Slashdot Mirror


Grinch Vulnerability Could Put a Hole In Your Linux Stocking

itwbennett writes In a blog post Tuesday, security service provider Alert Logic warned of a Linux vulnerability, named Grinch after the well-known Dr. Seuss character, that could provide attackers with unfettered root access. The fundamental flaw resides in the Linux authorization system, which can inadvertently allow privilege escalation, granting a user full administrative access. Alert Logic warned that Grinch could be as severe as the Shellshock flaw that roiled the Internet in September. Update: 12/19 04:47 GMT by S: Reader darthcamaro points out that Red Hat and others say this is not a flaw at all, but expected behavior.

30 of 118 comments

  1. Grinch is not a flaw - has no CVE!!! by darthcamaro · · Score: 5, Informative
    The linked story is factually incorrect. Red Hat (and others) have publicly stated that this isn't a flaw at all but is in fact an expected and specified feature of PolicyKit. I spoke with Red Hat on this, which is something that neither of the linked articles in this /. post did. It's not a flaw at all.
    Also check out Red Hat Knowledgebase article on this too.

    A report has been released detailing an issue that the reporter is naming "Grinch". This report incorrectly classifies expected behavior as a security issue.

    1. Re:Grinch is not a flaw - has no CVE!!! by Rob+Y. · · Score: 3, Insightful

      Do you need root to add yourself to the 'wheel' group? If so, not a security hole. And the 'wheel' trick only works from the physical console - presumably intended for server machines kept under lock and key with other access security in place. Now if it's enabled by default on desktop systems, that'd be pretty nasty.

      I can't see anybody using this feature except possible admins of access-restricted servers. But even for them, how hard is it to use sudo? It sounds like a pretty dumb, unnecessary feature.

      --
      Posted from my Android phone. Oh, I can change this? There, that's better...
    2. Re:Grinch is not a flaw - has no CVE!!! by Anonymous Coward · · Score: 2, Funny

      As soon as I heard this, I changed my password to all control characters: ^H^U^H^U^W^U^W^U

    3. Re:Grinch is not a flaw - has no CVE!!! by jandrese · · Score: 5, Informative
      About 3/4 of the way down the "article" they explained the vulnerability:

      To control administrative access, Linux keeps a list of all the registered users on a machine, in a group typically known as “wheel,” who can be granted full root access (usually through the Unix sudo command).

      A knowing attacker could get full root access by modifying the wheel group, either directly or by manipulating an adjoining program such as the Polkit graphical interface for setting user permissions, Alert Logic said.

      This is patently stupid. Yes, if you give a bad guy administrative access, bad things can happen--even if you use a fancy GUI to give the bad guy administrative access. The only thing that is even slightly newsworthy here is that maybe a novice admin won't understand the purpose of the wheel group and could be tricked into giving permissions, but there are a lot of ways you can trick a dumb admin; there's no need to single this one out.

      --

      I read the internet for the articles.
    4. Re:Grinch is not a flaw - has no CVE!!! by sjames · · Score: 4, Informative

      Yes, you do.

      So to translate: News flash, designated admins can do admin things!

    5. Re:Grinch is not a flaw - has no CVE!!! by phoenix_rizzen · · Score: 4, Interesting

      Which Linux systems include the wheel group? Haven't come across that on Linux systems in years (if ever). That's a BSD thing, where GID 0 is "wheel".

      On Linux, GID 0 is "root". Or, at least, every Linux system I've used in the past 10 years (none of which are RedHat, though; they do weird and not-so-wonderful things over there)

      One of the first things we do on our Linux systems is create the "wheel" group as a system group (UID under 100), and add our admin users to that group. No users go into GID 0. And sudo is configured to only allow group wheel access to things they need access to.

    6. Re:Grinch is not a flaw - has no CVE!!! by fisted · · Score: 3, Informative
      Ohh, so the wheel group does have a purpose in GNU after all. Who knew?
      Enjoy the following excerpt right from info su on a Debian box:

      23.6.1 Why GNU `su' does not support the `wheel' group

      (This section is by Richard Stallman.)

      Sometimes a few of the users try to hold total power over all the
      rest. For example, in 1984, a few users at the MIT AI lab decided to
      seize power by changing the operator password on the Twenex system and
      keeping it secret from everyone else. (I was able to thwart this coup
      and give power back to the users by patching the kernel, but I wouldn't
      know how to do that in Unix.)

      However, occasionally the rulers do tell someone. Under the usual
      `su' mechanism, once someone learns the root password who sympathizes
      with the ordinary users, he or she can tell the rest. The "wheel
      group" feature would make this impossible, and thus cement the power of
      the rulers.

      I'm on the side of the masses, not that of the rulers. If you are
      used to supporting the bosses and sysadmins in whatever they do, you
      might find this idea strange at first.

      Makes me cringe harder every time I read it

    7. Re:Grinch is not a flaw - has no CVE!!! by kylemonger · · Score: 2

      Me too, but honestly, this level of fanaticism is why every attempt at DRM is broken, every device is jailbroken, etc. Some people are crazy and simply will not take no for an answer. God Bless Them.

    8. Re:Grinch is not a flaw - has no CVE!!! by rubycodez · · Score: 2

      Older than BSD, it's a TENEX thing, from 1969

    9. Re:Grinch is not a flaw - has no CVE!!! by gweihir · · Score: 2

      It is fascinating that semi-competent morons think they can make a grand announcement of things that they have completely misunderstood. Likely somebody like this will next decry sudo as "the next Shellshock vulnerability".

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    10. Re:Grinch is not a flaw - has no CVE!!! by flux · · Score: 2

      But who would put users into wheel group if not for real maintenance work? If you're going to have people in a limited group, create a new group for that purpose.

    11. Re:Grinch is not a flaw - has no CVE!!! by TheCarp · · Score: 2

      It still doesn't take too terribly much to get around minor issues like that. I actually did that as part of a class once where the instructor made all the groups set up guest accounts with a known password and encouraged us to hack each other's machines.

      One group had accidentally made /home owned by guest. Whoops. That was some fun, figuring out how to exploit.
      I moved their home dirs (write permission on the parent dir), created new ones (ditto), then dropped a .profile (or whatever korn shell uses, they made us all use it for the class) which would move their bashrc back into place, exec it, and create a setuid shell for me as their user in a .directory owned by guest ;)

      Hilariously, they only ever logged in as root so it never worked....that is, until the instructor got on there to prepare the class final project "everyone's system got hacked last night, you need to get back in and find out what they did".... well he found a bit of what I did and thought that the team whose server it was had found out about the upcoming project and gave them an extra hard problem that they were unable to solve lol!

      We all had a good laugh about it later lol.

      --
      "I opened my eyes, and everything went dark again"
    12. Re:Grinch is not a flaw - has no CVE!!! by meta-monkey · · Score: 3, Funny

      OMG I discovered a critical security flaw in Linux, guise! If someone has your root password and is sitting at your desk, then with just a few simple keystrokes they can have total access to your system! They can read all your shit, delete your files, anything! Haxx0rs!! It's proven, Linux is unsafe and we should all go run windows instead.

      --
      We don't have a state-run media we have a media-run state.
    13. Re:Grinch is not a flaw - has no CVE!!! by david_thornley · · Score: 2

      If I can modify, recompile, and install bash on a system, I pretty much own it, and wondering about which method(s) I'm going to use to exert control is pointless. If I'm not supposed to be able to do that, there's already been a major security breach.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  2. Quite possibly the stupidest vulnerability ever by Anonymous Coward · · Score: 2, Informative

    "Oh no, Linux includes a "wheel" user group by default that grants superuser privileges to users in it! And someone could possibly add themselves to that group and gain root access!"

    1. Re:Quite possibly the stupidest vulnerability ever by bill_mcgonigle · · Score: 2

      "Oh no, Linux includes a "wheel" user group by default that grants superuser privileges to users in it! And someone could possibly add themselves to that group and gain root access!"

      I think what they're trying to say is that Polkit has different AAA rules than sudo does, which you might not expect. So, gain mastery of Polkit and all the other new *Kits and systemd and whatnot if you expect to be able to run a secure server.

      Even if they are publicity whoring and trying to get the press excited about a "Christmas-themed" vulnerability (I was waiting for "Redhat added PolKit and you won't believe what happened next..."), there's a kernel of truth in there that's worth knowing about.

      And, yeah, I wouldn't expect a CVE to be issued.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    2. Re:Quite possibly the stupidest vulnerability ever by JesseMcDonald · · Score: 2

      Please; this had nothing to do with systemd. It's about PackageKit, which has been around for quite a bit longer. The problem is with the part of their PackageKit configuration which apparently allows administrators to install software without authenticating first. It's rather like putting the line

      %wheel ALL = (root) NOPASSWD: /usr/bin/yum

      in your sudoers file. PolicyKit can also be configured to require authentication for each action, it just wasn't set up that way on their system. There's nothing wrong with identifying the members of the "wheel" group as administrators, but the policies should be configured such that administrators need to authenticate prior to installing new software. (This seems to be the default on CentOS 6.4; I have no idea what they were running. "pkcon install" does not work by default here without authentication, even for a member of the "wheel" group.)

      --
      "The state is that great fiction by which everyone tries to live at the expense of everyone else." - Bastiat
  3. You're a mean one by tyggna · · Score: 2

    For trying to steal some of the IT spotlight on Linux, but you'll never dampen our GNU spirit--largely because this vulnerability isn't really a big deal and most of us who use it are educated enough to know that.

  4. Wrecking a car causes damage! Film @ 11 by userw014 · · Score: 3, Interesting

    The flaw we're seeing here is various "computer security journalists" (and journals) destroying their reputations.

    This is on the order of discovering that big heavy things that fall on your foot can cause pain.

  5. A Much Better Article - Separate Fact from FUD by Anonymous Coward · · Score: 2, Informative

    This article is a better one. Less fear-hype, more reason:

    http://blog.threatstack.com/the-linux-grinch-vulnerability-separating-the-fact-from-the-fud

  6. Clickbait? by imp7 · · Score: 2

    This seems to be more clickbait than anything else. How did this get onto slashdot?

  7. yes, it took about 48 hours by raymorris · · Score: 2

    Yes, in the first hours there were various workarounds and fixes suggested, and people came up with ways to get around those first workarounds. About 48 hours after the release, consensus congealed around using Red Hat's fix.

    There is a very limited set of cases where it could be a compatibility issue if you had custom scripts relying on the old behavior, but that was judged to be fairly insignificant.

  8. Over-hyped. by alanw · · Score: 4, Informative

    From the oss-sec mailing list:

    http://www.openwall.com/lists/...
    This is not a vulnerability, this is expected behaviour.

    http://www.openwall.com/lists/...

    This paragraph suggests so many things which are simply wrong, confused,
    or irrelevant that I don't know what to make of the rest of the article.

      * modern debian GNU/Linux systems do not have a wheel group at all. No
    particular versions or flavors of "Linux system"

      * on systems where members of group wheel really do have unrestricted
    access to the su command, having wheel in the first place *is* the
    vulnerability -- it is a misconfiguration to expect an account to be
    non-privileged if it is a member of wheel.

      * the last sentence appears to be about setuid/setgid binaries, but
    makes no mention that the overwhelming majority of binaries are not
    setuid/setgid.

    Later on, the post suggests that wheel group membership is related to
    sudo privileges.

    It also seems to assume that polkit always permits access for members of
    group wheel. I can find no such configuration on a modern debian system.

    I don't think there's anything significant in this ambiguous,
    underspecified, and confused report.

    http://www.openwall.com/lists/...

    Yeah I looked into this (the article/etc was completely confusing and
    took some time to parse):

    1) the article states they contacted red hat, we were unable to find
    any inbound email or bugzilla entry pertaining to this issue, as always
    if you have an issue you wish to report please contact secalert@...hat.com

    2) this is expected behaviour, admin users can install software (do I
    have to say this? really? yes. I was told I should say this).

    3) don't run web apps as admin users (do I have to say this? really?
    yes. I was told I should say this).

    4) if you feel the need to run a web app as an admin user restrict what
    they can do via SELinux, and don't let them install software (do I have
    to say this? really? yes. I was told I should say this).

    So TL;DR: it's not a security vulnerability, and it will NOT be getting
    a CVE.

    I can only assume this article/vuln is perhaps referring to something
    like Cpanel and other control panels that people sometimes install
    insecurely/improperly and then never update. Or something. Who knows.

  9. The "wheel" group is an admin group by mr_mischief · · Score: 4, Informative

    Truth: some Linux distros have a "wheel" group.
    Truth: this group is used as a list of people with elevated permissions
    Truth: one of the elevated permissions often assigned to this group is the ability to become root, especially with sudo
    Falsehood: all users on a Linux system are members of the "wheel" group
    Falsehood: one can add oneself to the "wheel" group without having permissions already elevated above regular user status

    tl;dr: someone misunderstands groups and called it a vulnerability
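
    The two points made above, that a polkit rule answering "yes" for wheel is the same weakness as a NOPASSWD sudoers line (JesseMcDonald's comment, no. 2 under "Quite possibly the stupidest vulnerability ever"), and that the real question is who is in wheel at all (mr_mischief's list), can be turned into a small audit. The script below is an added example and is not code from this thread, from Alert Logic, from Red Hat, or from the sudo or polkit projects. All three input files (group, sudoers, .pkla) are constructed samples, not captured from a real host; the .pkla stanza format (Identity/Action/ResultAny/ResultInactive/ResultActive) is the polkit Local Authority format used by RHEL/CentOS 6, and the JavaScript .rules format of polkit 0.106 and later is deliberately not parsed here.

```shell
#!/bin/sh
# Added audit example: not code from the Slashdot thread, Alert Logic,
# Red Hat, sudo or polkit.  Checks who is in "wheel" and whether that
# group can install packages or run a root command without
# authenticating, via a sudoers NOPASSWD rule or a polkit .pkla stanza
# that answers "yes" for unix-group:wheel.  Inputs are constructed.
set -eu

TMPDIR_AUDIT=$(mktemp -d)
trap 'rm -rf "$TMPDIR_AUDIT"' EXIT
SAMPLE_GROUP="$TMPDIR_AUDIT/group"
SAMPLE_SUDOERS="$TMPDIR_AUDIT/sudoers"
SAMPLE_PKLA="$TMPDIR_AUDIT/50-wheel.pkla"

# Constructed /etc/group: wheel exists and has one non-root member.
cat >"$SAMPLE_GROUP" <<'EOF'
root:x:0:
wheel:x:10:root,alice
users:x:100:alice,bob
EOF

# Constructed sudoers: the weak rule is the one quoted in the thread.
cat >"$SAMPLE_SUDOERS" <<'EOF'
root    ALL=(ALL)       ALL
%wheel  ALL = (root) NOPASSWD: /usr/bin/yum
%users  ALL=(ALL) ALL
EOF

# Constructed .pkla: first stanza grants package-install to wheel with
# no prompt; the second correctly demands admin authentication.
cat >"$SAMPLE_PKLA" <<'EOF'
[Wheel installs packages without auth]
Identity=unix-group:wheel
Action=org.freedesktop.packagekit.package-install
ResultActive=yes

[Wheel must authenticate to remove packages]
Identity=unix-group:wheel
Action=org.freedesktop.packagekit.package-remove
ResultActive=auth_admin
EOF

# wheel_members GROUPFILE: print the member list of group "wheel".
# Exits 1 when the file has no wheel group at all (Debian's default).
wheel_members() {
    awk -F: '$1 == "wheel" { print $4; found = 1 } END { exit !found }' "$1"
}

# in_wheel USER GROUPFILE: direct (supplementary) membership only; a
# primary GID equal to wheel's GID would need /etc/passwd as well.
in_wheel() {
    wheel_members "$2" 2>/dev/null | tr ',' '\n' | grep -qx "$1"
}

# wheel_nopasswd_sudo SUDOERSFILE: print %wheel rules tagged NOPASSWD;
# exits 0 if any exist.  Ignores #include/#includedir and continuations.
wheel_nopasswd_sudo() {
    grep -E '^[[:space:]]*%wheel[[:space:]].*NOPASSWD' "$1"
}

# wheel_pkla_noauth PKLAFILE: print the Action of each stanza naming
# unix-group:wheel whose ResultAny/Inactive/Active is "yes" (no auth).
# Exits 1 if no stanza matches.
wheel_pkla_noauth() {
    awk '
        function flush() {
            if (ident ~ /unix-group:wheel/ && noauth) { print action; found = 1 }
            ident = ""; action = ""; noauth = 0
        }
        /^\[/        { flush() }
        /^Identity=/ { ident = substr($0, 10) }
        /^Action=/   { action = substr($0, 8) }
        /^Result(Any|Inactive|Active)=yes[[:space:]]*$/ { noauth = 1 }
        END          { flush(); exit !found }
    ' "$1"
}

# audit_wheel GROUPFILE SUDOERSFILE PKLAFILE: 0 if wheel members have
# at least one unauthenticated route to root-level change, else 1.
audit_wheel() {
    members=$(wheel_members "$1" 2>/dev/null || true)
    if [ -z "$members" ]; then
        echo "no populated wheel group; nothing to audit"
        return 1
    fi
    echo "wheel members: $members"
    rc=1
    if wheel_nopasswd_sudo "$2"; then rc=0; fi
    if wheel_pkla_noauth "$3"; then rc=0; fi
    return $rc
}

audit_wheel "$SAMPLE_GROUP" "$SAMPLE_SUDOERS" "$SAMPLE_PKLA" \
    || echo "no unauthenticated route to root for wheel"
```

    On a live RHEL/CentOS 6 host, point `audit_wheel` at /etc/group, /etc/sudoers and one file under /etc/polkit-1/localauthority/, and cross-check the effective policy with `pkaction --verbose --action-id org.freedesktop.packagekit.package-install`, which prints the implicit authorization polkit will actually apply after every .pkla file has been merged. On a Debian-style system the first check will report no wheel group, which is the point the oss-sec posters make: membership of wheel, not the existence of polkit, is what makes an account privileged.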

  10. Jesus Slashdot by Verdatum · · Score: 2

    Do you guys do zero review or investigation before throwing up fear-mongering bullshit? If you haven't read TFA yet, don't even bother.

  11. Re:Wheel Group by Tenebrousedge · · Score: 2

    Apologies. It's been a while since I installed debian, and I was misled by my google searches. Ubuntu-derived distros do this, and it seems Gnome/gdm does not allow root login by default. You are correct.

    So, it seems I'm smoking bad google searches.

    --
    Those who advocate genocide deserve every protection afforded by law, and none afforded by common human decency.
  12. Re:Wheel Group by RightwingNutjob · · Score: 3, Informative

    Leaving a blank root password during install on Debian disables login access to the root account from any terminal or the root console. There is still a root account, but it can only be accessed with sudo -s; su - by a user in the wheel group.

  13. Re:Why 'wheel'? by rubycodez · · Score: 3, Informative

    Just a shortened form of the slang "big wheel", a person with authority. It was the term first used for user accounts with admin privileges in the TENEX operating system (later called TOPS-20).

    Extra trivia: the name TENEX was chosen because it was intended to be a superior alternative to TOPS-10, as in Ten Extended. OK, that's enough, god I'm old

  14. Re:Wheel Group by Gunstick · · Score: 3, Informative

    centos:
    # grep wheel /etc/group
    wheel:x:10:root

    redhat 5
    # grep wheel /etc/group
    wheel:x:10:root

    redhat 6
    # grep wheel /etc/group
    wheel:x:10:root

    --
    Atari rules... ermm... ruled.
  15. Re:Wheel Group by aestrivex · · Score: 2

    Debian does not do this by default, but recent versions of debian installer do allow not setting a root password as an option.