There is a discussion on GitHub [0] and Debian [1] as well.

[0] https://github.com/polkit-org/polkit/issues/545
[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1093276

In those reports, this issue has been verified on Debian and Linux Mint. I have verified this issue on 24.04+. Both Desktop and Server are affected. Ubuntu 22.04 is not affected. The most recent version of Fedora is not affected.

** Bug watch added: github.com/polkit-org/polkit/issues #545
   https://github.com/polkit-org/polkit/issues/545

https://bugs.launchpad.net/bugs/2095001

Title:
Very weird and dangerous bug in systemd's sudoing (polkit?) process

Status in policykit-1 package in Ubuntu: New
Status in policykit-1 package in Debian: Confirmed

Bug description:

Hello,

I have a YubiKey (of type "Security Key NFC"). I configured it under Linux, following their guide:
https://support.yubico.com/hc/en-us/articles/360016649099-Ubuntu-Linux-Login-Guide-U2F

In particular, I've protected the running of "sudo" and "sudo-i" calls, by requiring a touch to the YubiKey after typing the password. More precisely, I added this line to these files:

---
/etc/pam.d/sudo{,-i}
auth required pam_u2f.so
---

I just discovered the following very troubling fact: when calling, as a user, on the command line, a command that requires root privileges, I'm asked to enter my password (automatic sudo from systemd?/polkit?). This seems OK. But if I type my (correct) password, but then do not validate it by hitting return, then let the login/sudo timeout trigger, then *my actual password gets copy-pasted on the command line!!!!*

Example:

```
[✘] user@localmachine:~$ service ollama stop
==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units ====
Authentication is required to stop 'ollama.service'.
Authenticating as: USER,,, (user)
Password:
Failed to stop ollama.service: Connection timed out      ### <- Here I type my password, do not validate it with "Return", then let the timeout trigger
See system logs and 'systemctl status ollama.service' for details.
polkit-agent-helper-1: pam_authenticate failed: Authentication failure
[✘] user@localmachine:~$ MyPassw0rd!
```

I'm not sure what mechanism is at work here, but this is VERY bad!!!
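
Added example, not part of the bug report and not polkit's code: the symptom above matches what happens when a password prompt times out without discarding typed-but-unread terminal input, which is assumed here to be the cause (the report does not confirm it). The Python below reproduces that behaviour on a private pseudo-terminal and shows `tcflush(TCIFLUSH)` discarding the pending bytes; the function name, the shortened timeout and the sample input are constructed for the illustration.

```python
import os
import pty
import select
import termios
import tty

PROMPT_TIMEOUT = 0.3  # seconds; shortened stand-in for the prompt's timeout


def leftover_after_timeout(typed: bytes, flush: bool) -> bytes:
    """Return the bytes the next program on the terminal would receive."""
    master, slave = pty.openpty()  # private pty: master acts as the keyboard
    try:
        saved = termios.tcgetattr(slave)
        prompt = termios.tcgetattr(slave)
        prompt[3] = (prompt[3] | termios.ICANON) & ~termios.ECHO
        termios.tcsetattr(slave, termios.TCSANOW, prompt)  # password prompt mode

        os.write(master, typed)  # user types the secret but never hits Return

        # Canonical mode delivers whole lines only, so the prompt sees nothing
        # and gives up when the timeout expires.
        ready, _, _ = select.select([slave], [], [], PROMPT_TIMEOUT)
        if ready:
            raise RuntimeError("prompt unexpectedly received a full line")

        if flush:
            # Mitigation: discard typed-but-unread input before giving up.
            termios.tcflush(slave, termios.TCIFLUSH)
        termios.tcsetattr(slave, termios.TCSANOW, saved)

        # The next reader (for example a shell line editor) reads byte by byte.
        # TCSANOW keeps pending input, unlike TCSAFLUSH.
        tty.setraw(slave, termios.TCSANOW)
        ready, _, _ = select.select([slave], [], [], PROMPT_TIMEOUT)
        return os.read(slave, 1024) if ready else b""
    finally:
        os.close(master)
        os.close(slave)


if __name__ == "__main__":
    secret = b"constructed-sample-secret"  # constructed input, not a real password
    print("without flush:", leftover_after_timeout(secret, flush=False))
    print("with flush:   ", leftover_after_timeout(secret, flush=True))
```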