
Bug 629414

Summary: dev-db/aerospike-server-community: system executable owned by non-root user
Product: Gentoo Security
Reporter: Michael Orlitzky <mjo>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: patrick
Priority: Normal
Keywords: PMASKED
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: ~4 [noglsa]
Package list:
Runtime testing required: ---
Deadline: 2021-01-17

Description Michael Orlitzky gentoo-dev 2017-08-31 01:48:00 UTC
The /usr/bin/asd program installed by dev-db/aerospike-server-community is owned by the "aerospike" user:

  -rwxr-xr-x 1 aerospike aerospike 2.8M 2017-08-30 21:33 /usr/bin/asd

That's in root's PATH, and it could conceivably be run as root during testing or debugging. If that ever happens, it's trivial for the "aerospike" user to gain root. Instead, that executable should probably be root:root.
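The listing above is exactly what an audit of root's PATH should catch. The following POSIX sh script is an added example, not code from this bug, from Gentoo or from Aerospike: it walks the directories of a colon-separated PATH and reports every regular file that a non-root account could overwrite, either because the owner is not root (the case reported here) or because the group or other write bit is set (two related cases the report does not mention). It assumes a POSIX ls(1) long listing with the mode string in field 1 and the owner name in field 3; the file name audit-path.sh and the PATH value in the usage line are assumptions.

```sh
#!/bin/sh
# Added example, not code from the Gentoo bug or the Aerospike ebuild.
# Audits the directories root would search for executables and reports any
# file that a non-root user could replace: owner is not root, or the group
# or other write bit is set. Assumes a POSIX sh and a POSIX ls(1) whose
# long listing starts with the mode string and has the owner in field 3.

# classify_entry MODE OWNER PATH
#   MODE  the 10-character permission string from "ls -l" (e.g. -rwxr-xr-x)
#   OWNER the owner name from the same listing
# Prints one line naming the problems found, or nothing. Exit status is 0
# when at least one problem was found, 1 when the entry looks safe.
classify_entry() {
    mode=$1 owner=$2 path=$3
    reasons=""
    # A non-root owner can rewrite the file whenever it likes, so anything
    # root later executes from it runs the owner's code as root.
    [ "$owner" = root ] || reasons="non-root-owner($owner)"
    # Character 6 is the group write bit, character 9 the other write bit.
    case $mode in
        ?????w*) reasons="$reasons group-writable" ;;
    esac
    case $mode in
        ????????w*) reasons="$reasons world-writable" ;;
    esac
    [ -n "$reasons" ] || return 1
    printf '%s %s %s: %s\n' "$mode" "$owner" "$path" "${reasons# }"
    return 0
}

# audit_dir DIR
# Runs classify_entry over every regular file directly inside DIR. Symlinks
# are skipped because "ls -l" reports the link's own (always 777) mode.
# Exit status 0 if any finding was printed, 1 otherwise.
audit_dir() {
    dir=$1 found=1
    [ -d "$dir" ] || return 1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        [ -L "$f" ] && continue
        # Word-split the listing: $1 is the mode string, $3 the owner.
        # Both sit before the file name, so spaces in the path do not matter.
        set -- $(ls -ld "$f")
        classify_entry "$1" "$3" "$f" && found=0
    done
    return $found
}

# audit_path PATHLIST
# Audits every directory of a colon-separated PATH, e.g. the one root gets
# from /etc/profile. Exit status 0 if any directory produced a finding.
audit_path() {
    rc=1
    IFS=:
    set -- $1
    unset IFS   # back to default field splitting for audit_dir
    for d in "$@"; do
        audit_dir "$d" && rc=0
    done
    return $rc
}

# Usage (assumed file name): sh audit-path.sh "/usr/sbin:/usr/bin:/sbin:/bin"
# Without an argument the file only defines the functions, so it can be sourced.
if [ $# -gt 0 ]; then
    audit_path "$1"
fi
```

Fed the entry from the report, classify_entry prints `-rwxr-xr-x aerospike /usr/bin/asd: non-root-owner(aerospike)`. The check deliberately treats the owner and the write bits separately: `chmod 755` would not help here, since the owner of a file can always chmod or replace it, so the only safe remedy is the root:root ownership the report suggests.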
Comment 1 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-10-05 20:28:36 UTC
Is this a Gentoo specific issue? it may be good to report upstream about this.

Gentoo Security Padawan
ChrisADR
Comment 2 Michael Orlitzky gentoo-dev 2017-10-06 02:04:46 UTC
The ebuild does,

  fowners aerospike:aerospike /usr/bin/asd

so it's probably not upstream. If /usr/bin/asd is still owned by a non-root user after deleting that line, then we can blame upstream.
Comment 3 Michael Orlitzky gentoo-dev 2019-09-14 16:25:47 UTC
This should be a pretty easy issue to fix within two years =P
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-20 02:03:25 UTC
ping...
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-01-25 19:12:09 UTC
Package was treecleaned:

commit 7a467253e33c4cd9d4b65cd6fb088fa69952b115
Author: Michał Górny <mgorny@gentoo.org>
Date:   Tue Jan 19 09:37:19 2021 +0100

    dev-db/aerospike-server-community: Remove last-rited pkg

    Bug: https://bugs.gentoo.org/736050
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

All versions unstable so all done here.