Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 630908 - net-analyzer/sguil-server: root privilege escalation via "chown -R" in pkg_postinst
Summary: net-analyzer/sguil-server: root privilege escalation via "chown -R" in pkg_po...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Auditing (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Deadline: 2020-10-26
Assignee: Gentoo Security
URL:
Whiteboard:
Keywords: PMASKED
Depends on:
Blocks:
 
Reported: 2017-09-13 17:18 UTC by Michael Orlitzky
Modified: 2020-10-29 03:15 UTC (History)
6 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Michael Orlitzky gentoo-dev 2017-09-13 17:18:00 UTC
The ebuilds for sguil-server call "chown -R" in pkg_postinst:

  pkg_postinst(){
      ...
      chown -R sguil:sguil "${ROOT}"/etc/sguil/sguild.*
      chown -R sguil:sguil "${ROOT}"/usr/lib/sguild

This can be exploited by the "sguil" user to gain root if he places a hard link to a root-owned file in one of those directories. For example,

  1. emerge sguil-server
  2. su -s /bin/sh -c 'ln /etc/passwd /usr/lib/sguild/x' sguil
  3. emerge sguil-server
  4. /etc/passwd is owned by the "sguil" user.
Comment 1 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2020-04-03 23:16:36 UTC
Unrestricting and reassigning to security@ per bug #705894
Comment 2 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2020-04-03 23:18:21 UTC
unrestricting per bug 705894
Comment 3 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2020-10-26 07:41:49 UTC
Package removed.
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-10-29 03:15:15 UTC
All unstable so no GLSA.