Grinch Vulnerability Could Put a Hole In Your Linux Stocking
itwbennett writes: In a blog post Tuesday, security service provider Alert Logic warned of a Linux vulnerability, named Grinch after the well-known Dr. Seuss character, that could provide attackers with unfettered root access. The fundamental flaw resides in the Linux authorization system, which can inadvertently allow privilege escalation, granting a user full administrative access. Alert Logic warned that Grinch could be as severe as the Shellshock flaw that roiled the Internet in September.
Update: 12/19 04:47 GMT by S: Reader deathcamaro points out that Red Hat and others say this is not a flaw at all, but expected behavior.
Do you need root to add yourself to the 'wheel' group? If so, not a security hole. And the 'wheel' trick only works from the physical console - presumably intended for server machines kept under lock and key with other access security in place. Now if it's enabled by default on desktop systems, that'd be pretty nasty.
I can't see anybody using this feature except possibly admins of access-restricted servers. But even for them, how hard is it to use sudo? It sounds like a pretty dumb, unnecessary feature.
Posted from my Android phone. Oh, I can change this? There, that's better...