The dnetc ebuilds call chown recursively on the live root filesystem in pkg_postinst:

  pkg_postinst() {
      chown -Rf dnetc:dnetc /opt/distributed.net
      ...

The dnetc user can place a hard link in /opt/distributed.net pointing to a sensitive root-owned file, and the next time that dnetc is emerged, that file will be given to the dnetc user. For example,

  1. emerge dnetc
  2. sudo su -s /bin/sh -c 'ln /etc/passwd /opt/distributed.net/foo' dnetc
  3. emerge dnetc
  4. the file /etc/passwd is owned by dnetc:dnetc
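An audit for the condition described in the report above, as an added example that is not part of the original report or of the dnetc ebuild: it lists regular files under a tree whose inode has more than one name, since those are the files a recursive chown would also re-own under their other path. The function names hardlinked_files and safe_to_chown_tree are hypothetical.

```shell
#!/bin/sh
# Added example; not taken from the dnetc ebuild or the Gentoo tree.

# Print every regular file under $1 whose inode has more than one name.
# chown changes the owner of the inode, not of one path, so each file
# printed here would also change owner under its other name.
hardlinked_files() {
    # -xdev:     stay on one filesystem (hard links cannot cross it)
    # -links +1: link count greater than one
    find "$1" -xdev -type f -links +1 -print
}

# Return 0 only when no multiply-linked regular file is present.
# Return 1 when at least one is found, 2 when $1 is not a directory.
# This is an audit, not a fix: if the unprivileged owner can still write
# to the tree, a link can appear between this check and a later chown -R.
safe_to_chown_tree() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    found=$(hardlinked_files "$dir")
    if [ -n "$found" ]; then
        echo "multiply-linked files under $dir:" >&2
        printf '%s\n' "$found" >&2
        return 1
    fi
    return 0
}
```

Run as root against a directory writable by a service account, for example `safe_to_chown_tree /opt/distributed.net`, to see whether a past or future recursive chown could reach files outside it.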
Robin recently announced that this package was up for grabs. Unmaintained and vulnerable are a bad combination -- can we please make this bug public, so that I can reference it in package.mask?
Here's the mailing list thread, if anyone is curious:

https://archives.gentoo.org/gentoo-dev/message/c43a368ff49d3e8f8c28937db9a700e1

package.mask incoming.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=44a0da0e02e234f1d43b1801fe2b6de12b2c6885

commit 44a0da0e02e234f1d43b1801fe2b6de12b2c6885
Author:     Michael Orlitzky <mjo@gentoo.org>
AuthorDate: 2019-08-18 22:59:47 +0000
Commit:     Michael Orlitzky <mjo@gentoo.org>
CommitDate: 2019-08-18 23:04:01 +0000

    profiles: mask app-misc/dnetc for eventual removal.

    Bug: https://bugs.gentoo.org/630808
    Signed-off-by: Michael Orlitzky <mjo@gentoo.org>

 profiles/package.mask | 6 ++++++
 1 file changed, 6 insertions(+)
I can perhaps step up as a proxy maintainer for dnetc. It actually has the latest release in-tree already, so just the chown needs to be fixed, I suppose.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=446f997c23defe312ab8e5b386dcef06e01a29f1

commit 446f997c23defe312ab8e5b386dcef06e01a29f1
Author:     Andreas K. Hüttel <dilfridge@gentoo.org>
AuthorDate: 2019-09-14 23:28:34 +0000
Commit:     Andreas K. Hüttel <dilfridge@gentoo.org>
CommitDate: 2019-09-14 23:29:59 +0000

    app-misc/dnetc: Remove last-rited package

    Closes: https://bugs.gentoo.org/405521
    Closes: https://bugs.gentoo.org/691946
    Bug: https://bugs.gentoo.org/630808
    Closes: https://bugs.gentoo.org/691252
    Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>

 app-misc/dnetc/Manifest                |   6 --
 app-misc/dnetc/dnetc-2.9108.517.ebuild |  93 ------------------------------
 app-misc/dnetc/dnetc-2.9112.521.ebuild | 100 ---------------------------------
 app-misc/dnetc/files/dnetc.confd       |  18 ------
 app-misc/dnetc/files/dnetc.initd       |  88 -----------------------------
 app-misc/dnetc/metadata.xml            |  11 ----
 6 files changed, 316 deletions(-)