Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 139354 - net-misc/tor: non-root users should not own CHROOTDIR
Summary: net-misc/tor: non-root users should not own CHROOTDIR
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gustavo Felisberto (RETIRED)
URL:
Whiteboard: A?
Keywords:
Depends on:
Blocks:
 
Reported: 2006-07-05 11:53 UTC by Hank Leininger
Modified: 2006-10-22 09:07 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Hank Leininger 2006-07-05 11:53:15 UTC 
emerge --version  (I doubt you need full --info output)

Portage 2.1.1_pre2-r2 (default-linux/amd64/2006.0, gcc-4.1.1/amd64-hardened, glibc-2.4-r3, 2.6.16-hardened-r7 x86_64)

After a fresh emerge bind (bind-9.3.2-r1), setting CHROOT in
/etc/conf.d/named, and running emerge --config (as documented in
bind's ebuild), I end up with:

  drwx------ 5 named named 4096 Jul  5 11:56 /var/chroot/named

This is a bad, bad idea.  By user named owning that dir, it will own /
in its chroot.  User named can then easily move the existing subdirs
out of the way and create new ones containing trojaned config files,
etc.  So, breaking BIND and getting access to user named, is likely
just one restart of named away from breaking root (it's actually worse
with this chroot setup, than if one were running bind without chroot).
    
Proper ownership/permissions would be something like root:named,
mode 750.

It looks like there are some other ebuilds that know how to do
their own chroot-dir setup; I don't know if they make a similar
mistake.  I did a quick grep to find other possibly similarly-
done packages, and then did an emerge; configure chroot; check
ownership:

  # find /usr/portage -name \*.ebuild | \
      xargs egrep -l 'CHROOT.*/etc/conf.d/' | \
      cut -d/ -f4,5 | sort -u

  net-dns/bind               # named:named mode 700; bad
  net-misc/dhcp              # root:root mode 755; OK
  net-misc/ip-sentinel       # root:root mode 755; OK [1]
  net-misc/tor               # tor:tor mode 700; bad [2]

I didn't look at these ebuilds too closely to see what's
different about their chroot-setup code, or at their
revision histories to see which may have copied code from
which, where the bug was introduced and/or fixed, etc.

[1] Added ~amd64 to KEYWORDS to test on this box.
[2] Most recent tor ebuild doesn't support chroot; had to
    install one rev back.
    
Thanks,
    
Hank Leininger <hlein@korelogic.com>
Comment 1 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-07-06 02:15:44 UTC 
> This is a bad, bad idea.  By user named owning that dir, it will own /
> in its chroot.  User named can then easily move the existing subdirs
> out of the way and create new ones containing trojaned config files,
> etc.  So, breaking BIND and getting access to user named, is likely
> just one restart of named away from breaking root (it's actually worse
> with this chroot setup, than if one were running bind without chroot).


So, if bind is remotely compromised, the user named can inject troyan inside its own chroot, thus compromising bind again ?
The question is : is there a way to elevate privileges outside of the chroot ?
Comment 2 Tavis Ormandy (RETIRED) gentoo-dev 2006-07-30 09:18:57 UTC 
and the answer is no :)

I dont consider this a security bug, if you compromise the service you can already patch the process to do whatever you want, but you cant break out of the chroot. Nevertheless, I would agree that this is a configuration error, so reassigning to the owners.
Comment 3 Konstantin Arkhipov (RETIRED) gentoo-dev 2006-07-30 15:37:18 UTC 
fixed net-dns/bind - 9.2.6-r3 and 9.3.2-r3.

reassigning to humpback for net-misc/tor.
Comment 4 Gustavo Felisberto (RETIRED) gentoo-dev 2006-10-22 09:07:09 UTC 
Fixed tor-0.1.0.18-r1.