Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security Linux IT

Grinch Vulnerability Could Put a Hole In Your Linux Stocking 118

itwbennett writes In a blog post Tuesday, security service provider Alert Logic warned of a Linux vulnerability, named grinch after the well-known Dr. Seuss character, that could provide attackers with unfettered root access. The fundamental flaw resides in the Linux authorization system, which can inadvertently allow privilege escalation, granting a user full administrative access. Alert Logic warned that Grinch could be as severe as the Shellshock flaw that roiled the Internet in September. Update: 12/19 04:47 GMT by S : Reader deathcamaro points out that Red Hat and others say this is not a flaw at all, but expected behavior.
This discussion has been archived. No new comments can be posted.

Grinch Vulnerability Could Put a Hole In Your Linux Stocking

Comments Filter:
  • by darthcamaro ( 735685 ) on Thursday December 18, 2014 @03:55PM (#48628735)
    The linked story is factually incorrect. Red Hat (and others) have publicly stated that this isn't a flaw at all but is in fact an expected and specified feature of PolicyKIt. I spoke [eweek.com] with Red Hat on this, which is something that neither of the linked articles in this /. post did. It's not a flaw at all.
    Also check out Red Hat Knowledgebase article [redhat.com] on this too.

    A report has been released detailing an issue that the reporter is naming "Grinch". This report incorrectly classifies expected behavior as a security issue.

    • Re: (Score:3, Insightful)

      by Rob Y. ( 110975 )

      Do you need root to add yourself to the 'wheel' group? if so, not a security hole. And the 'wheel' trick only works from the physical console - presumably intended for server machines kept under lock and key with other access security in place. Now if it's enabled by default on desktop systems, that'd be pretty nasty.

      I can't see anybody using this feature except possible admins of access-restricted servers. But even for them, how hard is it to use sudo? It sounds like a pretty dumb, unnecessary feature

      • by sjames ( 1099 ) on Thursday December 18, 2014 @04:28PM (#48628953) Homepage Journal

        Yes, you do.

        So to translate: News flash, designated admins can do admin things!

        • by meta-monkey ( 321000 ) on Friday December 19, 2014 @12:02PM (#48635223) Journal

          OMG I discovered a critical security flaw in Linux, guise! If someone has your root password and is sitting at your desk, then with just a few simple keystrokes they can have total access to your system! They can read all your shit, delete your files, anything! Haxx0rs!! It's proven, Linux is unsafe and we should all go run windows instead.

          • In a related story, going to the console and booting to single user mode will allow you to set the root password to anything you like. ZOMG!!!

      • by fisted ( 2295862 ) on Thursday December 18, 2014 @06:23PM (#48629759)
        Ohh, so the wheel group does have a purpose in GNU after all. Who knew?
        Enjoy the following excerpt right from info su on a Debian box:

        23.6.1 Why GNU `su' does not support the `wheel' group

        (This section is by Richard Stallman.)

        Sometimes a few of the users try to hold total power over all the
        rest. For example, in 1984, a few users at the MIT AI lab decided to
        seize power by changing the operator password on the Twenex system and
        keeping it secret from everyone else. (I was able to thwart this coup
        and give power back to the users by patching the kernel, but I wouldn't
        know how to do that in Unix.)

        However, occasionally the rulers do tell someone. Under the usual
        `su' mechanism, once someone learns the root password who sympathizes
        with the ordinary users, he or she can tell the rest. The "wheel
        group" feature would make this impossible, and thus cement the power of
        the rulers.

        I'm on the side of the masses, not that of the rulers. If you are
        used to supporting the bosses and sysadmins in whatever they do, you
        might find this idea strange at first.

        Makes me cringe harder every time I read it

        • Me too, but honestly, this level of fanaticism is why every attempt at DRM is broken, every device is jailbroken, etc. Some people are crazy and simply will not take no for an answer. God Bless Them.
      • by gweihir ( 88907 )

        Of course you do. If non-root users could add themselves to groups, a lot more things would break.

      • by TheCarp ( 96830 )

        I think the ONLY interesting point they have is that there are environments where a lot of people have wheel for one reason or another, or where wheel may be even given out by default. In such an environment, then installing this PackageKit software allows anyone to install software.... as expected.

        This really is some of the dumbest clickbait disguiesed as a vulnerability that I have ever seen.

        Best solution...don't put every account in wheel, and um, don't install PackageKit...unless this is what you want..

      • by rdnetto ( 955205 )

        Do you need root to add yourself to the 'wheel' group?

        Yes.
        Hint: on Debian-based distros, wheel is better known as sudoers.

    • Re: (Score:2, Funny)

      by Anonymous Coward

      As soon as I heard this, I changed my password to all control characters: ^H^U^H^U^W^U^W^U

    • by jandrese ( 485 ) <kensama@vt.edu> on Thursday December 18, 2014 @04:22PM (#48628921) Homepage Journal
      About 3/4 of the way down the "article" they explained the vulnerability:

      To control administrative access, Linux keeps a list of all the registered users on a machine, in a group typically known as “wheel,” who can be granted full root access (usually through the Unix sudo command).

      A knowing attacker could get full root access by modifying the wheel group, either directly or by manipulating an adjoining program such as the Polkit graphical interface for setting user permissions, Alert Logic said.

      This is patently stupid. Yes, if you give a badguy administrative access, bad things can happen--even if you use a fancy GUI to give the bad guy administrative access. The only thing that is even slightly newsworthy here is that maybe a novice admin won't understand the purpose of the wheel group and could be tricked into giving permissions, but there are a lot of ways you can trick a dumb admin, there's no need to single this one out.

      • 'we know that any user in the wheel group has “most” admin privileges'

        "Local administrators are trusted users .. This isn't something you hand out to everybody."

        So, you have to be an administrator in order to achieve administrator level ...
      • by phoenix_rizzen ( 256998 ) on Thursday December 18, 2014 @04:56PM (#48629147)

        Which Linux systems include the wheel group? Haven't come across that on Linux systems in years (if ever). That's a BSD thing, where GID 0 is "wheel".

        On Linux, GID 0 is "root". Or, at least, every Linux system I've used in the past 10 years (none of which are RedHat, though; they do weird and not-so-wonderful things over there)

        One of the first things we do on our Linux systems is create the "wheel" group as a system group (UID under 100), and add our admin users to that group. No users go into GID 0. And sudo is configured to only allow group wheel access to things they need access to.

        • Debian derived distros disable the password on the root account by default, and only use the wheel group. RedHat distros set a root password during install, but also require the creation of a non-root user; this user is added to the wheel group. What Linux systems have you been using that are not RedHat or Debian derived?

          • What are you smoking?

            Debian installer specifically asks for a root password, won't let you install the system without a non-root users, and there's no wheel group in /etc/group. There is a sudo group that the first user created during the install is added to.

            What Debian system are you using?

            • Apologies. It's been a while since I installed debian, and I was misled by my google searches. Ubuntu-derived distros do this, and it seems Gnome/gdm does not allow root login by default. You are correct.

              So, it seems I'm smoking bad google searches.

              • by Anonymous Coward

                are you trying to break the internet? you don't apologize when you are wrong!
                you start attacking the person.

              • Debian does not do this by default, but recent versions of debian installer do allow not setting a root password as an option.
          • by Trepidity ( 597 )

            Debian does not use a "wheel" group. Some Debian-derived distros might, but Debian itself doesn't. I recently installed a Debian server, and it is not how you describe: a root password was set during install, and there is no wheel group. This was from the official Debian 7 "wheezy" installer [debian.org].

          • RedHat distros set a root password during install, but also require the creation of a non-root user; this user is added to the wheel group.

            I don't know if you meant to include Fedora but on all my Fedora installs the only member of the wheel group has been root. I believe the same is true of Centos but I don't have it installed anywhere right now to check.

          • Re:Wheel Group (Score:4, Informative)

            by Gunstick ( 312804 ) on Friday December 19, 2014 @03:32AM (#48631933) Homepage

            centos:
            # grep wheel /etc/group
            wheel:x:10:root

            redhat 5
            # grep wheel /etc/group
            wheel:x:10:root

            redhat 6
            # grep wheel /etc/group
            wheel:x:10:root

            • I very much appreciate the information and the correction, and I am sure that others do as well.

              Don't mind me, I'm just gonna be curling into a ball and hoping that it's all over soon.

        • by reanjr ( 588767 )

          I'm pretty sure Debian used to. I don't know if it still does. Ubuntu certainly does not.

        • Older than BSD, it's a TENEX thing, from 1969

        • by Anonymous Coward

          On linux, RMS purposefully broke "wheel" out of (IMO flawed) ideological butthurt. This he describes very well himself in "info su".

          There is no real reason to use a non-0 GID for wheel. It works nicely in either case, except on linux only after you tell various things to honour it because you are one of those fascist administrators who shuts out normal users from accessing root functions with more than a shared password.

    • So is ShellShock fixed now?
      I gathered the basic variant is, but then people developed other variants.

      • Yes, in the first hours there were various workarounds and fixes suggested, and people came up with ways to get around those first workarounds. About 48 hours after the release, consensus congealed around using Red Hat's fix.

        There is a very limited set of cases where it could be a compatibility issue if you had custom scripts relying on the old behavior, but that was judged to be fairly insignificant.

    • by WarJolt ( 990309 )

      Relax dude. Now that the media is hyping vulnerabilities, this is just a way for the TV networks to make a movie about the vulnerability that stole Christmas from some poor sysadmins. They'll replay it every Christmas until the end of time. Our great great grandchildren will have to suffer through it.

    • by pouar ( 2629833 )
      One of those rare events where the bug really is a feature.
    • by gweihir ( 88907 )

      It is fascinating what semi-competent morons think they can do a grand announcement of things that have completely misunderstood. Likely somebody like this will next decry sudo as "the next Shellshock vulnerability".

    • It all comes down to what quality assurance would define as "bug": A bug is anything that negatively impacts the user experience. In this case I can clearly make the case that with the default configuration a negative user experience exists. I quite irked that developers (or in this case RedHat) just state "this is not a bug" when in fact it is from a user perspective. Even more, this behavior is controlled through a configuration setting and thus can be easily fixed by updating the default behavior...as it
  • by Anonymous Coward

    "Oh no, Linux includes a "wheel" user group by default that grants superuser privileges to users in it! And someone could possibly add themselves to that group and gain root access!"

    • "Oh no, Linux includes a "wheel" user group by default that grants superuser privileges to users in it! And someone could possibly add themselves to that group and gain root access!"

      I think what they're trying to say is that Polkit has different AAA rules than sudo does, which you might not expect. So, gain mastery of Polkit and all the other new *Kits and systemd and whatnot if you expect to be able to run a secure server.

      Even if they are publicity whoring and trying to get the press excited about a "Chri

      • by sxpert ( 139117 )

        which is yet another excellent reason to get rid of this crap that systemd and it's ilk are

        • Please; this had nothing to do with systemd. It's about PackageKit, which has been around for quite a bit longer. The problem is with the part of their PackageKit configuration which apparently allows administrators to install software without authenticating first. It's rather like putting the line

          %wheel ALL = (root) NOPASSWD: /usr/bin/yum

          in your sudoers file. PolicyKit can also be configured to require authentication for each action, it just wasn't set up that way on their system. There's nothing wrong with identifying the members of the "wheel" g

    • by Anonymous Coward

      "Oh no, Linux includes a "wheel" user group by default that grants superuser privileges to users in it! And someone could possibly add themselves to that group and gain root access!"

      Actually, wheel doesn't grant superuser by default. Being in wheel + installation of a *non-stock* sudo = superuser. Being in wheel and knowing root's password = su superuser. Wheel group != admin, despite what some distros would have you believe.

      That wheel == administrators is a bad, poorly documented assumption on the part of the polkit+packagekit authors. The original group writing the original report about the issue were able to install software as root without a prompt and without knowing a password. T

    • by dissy ( 172727 )

      "Oh no, Linux includes a "wheel" user group by default that grants superuser privileges to users in it! And someone could possibly add themselves to that group and gain root access!"

      Or put another way:
      "Oh no, Windows includes an "Administrators" group by default that grants superuser privileges to users in it! And an existing administrator could possibly add themselves to that group and gain administrator access!"

      Agreed, stupidest vulnerability ever.

  • Adding users to a group is done by a root user with full permission.... In other news: Administrative user that installs back door leads to back door being installed! Administrative user that changes password on system and puts that password in the MOTD effectivly gives full permissions to everyone who can read that MOTD And the whole calling it "Grinch" thing... like some stuck up jackass "I'll show you Linux, you're not secure! I'll ruin Christmas!" He's the true Grinch.
  • Comment removed based on user account deletion
    • by gweihir ( 88907 )

      Indeed. This definitely is a Layer-8 problem.

    • or reboot, interact with grub, start a shell ...
      instructions are a google search away for "recover from lost root password"

      • If you are concerned about security, you will have a boot loader password configured, no changing the kernel command line. Of course, you would also have ensured no removable media are bootable, and have set a bios password, and have kept the server physically secured (no removing the BIOS battery, removing any disks etc.).

  • For trying to steal some of the IT spotlight on Linux, but you'll never dampen our GNU spirit--largely because this vulnerability isn't really a big deal and most of us who use it are educated enough to know that.
  • by Anonymous Coward

    The original author has written pieces for many publications, as he has a university degree in writing. He could have written stories about medicine, or law, or cooking. Instead Joab Jackson writes about computer stuff. He is always itching for a good story (one that gets a lot of eyeballs and makes his publisher smile and say "good job Jack!"). In this case, a sensational headline, and what looks like a menacing scoop. But is it the Shellshock bug? Is it the Heartbleed bug? No. Its normal behavior

    • by dbIII ( 701233 )

      And it gets picked up by /. because their editorial department is some guy from Dice

      when there is ridiculous clueless hype like the itworld article it's worth having a slashdot article about it just so that people here can discuss how it is clueless hype giving a featured platform a bad name for no reason.

  • by userw014 ( 707413 ) on Thursday December 18, 2014 @04:25PM (#48628935) Homepage

    The flaw we're seeing here is various "computer security journalists" (and journals) destroying their reputations.

    This is on the order of discovering that big heavy things that fall on your foot can cause pain.

  • "Alert Logic warned that Grinch could be as severe as the Shellshock flaw that roiled the Internet in September"

    While a big deal, Shellshock was very limited in scope and the large scale exploit implications were stamped out very quickly through updates to vulnerable web front-ends (which was just about the only exploitable path, despite so many proclamations that the sky was falling and every internet-connected linux device will get rooted in a matter of days). If this is as severe as Shellshock, I will t

    • Well pretty much all vulnerabilities can be solved by updating the web front end. But shellshock was pretty much as bad as it gets, because it was extremely widely deployed in web servers, and so simple to exploit that even your mother could do it. It doesn't get worse than that.

  • by Anonymous Coward

    This article is a better one. Less fear-hype, more reason:

    http://blog.threatstack.com/the-linux-grinch-vulnerability-separating-the-fact-from-the-fud

  • This seems to be more clickbait then anything else. How did this get onto slashdot?
  • Comment removed based on user account deletion
  • Seems to me that if you are a "local user", which is someone with access to the actual keyboard of the server, you likely have direct access to the actual server itself, which is even more a security risk.

  • Can we vote the ARTICLE down so it will go away? Or change the headline/summary? Nothing like spreading yet more false security FUD. :(

  • Over-hyped. (Score:5, Informative)

    by alanw ( 1822 ) <alan@wylie.me.uk> on Thursday December 18, 2014 @04:56PM (#48629137) Homepage

    From the oss-sec mailing list:

    http://www.openwall.com/lists/... [openwall.com]
    This is not a vulnerability, this is expected behaviour.

    http://www.openwall.com/lists/... [openwall.com]

    This paragraph suggests so many things which are simply wrong, confused,
    or irrelevant that i don't know what to make of the rest of the article.

      * modern debian GNU/Linux systems do not have a wheel group at all. No
    particular versions or flavors of "Linux system"

      * on systems where members of group wheel really do have unrestricted
    access to the su command, having wheel in the first place *is* the
    vulnerability -- it is a misconfiguration to expect an account to be
    non-privileged if it is a member of wheel.

      * the last sentence appears to be about setuid/setgid binaries, but
    makes no mention that the overwhelming majority of binaries are not
    setuid/setgid.

    Later on, the post suggests that wheel group membership is related to
    sudo privileges.

    It also seems to assume that polkit always permits access for members of
    group wheel. I can find no such configuration on a modern debian system.

    I don't think there's anything significant in this ambiguous,
    underspecified, and confused report.

    http://www.openwall.com/lists/... [openwall.com]

    Yeah I looked into this (the article/etc was completely confusing and
    took some time to parse):

    1) the article states they contacted red hat, we were unable to find
    any inbound email or bugzilla entry pertaining to this issue, as always
    if you have an issue you wish to report please contact secalert@...hat.com

    2) this is expected behaviour, admin users can install software (do I
    have to say this? really? yes. I was told I should say this).

    3) don't run web apps as admin users (do I have to say this? really?
    yes. I was told I should say this).

    4) if you feel the need to run a web app as an admin user restrict what
    they can do via SELinux, and don't let them install software (do I have
    to say this? really? yes. I was told I should say this).

    So TL;DR: it's not a security vulnerability, and it will NOT be getting
    a CVE.

    I can only assume this article/vuln is perhaps referring to something
    like Cpanel and other control panels that people sometimes install
    insecurely/improperly and then never update. Or something. Who knows.

  • ... you can get root access.

  • by mr_mischief ( 456295 ) on Thursday December 18, 2014 @05:03PM (#48629205) Journal

    Truth: some Linux distros have a "wheel" group.
    Truth: this group is used as a list of people with elevated permissions
    Truth: one of the elevated permissions often assigned to this group is the ability to become root, especially with sudo
    Falsehood: all users on a Linux system are members of the "wheel" group
    Falsehood: one can add oneself to the "wheel" group without having permissions already elevated above regular user status

    tl;dr: someone misunderstands groups and called it a vulnerability

  • by Verdatum ( 1257828 ) on Thursday December 18, 2014 @05:04PM (#48629209)
    Do you guys do zero review or investigation before throwing up fear-mongering bullshit? If you haven't read TFA yet, don't even bother.
  • being an Ubuntu user I don't have a wheel group, but this seems to be related to the fact that local users don't need root to install packages from the repositories. If there is a bad package in a trusted repository, then an untrusted local user could install it and the bad package could give that user root access. This is expected behaviour, I don't think you can install local packages through this rule (if you can then there is a vulnerability, create your own deb package with an install script that gives

    • cowsay is a program which generates ASCII pictures of a cow with a message.

      I think someone sent him a prank saying that if you can install cowsay

      cowsay got root?

      will tell you whether you have root access or not.
      When in fact it just prints an ascii picture of a cow.

  • to think that I remember when Wheel actually meant something! TOPS-20 forever! What a great OS, even if it had a lot of security holes.

news: gotcha

Working...