Bug 629414 - dev-db/aerospike-server-community: system executable owned by non-root user
Summary: dev-db/aerospike-server-community: system executable owned by non-root user
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Deadline: 2021-01-17
Assignee: Gentoo Security
URL:
Whiteboard: ~4 [noglsa]
Keywords: PMASKED
Depends on:
Blocks:
 
Reported: 2017-08-31 01:48 UTC by Michael Orlitzky
Modified: 2021-01-25 19:12 UTC

See Also:
Package list:
Runtime testing required: ---


Description Michael Orlitzky gentoo-dev 2017-08-31 01:48:00 UTC
The /usr/bin/asd program installed by dev-db/aerospike-server-community is owned by the "aerospike" user:

  -rwxr-xr-x 1 aerospike aerospike 2.8M 2017-08-30 21:33 /usr/bin/asd

That's in root's PATH, and it could conceivably be run as root during testing or debugging. If that ever happens, it's trivial for the "aerospike" user to gain root. Instead, that executable should probably be root:root.
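One way to check a system for the condition described in this report: list every executable in root's PATH directories that is not owned by root, or that is group- or world-writable, since either lets an unprivileged account swap in its own binary for root to run. This is an added audit script, not code from the bug or the ebuild; the default directory list is an assumption about a typical root PATH.

```shell
#!/bin/sh
# Audit executables in root's PATH for ownership or permission problems.
# A file like /usr/bin/asd owned by "aerospike" is flagged because that
# user could replace it; root later running it would execute the user's code.
# The remediation for such a finding is chown root:root (and, in an ebuild,
# dropping the fowners line that handed ownership to the service user).

audit_path_execs() {
    # $1: colon-separated directories to scan; the default is an assumed
    # root PATH, not something taken from the bug report.
    dirs=${1:-/sbin:/bin:/usr/sbin:/usr/bin}
    oldifs=$IFS
    IFS=:
    for d in $dirs; do
        IFS=$oldifs
        [ -d "$d" ] || continue
        # Regular files with the owner-execute bit set that are either
        # not owned by root or writable by group/others.  -print gives
        # the path; ls -ld shows owner, group and mode for the report.
        find "$d" -maxdepth 1 -type f -perm -u+x \
            \( ! -user root -o -perm -g+w -o -perm -o+w \) \
            -exec ls -ld {} \;
    done
    IFS=$oldifs
}

# Example invocation; prints nothing on a clean system.
audit_path_execs "$@"
```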
Comment 1 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-10-05 20:28:36 UTC
Is this a Gentoo-specific issue? It may be good to report this upstream.

Gentoo Security Padawan
ChrisADR
Comment 2 Michael Orlitzky gentoo-dev 2017-10-06 02:04:46 UTC
The ebuild does,

  fowners aerospike:aerospike /usr/bin/asd

so it's probably not upstream. If /usr/bin/asd is still owned by a non-root user after deleting that line, then we can blame upstream.
Comment 3 Michael Orlitzky gentoo-dev 2019-09-14 16:25:47 UTC
This should be a pretty easy issue to fix within two years =P
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-20 02:03:25 UTC
ping...
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-01-25 19:12:09 UTC
Package was treecleaned:

commit 7a467253e33c4cd9d4b65cd6fb088fa69952b115
Author: Michał Górny <mgorny@gentoo.org>
Date:   Tue Jan 19 09:37:19 2021 +0100

    dev-db/aerospike-server-community: Remove last-rited pkg

    Bug: https://bugs.gentoo.org/736050
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

All versions unstable so all done here.