net-vpn/peervpn installs its configuration directory owned by the "peervpn" user:

    fowners ${PN}:${PN} /etc/${PN}

The configuration file /etc/peervpn/peervpn.conf might be owned by root:root, but since the parent directory is owned by the "peervpn" user, he can simply replace it. And the peervpn.conf file contains some sensitive settings:

    ## Option: upcmd <command>
    ## Description: Defines a shell command that will be executed after
    ##              the TAP device has been opened.
    ## Example: upcmd echo virtual interface is up
    #upcmd echo virtual interface is up

    ...

    ## Option: enableprivdrop <yes|no>
    ## Description: If enabled, the PeerVPN process will automatically
    ##              try to drop its privileges after finishing its
    ##              initialization. If a certain configuration is
    ##              desired, the options "user", "group" and "chroot"
    ##              should be set too.
    ## Example: enableprivdrop yes
    #enableprivdrop yes

A clever "peervpn" user can replace your configuration file with a modified one that abuses those two settings to run an arbitrary command as root the next time you start the service. Specifically:

    enableprivdrop no
    upcmd do-my-bidding.sh
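The point of the report is that file ownership alone says nothing about who can replace a file: whoever has write access to any ancestor directory can rename or unlink the entry and drop a new one in its place, so a root:root peervpn.conf inside a peervpn-owned /etc/peervpn is still attacker-controlled. The following is an added example (not code from this bug or from the PeerVPN project) of the audit check a packager or sysadmin would run: walk from the target file up to the root and report the first path component the given uid could replace, honouring the sticky bit, which only lets a user remove entries they own. The uid/gid 1000 for the "peervpn" account, the constructed in-memory filesystem layouts and the `fake_lookup` helper are assumptions made for the demonstration; `os_lookup` is the drop-in for the real filesystem.

```python
import os
import stat
from typing import Callable, NamedTuple, Optional, Set


class Owner(NamedTuple):
    """Ownership and mode of one path, as returned by stat()."""
    uid: int
    gid: int
    mode: int  # full st_mode, including file-type bits and the sticky bit


Lookup = Callable[[str], Owner]


def os_lookup(path: str) -> Owner:
    """Real-filesystem lookup (not exercised by the constructed demo below)."""
    st = os.stat(path)
    return Owner(st.st_uid, st.st_gid, st.st_mode)


def fake_lookup(fs: dict) -> Lookup:
    """Build a lookup over a constructed path -> Owner table (demo/test only)."""
    return lambda path: fs[path]


def _dir_writable_by(st: Owner, uid: int, gids: Set[int]) -> bool:
    """Can uid create/rename/unlink entries in this directory (write + search)?"""
    if uid == 0:
        return True
    if st.uid == uid:
        need = stat.S_IWUSR | stat.S_IXUSR
    elif st.gid in gids:
        need = stat.S_IWGRP | stat.S_IXGRP
    else:
        need = stat.S_IWOTH | stat.S_IXOTH
    return st.mode & need == need


def replaceable_by(path: str, uid: int, gids: Set[int], lookup: Lookup = os_lookup) -> Optional[str]:
    """Return the first path component (from the file upward) that `uid` could
    rename or unlink, i.e. the point at which the whole subtree below it can be
    swapped for attacker-controlled content. None means the file is safe from uid.
    """
    child = os.path.abspath(path)
    parent = os.path.dirname(child)
    while child != parent:  # stop once we have checked "/"
        pst = lookup(parent)
        if _dir_writable_by(pst, uid, gids):
            # Sticky directory: an entry may only be removed/renamed by the
            # owner of the entry or the owner of the directory (or root).
            sticky_blocks = (
                pst.mode & stat.S_ISVTX
                and uid != 0
                and pst.uid != uid
                and lookup(child).uid != uid
            )
            if not sticky_blocks:
                return child
        child, parent = parent, os.path.dirname(parent)
    return None


# Constructed layouts (assumed uid/gid 1000 for the peervpn account).
PEERVPN_UID = 1000
D = stat.S_IFDIR
F = stat.S_IFREG

# As installed by the ebuild in the report: /etc/peervpn is peervpn:peervpn.
VULNERABLE_FS = {
    "/":                          Owner(0, 0, D | 0o755),
    "/etc":                       Owner(0, 0, D | 0o755),
    "/etc/peervpn":               Owner(PEERVPN_UID, PEERVPN_UID, D | 0o755),
    "/etc/peervpn/peervpn.conf":  Owner(0, 0, F | 0o644),
}

# The hardened layout (assumption: config dir owned by root, file still root:root).
FIXED_FS = {
    "/":                          Owner(0, 0, D | 0o755),
    "/etc":                       Owner(0, 0, D | 0o755),
    "/etc/peervpn":               Owner(0, 0, D | 0o755),
    "/etc/peervpn/peervpn.conf":  Owner(0, 0, F | 0o644),
}

# A sticky world-writable directory, to show the bit is honoured.
STICKY_FS = {
    "/":          Owner(0, 0, D | 0o755),
    "/tmp":       Owner(0, 0, D | 0o1777),
    "/tmp/root":  Owner(0, 0, F | 0o644),            # owned by root: not replaceable
    "/tmp/mine":  Owner(PEERVPN_UID, PEERVPN_UID, F | 0o644),  # own entry: replaceable
}


def audit(fs: dict, path: str, uid: int = PEERVPN_UID) -> Optional[str]:
    """Convenience wrapper used by the demo: who-can-replace check over a constructed fs."""
    return replaceable_by(path, uid, {uid}, fake_lookup(fs))


if __name__ == "__main__":
    for name, fs, p in (("vulnerable", VULNERABLE_FS, "/etc/peervpn/peervpn.conf"),
                        ("fixed", FIXED_FS, "/etc/peervpn/peervpn.conf"),
                        ("sticky/root-owned", STICKY_FS, "/tmp/root"),
                        ("sticky/own", STICKY_FS, "/tmp/mine")):
        print(f"{name:18} uid {PEERVPN_UID} can replace: {audit(fs, p)}")
```

Against a live system, call `replaceable_by("/etc/peervpn/peervpn.conf", uid, set(os.getgrouplist(...)) or the account's group ids)` with the default `os_lookup`; a non-None result names exactly the component an unprivileged service account could swap out before the next `rc-service peervpn start`, which is the condition the report describes.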
Fixed in 0.044-r4: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fe0d13da698c205e0d71eff7c1fb5ef12b3b83ca There are no older versions to remove.