Slashdot Mirror


Grinch Vulnerability Could Put a Hole In Your Linux Stocking

itwbennett writes: In a blog post Tuesday, security service provider Alert Logic warned of a Linux vulnerability, named Grinch after the well-known Dr. Seuss character, that could provide attackers with unfettered root access. The fundamental flaw resides in the Linux authorization system, which can inadvertently allow privilege escalation, granting a user full administrative access. Alert Logic warned that Grinch could be as severe as the Shellshock flaw that roiled the Internet in September. Update: 12/19 04:47 GMT by S : Reader deathcamaro points out that Red Hat and others say this is not a flaw at all, but expected behavior.

118 comments

  1. Grinch is not a flaw - has no CVE!!! by darthcamaro · · Score: 5, Informative
    The linked story is factually incorrect. Red Hat (and others) have publicly stated that this isn't a flaw at all but is in fact an expected and specified feature of PolicyKit. I spoke with Red Hat on this, which is something that neither of the linked articles in this /. post did. It's not a flaw at all.
    Also check out the Red Hat Knowledgebase article on this:

    A report has been released detailing an issue that the reporter is naming "Grinch". This report incorrectly classifies expected behavior as a security issue.

    1. Re:Grinch is not a flaw - has no CVE!!! by Rob+Y. · · Score: 3, Insightful

      Do you need root to add yourself to the 'wheel' group? If so, not a security hole. And the 'wheel' trick only works from the physical console - presumably intended for server machines kept under lock and key with other access security in place. Now if it's enabled by default on desktop systems, that'd be pretty nasty.

      I can't see anybody using this feature except possible admins of access-restricted servers. But even for them, how hard is it to use sudo? It sounds like a pretty dumb, unnecessary feature.

      --
      Posted from my Android phone. Oh, I can change this? There, that's better...
    2. Re:Grinch is not a flaw - has no CVE!!! by Anonymous Coward · · Score: 2, Funny

      As soon as I heard this, I changed my password to all control characters: ^H^U^H^U^W^U^W^U

    3. Re:Grinch is not a flaw - has no CVE!!! by jandrese · · Score: 5, Informative
      About 3/4 of the way down the "article" they explained the vulnerability:

      To control administrative access, Linux keeps a list of all the registered users on a machine, in a group typically known as “wheel,” who can be granted full root access (usually through the Unix sudo command).

      A knowing attacker could get full root access by modifying the wheel group, either directly or by manipulating an adjoining program such as the Polkit graphical interface for setting user permissions, Alert Logic said.

      This is patently stupid. Yes, if you give a badguy administrative access, bad things can happen--even if you use a fancy GUI to give the bad guy administrative access. The only thing that is even slightly newsworthy here is that maybe a novice admin won't understand the purpose of the wheel group and could be tricked into giving permissions, but there are a lot of ways you can trick a dumb admin, there's no need to single this one out.

      --

      I read the internet for the articles.
    4. Re:Grinch is not a flaw - has no CVE!!! by sjames · · Score: 4, Informative

      Yes, you do.

      So to translate: News flash, designated admins can do admin things!

    5. Re:Grinch is not a flaw - has no CVE!!! by phoenix_rizzen · · Score: 4, Interesting

      Which Linux systems include the wheel group? Haven't come across that on Linux systems in years (if ever). That's a BSD thing, where GID 0 is "wheel".

      On Linux, GID 0 is "root". Or, at least, every Linux system I've used in the past 10 years (none of which are RedHat, though; they do weird and not-so-wonderful things over there)

      One of the first things we do on our Linux systems is create the "wheel" group as a system group (UID under 100), and add our admin users to that group. No users go into GID 0. And sudo is configured to only allow group wheel access to things they need access to.

    6. Re:Grinch is not a flaw - has no CVE!!! by WarJolt · · Score: 1

      Relax dude. Now that the media is hyping vulnerabilities, this is just a way for the TV networks to make a movie about the vulnerability that stole Christmas from some poor sysadmins. They'll replay it every Christmas until the end of time. Our great great grandchildren will have to suffer through it.

    7. Re:Grinch is not a flaw - has no CVE!!! by Anonymous Coward · · Score: 0

      This sums it up but basically from the windows world.

      http://blogs.msdn.com/b/oldnewthing/archive/2014/12/17/10581257.aspx

      In other words you are already root. Anything else is style points.

    8. Re:Grinch is not a flaw - has no CVE!!! by pouar · · Score: 1

      One of those rare events where the bug really is a feature.

      --
      while :;do if windows sucks;then mv windows /dev/null;pacman -Sy linux;fi;done
    9. Re:Grinch is not a flaw - has no CVE!!! by Anonymous Coward · · Score: 0

      There's at least one factually incorrect statement in the eweek story: the Dr. Seuss book is called "How the Grinch Stole Christmas", and not "The Grinch Who Stole Christmas". ;)

    10. Re:Grinch is not a flaw - has no CVE!!! by fisted · · Score: 3, Informative
      Ohh, so the wheel group does have a purpose in GNU after all. Who knew?
      Enjoy the following excerpt right from info su on a Debian box:

      23.6.1 Why GNU `su' does not support the `wheel' group

      (This section is by Richard Stallman.)

      Sometimes a few of the users try to hold total power over all the
      rest. For example, in 1984, a few users at the MIT AI lab decided to
      seize power by changing the operator password on the Twenex system and
      keeping it secret from everyone else. (I was able to thwart this coup
      and give power back to the users by patching the kernel, but I wouldn't
      know how to do that in Unix.)

      However, occasionally the rulers do tell someone. Under the usual
      `su' mechanism, once someone learns the root password who sympathizes
      with the ordinary users, he or she can tell the rest. The "wheel
      group" feature would make this impossible, and thus cement the power of
      the rulers.

      I'm on the side of the masses, not that of the rulers. If you are
      used to supporting the bosses and sysadmins in whatever they do, you
      might find this idea strange at first.

      Makes me cringe harder every time I read it

    11. Re:Grinch is not a flaw - has no CVE!!! by kylemonger · · Score: 2

      Me too, but honestly, this level of fanaticism is why every attempt at DRM is broken, every device is jailbroken, etc. Some people are crazy and simply will not take no for an answer. God Bless Them.

    12. Re:Grinch is not a flaw - has no CVE!!! by Anonymous Coward · · Score: 0

      Not necessarily. You can gain "physical" access through remote KVM, vPro, and even serial consoles connected SSH/telnet appliances.

    13. Re:Grinch is not a flaw - has no CVE!!! by reanjr · · Score: 1

      I'm pretty sure Debian used to. I don't know if it still does. Ubuntu certainly does not.

    14. Re:Grinch is not a flaw - has no CVE!!! by Anonymous Coward · · Score: 0

      Well, there does seem to be a potential configuration issue. If you are in the wheel group, restricted via sudo to limited stuff, and have the ability to run polkit, it seems like your access via polkit gets you more access than intended. So there is a potential security misconfiguration here.

    15. Re:Grinch is not a flaw - has no CVE!!! by Anonymous Coward · · Score: 0

      RHEL and CentOS both have a wheel group. I always set it up so only users in the wheel group can sudo or su.

    16. Re:Grinch is not a flaw - has no CVE!!! by sjames · · Score: 1

      Sure, but the potential to mis-configure a subsystem that has big red asterisks around it anyway such that a trusted user might exceed authority is a far cry from a security vulnerability that might put a hole in my Christmas stocking. Other things to avoid include making /bin/bash suid root, chmod -R o+rwx /, etc etc.

    17. Re:Grinch is not a flaw - has no CVE!!! by rubycodez · · Score: 2

      Older than BSD, it's a TENEX thing, from 1969

    18. Re:Grinch is not a flaw - has no CVE!!! by gweihir · · Score: 2

      It is fascinating what semi-competent morons think they can do a grand announcement of things that they have completely misunderstood. Likely somebody like this will next decry sudo as "the next Shellshock vulnerability".

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    19. Re:Grinch is not a flaw - has no CVE!!! by gweihir · · Score: 1

      Of course you do. If non-root users could add themselves to groups, a lot more things would break.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    20. Re:Grinch is not a flaw - has no CVE!!! by flux · · Score: 2

      But who would put users into wheel group if not for real maintenance work? If you're going to have people in a limited group, create a new group for that purpose.

    21. Re: Grinch is not a flaw - has no CVE!!! by Anonymous Coward · · Score: 0

      So it's not a bug but a feature? Where did I hear this last time? Sorry, Linux Nutters, you have been outed as the snake oil peddlers you are. Your credibility is gone forever.

    22. Re:Grinch is not a flaw - has no CVE!!! by Gunstick · · Score: 1

      in other news: chmod +s bash does not work as bash has code which does not allow itself to be SUID.
      Seems too many people actually did that :-)

      --
      Atari rules... ermm... ruled.
    23. Re:Grinch is not a flaw - has no CVE!!! by Anonymous Coward · · Score: 1

      On linux, RMS purposefully broke "wheel" out of (IMO flawed) ideological butthurt. This he describes very well himself in "info su".

      There is no real reason to use a non-0 GID for wheel. It works nicely in either case, except on linux only after you tell various things to honour it because you are one of those fascist administrators who shuts out normal users from accessing root functions with more than a shared password.

    24. Re: Grinch is not a flaw - has no CVE!!! by Anonymous Coward · · Score: 1

      Cannot tell if being ironic or genuinely an idiot.
      Please clarify.

    25. Re:Grinch is not a flaw - has no CVE!!! by TheCarp · · Score: 1

      I think the ONLY interesting point they have is that there are environments where a lot of people have wheel for one reason or another, or where wheel may be even given out by default. In such an environment, then installing this PackageKit software allows anyone to install software.... as expected.

      This really is some of the dumbest clickbait disguised as a vulnerability that I have ever seen.

      Best solution...don't put every account in wheel, and um, don't install PackageKit...unless this is what you want....perfectly reasonable on some systems like desktops.

      --
      "I opened my eyes, and everything went dark again"
    26. Re:Grinch is not a flaw - has no CVE!!! by Anonymous Coward · · Score: 1

      But you can modify the source and compile your own bash that re-enables running SUID.
      Care to help find a name for that huge security risk? ;)

    27. Re:Grinch is not a flaw - has no CVE!!! by TheCarp · · Score: 2

      It still doesn't take too terribly much to get around minor issues like that. I actually did that as part of a class once where the instructor made all the groups set up guest accounts with a known password and encouraged us to hack each other's machines.

      One group had accidentally made /home owned by guest. Whoops. That was some fun figuring out how to exploit.
      I moved their home dirs (write permission on the parent dir), created new ones (ditto), then dropped a .profile (or whatever Korn shell uses, they made us all use it for the class) which would move their bashrc back into place, exec it, and create a setuid shell for me as their user in a .directory owned by guest ;)

      Hilariously, they only ever logged in as root so it never worked....that is, until the instructor got on there to prepare the class final project "everyone's system got hacked last night, you need to get back in and find out what they did".... well he found a bit of what I did and thought that the team whose server it was had found out about the upcoming project and gave them an extra hard problem that they were unable to solve lol!

      We all had a good laugh about it later lol.

      --
      "I opened my eyes, and everything went dark again"
    28. Re:Grinch is not a flaw - has no CVE!!! by rdnetto · · Score: 1

      Do you need root to add yourself to the 'wheel' group?

      Yes.
      Hint: on Debian-based distros, wheel is better known as sudoers.

      --
      Most human behaviour can be explained in terms of identity.
    29. Re:Grinch is not a flaw - has no CVE!!! by meta-monkey · · Score: 3, Funny

      OMG I discovered a critical security flaw in Linux, guise! If someone has your root password and is sitting at your desk, then with just a few simple keystrokes they can have total access to your system! They can read all your shit, delete your files, anything! Haxx0rs!! It's proven, Linux is unsafe and we should all go run windows instead.

      --
      We don't have a state-run media we have a media-run state.
    30. Re: Grinch is not a flaw - has no CVE!!! by kamathln · · Score: 1

      That's more an idiot-admin proofing issue than a security risk.

    31. Re:Grinch is not a flaw - has no CVE!!! by david_thornley · · Score: 2

      If I can modify, recompile, and install bash on a system, I pretty much own it, and wondering about which method(s) I'm going to use to exert control is pointless. If I'm not supposed to be able to do that, there's already been a major security breach.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    32. Re:Grinch is not a flaw - has no CVE!!! by kimvette · · Score: 1

      In a related story, going to the console and booting to single user mode will allow you to set the root password to anything you like. ZOMG!!!

      --
      The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
    33. Re:Grinch is not a flaw - has no CVE!!! by MoarSauce123 · · Score: 1

      It all comes down to what quality assurance would define as "bug": a bug is anything that negatively impacts the user experience. In this case I can clearly make the case that with the default configuration a negative user experience exists. I am quite irked that developers (or in this case Red Hat) just state "this is not a bug" when in fact it is from a user perspective. Even more, this behavior is controlled through a configuration setting and thus can be easily fixed by updating the default behavior, as it was in place in previous RH releases.

      The fact that there is no CVE means absolutely nothing! The argument that a vulnerability does not exist because nobody made an entry into a vulnerability tracking database is just flawed. There are plenty of vulnerabilities in existence that do not have a CVE. Are you suggesting that due to the missing tracking record they simply do not exist? I wish it were that easy; we could destroy all CVEs and have totally secure software.

      I come across this type of discussion frequently with developers. I state "this is a bug" and the response I get is "this is not a bug, because I designed it to do this". OK, so there is no incorrect code, but flawed design. That only changes the cause, but not the effect, and definitely not the fact that a fix is needed. What is even worse, the time it takes to debate this is typically more than is needed for fixing, testing, and deploying a patch that satisfies the users' needs.

  2. OK... but... ? by Anonymous Coward · · Score: 0

    How about some actual details about the vulnerability ?

    1. Re:OK... but... ? by Anonymous Coward · · Score: 1

      no details because there is no vulnerability other than user error. no different than running windows as an admin user.

    2. Re:OK... but... ? by Anonymous Coward · · Score: 0

      no details because there is no vulnerability other than user error. no different than running windows

      fixed that for you

  3. Quite possibly the stupidest vulnerability ever by Anonymous Coward · · Score: 2, Informative

    "Oh no, Linux includes a "wheel" user group by default that grants superuser privileges to users in it! And someone could possibly add themselves to that group and gain root access!"

    1. Re:Quite possibly the stupidest vulnerability ever by bill_mcgonigle · · Score: 2

      "Oh no, Linux includes a "wheel" user group by default that grants superuser privileges to users in it! And someone could possibly add themselves to that group and gain root access!"

      I think what they're trying to say is that Polkit has different AAA rules than sudo does, which you might not expect. So, gain mastery of Polkit and all the other new *Kits and systemd and whatnot if you expect to be able to run a secure server.

      Even if they are publicity whoring and trying to get the press excited about a "Christmas-themed" vulnerability (I was waiting for "Redhat added PolKit and you won't believe what happened next..."), there's a kernel of truth in there that's worth knowing about.

      And, yeah, I wouldn't expect a CVE to be issued.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    2. Re:Quite possibly the stupidest vulnerability ever by sxpert · · Score: 0

      which is yet another excellent reason to get rid of this crap that systemd and its ilk are

    3. Re:Quite possibly the stupidest vulnerability ever by Anonymous Coward · · Score: 1

      "Oh no, Linux includes a "wheel" user group by default that grants superuser privileges to users in it! And someone could possibly add themselves to that group and gain root access!"

      Actually, wheel doesn't grant superuser by default. Being in wheel + installation of a *non-stock* sudo = superuser. Being in wheel and knowing root's password = su superuser. Wheel group != admin, despite what some distros would have you believe.

      That wheel == administrators is a bad, poorly documented assumption on the part of the polkit+packagekit authors. The original group writing the original report about the issue were able to install software as root without a prompt and without knowing a password. This is significantly different from typing a sudo password, despite what polkit/packagekit people would have you believe. If you read the original post (they used this as part of an audit/pentest where they couldn't do anything else successfully), polkit+packagekit opened the door to the system.

      Polkit gave up root where sudo, su, and other "wheel" tools didn't. So is this a wheel problem, or a pol/packagekit problem? In a properly configured system, wheel grants nothing more than the *access* to the admin tools; authentication and authorization are supposed to come later. The idea that wheel group automatically == root is a relatively new and dangerous development.

    4. Re:Quite possibly the stupidest vulnerability ever by JesseMcDonald · · Score: 2

      Please; this had nothing to do with systemd. It's about PackageKit, which has been around for quite a bit longer. The problem is with the part of their PackageKit configuration which apparently allows administrators to install software without authenticating first. It's rather like putting the line

      %wheel ALL = (root) NOPASSWD: /usr/bin/yum

      in your sudoers file. PolicyKit can also be configured to require authentication for each action, it just wasn't set up that way on their system. There's nothing wrong with identifying the members of the "wheel" group as administrators, but the policies should be configured such that administrators need to authenticate prior to installing new software. (This seems to be the default on CentOS 6.4; I have no idea what they were running. "pkcon install" does not work by default here without authentication, even for a member of the "wheel" group.)

      --
      "The state is that great fiction by which everyone tries to live at the expense of everyone else." - Bastiat
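      The two points made above (polkit handing out root where sudo would not, and the comparison with a NOPASSWD sudoers line) can be checked mechanically rather than argued. The script below is an added example, not code from this thread, from Alert Logic, or from Red Hat. It assumes sudoers(5) syntax for the sudo side and the polkit Local Authority `.pkla` format (the INI-style files under /etc/polkit-1/localauthority/ used by polkit 0.9x, as shipped on RHEL/CentOS 6) for the polkit side; the action id `org.freedesktop.packagekit.package-install` is assumed to be the PackageKit action that matters. Both input files are constructed samples, not captures from a real host.

      ```sh
      #!/bin/sh
      # Added audit example (not from the original thread). Assumptions:
      #  - sudoers(5) syntax: "%group host = (runas) [NOPASSWD:] command"
      #  - polkit Local Authority .pkla syntax (polkit 0.9x, RHEL/CentOS 6):
      #      [section title]
      #      Identity=unix-group:NAME[;unix-user:NAME...]
      #      Action=ACTION.ID
      #      ResultActive=yes|no|auth_self|auth_admin|auth_self_keep|auth_admin_keep
      #  - the PackageKit action id below is assumed, not taken from the page.
      # Both samples are constructed for the demo.

      SAMPLE_SUDOERS='
      # constructed sample sudoers
      root    ALL=(ALL)       ALL
      %wheel  ALL=(ALL)       ALL
      %wheel  ALL = (root) NOPASSWD: /usr/bin/yum
      %ops    ALL=(ALL)       NOPASSWD: /usr/sbin/service httpd restart
      '

      SAMPLE_PKLA='[Allow wheel to install packages without prompting]
      Identity=unix-group:wheel
      Action=org.freedesktop.packagekit.package-install
      ResultActive=yes

      [Require admin auth for wheel to remove packages]
      Identity=unix-group:wheel
      Action=org.freedesktop.packagekit.package-remove
      ResultActive=auth_admin_keep
      '

      # sudo_nopasswd_cmds GROUP SUDOERS_TEXT
      # Prints, one per line, the commands members of GROUP may run through
      # sudo without entering a password (the "NOPASSWD:" entries only).
      sudo_nopasswd_cmds() {
          printf '%s\n' "$2" | awk -v grp="%$1" '
              /^[[:space:]]*#/ || NF == 0 { next }          # skip comments/blank lines
              $1 == grp && /NOPASSWD:/ {
                  sub(/.*NOPASSWD:[[:space:]]*/, "")         # keep only the command part
                  print
              }'
      }

      # polkit_unauthenticated_actions GROUP PKLA_TEXT
      # Prints the polkit action ids that GROUP is granted with ResultActive=yes,
      # i.e. with no authentication dialog at all from an active local session
      # (the console case discussed in the thread). ResultAny/ResultInactive are
      # deliberately ignored here; "yes" on the active session is the interesting one.
      polkit_unauthenticated_actions() {
          printf '%s\n' "$2" | awk -v ident="unix-group:$1" '
              /^\[/            { id = ""; act = ""; res = "" }   # new section resets state
              /^Identity=/     { id  = substr($0, 10) }
              /^Action=/       { act = substr($0, 8) }
              /^ResultActive=/ { res = substr($0, 14) }
              # Identity may be a ";"-separated list; match the whole token only.
              index(";" id ";", ";" ident ";") > 0 && act != "" && res == "yes" {
                  print act
                  act = ""                                      # print each section once
              }'
      }

      # Demo run on the constructed samples; no root needed.
      echo "sudo NOPASSWD commands for wheel:"
      sudo_nopasswd_cmds wheel "$SAMPLE_SUDOERS"
      echo "polkit actions wheel gets without any prompt:"
      polkit_unauthenticated_actions wheel "$SAMPLE_PKLA"
      ```

      On a real host the same two functions can be fed `cat /etc/sudoers /etc/sudoers.d/*` and the contents of the `.pkla` files under /etc/polkit-1/localauthority/. A non-empty polkit result for a group whose sudo result is empty (or limited to a few commands) is exactly the situation described above: polkit granting something sudo was configured not to. Newer polkit (0.106 and later) replaces `.pkla` files with JavaScript `.rules` files, which this script does not parse.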
    5. Re:Quite possibly the stupidest vulnerability ever by dissy · · Score: 1

      "Oh no, Linux includes a "wheel" user group by default that grants superuser privileges to users in it! And someone could possibly add themselves to that group and gain root access!"

      Or put another way:
      "Oh no, Windows includes an "Administrators" group by default that grants superuser privileges to users in it! And an existing administrator could possibly add themselves to that group and gain administrator access!"

      Agreed, stupidest vulnerability ever.

    6. Re:Quite possibly the stupidest vulnerability ever by Anonymous Coward · · Score: 0

      PackageKit, Pol(icy)?Kit, ConsoleKit, and Network Manager are all either precursors or fellow travellers with systemd. All those separate packages have had separate lives apart from systemd and can find use in non-systemd systems, but the development trajectory of all of them has been converging toward systemd. The article pointed out how the line of investigation into systemd, which had already implicated journald, a systemd component, now went on to examine problems in one of those fellow travellers, PackageKit.

      It's all too new, too fast, too untested, too much pride setting itself up for a fall.

      Captcha: frauds

    7. Re:Quite possibly the stupidest vulnerability ever by Gunstick · · Score: 1

      we need a tacky name for that windows vulnerability, else it's never going to make the news!

      --
      Atari rules... ermm... ruled.
    8. Re:Quite possibly the stupidest vulnerability ever by Anonymous Coward · · Score: 0

      I think what they're trying to say is that Polkit has different AAA rules than sudo does, which you might not expect. So, gain mastery of Polkit and all the other new *Kits and systemd and whatnot if you expect to be able to run a secure server.

      Which is not a vulnerability. That's just 'know how your system works'.

  4. Root password Vulnerability by Anonymous Coward · · Score: 0

    I have both a user password and a root password for my system.

    Its afflicted with the ominous.. horrid "User Pilot Error" Malware Softbody Virus

    It's completely vulnerable to Idiotic Users and Shrill Security Trolls

    In the immortal words of George Takei.. Oh My!!!

  5. This is dumb by barbariccow · · Score: 1

    Adding users to a group is done by a root user with full permission. In other news: administrative user that installs back door leads to back door being installed! Administrative user that changes password on system and puts that password in the MOTD effectively gives full permissions to everyone who can read that MOTD.

    And the whole calling it "Grinch" thing... like some stuck-up jackass: "I'll show you Linux, you're not secure! I'll ruin Christmas!" He's the true Grinch.

  6. Let me make sure I understand this . . . by mmell · · Score: 1

    Fixing the issue is as simple as managing PolKit authorization rules or properly managing group privileges for users.

    I get the impression this means that we're looking at a PEBKAC issue rather than a software bug. Sorry, I know of no OS which can be secured against PEBKAC exploits.

    Also, to exploit the PEBKAC error requires the Chair to be locally attached via the system console. Uh, hate to bust your bubble guys, but if somebody has console access (physical access) to a server they OWN that server for all practical purposes. I'm surprised they didn't note the "insert a CD and reboot" exploit for hacking a system - it's about as usable and extremely well documented.

    1. Re:Let me make sure I understand this . . . by gweihir · · Score: 1

      Indeed. This definitely is a Layer-8 problem.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    2. Re:Let me make sure I understand this . . . by Gunstick · · Score: 1

      or reboot, interact with grub, start a shell ...
      instructions are a google search away for "recover from lost root password"

      --
      Atari rules... ermm... ruled.
  7. You're a mean one by tyggna · · Score: 2

    For trying to steal some of the IT spotlight on Linux, but you'll never dampen our GNU spirit--largely because this vulnerability isn't really a big deal and most of us who use it are educated enough to know that.

  8. Original Author itching for a story by Anonymous Coward · · Score: 1

    The original author has written pieces for many publications, as he has a university degree in writing. He could have written stories about medicine, or law, or cooking. Instead Joab Jackson writes about computer stuff. He is always itching for a good story (one that gets a lot of eyeballs and makes his publisher smile and say "good job Jack!"). In this case, a sensational headline, and what looks like a menacing scoop. But is it the Shellshock bug? Is it the Heartbleed bug? No. It's normal behavior on a Red Hat system (doesn't affect any other flavor of Linux), and worse, it's expected, documented, normal behaviour on those systems.

    But there is no story in "expected behaviour", so we add just a dash of "Sensational Headline" and ignore relevant facts, and *Presto Chango* we have eyeballs and the publisher saying "good job Jack!" And it gets picked up by /. because their editorial department is some guy from Dice who doesn't fact check any of this 'pewter stuff anyway, and it's Thursday before Christmas and we need a few inches of publication space burning a hole in the pocket, and if we can get people worried about Linux just before the Christmas buying season, then they will run to the ever luvin' arms of mickeysoft instead of finally switching and saving by using Linux.

    Sure, it's a plant piece and unethical. But since it's the world of business, the ethics department was de-funded by accounting so we don't have to worry about that anymore.

    1. Re:Original Author itching for a story by dbIII · · Score: 1

      And it gets picked up by /. because their editorial department is some guy from Dice

      when there is ridiculous clueless hype like the itworld article it's worth having a slashdot article about it just so that people here can discuss how it is clueless hype giving a featured platform a bad name for no reason.

  9. Wrecking a car causes damage! Film @ 11 by userw014 · · Score: 3, Interesting

    The flaw we're seeing here is various "computer security journalists" (and journals) destroying their reputations.

    This is on the order of discovering that big heavy things that fall on your foot can cause pain.

    1. Re:Wrecking a car causes damage! Film @ 11 by Anonymous Coward · · Score: 0

      Big heavy things falling on your foot, only happens to stupid people who insist in living down a gravity well! :-)

    2. Re:Wrecking a car causes damage! Film @ 11 by rubycodez · · Score: 1

      Let me tell you about the time I was living outside the gravity well, not pretty there either, turns out when big heavy things collide with your foot inertia can be a bitch too

    3. Re:Wrecking a car causes damage! Film @ 11 by Anonymous Coward · · Score: 0

      Outside the gravity well, those big things aren't heavy because "heavy" is a word describing weight, which is the force of gravity applied to mass. The word "big" will suffice to give a vague indication of its mass without the gravity component. Since you mention inertia, perhaps you should call them "big fast things".

    4. Re:Wrecking a car causes damage! Film @ 11 by rubycodez · · Score: 1

      outside the gravity well, "heavy" can mean "being painful to decelerate" using part of the body such as the foot, due to possessing great inertia. Heavy really is all about lack of ease of acceleration

  10. As bad as ShellShock by buchner.johannes · · Score: 1

    So is ShellShock fixed now?
    I gathered the basic variant is, but then people developed other variants.

    --
    NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
  11. Uh Oh by jeffmeden · · Score: 1

    "Alert Logic warned that Grinch could be as severe as the Shellshock flaw that roiled the Internet in September"

    While a big deal, Shellshock was very limited in scope and the large scale exploit implications were stamped out very quickly through updates to vulnerable web front-ends (which was just about the only exploitable path, despite so many proclamations that the sky was falling and every internet-connected linux device will get rooted in a matter of days). If this is as severe as Shellshock, I will take notice but at the same time sigh that it's not going to be very bad at all.

    1. Re:Uh Oh by countach · · Score: 1

      Well pretty much all vulnerabilities can be solved by updating the web front end. But shellshock was pretty much as bad as it gets, because it was extremely widely deployed in web servers, and so simple to exploit that even your mother could do it. It doesn't get worse than that.

  12. Aaaaand... by Anonymous Coward · · Score: 0

    [quote]n a blog post Tuesday, security service [b]provider[/b][/quote]
    and that's where I stopped reading...

  13. Thank you Alert Logic by Anonymous Coward · · Score: 0

    I've never before heard of you, but now you've made the world aware of your incompetence. We can safely just ignore everything from them as non-news. If I see anything "new" from you, I'll know it's utter garbage. Thank you for making that an easy choice.

    1. Re:Thank you Alert Logic by fche · · Score: 0

      I'd really like to hear what Bennett Haselton has to say about that.

  14. Any user in the wheel group .. by lippydude · · Score: 1

    'we know that any user in the wheel group has “most” admin privileges'

    "Local administrators are trusted users .. This isn't something you hand out to everybody."

    So, you have to be an administrator in order to achieve administrator level ...

  15. A Much Better Article - Separate Fact from FUD by Anonymous Coward · · Score: 2, Informative

    This article is a better one. Less fear-hype, more reason:

    http://blog.threatstack.com/the-linux-grinch-vulnerability-separating-the-fact-from-the-fud

  16. Clickbait? by imp7 · · Score: 2

    This seems to be more clickbait then anything else. How did this get onto slashdot?

    1. Re:Clickbait? by Anonymous Coward · · Score: 0

      This seems to be more clickbait then anything else. How did this get onto slashdot?

      Good question, since there's another article calling this issue on its BS sitting in the Firehose right now (and dated 30 minutes before this one's publication timestamp)

  17. My linux stocking? by nimbius · · Score: 1

    just how many obscure daemons does SystemD have now a days?

    --
    Good people go to bed earlier.
    1. Re:My linux stocking? by rubycodez · · Score: 1

      if your linux stocking gets holey, SystemD will darn it

  18. Local users by jimjag · · Score: 1

    Seems to me that if you are a "local user", which is someone with access to the actual keyboard of the server, you likely have direct access to the actual server itself, which is even more a security risk.

  19. yes, it took about 48 hours by raymorris · · Score: 2

    Yes, in the first hours there were various workarounds and fixes suggested, and people came up with ways to get around those first workarounds. About 48 hours after the release, consensus congealed around using Red Hat's fix.

    There is a very limited set of cases where it could be a compatibility issue if you had custom scripts relying on the old behavior, but that was judged to be fairly insignificant.

  20. Change headline or remove article by markdavis · · Score: 1

    Can we vote the ARTICLE down so it will go away? Or change the headline/summary? Nothing like spreading yet more false security FUD. :(

  21. Why, yes you did. by mmell · · Score: 1

    I make it a point to ignore the ignorant. TTFN, Al.

    1. Re:Why, yes you did. by Anonymous Coward · · Score: 0

      Fi chikumz n' watermellin's all you need.

  22. Over-hyped. by alanw · · Score: 4, Informative

    From the oss-sec mailing list:

    http://www.openwall.com/lists/...
    This is not a vulnerability, this is expected behaviour.

    http://www.openwall.com/lists/...

    This paragraph suggests so many things which are simply wrong, confused, or irrelevant that I don't know what to make of the rest of the article.

      * modern debian GNU/Linux systems do not have a wheel group at all. No particular versions or flavors of "Linux system"

      * on systems where members of group wheel really do have unrestricted access to the su command, having wheel in the first place *is* the vulnerability -- it is a misconfiguration to expect an account to be non-privileged if it is a member of wheel.

      * the last sentence appears to be about setuid/setgid binaries, but makes no mention that the overwhelming majority of binaries are not setuid/setgid.

    Later on, the post suggests that wheel group membership is related to sudo privileges.

    It also seems to assume that polkit always permits access for members of group wheel. I can find no such configuration on a modern debian system.

    I don't think there's anything significant in this ambiguous, underspecified, and confused report.

    http://www.openwall.com/lists/...

    Yeah I looked into this (the article/etc was completely confusing and took some time to parse):

    1) the article states they contacted red hat, we were unable to find any inbound email or bugzilla entry pertaining to this issue, as always if you have an issue you wish to report please contact secalert@...hat.com

    2) this is expected behaviour, admin users can install software (do I have to say this? really? yes. I was told I should say this).

    3) don't run web apps as admin users (do I have to say this? really? yes. I was told I should say this).

    4) if you feel the need to run a web app as an admin user restrict what they can do via SELinux, and don't let them install software (do I have to say this? really? yes. I was told I should say this).

    So TL;DR: it's not a security vulnerability, and it will NOT be getting a CVE.

    I can only assume this article/vuln is perhaps referring to something like Cpanel and other control panels that people sometimes install insecurely/improperly and then never update. Or something. Who knows.

  23. fud by Anonymous Coward · · Score: 0

    FUD article, it's not an exploit, well yes "admin user can mess up your computer especially if you configured repositories to allow installation of trojanned software from bad repository" well DUUUUUH.

  24. So if you have root access, by therealkevinkretz · · Score: 1

    ... you can get root access.

  25. The "wheel" group is an admin group by mr_mischief · · Score: 4, Informative

    Truth: some Linux distros have a "wheel" group.
    Truth: this group is used as a list of people with elevated permissions
    Truth: one of the elevated permissions often assigned to this group is the ability to become root, especially with sudo
    Falsehood: all users on a Linux system are members of the "wheel" group
    Falsehood: one can add oneself to the "wheel" group without having permissions already elevated above regular user status

    tl;dr: someone misunderstands groups and called it a vulnerability

    1. Re:The "wheel" group is an admin group by Anonymous Coward · · Score: 0

      I just heard about another MAJOR linux vulnerability. It's called the idiot virus.
      Copy and paste the following code to see if you're infected:

      $ echo 'rpub "Lbh ernyyl *NER* na vqvbg, $HFRE (HVQ=$HVQ, RHVQ=$RHVQ)."' | tr 'A-Za-z' 'N-ZA-Mn-za-m' | sudo bash

    2. Re:The "wheel" group is an admin group by Anonymous Coward · · Score: 0

      To be fair, this could result in a misconfiguration if the user has sudo access restricted to certain minimal tasks, is a member of wheel, and has the ability to run polkit. I mean, it may not be the most critical issue, but it does look like something that could subvert intended behavior (as intended by the admin).

  26. Jesus Slashdot by Verdatum · · Score: 2

    Do you guys do zero review or investigation before throwing up fear-mongering bullshit? If you haven't read TFA yet, don't even bother.

    1. Re:Jesus Slashdot by Anonymous Coward · · Score: 0

      Do you guys do zero review or investigation before throwing up fear-mongering bullshit? If you haven't read TFA yet, don't even bother.

      Like /. "editors" have time to RTFA before posting. We're lucky if they read the frickin' summaries.

  27. Wheel Group by Tenebrousedge · · Score: 1

    Debian derived distros disable the password on the root account by default, and only use the wheel group. RedHat distros set a root password during install, but also require the creation of a non-root user; this user is added to the wheel group. What Linux systems have you been using that are not RedHat or Debian derived?

    --
    Those who advocate genocide deserve every protection afforded by law, and none afforded by common human decency.
    1. Re:Wheel Group by phoenix_rizzen · · Score: 1

      What are you smoking?

      Debian installer specifically asks for a root password, won't let you install the system without a non-root user, and there's no wheel group in /etc/group. There is a sudo group that the first user created during the install is added to.

      What Debian system are you using?

    2. Re:Wheel Group by Trepidity · · Score: 1

      Debian does not use a "wheel" group. Some Debian-derived distros might, but Debian itself doesn't. I recently installed a Debian server, and it is not how you describe: a root password was set during install, and there is no wheel group. This was from the official Debian 7 "wheezy" installer.

    3. Re:Wheel Group by Tenebrousedge · · Score: 2

      Apologies. It's been a while since I installed debian, and I was misled by my google searches. Ubuntu-derived distros do this, and it seems Gnome/gdm does not allow root login by default. You are correct.

      So, it seems I'm smoking bad google searches.

      --
      Those who advocate genocide deserve every protection afforded by law, and none afforded by common human decency.
    4. Re:Wheel Group by RightwingNutjob · · Score: 3, Informative

      Leaving a blank root password during install on Debian disables login access to the root account from any terminal or the root console. There is still a root account, but it can only be accessed with sudo -s; su - by a user in the wheel group.

    5. Re:Wheel Group by speederaser · · Score: 1

      RedHat distros set a root password during install, but also require the creation of a non-root user; this user is added to the wheel group.

      I don't know if you meant to include Fedora but on all my Fedora installs the only member of the wheel group has been root. I believe the same is true of Centos but I don't have it installed anywhere right now to check.

    6. Re:Wheel Group by Gunstick · · Score: 3, Informative

      centos:
      # grep wheel /etc/group
      wheel:x:10:root

      redhat 5
      # grep wheel /etc/group
      wheel:x:10:root

      redhat 6
      # grep wheel /etc/group
      wheel:x:10:root

      --
      Atari rules... ermm... ruled.
    7. Re:Wheel Group by Tenebrousedge · · Score: 1

      I very much appreciate the information and the correction, and I am sure that others do as well.

      Don't mind me, I'm just gonna be curling into a ball and hoping that it's all over soon.

      --
      Those who advocate genocide deserve every protection afforded by law, and none afforded by common human decency.
    8. Re: Wheel Group by Anonymous Coward · · Score: 0

      Ubuntu uses "admin," and has for years.

    9. Re:Wheel Group by Anonymous Coward · · Score: 1

      are you trying to break the internet? you don't apologize when you are wrong!
      you start attacking the person.

    10. Re:Wheel Group by Anonymous Coward · · Score: 0

      ITYM Ubuntu, but I find it noteworthy that it only disables the root password.
      Put your public SSH key in /root/.ssh/authorized_keys, and SSHing in as root with your private key as auth works just fine.

    11. Re:Wheel Group by aestrivex · · Score: 2

      Debian does not do this by default, but recent versions of debian installer do allow not setting a root password as an option.

    12. Re:Wheel Group by Anonymous Coward · · Score: 0

      Ubuntu-derived distros do this

      Not on any of my Xubuntu 14.04 systems. None of the users is a member of the wheel group, not even the sudoers. In fact, there is no wheel group at all. TFA is utter garbage.
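    As an added example (not from any of the posters above) of the point made in comment 25 and in this wheel-group thread, here is a small defender-side check that reads a file in /etc/group format and reports which privileged group a system actually uses (wheel, sudo or admin) and who is in it. The sample group file is constructed, not taken from a real system.

```shell
#!/bin/sh
# Added example: audit membership of the groups that distros use to grant
# elevated rights (wheel on Red Hat-style systems, sudo on Debian, admin on
# older Ubuntu). Reads any file laid out like /etc/group.

# privileged_groups FILE
# Prints "group gid members" for each privileged group present in FILE;
# members is "-" when the group has no members (e.g. "wheel:x:10:").
privileged_groups() {
    awk -F: '
        $1 == "wheel" || $1 == "sudo" || $1 == "admin" {
            members = ($4 == "") ? "-" : $4
            print $1, $3, members
        }
    ' "$1"
}

# is_privileged USER FILE
# Exit status 0 if USER is listed in any privileged group, 1 otherwise.
is_privileged() {
    privileged_groups "$2" | awk -v u="$1" '
        {
            n = split($3, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) found = 1
        }
        END { exit (found ? 0 : 1) }
    '
}

# Constructed sample in /etc/group format (not a real system's file):
# a Red Hat-style wheel group with only root, and a Debian-style sudo group.
SAMPLE_GROUP=$(mktemp)
cat > "$SAMPLE_GROUP" <<'EOF'
root:x:0:
wheel:x:10:root
sudo:x:27:alice
users:x:100:alice,bob
EOF

privileged_groups "$SAMPLE_GROUP"
is_privileged alice "$SAMPLE_GROUP" && echo "alice is in a privileged group"
is_privileged bob "$SAMPLE_GROUP" || echo "bob is not in a privileged group"
rm -f "$SAMPLE_GROUP"
```

    Run it against the real /etc/group to see, as Gunstick's grep above does, whether anyone besides root is in wheel.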

  28. I read the report and was perplexed by dominux · · Score: 1

    Being an Ubuntu user I don't have a wheel group, but this seems to be related to the fact that local users don't need root to install packages from the repositories. If there is a bad package in a trusted repository, then an untrusted local user could install it and the bad package could give that user root access. This is expected behaviour. I don't think you can install local packages through this rule (if you can then there is a vulnerability: create your own deb package with an install script that gives you root, then install it), but the point of trusted repositories is that you trust them, so you can install updates and new packages without admin access. The report seemed more concerned about talking about wheels and grinches than actually explaining the vulnerability.

    1. Re:I read the report and was perplexed by mSparks43 · · Score: 1

      cowsay is a program which generates ASCII pictures of a cow with a message.

      I think someone sent him a prank saying that if you can install cowsay

      cowsay got root?

      will tell you whether you have root access or not.
      When in fact it just prints an ascii picture of a cow.

    2. Re:I read the report and was perplexed by Anonymous Coward · · Score: 0

      I figured it has something to do with systemd but alas it is only a non-event story. SystemD is going to destroy GNU/Linux with its Microsoft Windows EventViewer-esque binary logging system. I tried BSD but compiling packages from source is not of interest as part of normal day-to-day maintenance. Debian GNU/Linux used to be the platinum standard, now it is the whore of the community.

    3. Re:I read the report and was perplexed by Anonymous Coward · · Score: 0

      I tried BSD but compiling packages from source is not of interest as part of normal day-to-day maintenance.

      You can get precompiled packages for BSDs if you want. It isn't yet the most common way to upgrade I think, but if people believe it doesn't exist it might as well not be there.

  29. Not Ubuntu by Anonymous Coward · · Score: 0

    Ubuntu does not have the wheel group: the initial user is added to the "sudo" group to give them access to sudo, but yea, most linux groups have used the wheel group ( though not at gid=0 ) since the '90s.

  30. Re:Polkit is for desktops, not servers by Anonymous Coward · · Score: 0

    *Kits are intended for use on desktops, and not typically installed on servers, at least not in Ubuntu. Maybe redhat is silly here, I don't know. systemd is a non sequitur here.

  31. Thanks Polkit by Gothmolly · · Score: 0

    And all the other *Kits - for making things fancy and GUI and creating a generation of Linux admins who don't actually know how things work.

    --
    I want to delete my account but Slashdot doesn't allow it.
  32. Frightening by Lawrence_Bird · · Score: 1

    to think that I remember when Wheel actually meant something! TOPS-20 forever! What a great OS, even if it had a lot of security holes.

  33. Why 'wheel'? by Anonymous Coward · · Score: 0

    Anybody know why this group is called 'wheel' and not 'sudoers' or 'admins' or something along those lines? I mean if you have a novice home user and a random program asks for permission to be added to the 'wheel' group... "Wheel? What's that? Yeah, sure, whatever." 'Admins' at least might be cause for pause...

    1. Re:Why 'wheel'? by rubycodez · · Score: 3, Informative

      Just a shortened form of the slang "big wheel", a person with authority. It was the term first used for user accounts with admin privileges in the TENEX operating system (later called TOPS-20).

      Extra trivia: the name TENEX was chosen because it was intended to be a superior alternative to TOPS-10, as in Ten Extended. OK, that's enough, god I'm old.

  34. Redmond Propaganda Operations by Anonymous Coward · · Score: 0

    We hear all the time about Bullshit "security holes" like this. Complete with newly minted codenames ("grinch" in this case).

    They also like to inflate benign things massively. Like the recent BASH exploit, which affected only strange folks who use bash scripting for internet-based services. M$ spun it as "everybody who has bash installed is affected", which is big fat BS, as probably 0.01% of Linux computers expose bash to strangers via an internet service.

    Everybody else uses bash after having authenticated via ssh, so the "exploit" is not applicable. You cannot hack yourself, can you?

    Beware of the nastiness of the Sleazy Businessman!

  35. hahahahaha by Anonymous Coward · · Score: 0

    Just switch to xBSD and take the remaining part of Linux with you. Or L4 from Uni Dresden.

    Or, just use one of the forks which does not do Systemd. Actually YOU COULD DO THE FORK YOURSELF.

    Everybody who can think rationally needs to consider that Linus Torvalds one day turns into an NSA asset, if he hasn't done that a long time ago.

    So, what gives? Expect the worst and have contingency plans for that.

    I know the Russkies have a bad rep in Pax Americana these days, BUT - maybe we need their ELBRUS CPU like Snowden needed their asylum one day.

    You know, when Jeb Bush has declared the War For The War Industry 5.0 and we find out they have pwned all x86 and ARM CPUs "so that we can pursue the WAR efficiently and put everybody under surveillance".

  36. No news is good news.. by Anonymous Coward · · Score: 0

    No news is good news.. there is news all over the place.

  37. Re: Quite possibly the stupidest vulnerability eve by cloudmaster · · Score: 1

    Krampus, obviously.

  38. Answer a question, mmell by Anonymous Coward · · Score: 0

    What's it like getting your ass kicked by apk + downmodding to hide it 20x http://tech.slashdot.org/comme... ?

  40. Oh so scary! by Anonymous Coward · · Score: 0

    So their big scary bug is that, if you can somehow manage to insert yourself into the superuser group, you can gain superuser access to the machine? No shit Sherlocks.

  41. Bootloader password by buchanmilne · · Score: 1

    If you are concerned about security, you will have a boot loader password configured, no changing the kernel command line. Of course, you would also have ensured no removable media are bootable, and have set a bios password, and have kept the server physically secured (no removing the BIOS battery, removing any disks etc.).

  42. Very fuddy! by Anonymous Coward · · Score: 0

    This is a very real vulnerability that exploits a human's irrational fear of things they don't understand.

    And they say Microsoft's stock grew 3 sizes that day.