
I asked this in a thread about this from last night and didn't get a reply. For context, the way "run0" works is to apparently send a signal to polkit that requests a command under the root user's ID and permissions, thereby getting a privileged shell without SUID:

> How hard would it be to create a program to send a signal to polkit "impersonating" run0 and obtain a root shell without entering a password?

Anybody know how this is being authenticated?




Without looking at the specific implementation:

There should be a service running as uid=0 that exposes an unprivileged API.

This service then takes the RPC and does authorization with polkit.

I.e. the unprivileged part doesn't talk to polkit directly. But a privileged part uses polkit instead of a custom sudoers style config.


I would assume the authentication happens in polkit, so a fake client would only be able to run a command if it had the necessary credentials.
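A simplified model of the broker pattern the replies describe, added here as an example (not part of the thread, and not run0's or polkit's code): the privileged side takes the caller's identity from the kernel via Linux `SO_PEERCRED` instead of from anything the client sends, so a request that merely claims another uid is decided against the real one. The `policy` dict, the JSON request format and the `run-as-root` action name are assumptions standing in for polkit rules.

```python
import json, os, socket, struct

def peer_uid(conn):
    """Return the peer's uid as recorded by the kernel (Linux SO_PEERCRED)."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                          struct.calcsize("3i"))
    _pid, uid, _gid = struct.unpack("3i", raw)
    return uid

def broker_decide(conn, policy):
    """Privileged side: read one request and authorize it.

    `policy` is a hypothetical stand-in for polkit rules: {uid: {actions}}.
    """
    request = json.loads(conn.recv(4096).decode())
    uid = peer_uid(conn)  # identity comes from the kernel, never from the request
    return {
        "kernel_uid": uid,
        "claimed_uid": request.get("claimed_uid"),
        "authorized": request.get("action") in policy.get(uid, set()),
    }

def simulate(claimed_uid, policy, action="run-as-root"):
    """Send one constructed request over a socketpair and return the decision."""
    client, broker = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        msg = {"action": action, "claimed_uid": claimed_uid}
        client.sendall(json.dumps(msg).encode())
        return broker_decide(broker, policy)
    finally:
        client.close()
        broker.close()

if __name__ == "__main__":
    me = os.getuid()
    other = me + 1  # constructed: some uid that is not ours
    # Policy grants the action only to `other`; the client claims to be `other`.
    print(simulate(claimed_uid=other, policy={other: {"run-as-root"}}))
    # Policy grants the action to our real uid; no claim is needed.
    print(simulate(claimed_uid=None, policy={me: {"run-as-root"}}))
```

The first call is refused because the decision keys on `kernel_uid`; the `claimed_uid` field is carried through only to show that it is ignored.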



