Created attachment 492370: opendkim-2.10.3-r4.ebuild

The opendkim init script gives ownership of its PID file directory to the "milter" user:

    if [ ! -d "${PIDDIR}" ] ; then
        checkpath -q -d -o milter:milter -m 0755 "${PIDDIR}" || return 1
    fi

This can be exploited by the "milter" user to kill root processes, because when you try to stop the service, root will send a SIGTERM to the contents of that PID file (which are under the control of the "milter" user).

I actually use OpenDKIM, so I tried to fix some other issues at the same time. The PID file was actually the easy part: OpenDKIM already creates its PID file as root, so all I had to do there was leave PidFile commented-out in opendkim.conf and force pidfile=/run/${RC_SVCNAME}.pid on the command-line.

Some other things...

1. I fixed bug 425960 by adding "GPL-2" to LICENSE.

2. I changed everything from "milter" to "opendkim" (fixes bug 629888).

3. I tried to update the advice about sharing a socket with your MTA. If you use a KeyTable and SigningTable, OpenDKIM will read them *after* it drops privileges. That complicates the instructions, because if you tried to add e.g. postfix to the old "milter" group, you would get a message like,

    Sep 3 23:50:50 mail2 opendkim[8345]: orlitzky.com-mail2: key data is not secure: /var/lib/opendkim/orlitzky.com/mail2.key is in group 101 which has multiple users (e.g., "postfix")

To work around that, you need yet another group, containing both the opendkim user and postfix.

4. Fixed detection of "Background no", when the user chooses some other word than "no". For example, "0" and "False" are also accepted.

5. The socket is now obtained from a conf.d file so we don't have to parse it with sed. Moreover, the init script now ensures that the directory containing the socket exists and is owned by the opendkim user. In the old init script, this just happened to work because the elog instructions told people to put the socket in the PID file directory. Now that the PID directory isn't writable by the opendkim user, we needed another plan.

6. I eliminated the start() and stop() functions from the init script. The defaults work fine.

7. Set safer permissions in the ebuild. The /var/lib/opendkim directory can be owned by root, and read-only to whatever group that opendkim runs as.

8. Throw an error if we can't remove a stale socket.

And here's what I didn't do: much at all with systemd. I did update the service file to run as opendkim:opendkim, and I added a conf file to pass the OPENDKIM_SOCKET to the daemon on the command-line (for consistency). However, that isn't tested, and I don't know how the socket creation is supposed to work with systemd.
Created attachment 492372: opendkim.confd

Created attachment 492374: opendkim.init.r4

Created attachment 492376: opendkim.service.conf

Created attachment 492378: opendkim-r2.service
@Maintainers please call for stabilization when ready. Gentoo Security Padawan ChrisADR
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=28706fe998d7ea18549d78aa1bfee4da6bb18ffa

commit 28706fe998d7ea18549d78aa1bfee4da6bb18ffa
Author:     Michael Orlitzky <mjo@gentoo.org>
AuthorDate: 2019-03-27 15:48:17 +0000
Commit:     Michael Orlitzky <mjo@gentoo.org>
CommitDate: 2019-03-27 17:18:07 +0000

    mail-filter/opendkim: new revision to overhaul service scripts.

    The OpenRC service script has been largely rewritten in this revision,
    to solve a number of problems:

      * The PID file is now stored securely (bug 629914).

      * Different PID files are used for multiple instances (bug 536162).

      * The detection of boolean options in the config file is more robust,
        allowing "1", "0", "yes", "false", et cetera.

      * The socket is now located in a conf.d file, rather than parsed from
        the config file. The service script ensures that the directory
        containing the socket has the correct permissions, and the conf.d
        file comes with a big warning to that effect. Note that the
        (commented-out) example directory IS NOT shared with the PID file.

      * An error is thrown if we can't remove a stale socket.

      * Modern OpenRC service script standards have been adopted.

    Some minor changes have been made to the systemd service for
    consistency, but none of them have been tested. More work needs to be
    done here anyway; for example, we most likely want a tmpfiles.d entry
    for the local socket directory if the user configures one. This should
    be documented in opendkim.service.conf, and tested by someone who uses
    systemd.

    Closes: https://bugs.gentoo.org/536162
    Bug: https://bugs.gentoo.org/629914
    Signed-off-by: Michael Orlitzky <mjo@gentoo.org>
    Package-Manager: Portage-2.3.62, Repoman-2.3.11

 .../{opendkim-r2.service => opendkim-r3.service}   |  2 +-
 mail-filter/opendkim/files/opendkim.confd          | 18 ++++++
 mail-filter/opendkim/files/opendkim.init.r4        | 55 ----------------
 mail-filter/opendkim/files/opendkim.init.r5        | 73 ++++++++++++++++++++++
 mail-filter/opendkim/files/opendkim.service.conf   |  2 +
 ...-2.10.3-r6.ebuild => opendkim-2.10.3-r7.ebuild} | 26 ++++----
 6 files changed, 109 insertions(+), 67 deletions(-)
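Two of the points raised in the first comment and repeated in the commit message above (the PID file directory must not be writable by the unprivileged daemon user, and boolean options such as "Background" must be recognised in all their spellings) can be expressed as small audit checks. The following is an added example for this thread, not Gentoo's init script or OpenDKIM's own code. It assumes a GNU or busybox stat that understands -c, an opendkim.conf-style "Key value" file, and a service user name passed in by the caller; the accepted boolean spellings mirror the ones listed in the commit message, with on/off added as an assumption.

```shell
#!/bin/sh
# Added example (not the Gentoo service script): checks for the two hazards
# discussed in bug 629914 and the commit that fixed it.

# conf_bool FILE KEY DEFAULT
# Print "yes" or "no" for boolean option KEY in an opendkim.conf-style file
# ("Key value" lines, '#' comments; the last occurrence wins). Accepts the
# spellings named in the commit message (1/0, yes/no, true/false) plus on/off,
# which is an assumption here. Falls back to DEFAULT when KEY is absent.
conf_bool() {
    file=$1 key=$2 default=$3
    value=$(awk -v key="$key" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(key) { v = $2 }
        END { print v }' "$file")
    [ -z "$value" ] && value=$default
    case $(printf '%s' "$value" | tr 'A-Z' 'a-z') in
        1|yes|true|on)  echo yes ;;
        0|no|false|off) echo no ;;
        *) echo "conf_bool: unrecognized value for $key: $value" >&2; return 1 ;;
    esac
}

# pidfile_dir_safe PIDFILE SERVICE_USER
# Succeed only if the directory that will hold PIDFILE is neither owned by
# SERVICE_USER nor group- or world-writable. Either condition would let the
# unprivileged daemon rewrite the PID that root later sends SIGTERM to, which
# is exactly the "milter:milter" ownership problem described in this bug.
pidfile_dir_safe() {
    dir=$(dirname "$1") svc_user=$2
    [ -d "$dir" ] || { echo "$dir: not a directory" >&2; return 1; }
    owner=$(stat -c '%U' "$dir")   # GNU/busybox stat (assumption)
    mode=$(stat -c '%a' "$dir")    # octal permission bits, e.g. 755 or 1777
    if [ "$owner" = "$svc_user" ]; then
        echo "$dir is owned by the service user $svc_user" >&2
        return 1
    fi
    # The low two octal digits are the group and other permission bits; a
    # write bit (2) in either lets a non-root account replace the PID file.
    group_bits=$(( (0$mode >> 3) & 7 ))
    other_bits=$(( 0$mode & 7 ))
    if [ $(( group_bits & 2 )) -ne 0 ] || [ $(( other_bits & 2 )) -ne 0 ]; then
        echo "$dir is group- or world-writable (mode $mode)" >&2
        return 1
    fi
    return 0
}

# Usage from a service script, e.g. before start:
#   pidfile_dir_safe /run/opendkim.pid opendkim || exit 1
#   [ "$(conf_bool /etc/opendkim/opendkim.conf Background yes)" = no ] \
#       && command_background=""
```

The ownership test is deliberately "not owned by the service user" rather than "owned by root": a directory such as /run is typically root-owned, but a packaging mistake could just as easily hand it to some other unprivileged account, and the daemon is still exposed if that account is the one it runs as. The mode test catches the other half of the original problem, a root:milter directory with group write.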
@Michael, thank you for the thorough commit log and work on all the various PID file issues in the tree! @arches, please stabilize.
amd64 stable
x86 stable
Arches, Thank you for your work. New GLSA Request filed. Maintainer(s), please drop the vulnerable version(s).
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d424c81f020cada007c5ca23be5acc73f4cf6600

commit d424c81f020cada007c5ca23be5acc73f4cf6600
Author:     Michael Orlitzky <mjo@gentoo.org>
AuthorDate: 2019-04-06 11:31:17 +0000
Commit:     Michael Orlitzky <mjo@gentoo.org>
CommitDate: 2019-04-06 11:31:38 +0000

    mail-filter/opendkim: remove old vulnerable revision.

    Bug: https://bugs.gentoo.org/629914
    Bug: https://bugs.gentoo.org/629888
    Signed-off-by: Michael Orlitzky <mjo@gentoo.org>
    Package-Manager: Portage-2.3.62, Repoman-2.3.11

 mail-filter/opendkim/opendkim-2.10.3-r3.ebuild | 204 -------------------------
 1 file changed, 204 deletions(-)
This issue was resolved and addressed in GLSA 201904-22 at https://security.gentoo.org/glsa/201904-22 by GLSA coordinator Aaron Bauman (b-man).