| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | app-admin/mms-agent: privilege escalation via PID file manipulation | | |
| Product: | Gentoo Security | Reporter: | Michael Orlitzky <mjo> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED OBSOLETE | | |
| Severity: | minor | CC: | ajak, treecleaner, ultrabug |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | B4 [ebuild] | | |
| Package list: | | Runtime testing required: | --- |
Maintainer: Ping.

Ping

Hasn't been touched by maintainer since just before this bug was opened. I guess if no one is there this should be treecleaned. No revdeps, a couple of other bugs open.

masked, due for removal in #769509
The init script for mms-agent gives ownership of the PID file directory to the same user that the daemon runs as:

```sh
start_pre() {
    checkpath -d -m 0750 -o "${user}":"${group}" "${run_dir}"
    cd /opt/mms-monitoring-agent
}
```

As a result, the $user can write whatever he wants into the PID file. Later, that may be exploitable: when the service is stopped, root will call "kill" on the contents of that file.

But there's good news: there's no need for the call to "checkpath" above. With command_background=true, OpenRC creates the PID file as root:root, and the checkpath call can be deleted if you store the PID file directly in /run. That is, if you delete the $run_dir variable, and set

```sh
pidfile=/run/${RC_SVCNAME}.pid
```

Some other minor improvements to consider while you're touching the init script:

1. Update SVCNAME to the more-modern RC_SVCNAME.
2. Use "command_user" for the user/group instead of start_stop_daemon_args.
3. Right now you have `command="./mongodb-mms-monitoring-agent &>${logfile}"` in order to save stderr and stdout to $logfile. I believe that you can use the --stderr and --stdout options of start-stop-daemon (through start_stop_daemon_args) to achieve the same thing.
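As an added example (not code from the bug report, from the mms-agent ebuild or from OpenRC), the following POSIX shell function is the kind of defence-in-depth check a stop phase could run before handing the contents of a PID file to kill, rejecting exactly the conditions the report describes (a file the daemon's user owns or can write to, or contents that are not a single live PID); it assumes Linux with GNU stat, and the function name and its arguments are hypothetical.

```shell
#!/bin/sh
# Added example: refuse to trust a PID file unless it is a regular file
# (not a symlink) owned by the expected account, not writable by group or
# others, holding exactly one positive integer that names a live process.
# Keeping the file root-owned in /run (as the report recommends) is the
# real fix; this check only limits the damage if that is ever undone.
#
# Usage: pid=$(pidfile_trusted /run/mms-agent.pid) && kill "$pid"
#        second argument: expected owner uid (default 0, i.e. root)
pidfile_trusted() {
    f=$1
    want_uid=${2:-0}

    # A symlink planted in a directory the daemon user owns could point
    # at any file on the system; only accept a plain regular file.
    [ -L "$f" ] && return 1
    [ -f "$f" ] || return 1

    # Owner and mode (GNU stat). If the daemon user owns the file or can
    # write to it, its contents are attacker-controlled.
    set -- $(stat -c '%u %a' "$f")
    [ "$1" = "$want_uid" ] || return 1
    [ $(( 0$2 & 022 )) -eq 0 ] || return 1   # no group/other write bit

    # Contents must be one decimal PID: reject "", "-1", "1 2", "abc".
    IFS= read -r pid < "$f" || :
    case $pid in
        ''|*[!0-9]*) return 1 ;;
    esac
    # PID 1 (init) and 0 must never be a kill target from a PID file.
    [ "$pid" -gt 1 ] || return 1

    # The process must still exist; kill -0 delivers no signal.
    kill -0 "$pid" 2>/dev/null || return 1

    printf '%s\n' "$pid"
}
```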