Since polkit-0.103 the default value of AdminIdentities has been "wheel" instead of "0" which will allow users in group "wheel" to execute:
# pkexec bash
And commands similar to that, that allow you to gain a root shell without the actual root password.
0.104-r1 reverts this to the value 0.102 has so users won't be caught off guard.
Since this bug will obsolete bug 397755, moving things from there to here:
=sys-auth/polkit-0.104-r1 "alpha amd64 arm hppa ia64 ppc ppc64 sh sparc x86"
=gnome-extra/polkit-gnome-0.105 "alpha amd64 arm ia64 ppc ppc64 sh sparc x86"
and this is a special SLOT designed only for =app-admin/gnome-system-tools-2.32*,
so only these arches need to stabilize:
=gnome-extra/polkit-gnome-0.102 "alpha amd64 ia64 ppc sparc x86"
Stable for HPPA.
x86 done. Thanks.
Stable on alpha.
(In reply to comment #7)
> ia64/sh/sparc stable
this was never committed, adding back to CC
Thanks, everyone. Rating A1 and adding to GLSA request.
Samuli, do you happen to know if this was reported upstream as a flaw? Thanks!
I believe this was introduced via this commit: http://cgit.freedesktop.org/PolicyKit/commit/?id=763faf434b445c20ae9529100d3ef5290976d0c9.
News item: http://firstname.lastname@example.org/msg00327.html
IMPORTANT: As of release 0.103, the default Authority backend now
defaults to allowing members of the 'wheel' group to authenticate as
an administrator since this is common usage in popular Linux
distributions. Distributors can change this by patching the
50-localauthority.conf file in /etc/polkit-1/localauthority.conf.d as
Debian and Ubuntu appear to be using this patch to revert the behavior: http://patch-tracker.debian.org/patch/series/view/policykit-1/0.104-2/05_revert-admin-identities-unix-group-wheel.patch
(In reply to comment #12)
> Samuli, do you happen to know if this was reported upstream as a flaw?
This was a completely intentional change upstream made, mainly with Fedora in mind. The upstream of polkit is the maintainer of polkit for Fedora.
It has not been reported as a flaw as far as I know.
> Debian and Ubuntu appear to be using this patch to revert the behavior:
Our /etc/polkit-1/localauthority.conf.d/60-gentoo.conf will override /etc/polkit-1/localauthority.conf.d/50-localauthority.conf. This is how it's supposed to be, not patching over upstream defaults like Debian/Ubuntu does. Their way is dumb.
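The override order described in the comment above (60-gentoo.conf taking precedence over 50-localauthority.conf) can be audited with a short script. This is an added example, not part of the bug thread or of polkit itself; the function names are hypothetical, the file contents are constructed, and the `unix-group:wheel` / `unix-user:0` values assume polkit's identity syntax for the "wheel" and "0" settings discussed here.

```python
import configparser
import tempfile
from pathlib import Path

def effective_admin_identities(conf_dir):
    """Return (identities, source_file) after applying every *.conf in order."""
    identities, source = [], None
    # sorted() on str compares code points, which matches C-locale lexical
    # order for the ASCII file names used in localauthority.conf.d.
    for path in sorted(Path(conf_dir).glob("*.conf"), key=lambda p: p.name):
        cp = configparser.ConfigParser(interpolation=None)
        cp.optionxform = str  # keep key names case-sensitive
        cp.read(path)
        if cp.has_option("Configuration", "AdminIdentities"):
            raw = cp.get("Configuration", "AdminIdentities")
            # The value is a semicolon-separated list of identities.
            identities = [i.strip() for i in raw.split(";") if i.strip()]
            source = path.name  # a later file replaces the earlier value
    return identities, source

def group_admins(identities):
    """Identities that let every member of a group authenticate as admin."""
    return [i for i in identities if i.startswith("unix-group:")]

def write_constructed(conf_dir, name, value):
    """Write a constructed sample config file (not copied from any distro)."""
    Path(conf_dir, name).write_text(f"[Configuration]\nAdminIdentities={value}\n")

def demo():
    """Effective setting with only the 0.103 default, then with the override."""
    with tempfile.TemporaryDirectory() as d:
        write_constructed(d, "50-localauthority.conf", "unix-group:wheel")
        before = effective_admin_identities(d)
        write_constructed(d, "60-gentoo.conf", "unix-user:0")
        after = effective_admin_identities(d)
    return before, after

if __name__ == "__main__":
    for ids, src in demo():
        flag = "group members can authenticate as admin" if group_admins(ids) else "ok"
        print(f"{src}: {ids} -> {flag}")
```

On a real system, point `effective_admin_identities()` at /etc/polkit-1/localauthority.conf.d and treat any non-empty `group_admins()` result as a finding to review.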
This issue was resolved and addressed in
GLSA 201204-06 at http://security.gentoo.org/glsa/glsa-201204-06.xml
by GLSA coordinator Sean Amoss (ackle).
PolicyKit 0.103 sets the AdminIdentities to "wheel" by default, which allows
local users in the wheel group to gain root privileges without