[Pkg-utopia-maintainers] Bug#869922: policykit-1: members of group sudo become root with pkexec while ignoring /etc/sudoers
mviereck
fizbaum at gmx.de
Thu Jul 27 15:53:03 UTC 2017
Package: policykit-1
Version: 0.105-18
Severity: grave
Tags: security
Justification: user security hole
Dear Maintainer,
If an unprivileged user is a member of group sudo, he can achieve unrestricted root privileges with pkexec
and his user password (instead of the root password). This happens regardless of whether package sudo is installed,
and regardless of existing or non-existing entries in /etc/sudoers.
Command sudo and group sudo were designed to allow single privileged commands for unprivileged users.
Instead, pkexec allows full root access for members of group sudo.
I expect:
- pkexec does not regard group sudo. (clean way, unlinking polkit from sudo)
or
- pkexec regards entries in /etc/sudoers. (dirty way, pkexec should not be mixed with sudo)
(Not regarding group sudo would also avoid prompting non-sudo-group users for the passwords of sudo-group users.)
Thanks!
Martin
-- System Information:
Debian Release: 9.1
APT prefers stable
APT policy: (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8), LANGUAGE=de_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages policykit-1 depends on:
ii dbus 1.10.18-1
ii libc6 2.24-11+deb9u1
ii libglib2.0-0 2.50.3-2
ii libpam-systemd 232-25+deb9u1
ii libpam0g 1.1.8-3.6
ii libpolkit-agent-1-0 0.105-18
ii libpolkit-backend-1-0 0.105-18
ii libpolkit-gobject-1-0 0.105-18
policykit-1 recommends no packages.
policykit-1 suggests no packages.
-- debconf-show failed
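A check a practitioner would want after reading this report is which polkit admin identities are actually in effect on a system. The script below is an added example, not part of the bug report or of the policykit-1 package; it assumes that the polkit 0.105 local authority reads `AdminIdentities=` from `/etc/polkit-1/localauthority.conf.d/*.conf` in lexical order with the last value winning, and that Debian's `51-debian-sudo.conf` is the file that adds `unix-group:sudo` (the file names used in the demo are constructed stand-ins).

```shell
#!/bin/sh
# Added example, not from the bug report or the policykit-1 package.
# Assumption: polkit 0.105 (local authority backend) reads
# [Configuration] AdminIdentities= from *.conf files in
# /etc/polkit-1/localauthority.conf.d/ in lexical order, last value wins.

# Print the AdminIdentities value in effect for the config directory $1.
effective_admin_identities() {
    dir="$1"
    result=""
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        # Last AdminIdentities= line in this file, key and whitespace stripped.
        v=$(sed -n 's/^[[:space:]]*AdminIdentities[[:space:]]*=[[:space:]]*//p' "$f" | tail -n 1)
        if [ -n "$v" ]; then
            result="$v"
        fi
    done
    printf '%s\n' "$result"
}

# Exit 0 when the effective list grants polkit admin rights to group sudo,
# which is the condition the report describes.
sudo_group_is_admin() {
    effective_admin_identities "$1" | tr ';' '\n' | grep -qx 'unix-group:sudo'
}

# Demonstration on constructed files in a temporary directory; on a real
# Debian 9 system point the functions at /etc/polkit-1/localauthority.conf.d.
demo() {
    tmp=$(mktemp -d)
    # Constructed stand-ins for the upstream default and the Debian override.
    printf '[Configuration]\nAdminIdentities=unix-user:0\n' > "$tmp/50-localauthority.conf"
    printf '[Configuration]\nAdminIdentities=unix-group:sudo\n' > "$tmp/51-debian-sudo.conf"
    printf 'before: %s\n' "$(effective_admin_identities "$tmp")"
    if sudo_group_is_admin "$tmp"; then
        echo "group sudo gets full polkit admin rights (the reported behaviour)"
    fi
    # A later file restores root-only admin authentication (hypothetical name).
    printf '[Configuration]\nAdminIdentities=unix-user:0\n' > "$tmp/60-local.conf"
    printf 'after:  %s\n' "$(effective_admin_identities "$tmp")"
    if ! sudo_group_is_admin "$tmp"; then
        echo "group sudo no longer counts as polkit admin"
    fi
    rm -rf "$tmp"
}

demo
```

Run it as-is to see the constructed case, or call `effective_admin_identities /etc/polkit-1/localauthority.conf.d` on a Debian 9 host to see what that system actually grants.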