Linux grinch

lexon

Linux grinch

Post by lexon »

Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 1 time in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.
karlchen
Level 23
Posts: 18211
Joined: Sat Dec 31, 2011 7:21 am
Location: Germany

Re: Linux grinch

Post by karlchen »

Hm, might be one more of the articles designed to get public attention and to feed the kind of paranoia which is caused by lack of knowledge.
Lots of words, but very little hard facts, this article has.
By the way, on Ubuntu 14.04 there is no user group "wheel" to which all user accounts will be added. And no user group "wheel" is mentioned in the /etc/sudoers file.
And before anyone asks: there is no other group taking the role of "wheel".
I would not be amazed if the whole story ended like the Grinch movie: what started as a monster in the end turns out to be a nice chap.

To make one thing clear:
I do not consider Linux inherently secure, just because it is Linux and not Windows. This is nonsense. But nonetheless, computer magazines like PCWorld might be more interested in lurid stories which increase the print-run. I would not consider them as first class security experts.
The people of Alderaan have been bravely fighting back the clone warriors sent out by the unscrupulous Sith Lord Palpatine for 771 days now.
Lifeline
r00t

Re: Linux grinch

Post by r00t »

Might I add that Linux Mint doesn't have the wheel group either. However, there is an 'admin' group that works similar to wheel. But Android does not have either of these groups, as far as I know. As for it being called a "vulnerability," that is nonsense. Use a good password, and don't set anything up to 'auto login.' cough cough
.... which can inadvertently allow privilege escalation ....
'inadvertently' apparently means "on purpose" these days. Either that, or PCWorld didn't do their homework. Adding such a group is by design, allowing the system administrator to easily manage who can run as root or not.

Like the so-called "Shellshock" it was given a name only so people can make a big deal about it. Shellshock only affected people who were running things like webservers (with poorly checked CGI scripts), or broken DHCP servers. What average user runs a webserver? Shellshock only takes into effect after post-auth SSH wise. If the attacker has already authenticated and logged in successfully, you have bigger problems than Shellshock. As for this latest scare, again, this wheel group is by design. It might be called something else in Ubuntu/Linux Mint, but the idea is the same: Allows for easy managing of administrators.

Have a good password, don't do anything stupid like let an admin account auto-login, and the most important thing: Use common sense.
lexon

Re: Linux grinch

Post by lexon »

Yeah. Quite wordy.
Similar to watching weather reports today.
I have been using Linux since 2003 and no issues with security.
l
xenopeek
Level 25
Posts: 29597
Joined: Wed Jul 06, 2011 3:58 am

Re: Linux grinch

Post by xenopeek »

Red Hat's knowledge base article on this is an informative read: https://access.redhat.com/articles/1298913

eWeek's article on this is a better summary than what OP linked to: http://www.eweek.com/security/the-grinc ... linux.html

What I took from it:

Local administrators, which on Linux is commonly somebody who's a member of the wheel group (on Ubuntu and Linux Mint wheel isn't used, instead groups like admin and sudo are used for the same), if so configured, can use pkcon to install packages without requiring their password if they are physically present at a server--meaning they are using the server's keyboard. If they are logged in through a remote connection, like SSH, this doesn't work. To be clear, pkcon is designed to work this way.

The author alleges that with pkcon a person with malicious intent could install a package from the repositories with this, and if the person knows one of those packages to have a security vulnerability they could exploit that to gain further control over a server. That is, if this person has local administrator access to a server and has physical access to the server's keyboard.
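Added example, not part of any post in this thread: a small audit that lists which accounts are in the administrative groups named above (wheel, admin, sudo), counting both supplementary membership in the group file and primary membership through the gid in the passwd file. The function name `admin_members` and the sample accounts are made up for illustration.

```shell
#!/bin/sh
# admin_members [group_file] [passwd_file]
# Prints "user:group" for every account in wheel, admin or sudo.
# Defaults to the system files; the group list is the one named in the thread.
admin_members() {
    group_file=${1:-/etc/group}
    passwd_file=${2:-/etc/passwd}
    awk -F: -v groups="wheel admin sudo" '
        BEGIN { n = split(groups, g, " "); for (i = 1; i <= n; i++) want[g[i]] = 1 }
        # First file, group entries: name:passwd:gid:member,member
        FNR == NR {
            if ($1 in want) {
                gid2name[$3] = $1          # remember gid for the passwd pass
                m = split($4, members, ",")
                for (i = 1; i <= m; i++)
                    if (members[i] != "") print members[i] ":" $1
            }
            next
        }
        # Second file, passwd entries: name:passwd:uid:gid:...
        # Catches accounts whose PRIMARY group is an admin group; these
        # do not show up in the member list of the group file.
        ($4 in gid2name) { print $1 ":" gid2name[$4] }
    ' "$group_file" "$passwd_file" | sort -u
}

# Constructed sample data (not from a real system) so the block runs anywhere.
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'sudo:x:27:alice,bob' 'admin:x:110:' \
                  'wheel:x:10:carol' 'users:x:100:dave' > "$d/group"
    printf '%s\n' 'alice:x:1000:1000::/home/alice:/bin/sh' \
                  'erin:x:1001:110::/home/erin:/bin/sh' \
                  'dave:x:1002:100::/home/dave:/bin/sh' > "$d/passwd"
    admin_members "$d/group" "$d/passwd"
    rm -rf "$d"
}
demo
```

Called without arguments, `admin_members` reads /etc/group and /etc/passwd on the machine it runs on.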
karlchen

Re: Linux grinch

Post by karlchen »

Almost at the same time that the 'grinch' story came up, a real security vulnerability was detected in Redhat kernel 3.10.x. The CVE no. is CVE-2014-9322.
Redhat seems to have provided a kernel patch fixing CVE-2013-9322 already.

Checked the relevant Ubuntu pages:
+ http://www.ubuntu.com/usn/usn-2446-1/ (Ubuntu 14.04 - Mint 17 & Mint 17.1, K3.13.0-43.72)
+ http://www.ubuntu.com/usn/usn-2443-1/ (Ubuntu 12.04 - Mint 13, K3.2.0-74.109)

They do not mention CVE-2014-9322. I am not sure whether this means both kernel series are not affected or whether it means we may expect new kernel security fixes soon.

Karl
xenopeek

Re: Linux grinch

Post by xenopeek »

All kernels before 3.17.5 would appear to be affected: http://www.cvedetails.com/cve/CVE-2014-9322/

On Fedora CVE-2013-9322 has been fixed by the fix for CVE-2014-9090; that CVE is mentioned as fixed in the USNs you reference.

(Aren't I happy to run 3.17.6 :))
karlchen

Re: Linux grinch

Post by karlchen »

Hm, I have not checked whether CVE-2014-9090 might mention CVE-2013-9322, I admit. :oops:
I'm pretty confident that one or two bugs will be found in the kernel 3.17.6 and above soon. :wink:
WinterTroubles

Re: Linux grinch

Post by WinterTroubles »

Taken from here http://www.techworm.net/2014/12/privile ... -9322.html
Lutomirski has stated that the fix which was released for CVE-2014-9090 also patches CVE-2014-9322
karlchen

Re: Linux grinch

Post by karlchen »

Oh great! The Grinch turned out to be a harmless grumbler. And my kernels have already been patched! One sleepless night less! :D
DrHu

Re: Linux grinch

Post by DrHu »

You could either add other groups, say installer, maintenance or some grouping that makes sense and edit /etc/sudoers to control such groups
--since sudoers are logged you would get some info on their activities
http://linuxpoison.blogspot.ca/2008/12/ ... rs-to.html
---or you could make a wheel group, but understanding that it is just another groupname that you can define

They don't mention Windows in the security link, but one of the Windows OS advantages over Linux OS is the more finely grained ACL (access control lists), as compared to Linux POSIX ACL
15 attributes vs 12
--so Windows has some access or user control advantage for permissions to folders and files..
  • Although for a home user with few others on their systems, the Linux UGO (UserGroupOther) is sufficient..
Ph0z3

Re: Linux grinch

Post by Ph0z3 »

is this RHEL only or all of *nix ??
excollier
Level 4
Posts: 455
Joined: Mon Oct 01, 2012 3:31 pm
Location: Donegal, Ireland

Re: Linux grinch

Post by excollier »

Would be poetic if it only affected RHEL.....
Registered Linux user #557695
MX Linux user these days - I introduce newbies via Mint
karlchen

Re: Linux grinch

Post by karlchen »

excollier wrote: Would be poetic if it only affected RHEL.....
The Grinch as everybody will know who has read this thread carefully is/was a Redhat only story.
The kernel bugs having been assigned the number CVE-2014-9090 and CVE-2014-9322 affect all Linux kernels older than K3.17.6.
Ubuntu and hence Mint, too, have fixed both kernel bugs by fixing CVE-2014-9090. Patched kernels are 3.2.0-74(109) and 3.13.0-43(72).
The Grinch and the kernel bugs are unrelated, but happened to be detected roundabout the same time.

Karl
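Added example, not part of any post in this thread: a check of a kernel version string against the fixed versions quoted in the last post (3.2.0-74.109, 3.13.0-43.72, and 3.17.6 for unpatched upstream kernels). The function names are made up; the input is assumed to be the kernel package version in the dotted form the USNs use, and any other distribution build is reported as `unknown` because vendors backport fixes without changing the base version.

```shell
#!/bin/sh
# version_lt A B: true when A sorts strictly before B (version sort, sort -V).
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# kernel_status VERSION: prints patched, affected or unknown for
# CVE-2014-9090 / CVE-2014-9322, using only the versions named in the thread.
kernel_status() {
    v=$1
    case $v in
        3.2.0-*)  fixed=3.2.0-74.109 ;;   # Ubuntu 12.04 / Mint 13
        3.13.0-*) fixed=3.13.0-43.72 ;;   # Ubuntu 14.04 / Mint 17 and 17.1
        *-*)      echo unknown; return ;; # other distro build: check the vendor advisory
        *)        fixed=3.17.6 ;;         # plain upstream version
    esac
    if version_lt "$v" "$fixed"; then echo affected; else echo patched; fi
}

# Constructed sample versions, including one vendor build from another series.
for sample in 3.13.0-40.69 3.13.0-43.72 3.2.0-74.109 3.17.5 3.10.0-123.el7; do
    printf '%-16s %s\n' "$sample" "$(kernel_status "$sample")"
done
```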