Bug 631004 - <dev-util/clair-2.0.1: privilege escalation via PID file manipulation
Summary: <dev-util/clair-2.0.1: privilege escalation via PID file manipulation
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: ~3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-09-14 19:37 UTC by Michael Orlitzky
Modified: 2017-09-24 13:49 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Michael Orlitzky gentoo-dev 2017-09-14 19:37:04 UTC
The init script for clair gives ownership of its PID file directory to its runtime user:

  start_pre() {
      checkpath -d -m 0755 -o "${user}":"${group}" "${pidfile%/*}"
  }

This can be exploited by that runtime user to kill root processes, since when the service is stopped, root will send a SIGTERM to the contents of the PID file (which are controlled by $user).

Fortunately, the call to checkpath above is unnecessary: when OpenRC creates the PID file, it does so as root. So the vulnerability can be fixed by setting,

  pidfile="/run/${RC_SVCNAME}.pid"

and deleting the start_pre() function.

Some other unrelated improvements:

  1. Change the deprecated $SVCNAME to $RC_SVCNAME.
  2. Use command_user instead of --user and --group in start_stop_daemon_args.
  3. One of "need net" and "after net" is redundant.
  4. The ebuild runs,

       fowners ${PN}:${PN} /var/log/${PN}

     but the init script gives you the ability to switch users. If the
     user and group are ever switched, the ownership information on
     /var/log/clair will be wrong. Unless there's a good reason for it,
     I would settle on user=group=clair and leave it unconfigurable.
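The report's point is that whoever owns the PID file's directory controls which PID root later signals. As an added illustration (not code from the bug report, Gentoo, OpenRC or clair), the routine below shows the checks a privileged stop path could apply before trusting a PID file: refuse when the directory or file is owned by the service user, group- or world-writable, or a symlink; refuse contents that are not a single PID above 1; and refuse when the process behind that PID is not running as the service user. The `/proc` lookup assumes Linux, and the scenarios in `run_scenarios()` use constructed paths, PIDs and uids, with the process-owner lookup injected so they run offline.

```python
"""Validate a PID file before a privileged process signals its contents."""
import os
import stat
import tempfile


class UntrustedPidFile(Exception):
    """Raised when the service user could have controlled the PID file."""


def _proc_uid(pid):
    """Real UID of a live process from /proc/<pid>/status (Linux); None if absent."""
    try:
        with open(f"/proc/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Uid:"):
                    return int(line.split()[1])
    except OSError:
        return None
    return None


def trusted_pid(pidfile, service_uid, proc_uid=_proc_uid):
    """Return the PID stored in pidfile only if root may safely signal it.

    service_uid is the uid the daemon runs as; proc_uid maps a PID to the
    uid of the process that currently owns it (replaceable for testing).
    """
    pidfile = os.path.abspath(pidfile)

    # The directory decides who can create or replace the file (the bug's root cause).
    dir_st = os.lstat(os.path.dirname(pidfile))
    if dir_st.st_uid == service_uid:
        raise UntrustedPidFile("PID directory owned by the service user")
    if dir_st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise UntrustedPidFile("PID directory is group- or world-writable")

    # The file itself must not be a redirect or writable by the service user.
    file_st = os.lstat(pidfile)
    if stat.S_ISLNK(file_st.st_mode):
        raise UntrustedPidFile("PID file is a symlink")
    if file_st.st_uid == service_uid:
        raise UntrustedPidFile("PID file owned by the service user")
    if file_st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise UntrustedPidFile("PID file is group- or world-writable")

    with open(pidfile) as fh:
        text = fh.read().strip()
    if not (text.isascii() and text.isdigit()) or int(text) <= 1:
        raise UntrustedPidFile(f"PID file content {text!r} is not a usable PID")
    pid = int(text)

    # Even a well-formed PID is only ours if that process runs as the service user.
    owner = proc_uid(pid)
    if owner != service_uid:
        raise UntrustedPidFile(f"PID {pid} runs as uid {owner}, not the service user")
    return pid


def _outcome(pidfile, uid, lookup):
    try:
        return trusted_pid(pidfile, uid, lookup)
    except UntrustedPidFile as exc:
        return f"refused: {exc}"


def run_scenarios():
    """Constructed scenarios (not from the report); returns the outcome of each."""
    me = os.getuid()
    other = me + 1  # stand-in uid for the service user in the cases that should pass
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        pidfile = os.path.join(tmp, "clair.pid")
        with open(pidfile, "w") as fh:
            fh.write("4242\n")
        os.chmod(tmp, 0o755)
        os.chmod(pidfile, 0o644)

        # 1. Directory owned by the service user, as with the checkpath line in the report.
        results["dir_owned_by_service"] = _outcome(pidfile, me, lambda p: me)
        # 2. Root-owned layout and the PID belongs to a process running as the service user.
        results["good_layout"] = _outcome(pidfile, other, lambda p: other)
        # 3. The PID names a process owned by uid 0 rather than the service user.
        results["foreign_process"] = _outcome(pidfile, other, lambda p: 0)
        # 4. The PID file names init (PID 1); rejected before any lookup.
        with open(pidfile, "w") as fh:
            fh.write("1\n")
        results["pid_one"] = _outcome(pidfile, other, lambda p: other)
    return results


if __name__ == "__main__":
    for case, result in run_scenarios().items():
        print(f"{case}: {result}")
```

The ownership checks are what the fix in the report achieves for free: with `pidfile="/run/${RC_SVCNAME}.pid"` and no `checkpath` hand-over, the directory and file stay root-owned, so the service user never gets to choose the PID that root signals.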
Comment 1 Manuel Rüger (RETIRED) gentoo-dev 2017-09-19 16:16:45 UTC
Thanks, fixed in:

commit 561022e669b16cf3a4c509f2aa9155db129ac9bc (HEAD -> master, origin/master, origin/HEAD)
Author: Manuel Rüger <mrueg@gentoo.org>
Date:   Tue Sep 19 18:16:02 2017 +0200

    dev-util/clair: Remove old
    
    Package-Manager: Portage-2.3.8, Repoman-2.3.3

commit 6f4dd6b9fba7d6951317298878eef5754e8ec882
Author: Manuel Rüger <mrueg@gentoo.org>
Date:   Tue Sep 19 18:15:21 2017 +0200

    dev-util/clair: Version bump to 2.0.1
    
    Package-Manager: Portage-2.3.8, Repoman-2.3.3
Comment 2 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-09-19 23:39:25 UTC
(In reply to Manuel Rüger from comment #1)
> Thanks, fixed in:
> 

Thank you Manuel.

Gentoo Security Padawan
ChrisADR