Hi, Am Sonntag, den 21.11.2021, 11:33 +0330 schrieb Hamzeh Nasajpour: > The `PATH` environment variable is hard-code here: > > https://github.com/freedesktop/polkit/blob/master/src/programs/pkexec.c#L882-L886 > > We don't have any executable in these paths in guix: > ``` > /usr/sbin:/usr/bin:/sbin:/bin:/root/bin > ``` > > Replicate the issue: > 1. Run the `pkexec` > 2. Enter your password > 3. run `echo $PATH` in the opened terminal > 4. You will see this path: `/usr/sbin:/usr/bin:/sbin:/bin:/root/bin` > 5. You can't run most of the commands. (`ls`, `passwd`, `chpasswd` > and so on.) > > Expected Behavior: > Running all of the commands without any error. > > Isn't it? Should not we patch the `PATH` environment variable in > `pkexec` source codes? Either way, some applications like `lxqt- > admin-user` and `lxqt-admin-time` has an issue and they can't run the > commands via `pkexec`. I get this error when I want to change user > password via `lxqt-admin-user`. It's using `pkexec` to change > password. I'm getting some flashbacks from my ITSec courses here. pkexec is protecting itself against a malicious PATH attack. The paths are chosen somewhat arbitrarily, but on traditional distros this ought to ensure, that no privilege escalation occurs. We could inject /run/current-system, given that /run likewise ought to be root-writable only, but I'm not sure how much that helps. The obvious solution is to use canonical (store) paths with pkexec.
Cheers
