The permissions themselves do not indicate vulnerability; changing the permissions is a workaround for those that cannot update to v0.120 of Polkit.

Security updates were released by major distros on 25th January (last Tuesday) - as an Arch user you just need to update as normal to receive the patched version of Polkit, and not worry about permissions.

The workaround is more for people who either cannot update (for whatever reason), or who might be using distros with unique repos but without security teams/advisories (which therefor might take longer to receive the patch).

1 members found this post helpful.

thanks man

I run updates daily (just once daily) and by the time I read about the issue with polkit I was already running the fixed version. (I run Manjaro.)
ARCH updated before Manjaro, so pure ARCH based distributions should have been safe first IF UPDATED.

From what I can tell all pure DEBIAN based distributions (say Sparky and VSIDO) should also have been patched before the word even got out widely about the vulnerability.

If your arch system is up-to-date then pkexec is at v 0.120 and you can undo the workaround.

edit: what wpeckham said.

Is a one liner to test if you're still vulnerable. It downloads c code that exploits the policykit bug, compiles it and runs it.

When vulnerable, running it gives you root shell prompt; asking it whoami you get root as response as shown in screenshot.
When not vulnerable, running it does not give you shell prompt at all.

Attached Thumbnails

 

Blindly downloading, compiling and executing code from a random server is not a good idea.

i thought that too :O