Unable to fully audit polkit rules for compliance with corporate policies

[polkit-github-migration-bot]

In gitlab.freedesktop.org by tvaughan on Apr 25, 2019, 17:41

Link to the original issue: https://gitlab.freedesktop.org/polkit/polkit/-/issues/80 While it is possible for an organization to nail down the policy files and delete all unknown files, this is usually seen as undesirable by end users and may break many (if not most) vendor supplied applications that use polkit.

Given that the policy rules are interpreted, what is the appropriate manner to determine that users/groups have not been given excessive privileges?

[polkit-github-migration-bot]

In gitlab.freedesktop.org by pillarsdotnet on Apr 25, 2019, 19:31

Seems like there oughtta be some kind of equivalent to the Windows "Show Effective Permissions" tab where you can query PolKit for the net result of all that interpretation with respect to a given user and/or object.

[polkit-github-migration-bot]

In gitlab.freedesktop.org by tvaughan on Apr 25, 2019, 19:34

@pillarsdotnet That would be an awesome solution actually!

[polkit-github-migration-bot]

In gitlab.freedesktop.org by trevorbryant on Apr 25, 2019, 20:05

What supplementation could be used, if any, to maintain traceability?

[polkit-github-migration-bot]

In gitlab.freedesktop.org by a.c.kalker on Apr 27, 2019, 13:14

Please see my proposed tool (just a PoC for now) in issue #81. With some simple adaptation of its output format, I think it could be useful for basic auditing.

For a basic workflow, I would suggest:

• For each role (user, service) in the organisation, create a master template of the required authorizations, iteratively run the pk-list-auths for the particular case (be it an active user login session or a running service) and modify polkit policy configuration until the tool output matches expectations.
• For each role, compare the role master template output for that role with runs of the tool on any running supporting processes (which may run as different user, acquire or release authorizations during their lifecycles, etc.)
• Periodically, run the tool for each role and supporting process and compare its output with the master template output for that role to spot any changes in authorizations (which could be a result of configuration changes, software updates, etcetera).

I hope this is clear enough, any questions and suggestions are very welcome.

[polkit-github-migration-bot]

In gitlab.freedesktop.org by jrybar on Sep 11, 2023, 12:55

Yes, this would be nice, however it seems out of scope of polkit daemon. The required functionality is tied closely to the used desktop environment. As KDE, Gnome, Xfce etc. implements their own authorization agents/helpers (i.e. windows asking for password), I believe this is more a request to the respective desktop environment developers.

[polkit-github-migration-bot]

In gitlab.freedesktop.org by peiriannydd on Sep 11, 2023, 14:47

@jrybar I disagree (and still really want this). Basically, you literally don't know what's going to happen until you try prodding it and then you hope you got it right until someone comes along and tells you that you didn't.

In my opinion, since the configuration of polkit uses a programming language, the result of the program should be end-to-end testable.

In theory polkit was going to be better than pam, but this seems to be more inscrutable given that it's not too difficult to write something that smashes a full pam configuration together for a given target. I mean pamtester is still kicking around in distros out there for just this reason.

[polkit-github-migration-bot]

In gitlab.freedesktop.org by jrybar on Sep 12, 2023, 08:12

I wasn't talking about auditting itself, because that can be done even now with polkit's tools (I'm writing the comment and a guide). I was talking about "Showing effective permissions" in a window manager (equivalent to Windows). We don't really do anything related to desktop environment here. That's polkit-gnome/polkit-kde/polkit-xfce etc., projects of their respective DEs, because they know best how to make a graphical functionality for their desktops.

[polkit-github-migration-bot]

In gitlab.freedesktop.org by jrybar on Sep 12, 2023, 12:49

On auditting privileges granted to a specified user with tools provided by the polkit repository

polkit is a daemon that orchestrates communication between an unprivileged process that asks for authentication and further authorization to perform privileged actions done by a privileged process. If we realize that a shell is also a process running under a user that is logged in, we can simply check whether shell process can call a specific action under the logged-in user: 

 pkcheck -a <action> -p $$.

If we want to check for every action known to polkit, this can be done by a shell one-liner that chains pkaction (lists all actions) followed by pkcheck -a <each-action> -p $$.  

for action in pkaction; do if pkcheck -p $$ -a $action

If we want to perform checks for other users than us (and we have root), this can be done in Linux using sudo -u <user> command (or similarly su <user> -c '<command>'), IOW we run a new shell under a specified user and do the checks there.

sudo -u <user> sh -c 'for action in pkaction; do pkcheck -p $$ -a $action 2>/dev/null; retval=$?; if [[ $retval -eq 0 ]]; then echo "[ Authorized ] $action"; else if [[ $retval -eq 2 ]]; then echo "[ Challenge ] $action"; else echo "[ Denied ] $action"; fi; fi; done'

The script proposed in issue #81 works similar way, but also nicely groups the results. Similar results can be obtained by finishing the one-liner above with |sort command. This, however, may break consistency of the rules' topic in case the service's action names are not unified (org.freedesktop.<service_name>.<action>):

su <user> -c 'for action in pkaction; do pkcheck -p $$ -a $action >/dev/null 2>&1; retval=$?; if [[ $retval -eq 0 ]]; then echo "[ Authorized ] $action"; else if [[ $retval -eq 2 ]]; then echo "[ Challenge ] $action"; else echo "[ Denied ] $action"; fi; fi; done' |sort

Please note that polkit rules provide a variety of options and properties to check against, e.g. process group, newly a systemd unit etc., because .rules files are written in JavaScript, a Turing-complete language which was specifically incorporated to provide flexibility in writing the rules. Hence, the scripts above may not work for all cases.

[polkit-github-migration-bot]

In gitlab.freedesktop.org by peiriannydd on Sep 12, 2023, 14:28

@jrybar I think there was a communications mixup in there. I think that the Windows example was just an example of what is wanted.

Personally, I want something like pamtester where I can say "Polkit API: given inputs X, Y, Z => Yes/No".

I figure, like many Linux tools, any GUI would just be a wrapper around that capability.

[polkit-github-migration-bot]

In gitlab.freedesktop.org by peiriannydd on Sep 12, 2023, 14:36

Unfortunately, this approach is incompatible with any sort of enterprise-level deployment.

For home use, this is fine, but there are the following use cases that should be handled:

• Given that we don't want to blow up our SIEM with banner blindness false positives
  • The solution should not require a login
• Given that we want to test potential paths in existing rulesets for possible exploitation
  • The solution should not rely on existing groups and/or users
• Given that creating test accounts in every group in a distributed authentication framework (LDAP, etc..) is unsafe and infeasible
  • We should not be required to use "real" accounts
• Given that performing live penetration testing of a system using real shell accounts is inherently unsafe
  • The solution should not be required to use a real shell account

To mirror your statement:

polkit is a daemon that orchestrates communication between an unprivileged process that asks for authentication and further authorization to perform privileged actions done by a privileged process.

pam is a library that, correctly integrated, orchestrates communication between an unprivileged process that asks for authentication and further authorization to perform privileged actions done by a privileged process.

And I will definitely stand by the fact that any Turing-complete language should be testable outside of a live system. I mean, how do you run acceptance tests on evaluation polkit rulesets? I'm assuming that you don't set up a live system and run all of your permutations?

Personally, I would just like the ability to ask the polkit daemon whether or not a given set of rules will evaluate to true or false. I suppose that I could create a replica of every ruleset on every one of my systems but, as you say, being a Turing complete language, technically someone could write polkit rules that load directly from a remote source unless the daemon is otherwise constrained by the kernel.

[polkit-github-migration-bot]

In gitlab.freedesktop.org by peiriannydd on Sep 12, 2023, 14:40

As another corollary, here are the instructions for performing tests on Open Policy Agent policies. Would polkit be open to an alternative OPA backend? Given the javascript underpinnings, passing JSON to OPA should be pretty straightforward.

[polkit-github-migration-bot]

In gitlab.freedesktop.org by jrybar on Sep 13, 2023, 14:29

Hello,
If you happen to have more requirements, please don't hesitate to list them here. Maybe our security team will be interested as well.
Writing another external engine that parses action and rules files seems redundant here. Maybe a few more options in pkcheck should suffice (to provide UID/GID and other process properties).
Anyway, running a testing VM with a given set of action and rules files is a no-go?

[polkit-github-migration-bot]

In gitlab.freedesktop.org by jrybar on Sep 13, 2023, 14:33

I don't know. Polkit used to have some sort of "ini" rules, PKLA, which were abandoned and replaced with JS because pkla wasn't flexible enough (that's what I heard).
I'd have to go through the historical records I happen to have to re-learn why exactly.
So if there are no regressions in functionality, polkit is open to anything provided that you send MR ;)

[polkit-github-migration-bot]

In gitlab.freedesktop.org by peiriannydd on Sep 13, 2023, 15:07

Combining both this and the previous comment into one response.

I appreciate the feedback on the issue and I definitely remember the rollover from the INI files to the JS files.

I posted this when working with the Compliance as Code project and trying to figure out how to properly audit polkit rules.

In a similar nature to auditd, the reality of the system is what matters, not the contents of any given file since you can get to an answer that you might not expect due to other files making other decisions.

This raised the question of exactly how you would ask polkit what decision it would make provided a given set of inputs.

While copying the files to a VM is potentially viable, as you approach enterprise scale, this doesn't really hold up (yeah, I know systems should be cattle, not pets, but we live in the real world :cry:).

So, the fundamental question I'm trying to figure out how to answer is: On a given specific system of interest, how do I know what polkit is going to answer given a known set of inputs.

Without being able to answer that question, I have no idea how to provide a correct answer as to what a given notional set of users (or groups) can, or cannot, actually do on a system.