[Touch-packages] [Bug 2095001] Re: Very weird and dangerous bug in systemd's sudoing (polkit?) process

Tue, 08 Apr 2025 01:25:48 -0700 

** Changed in: policykit-1 (Ubuntu)
       Status: New => Confirmed

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to policykit-1 in Ubuntu.
https://bugs.launchpad.net/bugs/2095001

Title:
  Very weird and dangerous bug in systemd's sudoing (polkit?) process

Status in PolicyKit:
  New
Status in policykit-1 package in Ubuntu:
  Confirmed
Status in policykit-1 package in Debian:
  Confirmed

Bug description:
  Hello,

  I have a YubiKey (of type "Security Key NFC"). I configured it under Linux, 
following their guide:
  
https://support.yubico.com/hc/en-us/articles/360016649099-Ubuntu-Linux-Login-Guide-U2F
  In particular, I've protected the running of "sudo" and "sudo-i" calls, by 
requiring a touch to the YubiKey after typing the password. More precisely, I 
added this line to these files:
  --- /etc/pam.d/sudo{,-i}
  auth       required   pam_u2f.so
  ---

  I just discovered the following very troubling fact: when calling, as a user, 
on the command line, a command that requires root privileges, I'm asked to 
enter my password (automatic sudo from systemd?/polkit?). This seems OK.
  But if I type my (correct) password, but then do not validate it by hitting 
return, then let the login/sudo timeout trigger, then *my actual password get 
copy-pasted on the command line!!!!*
  Example:
  ```
  [✘] user@localmachine:~$ service ollama stop
  ==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units ====
  Authentication is required to stop 'ollama.service'.
  Authenticating as: USER,,, (user)
  Password: Failed to stop ollama.service: Connection timed out   ### <- Here I 
type my password, do not validate it with "Return", then let the timeout trigger
  See system logs and 'systemctl status ollama.service' for details.
  polkit-agent-helper-1: pam_authenticate failed: Authentication failure
  [✘] user@localmachine:~$ MyPassw0rd!
  ```

  I'm not sure what mechanism is at work here, but this is VERY bad!!!

To manage notifications about this bug go to:
https://bugs.launchpad.net/policykit-1/+bug/2095001/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

Reply via email to