From the oss-sec mailing list:
This is not a vulnerability, this is expected behaviour.
This paragraph suggests so many things which are simply wrong, confused,
or irrelevant that I don't know what to make of the rest of the article.
* modern Debian GNU/Linux systems do not have a wheel group at all. No
particular versions or flavors of "Linux system"
* on systems where members of group wheel really do have unrestricted
access to the su command, having wheel in the first place *is* the
vulnerability -- it is a misconfiguration to expect an account to be
non-privileged if it is a member of wheel.
* the last sentence appears to be about setuid/setgid binaries, but
makes no mention that the overwhelming majority of binaries are not
Later on, the post suggests that wheel group membership is related to
It also seems to assume that polkit always permits access for members of
group wheel. I can find no such configuration on a modern Debian system.
I don't think there's anything significant in this ambiguous,
underspecified, and confused report.
Yeah I looked into this (the article/etc was completely confusing and
took some time to parse):
1) the article states they contacted Red Hat, we were unable to find
any inbound email or bugzilla entry pertaining to this issue, as always
if you have an issue you wish to report please contact secalert@...hat.com
2) this is expected behaviour, admin users can install software (do I
have to say this? really? yes. I was told I should say this).
3) don't run web apps as admin users (do I have to say this? really?
yes. I was told I should say this).
4) if you feel the need to run a web app as an admin user restrict what
they can do via SELinux, and don't let them install software (do I have
to say this? really? yes. I was told I should say this).
So TL;DR: it's not a security vulnerability, and it will NOT be getting
I can only assume this article/vuln is perhaps referring to something
like cPanel and other control panels that people sometimes install
insecurely/improperly and then never update. Or something. Who knows.