@wxcafe I'm having a massive deja-vu right now. Wasn't there some other exploit around the UID that was possible in the last year and a half or so?

@spacekookie @wxcafe That bug was that services with an invalid USER= setting (e.g. with a username that started with a digit) still got started, but as root (github.com/systemd/systemd/iss).

This one is a straight bug in polkit. I don't think there is anything that systemd can do, other than to stop using polkit entirely.

@spacekookie @wxcafe I'm pretty sure this bug also means that anything that demands authentication in e.g. KDE or GNOME, flatpak, fwupd,... will be open to users with a UID > INT_MAX.

Because those also use polkit.
