[Pkg-utopia-maintainers] Bug#860040: policykit-1: Hardening /proc in fstab with hidepid=1 or 2 blocks pkexec

Tony Sultana chaz.anton at gmail.com
Mon Apr 10 15:40:23 UTC 2017


Package: policykit-1
Version: 0.105-17
Severity: normal

Dear Maintainer,

Hardening my Debian Stretch system with lynis, I enabled hardening /proc to
limit non-superuser access to /proc directories.

proc     /proc     proc     defaults,hidepid=2     0     0

After reboot, all programs that required root authentication via a popup are
blocked from opening the window.  Programs tested include /usr/bin/synaptic-pkexec
and /usr/bin/gufw-pkexec.

/var/log/auth.log
Apr  9 12:07:30 hostname polkitd(authority=local): Registered Authentication Agent for unix-process:21299:214113 (system bus name :1.88 [pkexec /usr/sbin/synaptic], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Apr  9 12:07:33 hostname polkitd(authority=local): Operator of unix-process:21299:214113 FAILED to authenticate to gain authorization for action com.ubuntu.pkexec.synaptic for unix-process:21299:214113 [/bin/sh /usr/bin/synaptic-pkexec] (owned by unix-user:username)
Apr  9 12:07:33 hostname pkexec[21300]: username: Error executing command as another user: Not authorized [USER=root] [TTY=/dev/pts/0] [CWD=/home/username] [COMMAND=/usr/sbin/synaptic]
Apr  9 12:07:33 hostname polkitd(authority=local): Unregistered Authentication Agent for unix-process:21299:214113 (system bus name :1.88, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)

In fstab, hidepid=1 or hidepid=2 causes the same behavior.  Commenting out the
/proc line in fstab and rebooting solves the issue but reduces my hardening.

The behavior of blocking the user from running a program as root seems to be
correct.  However, there is no warning to the user that they are being blocked
from running the program since the popup window to enter authentication never
opens.

I suggest that if the authentication window cannot open then a warning window
is displayed to the user that permission is denied.

Debian Stretch 4.9.18-1 (2017-03-30) x86_64 GNU/Linux
lightdm 1.18.3
Openbox 3.6.1
LXQt Version: 0.11.1
-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages policykit-1 depends on:
ii  dbus                   1.10.16-1
ii  libc6                  2.24-9
ii  libglib2.0-0           2.50.3-2
ii  libpam-systemd         232-22
ii  libpam0g               1.1.8-3.5
ii  libpolkit-agent-1-0    0.105-17
ii  libpolkit-backend-1-0  0.105-17
ii  libpolkit-gobject-1-0  0.105-17

policykit-1 recommends no packages.

policykit-1 suggests no packages.

-- no debconf information
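A way to check from a shell whether a system is in the state described in this report, as an added diagnostic that is not part of the bug report or of policykit-1: it reads the hidepid value of the live /proc mount and tests whether a root-owned process entry is readable by the caller. The sample mount lines and function names are constructed for illustration.

```shell
#!/bin/sh
# Added diagnostic, not from the bug report: show whether /proc carries the
# hidepid option from fstab and whether another user's /proc/<pid> is readable.

# Print the hidepid value found in one /proc/mounts-style line, or nothing.
# $1 example: "proc /proc proc rw,nosuid,hidepid=2 0 0" (field 4 = options)
hidepid_value() {
    printf '%s\n' "$1" | awk '{
        n = split($4, opts, ",")
        for (i = 1; i <= n; i++)
            if (opts[i] ~ /^hidepid=/) { sub(/^hidepid=/, "", opts[i]); print opts[i] }
    }'
}

# Print the hidepid value of the live /proc mount, or "none" when unset/unavailable.
proc_hidepid() {
    line=$(grep -E '^[^ ]+ /proc proc ' /proc/mounts 2>/dev/null | head -n 1)
    v=$(hidepid_value "$line")
    printf '%s\n' "${v:-none}"
}

# Succeed if the caller can read /proc/<pid>/status. Under hidepid=1 or 2 a
# non-root caller cannot read entries of processes owned by other users.
pid_visible() {
    [ -r "/proc/$1/status" ]
}

# Constructed sample lines (not taken from the report) for both states.
SAMPLE_HARDENED='proc /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=2 0 0'
SAMPLE_DEFAULT='proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0'

report() {
    echo "hidepid on live /proc: $(proc_hidepid)"
    # PID 1 is root-owned, so a non-root caller sees "no" when hidepid is active.
    if pid_visible 1; then echo "pid 1 readable: yes"; else echo "pid 1 readable: no"; fi
}
report
```

Run it as the unprivileged desktop user, not as root, since root always sees every /proc entry.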