630906 – net-analyzer/munin: root privilege escalation via "chown -R" in pkg_config

Bug 630906 - net-analyzer/munin: root privilege escalation via "chown -R" in pkg_config

Summary: net-analyzer/munin: root privilege escalation via "chown -R" in pkg_config

Status:	CONFIRMED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Auditing (show other bugs)
Hardware:	All Linux

Importance:	Normal major (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:	B1 [ebuild?]
Keywords:

Depends on:
Blocks:

Reported:	2017-09-13 17:12 UTC by Michael Orlitzky
Modified:	2024-01-07 05:44 UTC (History)
CC List:	6 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Michael Orlitzky gentoo-dev

2017-09-13 17:12:58 UTC

The pkg_config phase for munin calls "chown -R" on a directory:

  pkg_config() {
      ...
      chown -R munin:munin /var/lib/munin/.ssh || die

If this phase is run more than once (ever), the munin user can exploit this to gain root. If he places a hard link to a root-owned file under /var/lib/munin/.ssh, then the next call to "chown -R" will give ownership of root's file to the "munin" user. For example,

  1. emerge --config munin
  2. su -s /bin/sh -c 'ln /etc/passwd /var/lib/munin/.ssh/x' munin
  3. emerge --config munin
  4. /etc/passwd is owned by "munin"

Comment 1 Hans de Graaff gentoo-dev

2017-09-16 06:36:35 UTC

This bug shows that it is under embargo, but there is no deadline. Please advice on how or when to proceed.


We know the specific files we create here, so we can use this instead:

  chown munin:munin /var/lib/munin/.ssh/id_{rsa,ecdsa}{,.pub}

Comment 2 Michael Orlitzky gentoo-dev

2017-09-16 14:42:37 UTC

(In reply to Hans de Graaff from comment #1)
> This bug shows that it is under embargo, but there is no deadline. Please
> advice on how or when to proceed.
> 
> 
> We know the specific files we create here, so we can use this instead:
> 
>   chown munin:munin /var/lib/munin/.ssh/id_{rsa,ecdsa}{,.pub}

That "chown" will still follow a symlink, so it's important that every directory involved be owned (and writable only) by root. Is that the case even though /var/lib/munin is the "munin" user's home directory (I haven't checked)?

  enewuser munin 177 -1 /var/lib/munin munin

If it will work, I would suggest instead using "su -s /bin/sh -c ... munin" to perform the key generation *as the munin user* so that you don't have to try to fix things afterwards.

Comment 3 Michael Orlitzky gentoo-dev

2017-09-16 14:43:18 UTC

(In reply to Hans de Graaff from comment #1)
> This bug shows that it is under embargo, but there is no deadline. Please
> advice on how or when to proceed.

Oh, and there's nothing special about the "embargo" status, I was just asked to keep these sorts of issues private until a fix is available.

Comment 4 Michael Orlitzky gentoo-dev

2017-09-16 17:18:33 UTC

Another thing to consider is that everyone who ran "emerge --config munin" up until now will still have "munin" owning /var/lib/munin and everything under it. Fixing that is itself a hairy proposition, so if you can use "su" to eliminate the chowns, that's one less thing to think about.

Comment 5 Robin Johnson archtester

2020-04-03 23:16:45 UTC

Unrestricting and reassigning to security@ per bug #705894

Comment 6 Robin Johnson archtester

2020-04-03 23:18:14 UTC

unrestricting per bug 705894

Comment 7 John Helmert III archtester

2021-01-25 21:45:15 UTC

Maintainers/mjo, is this now obsolete with the new user/group functionality?

Comment 8 Michael Orlitzky gentoo-dev

2021-01-25 21:51:14 UTC

No, nothing has changed.

(It would also be nice if acct-user/munin followed the devmanual's guidelines for its home directory. Right now the package and the user are pointlessly and dangerously coupled.)