Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 603344

Summary: mail-filter/spamass-milter: root privilege escalation via init script
Product: Gentoo Security Reporter: Michael Orlitzky <mjo>
Component: AuditingAssignee: Gentoo Security <security>
Severity: normal CC: eras, hattya, mschiff, radhermit, robbat2, security-audit
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Package list:
Runtime testing required: ---

Description Michael Orlitzky gentoo-dev 2016-12-21 14:39:47 UTC
The init script for spamass-milter grants ownership of its socket directory to the "milter" user:

  checkpath -q -d -o ${SOCKET_USER:-milter}:${SOCKET_GROUP:-milter} \
      -m 0755 ${socketdir}

Later, it calls chown/chmod on its socket file which lives in that directory:

  chown ${SOCKET_USER:-milter}:${SOCKET_GROUP:-milter} ${SOCKET} ...
  chmod ${SOCKET_MODE:-664} ${SOCKET} ...

The "milter" user can change ${SOCKET} between the time that it is created, and the time that chown/chmod are called on it. Thus there is a race condition, and it can be used to gain root on the machine: simply replace ${SOCKET} with a symlink to some place important.

The init script runs [ -S ${SOCKET} ... ] in a loop, so I found it easiest to exploit this by constantly swapping a real socket with a symlink. For example, as the milter user in /var/run/milter,

  while true; do \
    cp -a spamass-milter.sock.bak spamass-milter.sock; \
    ln -sf /home/mjo/foo.txt ./spamass-milter.sock; \

If I start the spamass-milter service with that running, it changes ownership of /home/mjo/foo.txt to milter:milter and makes it mode 664.

Another reliable way to exploit the chown/chmod is to make your symlink point to a socket. Then the "-S" test will always succeed, so all you have to do is clobber the socket with a symlink repeatedly in a loop.
Comment 1 Michael Orlitzky gentoo-dev 2019-09-14 16:11:35 UTC
commit 30a7ed2d867921b830e8f2329519fdb34ab9cb5f
Author: Michał Górny <>
Date:   Tue May 28 15:32:15 2019 +0200

    mail-filter/spamass-milter: Remove last-rited pkg

    Signed-off-by: Michał Górny <>
Comment 2 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2020-04-03 23:25:28 UTC
unrestricting and re-assigning per bug 705894