The /usr/bin/asd program installed by dev-db/aerospike-server-community is owned by the "aerospike" user:

  -rwxr-xr-x 1 aerospike aerospike 2.8M 2017-08-30 21:33 /usr/bin/asd

That's in root's PATH, and it could conceivably be run as root during testing or debugging. If that ever happens, it's trivial for the "aerospike" user to gain root. Instead, that executable should probably be root:root.
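An audit for the condition described in this report, as an added example that is not part of the bug thread or of any Gentoo tool: it lists executables in a PATH-style directory list whose owner is not the trusted uid (root by default). The function name audit_path_owners is hypothetical, and GNU find is assumed.

```shell
#!/bin/sh
# Added example (not from the bug report): flag executables in a
# colon-separated directory list that are not owned by a trusted uid.
# audit_path_owners is a hypothetical helper name; GNU find is assumed.
#
#   $1  colon-separated directory list, e.g. root's PATH
#   $2  trusted owner uid (default 0, i.e. root)
#
# The body runs in a subshell "( ... )" so the IFS and noglob changes
# never leak into the caller.
audit_path_owners() (
    trusted_uid=${2:-0}
    IFS=:      # split the list on colons
    set -f     # do not glob-expand directory names while splitting
    for dir in $1; do
        # Skip empty or missing entries instead of failing on them.
        [ -d "$dir" ] || continue
        # Regular files directly in $dir with any execute bit set whose
        # owner uid differs from the trusted one; ls -ld prints the same
        # kind of line quoted in the report.
        find "$dir" -maxdepth 1 -type f -perm /111 \
            ! -uid "$trusted_uid" -exec ls -ld {} +
    done
)

# Audit the current PATH; run this from a root shell to check root's PATH.
audit_path_owners "$PATH" || true
```

Any line printed is a file whose owner could swap in different contents before root next runs it.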
Is this a Gentoo-specific issue? It may be good to report upstream about this.

Gentoo Security Padawan
ChrisADR
The ebuild does,

  fowners aerospike:aerospike /usr/bin/asd

so it's probably not upstream. If /usr/bin/asd is still owned by a non-root user after deleting that line, then we can blame upstream.
This should be a pretty easy issue to fix within two years =P
ping...
Package was treecleaned:

commit 7a467253e33c4cd9d4b65cd6fb088fa69952b115
Author: Michał Górny <mgorny@gentoo.org>
Date:   Tue Jan 19 09:37:19 2021 +0100

    dev-db/aerospike-server-community: Remove last-rited pkg

    Bug: https://bugs.gentoo.org/736050
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

All versions unstable so all done here.