chjj / slock

Fork of suckless screen locker for the extremely paranoid.
MIT License

Possible privilege escalation vulnerability in the Automatic Shutdown feature #6

Open beomusxyz opened 2 years ago

beomusxyz commented 2 years ago

The feature is an excellent idea, and I absolutely love it, but the second I saw the NOPASSWD option I instantly thought about how I could exploit something like that. Anything user writeable and root executable is a super easy way to do local privilege escalation, hell, I've done it before. Honestly that is the only thing stopping me from putting this on my daily driver laptop right now.

[username] [hostname] =NOPASSWD: /usr/bin/systemctl poweroff
[username] [hostname] =NOPASSWD: /usr/bin/shutdown -h now
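
An audit sketch for the concern raised above, added here as an example (it is not code from this thread or from slock): it lists the commands granted by NOPASSWD rules and reports any binary, or directory on its path, that someone other than root could replace. The user `alice`, the host `laptop`, the script `lock-and-halt.sh` and all function names are hypothetical.

```python
import os
import stat

def nopasswd_commands(sudoers_text):
    """Return the executable path of each command listed in a NOPASSWD rule."""
    paths = []
    for raw in sudoers_text.splitlines():
        line = raw.strip()
        if line.startswith("#") or "NOPASSWD:" not in line:
            continue
        for cmd in line.split("NOPASSWD:", 1)[1].split(","):
            words = cmd.split()
            if words and words[0].startswith("/"):
                paths.append(words[0])
    return paths

def replaceable_by(path, trusted_uids=(0,)):
    """List (path, reason) pairs for the binary and every directory above it."""
    findings = []
    # Symlinks are resolved first; the directory holding a link is not checked.
    current = os.path.realpath(path)
    while True:
        try:
            st = os.stat(current)
        except FileNotFoundError:
            findings.append((current, "does not exist"))
        else:
            # In a sticky directory (e.g. /tmp) others cannot replace root's files.
            sticky_dir = stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_ISVTX
            if st.st_uid not in trusted_uids:
                findings.append((current, f"owned by uid {st.st_uid}"))
            if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH) and not sticky_dir:
                findings.append((current, f"group/other writable, mode {stat.filemode(st.st_mode)}"))
        parent = os.path.dirname(current)
        if parent == current:
            return findings
        current = parent

def audit(sudoers_text, trusted_uids=(0,)):
    """Map each NOPASSWD command path to its findings; an empty list means clean."""
    return {p: replaceable_by(p, trusted_uids) for p in nopasswd_commands(sudoers_text)}

if __name__ == "__main__":
    # Constructed sample: the two rules from the issue with a placeholder user and
    # host, plus a hypothetical rule pointing at a script in a home directory.
    SAMPLE = """\
alice laptop =NOPASSWD: /usr/bin/systemctl poweroff
alice laptop =NOPASSWD: /usr/bin/shutdown -h now
alice laptop =NOPASSWD: /home/alice/bin/lock-and-halt.sh
"""
    for path, findings in audit(SAMPLE).items():
        print(path, "OK" if not findings else findings)
```
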

coffebar commented 2 years ago

@D1sturbing Hi, I believe on most systems we can run such a command without root privileges and without editing a sudoers file: /usr/bin/systemctl poweroff -i

I have this binding in my i3 config on Arch and it works fine without any configuration from my side. This line was copy-pasted from somewhere, I think the flag -i means something like "ignore locks, force shutdown".

beomusxyz commented 2 years ago

Just tested this, it does indeed work. I think I'll fill out a pull request now.

beomusxyz commented 2 years ago

Just so happened that I distrohopped... now I need to find a way to do that with the runit init system...