Security News > 2022 > January > “PwnKit” security bug gets you root on most Linux distros – what to do
After adding a Polkit rule to permit our account to do "Root" stuff, # we get automatic, temporary authorisation to run as the root user... $ pkexec ls -l /etc/polkit-1/rules.
Rules # And if we put no command and no username on the command line, pkexec # assumes that we want a shell, so it runs our preferred shell, # making us root until we exit back to the parent shell $ pkexec bash-5.1# id uid=0(root) gid=0(root) groups=0(root),... exit $ id uid=1042(duck) gid=1042(duck) groups=1042(duck),.... As well as checking its access control rules, pkexec also performs a range of other "Security hardening" operations before it runs your chosen command with added privileges.
In particular, the operating system itself automatically prunes several known-bad environment variables from any program, such as pkexec, that had the privilege to promote other software to run as root privilege.
For security reasons, pkexec ought to detect that it was given no command line arguments at all, not even its own name, and refuse to run.
If you remove the setuid bit from the pkexec executable file then this bug will no longer be exploitable, because pkexec won't automatically launch with superuser powers.
Which pkexec /usr/bin/pkexec <--probable location on most distros.