#pkexec — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #pkexec, aggregated by home.social.
-
While #NixOS should not be affected by #CopyFail as it uses recent kernels, here are additional fixes you can apply:
Disabling setuid does not mitigate it, but reduces the attack surfaces overall significantly.
Instead of #sudo, #su, #pkexec and other #setuid binaries you can use #run0 or a dedicated root account.
I have disabled setuid for a bunch of binaries I don't need, they still work when ran as root, with run0 or #sudo-rs.
```nix
boot.blacklistedKernelModules = [
"algif_aead"
];security.sudo.enable = false;
security.wrappers = {
su.enable = false;
pkexec.enable = false;
# example setuid binary
chsh = {
source = "${pkgs.shadow}/bin/chsh";
setuid = lib.mkForce false;
owner = "root";
group = "root";
};
};
``` -
While #NixOS should not be affected by #CopyFail as it uses recent kernels, here are additional fixes you can apply:
Disabling setuid does not mitigate it, but reduces the attack surfaces overall significantly.
Instead of #sudo, #su, #pkexec and other #setuid binaries you can use #run0 or a dedicated root account.
I have disabled setuid for a bunch of binaries I don't need, they still work when ran as root, with run0 or #sudo-rs.
```nix
boot.blacklistedKernelModules = [
"algif_aead"
];security.sudo.enable = false;
security.wrappers = {
su.enable = false;
pkexec.enable = false;
# example setuid binary
chsh = {
source = "${pkgs.shadow}/bin/chsh";
setuid = lib.mkForce false;
owner = "root";
group = "root";
};
};
``` -
While #NixOS should not be affected by #CopyFail as it uses recent kernels, here are additional fixes you can apply:
Disabling setuid does not mitigate it, but reduces the attack surfaces overall significantly.
Instead of #sudo, #su, #pkexec and other #setuid binaries you can use #run0 or a dedicated root account.
I have disabled setuid for a bunch of binaries I don't need, they still work when ran as root, with run0 or #sudo-rs.
```nix
boot.blacklistedKernelModules = [
"algif_aead"
];security.sudo.enable = false;
security.wrappers = {
su.enable = false;
pkexec.enable = false;
# example setuid binary
chsh = {
source = "${pkgs.shadow}/bin/chsh";
setuid = lib.mkForce false;
owner = "root";
group = "root";
};
};
``` -
While #NixOS should not be affected by #CopyFail as it uses recent kernels, here are additional fixes you can apply:
Disabling setuid does not mitigate it, but reduces the attack surfaces overall significantly.
Instead of #sudo, #su, #pkexec and other #setuid binaries you can use #run0 or a dedicated root account.
I have disabled setuid for a bunch of binaries I don't need, they still work when ran as root, with run0 or #sudo-rs.
```nix
boot.blacklistedKernelModules = [
"algif_aead"
];security.sudo.enable = false;
security.wrappers = {
su.enable = false;
pkexec.enable = false;
# example setuid binary
chsh = {
source = "${pkgs.shadow}/bin/chsh";
setuid = lib.mkForce false;
owner = "root";
group = "root";
};
};
``` -
While #NixOS should not be affected by #CopyFail as it uses recent kernels, here are additional fixes you can apply:
Disabling setuid does not mitigate it, but reduces the attack surfaces overall significantly.
Instead of #sudo, #su, #pkexec and other #setuid binaries you can use #run0 or a dedicated root account.
I have disabled setuid for a bunch of binaries I don't need, they still work when ran as root, with run0 or #sudo-rs.
```nix
boot.blacklistedKernelModules = [
"algif_aead"
];security.sudo.enable = false;
security.wrappers = {
su.enable = false;
pkexec.enable = false;
# example setuid binary
chsh = {
source = "${pkgs.shadow}/bin/chsh";
setuid = lib.mkForce false;
owner = "root";
group = "root";
};
};
``` -
@debacle @xpac: #pkexec alleine ist schon grusig, siehe z.B. CVE-2021-4034. Und da dann noch #JavaScript dahinter? 🤮
Gut, dass man auch sehr gut ohne #PolicyKit, #sudo und ähnliche #LPE-anfällige Programme leben kann — auch auf dem #Linux #Desktop.
-
Major Bug Grants Root for All Major Linux Distributions - One of the major reasons behind choosing Linux as an operating system is that it’s... - https://hackaday.com/2022/01/26/major-bug-grants-root-for-all-major-linux-distributions/ #securityhacks #vulnerability #linuxhacks #security #exploit #pkexec #polkit #update #admin #linux #patch #root