Linux 'GRINCH' vuln is AWFUL. Except, er, maybe it isn't

A dispute has arisen about the seriousness of a vulnerability in Linux, dubbed "Grinch", that supposedly creates a privilege escalation risk. The flaw resides in the Linux authorisation system, which can unintentionally allow privilege escalation, granting a user "root", or full administrative, access. "With full root access …

  1. This post has been deleted by its author

  2. Stuart 22

    An easier option ...

    Climb up the outside of the building and hang upside down outside the SysAdmin's window using your smartphone to video them signing on.

    Most video editors have a 180 degree transformation tool. HTH.

    1. Anonymous Coward

      Re: An easier option ...

      Sysadmins with windows? Wouldn't that be nice ;)

    2. Col_Panek

      Re: An easier option ...

      Normally I'd insert a Windows or back door witticism here, but it's too early.

      1. Destroy All Monsters Silver badge

        Re: An easier option ...

        > but it's too early

        Did someone die?

  3. phil dude

    Brought to you by...

    The Microsoft (tm) FUD Dept?

    The article is bollocks isn't it? On this system (running Debian) the only user that can do anything is

    AdminIdentities=unix-user:0

    Or am I missing something?

    P.

    1. PCS

      Re: Brought to you by...

      Of course it's bollocks. Linux is bullet proof don't cha know? Or so the 'tards here would have the rest of the world believe.

      No WindowsX issues, no bash problems. Nowt to see here.

      1. McToo

        Re: Brought to you by...

        You are a troll and I claim my £5

      2. Trevor_Pott Gold badge

        Re: Brought to you by...

        "No WindowsX issues, no bash problems. Nowt to see here."

        I don't allow bash for any user and I don't even have X installed. They're servers. Why the hell install that crap? So, um...yeah. Nothing to see here...

    2. Ben Tasker

      Re: Brought to you by...

      It is bollocks.

      A user given a higher level of trust might be able to abuse that trust, go figure.

      As physical access is required (if the same user tries via SSH, they'll be prompted to enter a password) it's something of a non-issue given the huge amount of pain that could be brought by anyone who gains physical access.

      Be careful who you give higher privileges to, and be very careful about who you allow physical access to. Not an awful lot of news there.....

      The OS-Sec mailing list was particularly scathing of this 'vuln', but as a side effect, someone looking into this did discover a real privilege escalation vuln - CVE-2014-9322 - so something good has come of it at least

      1. sisk

        Re: Brought to you by...

        As physical access is required (if the same user tries via SSH, they'll be prompted to enter a password) it's something of a non-issue

        Indeed. With physical access to a machine all an attacker needs do is stick in their own disc and poke the power button to gain root access on any system. It doesn't even matter what OS the system is running at that point.

        1. Christopher E. Stith

          Re: Brought to you by...

          Full-disk encryption with the passwords kept away from the hardware would slow someone down considerably in the task of accessing the installed system, but how common is that on a server?

          1. ElReg!comments!Pierre

            Re: Brought to you by...

            Full-disk encryption with the passwords kept away from the hardware would slow someone down considerably in the task of accessing the installed system

            Not really, no, unless the server happens to be powered down when the perp gains access to it. If the system is running, whole-disk encryption is a minor inconvenience only if your strategy involves rebooting the system, which in most cases would be the best way to alert the rightful admins that something is up. If you keep the system running you're not even going to notice that the disk is encrypted...

            but how common is that on a server?

            I'd guess "not very", perhaps because a server is typically designed to stay up, while whole-disk encryption is only useful to prevent either disk theft or unauthorized boot.

      2. Trevor_Pott Gold badge

        Re: Brought to you by...

        "physical access is required"

        *shrug* Give me physical access and I can just poke the system in the eye and reset the root password.

  4. Chronos

    Hmm...

    Sounds like sudo. Expected behaviour, nothing to see, be more careful with your sudoers file.

    1. Anonymous Coward

      Re: Hmm...

      Yes. It's a little lax, not the greatest system, best avoided if possible. But that's not a vuln, it's a lack of awareness among people using VPS hosting in particular, and there are much easier ways to crack a friggin' WordPress or Drupal website.

    2. tony2heads

      Physical access - game over

      Once you have physical access you can screw pretty much any system.

      If there is no remote exploit I feel OK to indulge over Christmas

      1. Michael Wojcik Silver badge

        Re: Physical access - game over

        Once you have physical access you can screw pretty much any system.

        That's a terribly simplistic threat model. Of course, it's often a useful threat model, since the guidance it provides - increase physical security until the work factor for gaining physical access is greater than the estimated reward to an attacker - is straightforward and in many cases relatively easy and inexpensive to provide.

        But where physical access has to be included in the threat model, there are a great many possible mitigation steps that increase the work factor for an attacker with such access. Just throwing up your hands and saying "game over" in such a situation would be lazy and unethical.

        For one thing, "physical access" is not well-defined. If it's taken to mean "in the same room as the server" - a common insider threat - then the machine can still be physically secured to make removal harder, the case locked closed, ports sealed, etc. Surveillance can increase the counter-threat for the attacker and so the attack cost. Disk encryption, as Charles mentioned above, prunes some attack branches (or makes them far more expensive), such as stealing the disks or rebooting. TPMs and other tamper-resistant security modules can also make booting and other extraordinary actions more difficult.

        Security is never an absolute condition, and anyone who treats a broad class of situations (such as physical access) as an absolute security situation should not be in charge of security. Any security evaluation should be justified by reference to a threat model.

  5. This post has been deleted by its author

  6. Anonymous Coward

    Bloody hell

    ...on my one user notebook I am in wheel group and use sudo - I am VULNERABLE

  7. Jim 59

    did I miss something?

    If you read the alertlogic page, it seems to be saying that anybody in group wheel can run sudo. Therefore, the wheel group user could potentially alter the configuration of polkit in a way that would give them full root rights.

    I agree with Red Hat, it would seem to be expected behavior. Indeed, the default sudoers on RHEL 6.6 would allow anyone in group 'wheel' to become root just by typing sudo su -, a well known feature, and no messing with polkit.

    1. admiraljkb

      Re: did I miss something?

      @Jim 59 - you didn't miss anything. The vulnerability is limited to users that could already utilize it. With that said, if an application got fired off with that user's rights and then escalated, then we might have a problem. :) As always on servers (regardless of OS), if you are on the physical console (or virtual physical for vm's), you should have a good reason for doing so.

      Net takeaway - be sensible in your assigning of sudo rights, and be sensible in how you access your servers. That is nothing new to seasoned sysadmins.

  8. Col_Panek

    We'll have to lock our doors now so hackers can't walk in? Thanks for the tip.

    1. petur

      "We'll have to lock our doors now so hackers can't walk in? Thanks for the tip."

      nah, just your windows

  9. Rick Giles

    Me thinks

    The author of the story just might be a Wintard... But I'll have to check.

    Linux *will* rule the world. Someday.

    1. sandman

      Re: Me thinks

      It'll be used to operate the commercial fusion powerplants ;-)

    2. Anonymous Coward

      Re: Me thinks

      "Linux *will* rule the world. Someday."

      It does already - millions of TV Box sets, SOHO routers, embedded devices etc.

      The problem is, serious stuff (ATM's, CNC/CMM software, medical software etc. et al, and of course businesses) still are stuck on the MS stuff.

      1. Chemist

        Re: Me thinks

        "It does already - millions of TV Box sets, SOHO routers, embedded devices etc."

        And, of course, a VAST army of servers Google/Amazon etc. Even Skype

  10. phil dude

    total bollocks....

    It is like saying "if you leave the keys in the ignition of your car, someone may drive it away without your permission."

    sudo is a loaded gun for the amateur.

    There is an EXCELLENT article from linux journal about configuring systems to run without root being needed for just about everything.

    Ubuntu is for the playgroup crowd and comes with sudo for everything.

    Again I say it, with COW a lot of problems go away.

    Linux has snapper for admins too.

    A round of the news. Total bollocks article where configuration option is promoted as FUD.

    The BASH one, however, was very, very clever....!

    P.

  11. Steve Graham

    What is polkit for?

    I don't have polkit on any of my systems. My cursory exposure to it suggested that it merely replicates functionality from more proven and battle-hardened software which I already have.

    Am I wrong?

    1. Anonymous Coward

      Re: What is polkit for?

      I think polkit was developed much in the MS style (like systemd) so that users on the system don't need to *think* to be able to do anything, i.e. enabling normal users to do admin jobs (that they shouldn't be allowed to do anyway without a bit of knowledge).

      It's called the London Screwdriver.

    2. Havin_it

      Re: What is polkit for?

      I'm not certain, but anecdotally its main functions on my machine appear to be making user mounts an utter crap-shoot from one "upgrade" to the next, and ensuring that I have to enter my root password and wifi passphrase at least three times each whenever the signal hiccups.

  12. Will Godfrey Silver badge

    Curious

    With a few notable exceptions, the 'vulnerabilities' we hear about these days all seem to require physical access and/or already elevated privileges.

  13. sisk

    "Vulnerability"???

    Er.....what's the point of privilege escalation for a wheel user sitting at the machine? Wouldn't such a user just modify /etc/sudoers to grant themselves elevated privileges? Assuming they didn't already have the ability to do whatever they're trying that is.

    1. Havin_it

      Re: "Vulnerability"???

      Members of wheel can't modify sudoers on my systems, is that normal?

  14. Henry Wertz 1 Gold badge

    I agree with Redhat

    I agree with Redhat's assessment. The wheel group is meant to be given only to users who are expected to have root access to the system. I.e. you give it to admins, not every user on the system. So, this particular package installer permits wheel-group users, if and only if they are logged into the physical console, to install packages without asking for a password. It's like being surprised that a Windows user who has been added to the Administrator group can perform Administrator activities; not particularly a surprise at all.
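The "wheel member at the physical console" condition that Jim 59 and Henry Wertz describe is exactly the kind of thing a polkit rule decides on. The following is an added illustration, not code from the thread, from polkit or from PackageKit: a small stand-in for polkit's JavaScript rule engine (the `.rules` style of polkit 0.106 and later) with a constructed lax rule next to a hardened one, so the console-versus-SSH difference and the fix are visible side by side. The action id and both rules are assumptions for illustration, not the distributions' shipped defaults.

```javascript
// Added example (not from the thread, polkit or PackageKit): a tiny stand-in for
// polkit's JavaScript rule engine, used to show how "wheel member in a local,
// active session" changes the decision. Action id and rules are constructed.

const Result = { YES: "yes", NO: "no", AUTH_ADMIN: "auth_admin",
                 AUTH_ADMIN_KEEP: "auth_admin_keep" };
const PKG_INSTALL = "org.freedesktop.packagekit.package-install"; // assumed id

// Real polkit hands each rule an `action` and a `subject`; the subject exposes
// isInGroup() plus `local` (seat/console session) and `active` flags.
function makeSubject(user, groups, local, active) {
  return { user, local, active, isInGroup: (g) => groups.includes(g) };
}

// polkit runs rules in order and stops at the first one that returns a value;
// returning undefined means "not handled" and falls through to the .policy file.
function evaluate(rules, actionId, subject) {
  for (const rule of rules) {
    const r = rule({ id: actionId }, subject);
    if (r !== undefined) return r;
  }
  return "policy-default";
}

// The lax arrangement the thread argues about: a wheel member in a local,
// active session installs packages with no password, while the same user
// over SSH is prompted for admin authentication.
function laxRule(action, subject) {
  if (action.id !== PKG_INSTALL || !subject.isInGroup("wheel")) return undefined;
  return (subject.local && subject.active) ? Result.YES : Result.AUTH_ADMIN;
}

// Hardened rule: no console exemption. Wheel members always re-authenticate
// as admin; the _KEEP variant caches that authorisation briefly.
function strictRule(action, subject) {
  if (action.id !== PKG_INSTALL || !subject.isInGroup("wheel")) return undefined;
  return Result.AUTH_ADMIN_KEEP;
}

// Constructed subjects: one wheel user at the console and over SSH, plus a
// non-wheel user who falls through to the policy default under either rule.
const consoleWheel = makeSubject("alice", ["alice", "wheel"], true, true);
const sshWheel     = makeSubject("alice", ["alice", "wheel"], false, true);
const consoleUser  = makeSubject("bob",   ["bob"],            true, true);

// Decisions for [consoleWheel, sshWheel, consoleUser] under a given rule.
function decisions(rule) {
  return [consoleWheel, sshWheel, consoleUser]
    .map((s) => evaluate([rule], PKG_INSTALL, s));
}
```

Under `laxRule` the console session gets `yes` and the SSH session `auth_admin`, which is the behaviour the thread describes; under `strictRule` both get `auth_admin_keep`, so console access on its own no longer buys a password-free install.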
