oss-sec mailing list archives
Re: What is the "Grinch" polkit/wheel group issue?
From: Daniel Kahn Gillmor <dkg () fifthhorseman net>
Date: Wed, 17 Dec 2014 12:27:30 -0500
On 12/17/2014 12:00 PM, Marcus Meissner wrote:
> This probably needs a CVE too, or does it have one?
>
> https://www.alertlogic.com/blog/dont-let-grinch-steal-christmas/
> http://www.pcworld.com/article/2860032/this-linux-grinch-could-put-a-hole-in-your-security-stocking.html
>
> Although it seems that the user is in the "wheel" group for this to be exploitable and is hard to specify what actions should be safed by another query or which should not.

from your first link:

> Wheel is a special user group that controls access to the su command, which allows a user to masquerade as another user. When a Linux system is built, the default user is assigned to the wheel group that allows for administrative task execution within the system. For example, if the file is owned by user XYZ and group wheel, it will run as XYZ:wheel, no matter who executes the file.

This paragraph suggests so many things which are simply wrong, confused, or irrelevant that i don't know what to make of the rest of the article.

 * modern debian GNU/Linux systems do not have a wheel group at all. No particular versions or flavors of "Linux system"

 * on systems where members of group wheel really do have unrestricted access to the su command, having wheel in the first place *is* the vulnerability -- it is a misconfiguration to expect an account to be non-privileged if it is a member of wheel.

 * the last sentence appears to be about setuid/setgid binaries, but makes no mention that the overwhelming majority of binaries are not setuid/setgid.

Later on, the post suggests that wheel group membership is related to sudo privileges. It also seems to assume that polkit always permits access for members of group wheel. I can find no such configuration on a modern debian system.

I don't think there's anything significant in this ambiguous, underspecified, and confused report.

--dkg