Documentation: Inform people that anon can su to root by default
\0 pointed out that this is not mentioned anywhere, technically making
it a "local privilege escalation" bug.

This patch adds it to the documentation, and I've also paid out the
first $5 bounty to the "Kiwis for Kiwi" charity as per \0's request!

http://serenityos.org/bounty/kiwis4kiwi.png
awesomekling committed Mar 30, 2020
1 parent 06aec96 commit ec91d2e
Showing 1 changed file with 3 additions and 0 deletions.
3 changes: 3 additions & 0 deletions Documentation/BuildInstructions.md
Expand Up @@ -60,6 +60,9 @@ Once you've built the toolchain, go into the `Kernel/` directory, then run
**./makeall.sh**, and if nothing breaks too much, take it for a spin by using
**./run**.

Note that the `anon` user is able to become `root` without password by default, as a development convenience.
To prevent this, remove `anon` from the `wheel` group and he will no longer be able to run `/bin/su`.

Bare curious users may even consider sourcing suitable hardware to [install Serenity on a physical PC.](https://github.com/SerenityOS/serenity/blob/master/INSTALL.md)

Later on, when you `git pull` to get the latest changes, there's no need to rebuild the toolchain. You can simply rerun **./makeall.sh** in the `Kernel/` directory and you'll be good to **./run** again.
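
Review bot: In the two added lines, the mitigation ("remove `anon` from the `wheel` group") does not say where group membership is defined or whether the change has to be made before the disk image is built, so a reader cannot act on it from this text alone; name the file to edit and when to edit it. The note also sits directly above the pointer to INSTALL.md for physical hardware, which is where a passwordless path to `root` matters most, so it is worth repeating it there or linking back to this paragraph. On wording, "without password" should read "without a password", and "he will no longer be able to" reads better as "that account will no longer be able to".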