Since polkit-0.103 the default value of AdminIdentities has been "wheel" instead of "0", which will allow users in group "wheel" to execute:
# pkexec bash
and similar commands that allow you to gain a root shell without the actual root password. 0.104-r1 reverts this to the value 0.102 has, so users won't be caught off guard.
Since this bug will obsolete bug 397755, moving things from there to here:
To stabilize:
=sys-auth/polkit-0.104-r1 "alpha amd64 arm hppa ia64 ppc ppc64 sh sparc x86"
=gnome-extra/polkit-gnome-0.105 "alpha amd64 arm ia64 ppc ppc64 sh sparc x86"
and this is a special SLOT designed only for =app-admin/gnome-system-tools-2.32*, so only these arches need to stabilize:
=gnome-extra/polkit-gnome-0.102 "alpha amd64 ia64 ppc sparc x86"
amd64 stable
Stable for HPPA.
arm stable
x86 done. Thanks.
Stable on alpha.
ia64/sh/sparc stable
(In reply to comment #7)
> ia64/sh/sparc stable
this was never committed, adding back to CC
ppc* done
Thanks, everyone. Rating A1 and adding to GLSA request.
Samuli, do you happen to know if this was reported upstream as a flaw? Thanks!
Some references...
I believe this was introduced via this commit: http://cgit.freedesktop.org/PolicyKit/commit/?id=763faf434b445c20ae9529100d3ef5290976d0c9.
News item: http://www.mail-archive.com/polkit-devel@lists.freedesktop.org/msg00327.html
IMPORTANT: As of release 0.103, the default Authority backend now defaults to allowing members of the 'wheel' group to authenticate as an administrator since this is common usage in popular Linux distributions. Distributors can change this by patching the 50-localauthority.conf file in /etc/polkit-1/localauthority.conf.d as needed.
Debian and Ubuntu appear to be using this patch to revert the behavior: http://patch-tracker.debian.org/patch/series/view/policykit-1/0.104-2/05_revert-admin-identities-unix-group-wheel.patch
(In reply to comment #12)
> Samuli, do you happen to know if this was reported upstream as a flaw?
This was a completely intentional change upstream made, mainly with Fedora in mind. The upstream of polkit is the maintainer of polkit for Fedora. It has not been reported as a flaw as far as I know.
> Debian and Ubuntu appear to be using this patch to revert the behavior:
> http://patch-tracker.debian.org/patch/series/view/policykit-1/0.104-2/05_revert-admin-identities-unix-group-wheel.patch
Our /etc/polkit-1/localauthority.conf.d/60-gentoo.conf will override /etc/polkit-1/localauthority.conf.d/50-localauthority.conf. This is how it's supposed to be, not patching over upstream defaults like Debian/Ubuntu does. Their way is dumb.
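Added example (not part of the bug thread, nor polkit or Gentoo code): a Python check for the override order described in the comment above. It applies each *.conf file in lexicographic order and reports which file sets the effective AdminIdentities and whether any group is granted admin authentication. The [Configuration] key-file layout and the unix-user:0 / unix-group:wheel identity strings are assumed from the polkit local authority format; the sample files are constructed.

```python
import configparser
import tempfile
from pathlib import Path

# Directory named in the thread; pass another path to audit a chroot or image.
CONF_DIR = "/etc/polkit-1/localauthority.conf.d"


def effective_admin_identities(conf_dir=CONF_DIR):
    """Return (identities, source_file) after applying every *.conf in order.

    Files are applied in lexicographic order, so a later file such as
    60-gentoo.conf replaces the value set by 50-localauthority.conf.
    """
    identities, source = [], None
    for path in sorted(Path(conf_dir).glob("*.conf"), key=lambda p: p.name):
        parser = configparser.ConfigParser(interpolation=None, strict=False,
                                           delimiters=("=",))
        parser.optionxform = str  # keep key names case-sensitive
        parser.read(path, encoding="utf-8")
        if parser.has_option("Configuration", "AdminIdentities"):
            raw = parser.get("Configuration", "AdminIdentities")
            # Assumed format: identities separated by semicolons.
            identities = [i.strip() for i in raw.split(";") if i.strip()]
            source = path.name
    return identities, source


def audit(conf_dir=CONF_DIR):
    """Summarise the effective setting and flag group-wide admin identities."""
    identities, source = effective_admin_identities(conf_dir)
    groups = [i for i in identities
              if i.startswith(("unix-group:", "unix-netgroup:"))]
    return {"identities": identities, "source": source, "group_admins": groups}


def write_sample(directory, files):
    """Write constructed sample config files (name -> AdminIdentities value)."""
    for name, value in files.items():
        Path(directory, name).write_text(
            f"[Configuration]\nAdminIdentities={value}\n", encoding="utf-8")


if __name__ == "__main__":
    # Constructed sample: the 0.103 default plus the Gentoo override file.
    with tempfile.TemporaryDirectory() as d:
        write_sample(d, {"50-localauthority.conf": "unix-group:wheel",
                         "60-gentoo.conf": "unix-user:0"})
        print(audit(d))
```

A non-empty group_admins list means every member of that group can authenticate as an administrator with their own password.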
This issue was resolved and addressed in GLSA 201204-06 at http://security.gentoo.org/glsa/glsa-201204-06.xml by GLSA coordinator Sean Amoss (ackle).
CVE-2011-4945 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4945): PolicyKit 0.103 sets the AdminIdentities to "wheel" by default, which allows local users in the wheel group to gain root privileges without authentication.