Grinch Vulnerability Could Put a Hole In Your Linux Stocking

itwbennett writes In a blog post Tuesday, security service provider Alert Logic warned of a Linux vulnerability, named grinch after the well-known Dr. Seuss character, that could provide attackers with unfettered root access. The fundamental flaw resides in the Linux authorization system, which can inadvertently allow privilege escalation, granting a user full administrative access. Alert Logic warned that Grinch could be as severe as the Shellshock flaw that roiled the Internet in September. Update: 12/19 04:47 GMT by S : Reader deathcamaro points out that Red Hat and others say this is not a flaw at all, but expected behavior.

Grinch is not a flaw - has no CVE!!!

[darthcamaro]

The linked story is factually incorrect. Red Hat (and others) have publicly stated that this isn't a flaw at all but is in fact an expected and specified feature of PolicyKIt. I spoke with Red Hat on this, which is something that neither of the linked articles in this /. post did. It's not a flaw at all.
Also check out Red Hat Knowledgebase article on this too.

A report has been released detailing an issue that the reporter is naming "Grinch". This report incorrectly classifies expected behavior as a security issue.

Re:Grinch is not a flaw - has no CVE!!!

[jandrese]

About 3/4 of the way down the "article" they explained the vulnerability:

To control administrative access, Linux keeps a list of all the registered users on a machine, in a group typically known as “wheel,” who can be granted full root access (usually through the Unix sudo command).

A knowing attacker could get full root access by modifying the wheel group, either directly or by manipulating an adjoining program such as the Polkit graphical interface for setting user permissions, Alert Logic said.

This is patently stupid. Yes, if you give a badguy administrative access, bad things can happen--even if you use a fancy GUI to give the bad guy administrative access. The only thing that is even slightly newsworthy here is that maybe a novice admin won't understand the purpose of the wheel group and could be tricked into giving permissions, but there are a lot of ways you can trick a dumb admin, there's no need to single this one out.

Re:Grinch is not a flaw - has no CVE!!!

[sjames]

Yes, you do.

So to translate: News flash, designated admins can do admin things!

Re:Grinch is not a flaw - has no CVE!!!

[fisted]

Ohh, so the wheel group does have a purpose in GNU after all. Who knew?
Enjoy the following excerpt right from info su on a Debian box:

23.6.1 Why GNU `su' does not support the `wheel' group

(This section is by Richard Stallman.)

Sometimes a few of the users try to hold total power over all the
rest. For example, in 1984, a few users at the MIT AI lab decided to
seize power by changing the operator password on the Twenex system and
keeping it secret from everyone else. (I was able to thwart this coup
and give power back to the users by patching the kernel, but I wouldn't
know how to do that in Unix.)

However, occasionally the rulers do tell someone. Under the usual
`su' mechanism, once someone learns the root password who sympathizes
with the ordinary users, he or she can tell the rest. The "wheel
group" feature would make this impossible, and thus cement the power of
the rulers.

I'm on the side of the masses, not that of the rulers. If you are
used to supporting the bosses and sysadmins in whatever they do, you
might find this idea strange at first.

Makes me cringe harder every time I read it

Quite possibly the stupidest vulnerability ever

"Oh no, Linux includes a "wheel" user group by default that grants superuser privileges to users in it! And someone could possibly add themselves to that group and gain root access!"

A Much Better Article - Separate Fact from FUD

This article is a better one. Less fear-hype, more reason:

http://blog.threatstack.com/the-linux-grinch-vulnerability-separating-the-fact-from-the-fud

Over-hyped.

[alanw]

From the oss-sec mailing list:

http://www.openwall.com/lists/...
This is not a vulnerability, this is expected behaviour.

http://www.openwall.com/lists/...

This paragraph suggests so many things which are simply wrong, confused,
or irrelevant that i don't know what to make of the rest of the article.

  * modern debian GNU/Linux systems do not have a wheel group at all. No
particular versions or flavors of "Linux system"

  * on systems where members of group wheel really do have unrestricted
access to the su command, having wheel in the first place *is* the
vulnerability -- it is a misconfiguration to expect an account to be
non-privileged if it is a member of wheel.

  * the last sentence appears to be about setuid/setgid binaries, but
makes no mention that the overwhelming majority of binaries are not
setuid/setgid.

Later on, the post suggests that wheel group membership is related to
sudo privileges.

It also seems to assume that polkit always permits access for members of
group wheel. I can find no such configuration on a modern debian system.

I don't think there's anything significant in this ambiguous,
underspecified, and confused report.

http://www.openwall.com/lists/...

Yeah I looked into this (the article/etc was completely confusing and
took some time to parse):

1) the article states they contacted red hat, we were unable to find
any inbound email or bugzilla entry pertaining to this issue, as always
if you have an issue you wish to report please contact secalert@...hat.com

2) this is expected behaviour, admin users can install software (do I
have to say this? really? yes. I was told I should say this).

3) don't run web apps as admin users (do I have to say this? really?
yes. I was told I should say this).

4) if you feel the need to run a web app as an admin user restrict what
they can do via SELinux, and don't let them install software (do I have
to say this? really? yes. I was told I should say this).

So TL;DR: it's not a security vulnerability, and it will NOT be getting
a CVE.

I can only assume this article/vuln is perhaps referring to something
like Cpanel and other control panels that people sometimes install
insecurely/improperly and then never update. Or something. Who knows.

The "wheel" group is an admin group

[mr_mischief]

Truth: some Linux distros have a "wheel" group.
Truth: this group is used as a list of people with elevated permissions
Truth: one of the elevated permissions often assigned to this group is the ability to become root, especially with sudo
Falsehood: all users on a Linux system are members of the "wheel" group
Falsehood: one can add oneself to the "wheel" group without having permissions already elevated above regular user status

tl;dr: someone misunderstands groups and called it a vulnerability

Re:Wheel Group

[RightwingNutjob]

Leaving a blank root password during install on Debian disables login access to the root account from any terminal or the root console. There is still a root account, but it can only be accessed with sudo -s; su - by a user in the wheel group.

Re:Why 'wheel'?

[rubycodez]

just shortened form of slang "big wheel", a person with authority. It was term first used for user accounts with admin privileges in the TENEX operating system (later called TOPS-20).

Extra trivia, the name TENEX was chosen because it was intended to be superior alternative to TOPS-10, as in Ten Extended. OK, that's enough, god I'm old

Re:Wheel Group

[Gunstick]

centos:
# grep wheel /etc/group
wheel:x:10:root

redhat 5
# grep wheel /etc/group
wheel:x:10:root

redhat 6
# grep wheel /etc/group
wheel:x:10:root