| Summary: | sci-misc/boinc: root privilege escalation via init script | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Michael Orlitzky <mjo> |
| Component: | Auditing | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | CC: | jlec, security-audit, soap, sven.eden |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| See Also: | https://bugs.gentoo.org/show_bug.cgi?id=540006 | ||
| Whiteboard: | |||
| Package list: | Runtime testing required: | --- | |
I have updated my latest PR at https://github.com/gentoo/gentoo/pull/3056 to deal with the issue. - start_pre() no longer uses "chown -R" on the runtime directory. - create_work_directory() now changes the ownership on the runtime directory only, and only if it was just created. Thank you for pointing that issue out! I think this is now safe:
if [[ ! -d "${RUNTIMEDIR}" ]]; then
einfo "Directory ${RUNTIMEDIR} does not exist, creating now."
mkdir -p "${RUNTIMEDIR}"
if [[ ! -d "${RUNTIMEDIR}" ]]; then
eeror "Directory ${RUNTIMEDIR} could not be created!"
return 1
fi
# ensure proper ownership
chown "${USER}:${GROUP}" "${RUNTIMEDIR}"
fi
However (and I should have mentioned this...), that entire stanza can now be accomplished with one line =)
checkpath -d -o "${USER}:${GROUP}" "${RUNTIMEDIR}"
The "checkpath" command is part of OpenRC (see `man openrc-run`), so it's actually more portable than using mkdir and chown, which may have different implementations on weird systems. Checkpath is also slightly more secure, since it won't follow symlinks/hardlinks (bug #540006).
Thanks for the fast response!
(In reply to Michael Orlitzky from comment #2) > However (and I should have mentioned this...), that entire stanza can now be > accomplished with one line =) > > checkpath -d -o "${USER}:${GROUP}" "${RUNTIMEDIR}" Wow! I never knew about that one! The "stanza" is a relic from the ancieant depths of the boinc package. ...aaaand I just updated my PR again. I have tested the new init script using checkpath with a fake RUNTIMEDIR and had some fun messing around with the ownership and permissions. It works like a charm! Thank you very much again! This issue had been fixed with the mentioned PR, but I forgot to close the bug. (In reply to Sven Eden from comment #4) > but I forgot to close the bug. Actually, you didn't =) The security team prefers to close these bugs themselves, usually after the fixed version has been stabilized and after somebody mentions the word GLEP. @security: it should be safe to make this public and do what you gotta do. (In reply to Michael Orlitzky from comment #5) > the word GLEP. GLSA, GLEP, I'm very tired. Or I can do it, whatever =) unrestricting and re-assigning per bug 705894 |
The init script for boinc calls "chown -R" on a directory: chown -R "${USER}:${GROUP}" "${RUNTIMEDIR}" After doing that once, it's no longer safe to trust the contents of that directory. For example, the "boinc" user can create a hardlink within ${RUNTIMEDIR} pointing to a file that he does not own: $ sudo su boinc -c 'ln /var/lib/portage/world /var/lib/boinc/world' The next time the daemon is started, the init script (as root) will give ownership of the *target* of the hardlink to the boinc user: $ sudo /etc/init.d/boinc start * Starting boinc ... $ ls /var/lib/portage/world -rw-rw-r-- 3 boinc boinc 3.7K 2016-12-22 16:46 /var/lib/portage/world and of course he can use that to gain root. Users of gentoo-sources and hardened-sources are not vulnerable to that hard-link attack (thanks to one of our patches), but may be to others. In this case, I would guess the solution is to use "checkpath" to create $RUNTIMEDIR, and then to not mess with the ownership/permissions after that. Each file in $RUNTIMEDIR will be created by either boinc itself, in which case its permissions will be correct, or by root, and in that case you should leave them alone.