When using lighttpd, rt has an init script that takes ownership of /var/www/localhost/rt-*/var:

    start() {
        checkpath -d "${RTPATH}/var" -m 0755 -o "${RTUSER}:${RTGROUP}"

A little bit later, it calls chmod on "appSocket", contained in that path:

    FCGI_SOCKET_PATH=${RTPATH}/var/appSocket
    ...
    if [ -a ${FCGI_SOCKET_PATH} ]; then
        chmod g+rwx ${FCGI_SOCKET_PATH}
        eend 0
    else

Since ${FCGI_SOCKET_PATH} lives in a directory owned by ${RTUSER}, he can replace "appSocket" with a symlink to any path on the system. When the "chmod" above is reached, it will affect the target of the symlink, and make it group-readable/writable. (To overwrite the "real" socket, you can ln -sf in a loop.)

That can be used to grant root privileges to other groups on the system. For example, my /etc/portage is owned by root:portage, and making it group-writable gives the portage group root on the system.
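An added example, not code from the bug report or from the Gentoo initscript: the existence check as the script wrote it beside a hardened check that refuses symlinks before touching the path. Function names and the paths used in the comments are assumed for illustration.

```shell
# The initscript's pattern: "-a" (a bash synonym for -e, used here) only asks
# whether *something* exists at the path, so a symlink planted there by the
# service user passes the test and chmod follows it to the link's target.
vulnerable_fix_socket_perms() {
    sock="$1"
    if [ -e "$sock" ]; then
        chmod g+rwx "$sock"
    fi
}

# Hardened pattern: -L is the one test that does NOT dereference, so it must
# come first; "-S link-to-socket" alone is still true, which is why changing
# the test to "-S" by itself is not enough. Returns non-zero and performs no
# chmod on anything that is not a plain socket.
#
# Caveat: the test and the chmod are still two separate syscalls, so a window
# remains for a user who owns the directory; that is why the real resolution
# was to stop chmod-ing from the initscript and let the web server own the
# socket, as upstream recommends.
safe_fix_socket_perms() {
    sock="$1"
    if [ -L "$sock" ]; then
        echo "refusing: $sock is a symlink" >&2
        return 1
    fi
    if [ ! -S "$sock" ]; then
        echo "refusing: $sock is not a socket" >&2
        return 1
    fi
    chmod g+rwx "$sock"
}
```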
Created attachment 516788: rt.init.d-r3

Sorry for the huge delay on this. I'm pretty sure just changing the test from "if it exists" to "if it's a socket" will do the trick. The initscript also needed some additional cleanups.
Actually, this whole thing doesn't work, and upstream's recommendation is to let the web server handle it.
Initscript removed with:

    commit 935b1fda4c552a223ea23a8bc405571c0743c375
    Author: Aaron W. Swenson <titanofold@gentoo.org>
    Date:   Fri Jan 26 12:02:47 2018 -0500

        www-apps/rt: Cleanup old and insecure

        Bug: https://bugs.gentoo.org/603328
        Bug: https://bugs.gentoo.org/626196
        Package-Manager: Portage-2.3.19, Repoman-2.3.6
@security-audit: Ping. Can we close this now? The initscript is no longer installed. It's been resolved for 18 months.
Unrestricting and reassigning to security@ per bug #705894
unrestricting per bug 705894
(In reply to Aaron W. Swenson from comment #4)
> @security-audit: Ping.
>
> Can we close this now? The initscript is no longer installed. It's been
> resolved for 18 months.

Yep.