| Summary: | <net-misc/peervpn-0.044-r2: root privilege escalation | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Michael Orlitzky <mjo> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security Audit Team <security-audit> |
| Status: | RESOLVED FIXED | ||
| Severity: | trivial | CC: | zmedico |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | ~1 [noglsa] | ||
| Package list: | Runtime testing required: | --- | |
In peervpn-0.044-r1 it's fixed to use chown --no-dereference: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=012351c00a0b366bbf052222306cf939e9471db1 The --no-dereference flag avoids the issue for symlinks, but not for hardlinks. Fortunately, on newer Linux kernels, there are hardlink restrictions governed by the fs.protected_hardlinks sysctl (default: 1) that prevent me from creating the link to a root-owned file in the first place: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=800179c9b8a1e796e441674776d11cd4c05d61d7 On the other hand... why chown the log file at all? It will be created by the peervpn user/group in a directory that it owns, so I think it will be owned by $user:$group anyway. Crap, those defaults were changed. You can see now that those protections are OFF by default in the vanilla kernel: https://github.com/torvalds/linux/blob/master/fs/namei.c We have a patch (1510_fs-enable-link-security-restrictions-by-default.patch) that turns them back on in gentoo-sources and hardened-sources. (In reply to Michael Orlitzky from comment #2) > On the other hand... why chown the log file at all? It will be created by > the peervpn user/group in a directory that it owns, so I think it will be > owned by $user:$group anyway. The thing is, start-stop-daemon creates the logs owned by root, because it starts peervpn as root (which later drops privileges). I suppose we could simply allow the log to be owned by root. Removed the chown call in peervpn-0.044-r2: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f36646ec19b50b45cbf6def47e8e34ac2237b3c8 From my understanding /var/log/${SVCNAME}/${SVCNAME}.log is only used by s-s-d because the application itself doesn't create any logs nor provides a real daemon. I.e. peervpn always run in foreground and that's our solution to save the output.
So if peervpn itself doesn't write to that log file, the peervpn user/group doesn't need access to that file, right? And maybe not even to /var/log/peervpn folder ...
Am I wrong and peervpn needs access to that file and folder?
(In reply to Thomas Deutschmann from comment #6) > From my understanding /var/log/${SVCNAME}/${SVCNAME}.log is only used by > s-s-d because the application itself doesn't create any logs nor provides a > real daemon. I.e. peervpn always run in foreground and that's our solution > to save the output. > > So if peervpn itself doesn't write to that log file, the peervpn user/group > doesn't need access to that file, right? And maybe not even to > /var/log/peervpn folder ... Right, so that's why peervpn-0.044-r2 removes the chown calls. Public via https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f36646ec19b50b45cbf6def47e8e34ac2237b3c8 Should be all done now, tree is clean, no GLSA required because package was never stable. |
The ebuild for peervpn does, fowners ${PN}:${PN} /var/log/${PN} after which the "peervpn" user controls the contents of /var/log/peervpn. In particular, he can overwrite /var/log/peervpn/peervpn.log with a symlink to any file on the system. The init script then does, start_post() { chown "${user}":"${group}" "${logfile}" } which will call "chown" on the symlink. In that manner, the peervpn user can take ownership of any file on the system.