Bug 401513 (CVE-2011-4945) - <sys-auth/polkit-0.104-r1 sets AdminIdentities to group wheel (CVE-2011-4945)
Status: RESOLVED FIXED
Alias: CVE-2011-4945
Product: Gentoo Security
Classification: Unclassified
Component: Default Configs
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
Whiteboard: A1 [glsa]
Depends on: 393007
Reported: 2012-01-30 13:53 UTC by Samuli Suominen (RETIRED)
Modified: 2012-10-02 21:33 UTC
Description Samuli Suominen (RETIRED) gentoo-dev 2012-01-30 13:53:23 UTC
Since polkit-0.103 the default value of AdminIdentities has been "wheel" instead of "0" which will allow users in group "wheel" to execute:

# pkexec bash

And similar commands, which allow you to gain a root shell without the actual root password.

0.104-r1 reverts this to the value 0.102 has, so users won't be caught off guard.
Comment 1 Samuli Suominen (RETIRED) gentoo-dev 2012-01-30 13:55:21 UTC
Since this bug will obsolete bug 397755, moving things from there to here:

To stabilize:

=sys-auth/polkit-0.104-r1 "alpha amd64 arm hppa ia64 ppc ppc64 sh sparc x86"
=gnome-extra/polkit-gnome-0.105 "alpha amd64 arm ia64 ppc ppc64 sh sparc x86"

and this is a special SLOT designed only for =app-admin/gnome-system-tools-2.32*,
so only these arches need to stabilize:

=gnome-extra/polkit-gnome-0.102 "alpha amd64 ia64 ppc sparc x86"
Comment 2 Agostino Sarubbo gentoo-dev 2012-01-30 17:15:09 UTC
amd64 stable
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2012-02-02 15:28:06 UTC
Stable for HPPA.
Comment 4 Markus Meier gentoo-dev 2012-02-13 22:08:49 UTC
arm stable
Comment 5 Thomas Kahle (RETIRED) gentoo-dev 2012-02-17 15:35:26 UTC
x86 done. Thanks.
Comment 6 Tobias Klausmann (RETIRED) gentoo-dev 2012-02-17 17:25:05 UTC
Stable on alpha.
Comment 7 Raúl Porcel (RETIRED) gentoo-dev 2012-02-18 19:34:09 UTC
ia64/sh/sparc stable
Comment 8 Samuli Suominen (RETIRED) gentoo-dev 2012-03-09 15:01:00 UTC
(In reply to comment #7)
> ia64/sh/sparc stable

this was never committed, adding back to CC
Comment 9 Samuli Suominen (RETIRED) gentoo-dev 2012-03-09 15:04:21 UTC
ppc* done
Comment 10 Raúl Porcel (RETIRED) gentoo-dev 2012-03-25 17:49:44 UTC
ia64/sh/sparc stable
Comment 11 Tim Sammut (RETIRED) gentoo-dev 2012-03-26 13:55:25 UTC
Thanks, everyone. Rating A1 and adding to GLSA request.
Comment 12 Tim Sammut (RETIRED) gentoo-dev 2012-03-26 21:19:25 UTC
Samuli, do you happen to know if this was reported upstream as a flaw? Thanks!


Some references...

I believe this was introduced via this commit: http://cgit.freedesktop.org/PolicyKit/commit/?id=763faf434b445c20ae9529100d3ef5290976d0c9.

News item: http://www.mail-archive.com/polkit-devel@lists.freedesktop.org/msg00327.html

IMPORTANT: As of release 0.103, the default Authority backend now
defaults to allowing members of the 'wheel' group to authenticate as
an administrator since this is common usage in popular Linux
distributions. Distributors can change this by patching the
50-localauthority.conf file in /etc/polkit-1/localauthority.conf.d as
needed.

Debian and Ubuntu appear to be using this patch to revert the behavior: http://patch-tracker.debian.org/patch/series/view/policykit-1/0.104-2/05_revert-admin-identities-unix-group-wheel.patch
Comment 13 Samuli Suominen (RETIRED) gentoo-dev 2012-03-27 12:46:45 UTC
(In reply to comment #12)
> Samuli, do you happen to know if this was reported upstream as a flaw?

This was a completely intentional change upstream made, mainly with Fedora in mind. The upstream of polkit is the maintainer of polkit for Fedora.
It has not been reported as a flaw as far as I know.

> Debian and Ubuntu appear to be using this patch to revert the behavior:
> http://patch-tracker.debian.org/patch/series/view/policykit-1/0.104-2/
> 05_revert-admin-identities-unix-group-wheel.patch

Our /etc/polkit-1/localauthority.conf.d/60-gentoo.conf will override /etc/polkit-1/localauthority.conf.d/50-localauthority.conf. This is how it's supposed to be, not patching over upstream defaults like Debian/Ubuntu does. Their way is dumb.
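
The override order described above (60-gentoo.conf winning over 50-localauthority.conf) can be audited on a host. This is an added example, not part of the original comment or of polkit or Gentoo code. It assumes the key-file form `[Configuration]` / `AdminIdentities=unix-group:wheel` or `unix-user:0` (the page writes only "wheel" and "0"); the function names are hypothetical and the sample files are constructed in a temporary directory.

```python
import configparser
import os
import tempfile

def effective_admin_identities(conf_dir):
    """Return (identities, source_file) after applying every *.conf in order."""
    identities, source = [], None
    # Assumption: only *.conf files are read, in byte (C-locale) order, last one wins.
    for name in sorted(os.listdir(conf_dir), key=os.fsencode):
        if not name.endswith(".conf"):
            continue
        cp = configparser.ConfigParser(interpolation=None, delimiters=("=",),
                                       comment_prefixes=("#",))
        cp.optionxform = str  # keep key names case-sensitive
        cp.read(os.path.join(conf_dir, name))
        if cp.has_option("Configuration", "AdminIdentities"):
            raw = cp.get("Configuration", "AdminIdentities")
            identities = [i.strip() for i in raw.split(";") if i.strip()]
            source = name
    return identities, source

def risky_identities(identities):
    """Identities other than root that would be accepted as administrator."""
    return [i for i in identities if i not in ("unix-user:0", "unix-user:root")]

def audit(conf_dir):
    ids, src = effective_admin_identities(conf_dir)
    return {"source": src, "identities": ids, "risky": risky_identities(ids)}

def _write(conf_dir, name, value):
    with open(os.path.join(conf_dir, name), "w") as fh:
        fh.write("[Configuration]\nAdminIdentities=%s\n" % value)

def demo():
    """Constructed trees: upstream default alone, then with the Gentoo override."""
    with tempfile.TemporaryDirectory() as d:
        _write(d, "50-localauthority.conf", "unix-group:wheel")
        before = audit(d)
        _write(d, "60-gentoo.conf", "unix-user:0")
        after = audit(d)
    return before, after

if __name__ == "__main__":
    for label, result in zip(("50 only", "50 + 60-gentoo"), demo()):
        print(label, result)
```

On a real system, call `audit("/etc/polkit-1/localauthority.conf.d")` and treat a non-empty `risky` list as the condition this bug describes.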
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2012-04-17 23:44:41 UTC
This issue was resolved and addressed in
 GLSA 201204-06 at http://security.gentoo.org/glsa/glsa-201204-06.xml
by GLSA coordinator Sean Amoss (ackle).
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2012-10-02 21:33:58 UTC
CVE-2011-4945 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4945):
  PolicyKit 0.103 sets the AdminIdentities to "wheel" by default, which allows
  local users in the wheel group to gain root privileges without
  authentication.