| Summary: | <mail-filter/milter-regex-2.2: root privilege escalation via init script race condition | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Michael Orlitzky <mjo> |
| Component: | Auditing | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | gentoo, security-audit |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
Description
Michael Orlitzky
2016-12-20 19:29:58 UTC
(In reply to Michael Orlitzky from comment #0)

> > I have a dummy text file (mode 644) at /home/mjo/root.

Oops, that should be /home/mjo/foo.txt.

Unrestricting and reassigning to security@ per bug #705894

unrestricting per bug 705894

I'm scratching my head, because I am not calling fowners or start-stop-daemon directly:

```
→ cd /var/db/repos/gentoo/mail-filter/milter-regex
→ grep -r start-stop-daemon * || echo 'Not found'
Not found
→ grep -r fowners * || echo 'Not found'
Not found
```

> If I run [...] as the "milter" user and then start the
> milter-regex service, it starts successfully and I find
> that /home/mjo/foo.txt is now mode 666.

As defined by acct-user/milter-regex, the milter-regex user's home directory is /dev/null and its shell is /sbin/nologin. If you can run any command as milter-regex other than starting out with root privileges, something is quite wrong.

What you're missing is that I filed this bug 3.5 years ago but it was only made public today =P

Hehe, I missed that indeed. So, close this bug or what?

security@ decides when to close it, but it's been fixed and the tree is clean of the vulnerable versions, so nothing for us to do.

Fixed since https://gitweb.gentoo.org/repo/gentoo.git/commit/mail-filter/milter-regex?id=a199b66a6767c285587d9a22e06a42078e8a5684 (September 2018). Closing.
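The thread never shows the init script itself, but the symptom it reports (root leaving a user-chosen file mode 666 after the service starts) is the pattern of a privileged script chmod'ing or chown'ing a path the service account can replace. As an added example, not code from the bug, the ebuild or milter-regex, here is a POSIX shell helper an init script could use to prepare a daemon's runtime directory without that exposure; it assumes GNU coreutils stat(1) (Linux) and only chowns when actually running as root.

```shell
#!/bin/sh
# prepare_runtime_dir DIR OWNER MODE
# Refuses to chmod/chown anything it did not create itself or that could have
# been planted by the service account (a symlink, a wrong owner, or a parent
# directory other users can write to), so a swapped-in path cannot be made
# mode 666 by the privileged script. Assumes GNU stat(1); OWNER is a name/uid.
prepare_runtime_dir() {
    dir=$1; owner=$2; mode=$3
    parent=$(dirname "$dir")

    # The parent must not be group- or world-writable (e.g. /tmp or a home
    # dir); otherwise the path can be replaced between our checks and the chmod.
    case "$(stat -c %A "$parent")" in
        ?????w*|????????w*)
            echo "refusing: $parent is group- or world-writable" >&2; return 1 ;;
    esac

    # Never follow a symlink: that is how an unprivileged user redirects a
    # privileged chmod/chown onto an arbitrary file.
    if [ -L "$dir" ]; then
        echo "refusing: $dir is a symlink" >&2; return 1
    fi

    if [ -e "$dir" ]; then
        # An existing path must be a real directory owned by us (root in an
        # init script), not something the service user created earlier.
        if [ ! -d "$dir" ] || [ "$(stat -c %u "$dir")" != "$(id -u)" ]; then
            echo "refusing: $dir exists but is not our directory" >&2; return 1
        fi
    else
        # Create it with the final mode in one step: no create-then-chmod gap.
        mkdir -m "$mode" "$dir" || return 1
    fi

    chmod "$mode" "$dir" || return 1
    # chown only when actually root (so the helper also runs unprivileged);
    # -h keeps the chown from following a link if one ever slipped through.
    if [ "$(id -u)" -eq 0 ]; then
        chown -h "$owner" "$dir" || return 1
    fi
}
```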