Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 17 Dec 2014 18:24:19 +0100
From: Nicolas Vigier <boklm@...s-attacks.org>
To: oss-security@...ts.openwall.com
Subject: Re: What is the "Grinch" polkit/wheel group issue?

On Wed, 17 Dec 2014, Marcus Meissner wrote:

> Hi,
> 
> This probably needs a CVE too, or does it have one?
> 
> https://www.alertlogic.com/blog/dont-let-grinch-steal-christmas/
> http://www.pcworld.com/article/2860032/this-linux-grinch-could-put-a-hole-in-your-security-stocking.html
> 
> Although it seems that the user is in the "wheel" group for this to be exploitable
> and is hard to specify what actions should be safed by another query or which should not.

This looks like expected behaviour:

https://docs.fedoraproject.org/en-US/Fedora/20/html/Installation_Guide/sn-firstboot-systemuser.html

"Check the Make this user administrator box if you would like
administrative privileges. This will place you in the wheel group, which
gives you access to all administrative functions, including installing
and updating software, creating and altering configuration files, and
administering other users."


Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.