bug#52011: pkexec: PATH environment variable

[Liliana Marie Prikler]

Hi,

Am Sonntag, den 21.11.2021, 11:33 +0330 schrieb Hamzeh Nasajpour:
> The `PATH` environment variable is hard-code here: 
> 
> https://github.com/freedesktop/polkit/blob/master/src/programs/pkexec.c#L882-L886
> 
> We don't have any executable in these paths in guix:
> ```
> /usr/sbin:/usr/bin:/sbin:/bin:/root/bin
> ``` 
> 
> Replicate the issue:
> 1. Run the `pkexec`
> 2. Enter your password
> 3. run `echo $PATH` in the opened terminal
> 4. You will see this path: `/usr/sbin:/usr/bin:/sbin:/bin:/root/bin`
> 5. You can't run most of the commands. (`ls`, `passwd`, `chpasswd`
> and so on.)
> 
> Expected Behavior:
> Running all of the commands without any error.
> 
> Isn't it? Should not we patch the `PATH` environment variable in
> `pkexec` source codes? Either way, some applications like `lxqt-
> admin-user` and `lxqt-admin-time` has an issue and they can't run the
> commands via `pkexec`. I get this error when I want to change user
> password via `lxqt-admin-user`. It's using `pkexec` to change
> password.
I'm getting some flashbacks from my ITSec courses here.  pkexec is
protecting itself against a malicious PATH attack.  The paths are
chosen somewhat arbitrarily, but on traditional distros this ought to
ensure, that no privilege escalation occurs.  We could inject
/run/current-system, given that /run likewise ought to be root-writable 
only, but I'm not sure how much that helps.  The obvious solution is to
use canonical (store) paths with pkexec.

Cheers