnerability in polkit.

The bug has a slightly different history on Debian and its derivatives, because Debian uses a fork of polkit with a different version numbering scheme.

The behavior of `polkit_system_bus_name_get_creds_sync` is strange: when an error occurs, the function sets its error parameter but still returns TRUE. A caller that tests only the return value therefore carries on as if the credential lookup had succeeded. It wasn't clear to me, when I wrote my bug report, whether that was a bug or a deliberate design choice.

The authorization check in the backend looks up the user behind the requesting subject, bails out on error, and then short-circuits for root:

```c
user_of_subject = polkit_backend_session_monitor_get_user_for_subject (priv->session_monitor,
                                                                        subject, NULL,
                                                                        &error);
if (error != NULL)
  goto out;

/* special case: uid 0, root, is always authorized for anything */
if (POLKIT_IS_UNIX_USER (user_of_subject) &&
    polkit_unix_user_get_uid (POLKIT_UNIX_USER (user_of_subject)) == 0)
  {
    result = polkit_authorization_result_new (TRUE, FALSE, NULL);
    goto out;
  }
```

To sum up, the authentication bypass only works on polkit actions that are implied by another polkit action.
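The dangerous combination described above is a callee that signals failure through an out-parameter while returning success, paired with a caller that checks only the return value and then applies a uid-0 special case. The following is an added example written for this article, not polkit's code: `Subject`, `Error`, `get_creds_sync_buggy`, `get_creds_sync_fixed` and the two `check_authorization*` functions are hypothetical stand-ins for the D-Bus subject, GError, the credential lookup and the backend check. It shows the buggy convention next to a hardened callee and a defensive caller, using a constructed subject whose connection has disappeared before the lookup runs.

```c
#include <stdbool.h>
#include <stdio.h>

/* Stand-in for GError: an "is set" flag plus a message. */
typedef struct {
    bool set;
    const char *message;
} Error;

/* Hypothetical subject: the D-Bus name requesting an action, whether its
   connection still exists at lookup time, and the uid that really owns it. */
typedef struct {
    const char *bus_name;
    bool connected;
    unsigned real_uid;
} Subject;

typedef enum { DECISION_DENY, DECISION_ALLOW_ROOT, DECISION_NEED_AUTH } Decision;

/* Buggy convention (modelled on the behaviour described in the text): the
   lookup fails, the error is set, but the function still reports success
   and leaves *uid_out untouched. */
bool get_creds_sync_buggy(const Subject *s, unsigned *uid_out, Error *err)
{
    if (!s->connected) {
        err->set = true;
        err->message = "name has no owner";
        return true;            /* inconsistent: error set, yet TRUE */
    }
    *uid_out = s->real_uid;
    return true;
}

/* Hardened convention: failure is visible in the return value as well. */
bool get_creds_sync_fixed(const Subject *s, unsigned *uid_out, Error *err)
{
    if (!s->connected) {
        err->set = true;
        err->message = "name has no owner";
        return false;
    }
    *uid_out = s->real_uid;
    return true;
}

typedef bool (*creds_fn)(const Subject *, unsigned *, Error *);

/* Caller that trusts only the boolean and never inspects err. uid starts
   at 0 (an assumption made so the failure is deterministic), so when the
   buggy callee leaves it untouched the root special case fires. */
Decision check_authorization(const Subject *s, creds_fn get_creds)
{
    Error err = { false, NULL };
    unsigned uid = 0;

    if (!get_creds(s, &uid, &err))
        return DECISION_DENY;               /* lookup failed: refuse */

    /* special case modelled on polkit: uid 0, root, is always authorized */
    if (uid == 0)
        return DECISION_ALLOW_ROOT;

    return DECISION_NEED_AUTH;              /* normal authentication path */
}

/* Defensive caller: a set error is failure regardless of the return value,
   so the outcome no longer depends on which convention the callee follows. */
Decision check_authorization_defensive(const Subject *s, creds_fn get_creds)
{
    Error err = { false, NULL };
    unsigned uid = 0;

    if (!get_creds(s, &uid, &err) || err.set)
        return DECISION_DENY;

    if (uid == 0)
        return DECISION_ALLOW_ROOT;

    return DECISION_NEED_AUTH;
}

int main(void)
{
    Subject alive = { ":1.42", true, 1000 };   /* constructed: unprivileged caller */
    Subject gone  = { ":1.42", false, 1000 };  /* same caller, connection dropped */

    printf("alive, buggy callee:      %d\n", check_authorization(&alive, get_creds_sync_buggy));
    printf("gone,  buggy callee:      %d\n", check_authorization(&gone, get_creds_sync_buggy));
    printf("gone,  fixed callee:      %d\n", check_authorization(&gone, get_creds_sync_fixed));
    printf("gone,  defensive caller:  %d\n", check_authorization_defensive(&gone, get_creds_sync_buggy));
    return 0;
}
```

Only the second call grants root: an unprivileged uid-1000 subject whose connection vanished is treated as uid 0 because the boolean said "success" and nothing looked at the error. Either side of the contract, a callee that returns FALSE on error or a caller that also tests the error, is enough to close that path.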