Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 630808 - app-misc/dnetc: root privilege escalation via "chown -R" in pkg_postinst
Summary: app-misc/dnetc: root privilege escalation via "chown -R" in pkg_postinst
Status: RESOLVED OBSOLETE
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Auditing (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security Audit Team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks: 691252
  Show dependency tree
 
Reported: 2017-09-12 14:44 UTC by Michael Orlitzky
Modified: 2020-05-21 22:37 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Michael Orlitzky gentoo-dev 2017-09-12 14:44:41 UTC
The dnetc ebuilds call chown recursively on the live root filesystem in pkg_postinst:

  pkg_postinst() {
      chown -Rf dnetc:dnetc /opt/distributed.net
      ...

The dnetc user can place a hard link in /opt/distributed.net pointing to a sensitive root-owned file, and the next time that dnetc is emerged, that file will be given to the dnetc user. For example,

  1. emerge dnetc
  2. sudo su -s /bin/sh -c 'ln /etc/passwd /opt/distributed.net/foo' dnetc
  3. emerge dnetc
  4. the file /etc/passwd is owned by dnetc:dnetc
Comment 1 Michael Orlitzky gentoo-dev 2017-12-17 23:35:46 UTC
Robin recently announced that this package was up for grabs. Unmaintained and vulnerable are a bad combination -- can we please make this bug public, so that I can reference it in package.mask?
Comment 2 Michael Orlitzky gentoo-dev 2019-08-18 22:56:27 UTC
Here's the mailing list thread, if anyone is curious:

https://archives.gentoo.org/gentoo-dev/message/c43a368ff49d3e8f8c28937db9a700e1

package.mask incoming.
Comment 3 Larry the Git Cow gentoo-dev 2019-08-18 23:05:01 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=44a0da0e02e234f1d43b1801fe2b6de12b2c6885

commit 44a0da0e02e234f1d43b1801fe2b6de12b2c6885
Author:     Michael Orlitzky <mjo@gentoo.org>
AuthorDate: 2019-08-18 22:59:47 +0000
Commit:     Michael Orlitzky <mjo@gentoo.org>
CommitDate: 2019-08-18 23:04:01 +0000

    profiles: mask app-misc/dnetc for eventual removal.
    
    Bug: https://bugs.gentoo.org/630808
    Signed-off-by: Michael Orlitzky <mjo@gentoo.org>

 profiles/package.mask | 6 ++++++
 1 file changed, 6 insertions(+)
Comment 4 Andrey 2019-08-27 03:40:38 UTC
I can perhaps step up as a proxy maintainer for dnetc.

It's actually has the latest release in-tree already,
so just the chown needs to be fixed, I suppose.
Comment 5 Larry the Git Cow gentoo-dev 2019-09-14 23:30:13 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=446f997c23defe312ab8e5b386dcef06e01a29f1

commit 446f997c23defe312ab8e5b386dcef06e01a29f1
Author:     Andreas K. Hüttel <dilfridge@gentoo.org>
AuthorDate: 2019-09-14 23:28:34 +0000
Commit:     Andreas K. Hüttel <dilfridge@gentoo.org>
CommitDate: 2019-09-14 23:29:59 +0000

    app-misc/dnetc: Remove last-rited package
    
    Closes: https://bugs.gentoo.org/405521
    Closes: https://bugs.gentoo.org/691946
    Bug: https://bugs.gentoo.org/630808
    Closes: https://bugs.gentoo.org/691252
    Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>

 app-misc/dnetc/Manifest                |   6 --
 app-misc/dnetc/dnetc-2.9108.517.ebuild |  93 ------------------------------
 app-misc/dnetc/dnetc-2.9112.521.ebuild | 100 ---------------------------------
 app-misc/dnetc/files/dnetc.confd       |  18 ------
 app-misc/dnetc/files/dnetc.initd       |  88 -----------------------------
 app-misc/dnetc/metadata.xml            |  11 ----
 6 files changed, 316 deletions(-)