Shawn, While this fixes the symptom, I think that this is actually a systemd bug as well. Libvirt handles incorrect UID entries correctly.
https://bugzilla.redhat.com/show_bug.cgi?id=1657021 The error handling in the authorization stack probably needs to be analyzed. On Thu, Dec 6, 2018 at 2:23 PM Shawn Wells <[email protected]> wrote: > > > On 12/6/18 2:20 PM, Shawn Wells wrote: > > > > On 12/6/18 2:18 PM, Shawn Wells wrote: > > > > On 12/6/18 2:13 PM, Trevor Vaughan wrote: > > On a related note to pkexec, anyone know how to mitigate this? > > https://thehackernews.com/2018/12/linux-user-privilege-policykit.html > > https://access.redhat.com/security/cve/cve-2018-19788 > > "Do not allow negative UIDs or UIDs greater than 2147483646." > > ....... which is weird, since patches were upstream: > - > https://gitlab.freedesktop.org/zbyszek/polkit/commit/fbaab32cb4ed9ed5f1e3eea6cd317d443aa427dc > - > https://gitlab.freedesktop.org/zbyszek/polkit/commit/7c8c3abdedbb991a69bc5f1ab0f96576958b55de > > I'll ask around on the RHEL product security team to see what's up. > > > If anyone wants to follow along: > https://bugzilla.redhat.com/show_bug.cgi?id=1655925 > > > update: RHEL7 patch currently going through QA and should be released > shortly. > _______________________________________________ > scap-security-guide mailing list -- > [email protected] > To unsubscribe send an email to > [email protected] > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedorahosted.org/archives/list/[email protected] > -- Trevor Vaughan Vice President, Onyx Point, Inc (410) 541-6699 x788 -- This account not approved for unencrypted proprietary information --
_______________________________________________ scap-security-guide mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
