The init script for spamass-milter grants ownership of its socket directory to the "milter" user:

    checkpath -q -d -o ${SOCKET_USER:-milter}:${SOCKET_GROUP:-milter} \
        -m 0755 ${socketdir}

Later, it calls chown/chmod on its socket file which lives in that directory:

    chown ${SOCKET_USER:-milter}:${SOCKET_GROUP:-milter} ${SOCKET}
    ...
    chmod ${SOCKET_MODE:-664} ${SOCKET}
    ...

The "milter" user can change ${SOCKET} between the time that it is created and the time that chown/chmod are called on it. Thus there is a race condition, and it can be used to gain root on the machine: simply replace ${SOCKET} with a symlink to some place important.

The init script runs

    [ -S ${SOCKET} ... ]

in a loop, so I found it easiest to exploit this by constantly swapping a real socket with a symlink. For example, as the milter user in /var/run/milter,

    while true; do \
      cp -a spamass-milter.sock.bak spamass-milter.sock; \
      ln -sf /home/mjo/foo.txt ./spamass-milter.sock; \
    done;

If I start the spamass-milter service with that running, it changes ownership of /home/mjo/foo.txt to milter:milter and makes it mode 664.

Another reliable way to exploit the chown/chmod is to make your symlink point to a socket. Then the "-S" test will always succeed, so all you have to do is clobber the socket with a symlink repeatedly in a loop.
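The race described in the report exists because the init script resolves ${SOCKET} by path three separate times (the -S test, chown, chmod), and the owner of the directory can change what that path points to in between. The defensive pattern is to resolve the path once, pin the resulting inode with a file descriptor, confirm it really is a socket, and apply ownership and mode through that descriptor. The following is an added example written for this page, not code from the bug report, from spamass-milter or from Gentoo; it is Linux-specific (it relies on O_PATH, fchownat with AT_EMPTY_PATH and the /proc/self/fd magic links) and the demo function creates its own constructed socket, regular file and symlink under a temporary directory in /tmp.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

/* Pin whatever currently sits at `path`, verify that it is a socket, and
 * chown/chmod it through the descriptor.  O_NOFOLLOW stops open() from
 * following a symlink: with O_PATH the descriptor then refers to the link
 * itself, which the S_ISSOCK check below rejects.  Anything swapped into
 * the directory after open() is irrelevant, because the inode is pinned. */
int fix_socket_perms(const char *path, uid_t uid, gid_t gid, mode_t mode)
{
    int fd = open(path, O_PATH | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;

    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISSOCK(st.st_mode)) {
        close(fd);
        errno = ENOTSOCK;            /* symlink, regular file, ...: refuse */
        return -1;
    }

    /* AT_EMPTY_PATH makes fchownat act on the pinned inode, not on a path. */
    if (fchownat(fd, "", uid, gid, AT_EMPTY_PATH) < 0) {
        int e = errno; close(fd); errno = e; return -1;
    }

    /* fchmod() rejects O_PATH descriptors on older kernels; chmod via the
     * /proc magic link resolves to the same pinned inode (the approach glibc
     * itself uses for fchmodat with AT_SYMLINK_NOFOLLOW). */
    char proc[64];
    snprintf(proc, sizeof proc, "/proc/self/fd/%d", fd);
    if (chmod(proc, mode) < 0) {
        int e = errno; close(fd); errno = e; return -1;
    }
    close(fd);
    return 0;
}

/* Constructed demo: a real socket, a plain file and a symlink to that file
 * in a fresh temporary directory.  Returns 0 when the guard behaves as
 * intended; each set bit names a failed expectation. */
int demo_socket_guard(void)
{
    char dir[] = "/tmp/sockguardXXXXXX";
    if (!mkdtemp(dir)) return 1;
    char sock[108], file[108], link[108];
    snprintf(sock, sizeof sock, "%s/s.sock", dir);
    snprintf(file, sizeof file, "%s/plain", dir);
    snprintf(link, sizeof link, "%s/l.sock", dir);

    int sfd = socket(AF_UNIX, SOCK_STREAM, 0);
    struct sockaddr_un sa = { .sun_family = AF_UNIX };
    strncpy(sa.sun_path, sock, sizeof sa.sun_path - 1);
    if (sfd < 0 || bind(sfd, (struct sockaddr *)&sa, sizeof sa) < 0) return 2;

    int ffd = open(file, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (ffd < 0) return 3;
    close(ffd);
    if (symlink(file, link) < 0) return 4;

    int rc = 0;
    struct stat st;
    /* 1. the genuine socket gets the requested mode */
    if (fix_socket_perms(sock, getuid(), getgid(), 0660) != 0) rc |= 1;
    if (lstat(sock, &st) != 0 || (st.st_mode & 0777) != 0660) rc |= 2;
    /* 2. a symlink planted at the socket path is refused; its target keeps 0644 */
    if (fix_socket_perms(link, getuid(), getgid(), 0660) == 0) rc |= 4;
    if (lstat(file, &st) != 0 || (st.st_mode & 0777) != 0644) rc |= 8;
    /* 3. a plain file at the socket path is refused as well */
    if (fix_socket_perms(file, getuid(), getgid(), 0660) == 0) rc |= 16;

    close(sfd); unlink(sock); unlink(file); unlink(link); rmdir(dir);
    return rc;
}

int main(void)
{
    int rc = demo_socket_guard();
    if (rc == 0)
        puts("socket guard OK");
    else
        printf("socket guard FAILED (rc=%d)\n", rc);
    return rc;
}
```

The same idea applies to the init script itself: a shell `[ -S ]` test followed by `chown`/`chmod` by path can never be made race-free while an untrusted user owns the directory, so either the daemon should create the socket with the right ownership and umask, or the directory should not be writable by the service user.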
commit 30a7ed2d867921b830e8f2329519fdb34ab9cb5f
Author: Michał Górny <mgorny@gentoo.org>
Date:   Tue May 28 15:32:15 2019 +0200

    mail-filter/spamass-milter: Remove last-rited pkg

    Bug: https://bugs.gentoo.org/630986
    Signed-off-by: Michał Górny <mgorny@gentoo.org>
unrestricting and re-assigning per bug 705894