Binary package hint: policykit-1
I use an LDAP server for centralized identification of local domain users and administrators on ubuntu client workstations.
Local identification is done through the PAM system using pam_ldap module.
When an application asks for special privileges through the policykit system, the list of domain administrators is correctly displayed and privileged user's login/password is correctly checked against the pam_ldap.so module but then polkit-agent-helper-1 cannot send back the authentication token to the DBus interface.
So, remote administrators' identification and privileges escalation work well with local and remote groups, su, sudo and related tools (gksu, gksudo), but nothing never works when privileges escalation goes through the policykit system.
It seems that the reason of this bug comes from polkit-agent-helper-1.
This executable is setuid root to allow communication with DBus (needed to confirm authentication if I've understood well this part of the code).
Unfortunately, during PAM verification some of the PAM modules may revoke permanently process credentials.
This is the case for the pam_ldap module (and maybe for other PAM modules too but I only checked with this one).
Here is an explanation of what occurs in polkitagent/polkitagenthelper-pam.c.
Let's say that we try to get special privileges for user 1000 (who is local or remote, this changes nothing to the issue).
First we try with a local administrator account and then with a remote (LDAP) administrator account.
With the LOCAL administrator account:
- Before pam_authenticate() call, real uid is 1000, effective uid is 0 (polkit-agent-helper-1 is setuid root) and saved uid is 0.
- After pam_authenticate() call, all uids are the same because the local administrator account has been authorized through the pam_unix module and it has not changed process credentials.
As effective uid is still 0, call to send_dbus_message() works well and special privileges have been granted to user 1000.
With the REMOTE (LDAP) administrator account:
- Before pam_authenticate() call, real uid is 1000, effective uid is 0 and saved uid is 0.
- After pam_authenticate() call, real uid is 1000, effective uid is 1000 and saved uid is 1000. The remote administrator has been authorized through the pam_ldap module and this module has revoked permanently process credentials.
As effective uid is now different from 0, call to send_dbus_message() always fails and then it is impossible to grant privileges to user 1000.
I made a little patch that stores process credentials before PAM processing, then forces real uid to 0 to prevent PAM modules from revoking setuid root, and then restores previous process credentials after PAM processing.
I'm not sure this is the best way to resolve this issue but it works well and it may be a good workaround until someone finds a best solution.
I don't think either that it may cause further security issues as polkit-agent-helper-1 is already setuid root, but it may require further investigation on that particular subject.
This patch also corrects a memory leak at the end of conversation_function().
ProblemType: Bug
DistroRelease: Ubuntu 11.04
Package: policykit-1 0.101-1ubuntu1
ProcVersionSignature: Ubuntu 2.6.38-9.43-generic 2.6.38.4
Uname: Linux 2.6.38-9-generic x86_64
NonfreeKernelModules: nvidia
Architecture: amd64
Date: Thu May 12 16:14:52 2011
InstallationMedia: Ubuntu 10.10 "Maverick Meerkat" - Release amd64 (20101007)
ProcEnviron:
LANGUAGE=fr_FR:en
LANG=fr_FR.UTF-8
SHELL=/bin/bash
SourcePackage: policykit-1
UpgradeStatus: Upgraded to natty on 2011-05-06 (6 days ago)
Status changed to 'Confirmed' because the bug affects multiple users.