| Summary: | sci-misc/boinc: root privilege escalation via init script | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Michael Orlitzky <mjo> |
| Component: | Auditing | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | jlec, security-audit, soap, sven.eden |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| See Also: | https://bugs.gentoo.org/show_bug.cgi?id=540006 | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |

Description
Michael Orlitzky
2016-12-22 23:04:39 UTC
I have updated my latest PR at https://github.com/gentoo/gentoo/pull/3056 to deal with the issue.

- start_pre() no longer uses "chown -R" on the runtime directory.
- create_work_directory() now changes the ownership on the runtime directory only, and only if it was just created.

Thank you for pointing that issue out!

I think this is now safe:

```
if [[ ! -d "${RUNTIMEDIR}" ]]; then
	einfo "Directory ${RUNTIMEDIR} does not exist, creating now."
	mkdir -p "${RUNTIMEDIR}"
	if [[ ! -d "${RUNTIMEDIR}" ]]; then
		eerror "Directory ${RUNTIMEDIR} could not be created!"
		return 1
	fi

	# ensure proper ownership
	chown "${USER}:${GROUP}" "${RUNTIMEDIR}"
fi
```

However (and I should have mentioned this...), that entire stanza can now be accomplished with one line =)

```
checkpath -d -o "${USER}:${GROUP}" "${RUNTIMEDIR}"
```

The "checkpath" command is part of OpenRC (see `man openrc-run`), so it's actually more portable than using mkdir and chown, which may have different implementations on weird systems. Checkpath is also slightly more secure, since it won't follow symlinks/hardlinks (bug #540006).

Thanks for the fast response!

(In reply to Michael Orlitzky from comment #2)
> However (and I should have mentioned this...), that entire stanza can now be
> accomplished with one line =)
>
> checkpath -d -o "${USER}:${GROUP}" "${RUNTIMEDIR}"

Wow! I never knew about that one! The "stanza" is a relic from the ancient depths of the boinc package.

...aaaand I just updated my PR again.

I have tested the new init script using checkpath with a fake RUNTIMEDIR and had some fun messing around with the ownership and permissions. It works like a charm!

Thank you very much again!

This issue had been fixed with the mentioned PR, but I forgot to close the bug.

(In reply to Sven Eden from comment #4)
> but I forgot to close the bug.

Actually, you didn't =)

The security team prefers to close these bugs themselves, usually after the fixed version has been stabilized and after somebody mentions the word GLEP.

@security: it should be safe to make this public and do what you gotta do.

(In reply to Michael Orlitzky from comment #5)
> the word GLEP.

GLSA, GLEP, I'm very tired.

Or I can do it, whatever =)

unrestricting and re-assigning per bug 705894
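
An added example, not part of the bug report or the boinc PR: a small audit that flags recursive `chown`/`chmod` calls in OpenRC init scripts (the pattern removed from start_pre() in this bug) and passes the `checkpath` form. The function names and both sample scripts are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit OpenRC init scripts for recursive ownership or
# permission changes, the pattern this bug removed from start_pre().
# Function names and both sample scripts are constructed for illustration.

# Print "lineno:text" for each non-comment line that calls chown or chmod
# with a recursive flag (-R, combined short flags such as -hR, --recursive).
find_recursive_changes() {
    grep -nE '(^|[^[:alnum:]_])(chown|chmod)[[:space:]]+(.*[[:space:]])?(-[[:alpha:]]*R[[:alpha:]]*|--recursive)([[:space:]]|$)' "$1" \
        | grep -vE '^[0-9]+:[[:space:]]*#' || true
}

# Echo the number of flagged lines in the given init script.
count_recursive_changes() {
    find_recursive_changes "$1" | grep -c . || true
}

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# Constructed sample: pre-fix shape, recursive chown as root on every start.
cat > "$workdir/boinc.before" <<'EOF'
start_pre() {
    # chown -R in a comment must not be reported
    chown -R "${USER}:${GROUP}" "${RUNTIMEDIR}"
}
EOF

# Constructed sample: post-fix shape using OpenRC's checkpath.
cat > "$workdir/boinc.after" <<'EOF'
start_pre() {
    checkpath -d -o "${USER}:${GROUP}" "${RUNTIMEDIR}"
}
EOF

for f in "$workdir/boinc.before" "$workdir/boinc.after"; do
    echo "$(basename "$f"): $(count_recursive_changes "$f") recursive change(s)"
    find_recursive_changes "$f"
done
```

A hit is a prompt for review, not proof of a flaw: what matters is whether the target directory is writable by the unprivileged service user.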