Bug 807712 (CVE-2011-4945) - CVE-2011-4945 polkit: Members of 'wheel' group allowed to become root without providing a password
Summary: CVE-2011-4945 polkit: Members of 'wheel' group allowed to become root without...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2011-4945
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 807730
TreeView+ depends on / blocked
 
Reported: 2012-03-28 14:38 UTC by Jan Lieskovsky
Modified: 2019-09-29 12:51 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-03-28 16:54:49 UTC


Attachments (Terms of Use)

Description Jan Lieskovsky 2012-03-28 14:38:36 UTC
Starting from PolicyKit version v0.103 the following upstream change:

http://cgit.freedesktop.org/PolicyKit/commit/?id=763faf434b445c20ae9529100d3ef5290976d0c9

of the default value of AdminIdentities variable of the PolicyKit Local Authority configuration enabled the local users, belonging to the 'wheel' group to be allowed to authenticate, when administrator authentication was needed. A local user, member of the 'wheel' group could use this default policy configuration settings to become privileged user (root) without providing a password. While this change has been applied by the PolicyKit upstream intentionally, some distributions are considering this change to impersonate a security flaw.

References:
[1] https://bugs.gentoo.org/show_bug.cgi?id=401513
[2] http://patch-tracker.debian.org/patch/series/view/policykit-1/0.104-2/05_revert-admin-identities-unix-group-wheel.patch
[3] https://launchpad.net/ubuntu/+source/policykit-1/0.103-1

CVE request:
[4] http://www.openwall.com/lists/oss-security/2012/03/28/1

CVE assignment:
[5] http://www.openwall.com/lists/oss-security/2012/03/28/2

Comment 1 Jan Lieskovsky 2012-03-28 14:40:33 UTC
This issue did NOT affect the version of the polkit package, as shipped with Red Hat Enterprise Linux 6.

--

This issue did NOT affect the versions of the polkit package, as shipped with Fedora release of 15 and 16.

Comment 2 Jan Lieskovsky 2012-03-28 14:45:51 UTC
Statement:


Not vulnerable. This issue did not affect the version of polkit as shipped with Red Hat Enterprise Linux 6 as it did not include the upstream commit 763faf434b445c20ae9529100d3ef5290976d0c9 that introduced this issue.


Note You need to log in before you can comment on or make changes to this bug.