Bug 630898 - <mail-filter/amavisd-new-2.11.1-r3: privilege escalation via PID file manipulation for amavisd-snmp
Summary: <mail-filter/amavisd-new-2.11.1-r3: privilege escalation via PID file manipul...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-09-13 14:34 UTC by Michael Orlitzky
Modified: 2019-03-10 04:00 UTC
CC: 2 users

See Also:
Package list:
mail-filter/amavisd-new-2.11.1-r3
Runtime testing required: ---
stable-bot: sanity-check+


Description Michael Orlitzky gentoo-dev 2017-09-13 14:34:27 UTC
The amavisd-snmp init script gives ownership of its PID file directory to the "amavis" user:

  start_pre() {
      update_command
      checkpath -d -o amavis /run/amavis
  }

This is exploitable by the "amavis" user to kill root processes, because when the service is stopped, root will send a SIGTERM to the contents of that PID file.

Fortunately, the call to "checkpath" above is unnecessary:

  $ ls /run/amavis/amavisd-snmp.pid 
  -rw-r----- 1 root root 6 2017-09-13 10:30 /run/amavis/amavisd-snmp.pid

So for a fix, I recommend setting

  pidfile="/run/${RC_SVCNAME}.pid"

and then deleting the call to "checkpath".
Comment 1 Larry the Git Cow gentoo-dev 2018-11-26 00:24:36 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8635dce998732f7f82cc6c51bd0a7014c5e6ae6a

commit 8635dce998732f7f82cc6c51bd0a7014c5e6ae6a
Author:     Michael Orlitzky <mjo@gentoo.org>
AuthorDate: 2018-11-22 03:10:18 +0000
Commit:     Michael Orlitzky <mjo@gentoo.org>
CommitDate: 2018-11-26 00:17:56 +0000

    mail-filter/amavisd-new: new revision to clean up auxiliary init scripts.
    
      * Two new service scripts for amavisd-snmp-agent{,-zmq}. Prior, both
        of these programs were installed, but had only a single service
        script which tried to figure out what to do at runtime. The new
        way is cleaner, doesn't rely on bashisms (bug 630896), and fixes
        a security issue (bug 630898).
    
      * A new OpenRC service script for amavis-mc. This fixes an
        unreported (to Gentoo, anyway) security issue. This program can
        create its PID file only after dropping privileges, which makes it
        unsafe for OpenRC to later "kill" it. The new script runs the
        program in the foreground and lets OpenRC (safely) handle the
        bookkeeping.
    
    Closes: https://bugs.gentoo.org/630896
    Bug: https://bugs.gentoo.org/630898
    Signed-off-by: Michael Orlitzky <mjo@gentoo.org>
    Package-Manager: Portage-2.3.51, Repoman-2.3.11

 .../amavisd-new/amavisd-new-2.11.1-r2.ebuild       | 198 +++++++++++++++++++++
 mail-filter/amavisd-new/files/amavis-mc.initd-r1   |  18 ++
 .../files/amavisd-snmp-subagent-zmq.initd          |  26 +++
 .../amavisd-new/files/amavisd-snmp-subagent.initd  |  25 +++
 4 files changed, 267 insertions(+)
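As an added example that is not part of this bug report or the Gentoo ebuild, two shell checks for the two PID-file hazards raised in the description and in the fix commit above: a PID-file directory owned (or writable) by the service user, and a PID file the daemon could only write after dropping privileges. The function names and the STOP_DIR argument are this example's own; it assumes GNU coreutils `stat -c` and a Linux /proc.

```shell
#!/bin/sh
# Added example, not code from the bug report or the Gentoo ebuild.
# Assumes GNU coreutils `stat -c` and a Linux /proc; the function names
# and the STOP_DIR argument are this example's own.

# pidfile_dir_safe PIDFILE UNTRUSTED_USER [STOP_DIR]
# Walks each directory from PIDFILE's parent up to STOP_DIR (default /)
# and fails if any component is owned by UNTRUSTED_USER or is writable by
# group/other. Either lets that user replace the PID file with a PID of
# their choosing, which root will then signal on "stop" (the checkpath bug).
# Sticky directories such as /tmp are flagged too: deliberately conservative.
pidfile_dir_safe() {
    pidfile=$1; untrusted=$2; stop=${3:-/}
    dir=$(dirname "$pidfile")
    while :; do
        [ -d "$dir" ] || { echo "unsafe: $dir missing" >&2; return 1; }
        set -- $(stat -c '%U %a' "$dir")   # owner name, octal mode
        owner=$1; mode=$2
        if [ "$owner" = "$untrusted" ]; then
            echo "unsafe: $dir owned by $untrusted" >&2; return 1
        fi
        oth=${mode#"${mode%?}"}            # last octal digit: other
        rest=${mode%?}
        grp=${rest#"${rest%?}"}            # second-last digit: group
        case "$grp$oth" in                 # digits 2,3,6,7 carry the w bit
            *[2367]*) echo "unsafe: $dir mode $mode is group/other writable" >&2
                      return 1 ;;
        esac
        case $dir in "$stop"|/) return 0 ;; esac
        dir=$(dirname "$dir")
    done
}

# pid_running_as PID USER
# Succeeds only if PID exists and its real UID is USER's. A stop action
# that signals a PID read from a file the daemon wrote after dropping
# privileges (the amavis-mc case) should at least confirm this first.
pid_running_as() {
    pid=$1; user=$2
    [ -r "/proc/$pid/status" ] || return 1
    want=$(id -u "$user" 2>/dev/null) || return 1
    have=$(awk '/^Uid:/ { print $2; exit }' "/proc/$pid/status")
    [ "$have" = "$want" ]
}
```

Run `pidfile_dir_safe /run/amavis/amavisd-snmp.pid amavis` against the original init script's layout to reproduce the finding; the corrected `/run/${RC_SVCNAME}.pid` passes because /run is root-owned and not group/other writable.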
Comment 2 Andreas K. Hüttel archtester gentoo-dev 2019-01-26 01:29:05 UTC
Please do stabilize (also blocks glibc-2.28)
Comment 3 Michael Orlitzky gentoo-dev 2019-01-26 02:09:21 UTC
(In reply to Andreas K. Hüttel from comment #2)
> Please do stabilize (also blocks glibc-2.28)

*thumbs up*
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2019-01-31 22:17:49 UTC
x86 stable
Comment 5 Rolf Eike Beer archtester 2019-02-03 11:00:42 UTC
sparc stable
Comment 6 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-02-07 10:48:16 UTC
amd64 stable
Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev 2019-02-09 20:02:10 UTC
hppa stable
Comment 8 ernsteiswuerfel archtester 2019-02-17 17:08:35 UTC
Looking good on ppc64.

# cat amavisd-new-630898.report 
USE tests started on So 17. Feb 17:16:03 CET 2019

FEATURES=' test' USE='' succeeded for =mail-filter/amavisd-new-2.11.1-r3
USE='clamav courier dkim -ldap mysql -postgres -qmail razor -snmp -spamassassin -zmq' succeeded for =mail-filter/amavisd-new-2.11.1-r3
USE='clamav -courier dkim ldap mysql postgres qmail razor -snmp -spamassassin -zmq' succeeded for =mail-filter/amavisd-new-2.11.1-r3
USE='clamav courier dkim ldap mysql postgres qmail -razor snmp -spamassassin -zmq' succeeded for =mail-filter/amavisd-new-2.11.1-r3
USE='clamav -courier -dkim ldap -mysql -postgres -qmail razor snmp -spamassassin zmq' succeeded for =mail-filter/amavisd-new-2.11.1-r3
USE='-clamav -courier -dkim ldap mysql postgres qmail razor snmp -spamassassin zmq' succeeded for =mail-filter/amavisd-new-2.11.1-r3
USE='clamav courier -dkim -ldap -mysql -postgres -qmail -razor -snmp spamassassin zmq' succeeded for =mail-filter/amavisd-new-2.11.1-r3
USE='-clamav -courier dkim ldap -mysql -postgres -qmail -razor -snmp spamassassin zmq' succeeded for =mail-filter/amavisd-new-2.11.1-r3
USE='-clamav courier -dkim ldap mysql -postgres -qmail -razor -snmp spamassassin zmq' succeeded for =mail-filter/amavisd-new-2.11.1-r3
USE='clamav courier dkim -ldap -mysql -postgres -qmail -razor snmp spamassassin zmq' succeeded for =mail-filter/amavisd-new-2.11.1-r3
USE='clamav courier dkim ldap -mysql postgres qmail -razor snmp spamassassin zmq' succeeded for =mail-filter/amavisd-new-2.11.1-r3
USE='-clamav -courier -dkim ldap -mysql postgres -qmail razor snmp spamassassin zmq' succeeded for =mail-filter/amavisd-new-2.11.1-r3
USE='clamav -courier -dkim -ldap mysql -postgres qmail razor snmp spamassassin zmq' succeeded for =mail-filter/amavisd-new-2.11.1-r3
Comment 9 Sergei Trofimovich (RETIRED) gentoo-dev 2019-02-17 17:51:52 UTC
ppc64 stable thanks to ernsteiswuerfel!
Comment 10 Andreas K. Hüttel archtester gentoo-dev 2019-02-24 01:36:43 UTC
All arches done
Comment 11 Michael Orlitzky gentoo-dev 2019-02-24 02:01:40 UTC
Security: Andreas also cleaned up the old vulnerable versions.
Comment 12 Larry the Git Cow gentoo-dev 2019-02-24 02:34:40 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=072fd49134ed3c404a44e0cb8eb564b3b00f9cd9

commit 072fd49134ed3c404a44e0cb8eb564b3b00f9cd9
Author:     Michael Orlitzky <mjo@gentoo.org>
AuthorDate: 2019-02-24 02:06:39 +0000
Commit:     Michael Orlitzky <mjo@gentoo.org>
CommitDate: 2019-02-24 02:33:35 +0000

    mail-filter/amavisd-new: remove now-unused files.
    
    Bug: https://bugs.gentoo.org/630898
    Signed-off-by: Michael Orlitzky <mjo@gentoo.org>
    Package-Manager: Portage-2.3.51, Repoman-2.3.11

 mail-filter/amavisd-new/files/amavis-mc.initd  | 17 ----------
 mail-filter/amavisd-new/files/amavisd.initd-r1 | 44 --------------------------
 mail-filter/amavisd-new/files/amavisd.service  | 22 -------------
 3 files changed, 83 deletions(-)