| Summary: | <sys-auth/polkit-0.104-r1 sets AdminIdentities to group wheel (CVE-2011-4945) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Samuli Suominen (RETIRED) <ssuominen> |
| Component: | Default Configs | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | major | | |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | A1 [glsa] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 393007 | | |
| Bug Blocks: | | | |

Description
Samuli Suominen (RETIRED)
2012-01-30 13:53:23 UTC
Since this bug will obsolete bug 397755, moving things from there to here:

To stabilize:

=sys-auth/polkit-0.104-r1 "alpha amd64 arm hppa ia64 ppc ppc64 sh sparc x86"
=gnome-extra/polkit-gnome-0.105 "alpha amd64 arm ia64 ppc ppc64 sh sparc x86"

and this is special SLOT designed only for =app-admin/gnome-system-tools-2.32*, so only these arches need to stabilize:

=gnome-extra/polkit-gnome-0.102 "alpha amd64 ia64 ppc sparc x86"

amd64 stable

Stable for HPPA.

arm stable

x86 done. Thanks.

Stable on alpha.

ia64/sh/sparc stable

(In reply to comment #7)
> ia64/sh/sparc stable

this was never committed, adding back to CC

ppc* done

ia64/sh/sparc stable

Thanks, everyone. Rating A1 and adding to GLSA request.

Samuli, do you happen to know if this was reported upstream as a flaw? Thanks!

Some references...

I believe this was introduced via this commit: http://cgit.freedesktop.org/PolicyKit/commit/?id=763faf434b445c20ae9529100d3ef5290976d0c9.

News item: http://www.mail-archive.com/polkit-devel@lists.freedesktop.org/msg00327.html

IMPORTANT: As of release 0.103, the default Authority backend now defaults to allowing members of the 'wheel' group to authenticate as an administrator since this is common usage in popular Linux distributions. Distributors can change this by patching the 50-localauthority.conf file in /etc/polkit-1/localauthority.conf.d as needed.

Debian and Ubuntu appear to be using this patch to revert the behavior: http://patch-tracker.debian.org/patch/series/view/policykit-1/0.104-2/05_revert-admin-identities-unix-group-wheel.patch

(In reply to comment #12)
> Samuli, do you happen to know if this was reported upstream as a flaw?

This was a completely intentional change upstream made, mainly with Fedora in mind. The upstream of polkit is the maintainer of polkit for Fedora. It has not been reported as a flaw as far as I know.

> Debian and Ubuntu appear to be using this patch to revert the behavior:
> http://patch-tracker.debian.org/patch/series/view/policykit-1/0.104-2/
> 05_revert-admin-identities-unix-group-wheel.patch

Our /etc/polkit-1/localauthority.conf.d/60-gentoo.conf will override /etc/polkit-1/localauthority.conf.d/50-localauthority.conf. This is how it's supposed to be, not patching over upstream defaults like Debian/Ubuntu does. Their way is dumb.

This issue was resolved and addressed in GLSA 201204-06 at http://security.gentoo.org/glsa/glsa-201204-06.xml by GLSA coordinator Sean Amoss (ackle).

CVE-2011-4945 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4945): PolicyKit 0.103 sets the AdminIdentities to "wheel" by default, which allows local users in the wheel group to gain root privileges without authentication.
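
An added example, not part of the bug report and not Gentoo's or polkit's code: a Python check that resolves the effective AdminIdentities the way the thread describes, reading the files in /etc/polkit-1/localauthority.conf.d in lexical order so that 60-gentoo.conf overrides 50-localauthority.conf, and lists group-wide entries such as unix-group:wheel. The helper names are hypothetical, the file contents in demo() are constructed samples, and the *.conf filter and semicolon-separated value format are assumptions about the local authority configuration.

```python
import configparser
import tempfile
from pathlib import Path

CONF_DIR = Path("/etc/polkit-1/localauthority.conf.d")  # directory named in the thread


def effective_admin_identities(conf_dir=CONF_DIR):
    """Return (identities, source_file) after applying files in lexical order."""
    identities, source = [], None
    # Assumption: only *.conf files count and a later name overrides an earlier one.
    for path in sorted(Path(conf_dir).glob("*.conf"), key=lambda p: p.name):
        parser = configparser.ConfigParser(strict=False, interpolation=None)
        parser.optionxform = str  # keep key names case-sensitive
        parser.read(path)
        if parser.has_option("Configuration", "AdminIdentities"):
            raw = parser.get("Configuration", "AdminIdentities")
            # Assumption: the value is a semicolon-separated identity list.
            identities = [i.strip() for i in raw.split(";") if i.strip()]
            source = path.name
    return identities, source


def group_admins(identities):
    """Identities that grant administrator authentication to a whole group."""
    return [i for i in identities if i.startswith(("unix-group:", "unix-netgroup:"))]


def demo():
    """Constructed files: the 0.103+ style default, then a distribution override."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "50-localauthority.conf").write_text(
            "[Configuration]\nAdminIdentities=unix-group:wheel\n")
        before = effective_admin_identities(d)
        # Constructed override content; the real 60-gentoo.conf is not shown on the page.
        (d / "60-gentoo.conf").write_text(
            "[Configuration]\nAdminIdentities=unix-user:0\n")
        after = effective_admin_identities(d)
    return before, after


if __name__ == "__main__":
    for ids, src in demo():
        print(src, ids, "group-wide admins:", group_admins(ids))
```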