The ebuilds for cluster-glue call "chown -R" on the live root filesystem in pkg_postinst:

    pkg_postinst() {
        chown -R hacluster:haclient /var/lib/heartbeat/cores
        chown -R hacluster:haclient /var/lib/heartbeat/lrm
    }

That can be exploited by the "hacluster" user (and probably anyone in the "haclient" group) to gain root. If a hard link is placed in one of those directories and it points to a root-owned file, then the next time the cluster-glue package is upgraded or reinstalled, the "chown -R" will affect the target of the link and give the file to hacluster:haclient. For example,

1. emerge cluster-glue
2. su -s /bin/sh -c 'ln /etc/passwd /var/lib/heartbeat/lrm/x' hacluster
3. emerge cluster-glue
4. /etc/passwd is owned by hacluster:haclient
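The mechanism behind the report, as an added example that is not part of the bug report or of the cluster-glue ebuild: a hard link is just a second name for the same inode, so `chown` applied to the link name re-owns the target. The script reproduces the report's steps unprivileged in a temporary directory (a stand-in file plays the role of /etc/passwd, a stand-in directory plays /var/lib/heartbeat/lrm) and shows a guarded replacement for the postinst step that refuses to chown when hard links are present and otherwise chowns only the directory entry itself. The function names and the guard are mine; the suggestion that ownership belongs in src_install (fowners) rather than in pkg_postinst is my recommendation, not something the thread states.

```shell
#!/bin/sh
# Added example, not code from the bug report or from the cluster-glue ebuild.
# Shows why "chown -R" over a live directory writable by an unprivileged user
# is unsafe: a hard link the user creates there shares its inode with the
# target file, so chown on the link name re-owns the target as well.
# Runs without root: a temp file stands in for the root-owned target, and the
# guard below only ever chowns a directory to the user running the script
# (a permitted no-op), so the logic can be exercised safely.
set -eu

# Number of regular files under $1 whose inode has more than one link,
# i.e. names that alias a file which also exists somewhere else.
count_hardlinked() {
    find "$1" -type f -links +1 | wc -l | tr -d ' '
}

# Guarded replacement for the postinst step: refuse when the tree contains
# hard links, otherwise chown only the directory entry itself, never
# recursing into contents an unprivileged user controls.
# This is still racy (a user can link between the check and the chown);
# the robust fix is to set ownership on the image in src_install with
# fowners and not touch the live filesystem from pkg_postinst at all.
guarded_chown() {
    dir=$1
    owner=$2
    if [ "$(count_hardlinked "$dir")" -ne 0 ]; then
        echo "refusing: hard links present under $dir" >&2
        return 1
    fi
    chown "$owner" "$dir"
}

# Reproduces the report's steps: stand-in for /etc/passwd, stand-in for
# /var/lib/heartbeat/lrm, and the hard link "x" inside it (constructed data).
demo() {
    tmp=$(mktemp -d)
    target=$tmp/etc_passwd
    dir=$tmp/lrm
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$target"
    mkdir "$dir"
    ln "$target" "$dir/x"                       # what the hacluster user would do
    ino_target=$(ls -i "$target" | awk '{print $1}')
    ino_link=$(ls -i "$dir/x" | awk '{print $1}')
    me=$(id -un)
    if guarded_chown "$dir" "$me" 2>/dev/null; then
        verdict=guard_missed_hardlink
    else
        verdict=guard_refused
    fi
    rm "$dir/x"
    guarded_chown "$dir" "$me"                  # clean tree: non-recursive chown permitted
    rm -rf "$tmp"
    if [ "$ino_target" = "$ino_link" ]; then
        echo "same_inode:$verdict"
    else
        echo "different_inode:$verdict"
    fi
}
```

Running `demo` prints `same_inode:guard_refused`: the link and the target report the same inode number, which is exactly why a recursive chown on the link name would have handed the target to hacluster:haclient, and the guard catches it. Because the check-then-chown window remains, treat the guard as defence in depth and move the ownership change out of the live filesystem entirely.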
Note that the ebuilds also set /dev/null as login shell.

    pkg_setup() {
        enewgroup haclient
        enewuser hacluster -1 /dev/null /var/lib/heartbeat haclient
    }

I expect no security implications there but that probably ought to be fixed in this same effort:

    enewuser hacluster -1 -1 /var/lib/heartbeat haclient
Unrestricting and reassigning to security@ per bug #705894
unrestricting per bug 705894