Bug 629914

Summary:

<mail-filter/opendkim-2.10.3-r8: privilege escalation via PID file manipulation

Product:

Gentoo Security

Reporter:

Michael Orlitzky <mjo>

Component:

Vulnerabilities

Assignee:

Gentoo Security <security>

Status:

RESOLVED FIXED

Severity:

normal

CC:

gentoo, klondike, net-mail+disabled, proxy-maint

Priority:

Normal

Flags:

stable-bot: sanity-check+

Version:

unspecified

Hardware:

All

OS:

Linux

Whiteboard:

B3 [glsa+]

Package list:

=mail-filter/opendkim-2.10.3-r8

Runtime testing required:

---

Attachments:

Description	Flags
opendkim-2.10.3-r4.ebuild	none
opendkim.confd	none
opendkim.init.r4	none
opendkim.service.conf	none
opendkim-r2.service	none

Description Michael Orlitzky gentoo-dev

2017-09-04 20:46:50 UTC

Created attachment 492370 [details]
opendkim-2.10.3-r4.ebuild

The opendkim init script gives ownership of its PID file directory to the "milter" user:

  if [ ! -d  "${PIDDIR}" ] ; then
      checkpath -q -d -o milter:milter -m 0755 "${PIDDIR}" || return 1
  fi

This can be exploited by the "milter" user to kill root processes, because when you try to stop the service, root will send a SIGTERM to the contents of that PID file (which are under the control of the "milter" user).

I actually use OpenDKIM, so I tried to fix some other issues at the same time. The PID file was actually the easy part: OpenDKIM already creates its PID file as root, so all I had to do there was leave PidFile commented-out in opendkim.conf and force pidfile=/run/${RC_SVCNAME}.pid on the command-line.

Some other things...

1. I fixed bug 425960 by adding "GPL-2" to LICENSE.

2. I changed everything from "milter" to "opendkim" (fixes bug 629888).

3. I tried to update the advice about sharing a socket with your MTA. If you use a KeyTable and SigningTable, OpenDKIM will read them *after* it drops privileges. That complicates the instructions, because if you tried to add e.g. postfix to the old "milter" group, you would get a message like,

  Sep  3 23:50:50 mail2 opendkim[8345]: orlitzky.com-mail2: key data is not 
  secure: /var/lib/opendkim/orlitzky.com/mail2.key is in group 101 which has 
  multiple users (e.g., "postfix")

To work around that, you need yet another group, containing both the opendkim user and postfix.

4. Fixed detection of "Background no", when the user chooses some other word than "no". For example, "0" and "False" are also accepted.

5. The socket is now obtained from a conf.d file so we don't have to parse it with sed. Moreover, the init script now ensures that the directory containing the socket exists and is owned by the opendkim user. In the old init script, this just happened to work because the elog instructions told people to put the socket in the PID file directory. Now that the PID directory isn't writable by the opendkim user, we needed another plan.

6. I eliminated the start() and stop() functions from the init script. The defaults work fine.

7. Set safer permissions in the ebuild. The /var/lib/opendkim directory can be owned by root, and read-only to whatever group that opendkim runs as.

8. Throw an error if we can't remove a stale socket.


And here's what I didn't do: much at all with systemd. I did update the service file to run as opendkim:opendkim, and I added a conf file to pass the OPENDKIM_SOCKET to the daemon on the command-like (for consistency). However, that isn't tested, and I don't know how the socket creation is supposed to work with systemd.

Comment 1 Michael Orlitzky gentoo-dev

2017-09-04 20:47:21 UTC

Created attachment 492372 [details]
opendkim.confd

Comment 2 Michael Orlitzky gentoo-dev

2017-09-04 20:47:43 UTC

Created attachment 492374 [details]
opendkim.init.r4

Comment 3 Michael Orlitzky gentoo-dev

2017-09-04 20:48:04 UTC

Created attachment 492376 [details]
opendkim.service.conf

Comment 4 Michael Orlitzky gentoo-dev

2017-09-04 20:48:45 UTC

Created attachment 492378 [details]
opendkim-r2.service

Comment 5 Christopher Díaz Riveros (RETIRED) gentoo-dev

2017-10-05 20:02:48 UTC

@Maintainers please call for stabilization when ready.

Gentoo Security Padawan
ChrisADR

Comment 6 Larry the Git Cow gentoo-dev

2019-03-27 17:18:59 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=28706fe998d7ea18549d78aa1bfee4da6bb18ffa

commit 28706fe998d7ea18549d78aa1bfee4da6bb18ffa
Author: Michael Orlitzky <mjo@gentoo.org>
AuthorDate: 2019-03-27 15:48:17 +0000
Commit: Michael Orlitzky <mjo@gentoo.org>
CommitDate: 2019-03-27 17:18:07 +0000

mail-filter/opendkim: new revision to overhaul service scripts.

The OpenRC service script has been largely rewritten in this revision,
to solve a number of problems:

* The PID file is now stored securely (bug 629914).

* Different PID files are used for multiple instances (bug 536162).

* The detection of boolean options in the config file is more robust,
allowing "1", "0", "yes", "false", et cetera.

* The socket is now located in a conf.d file, rather than parsed from
the config file. The service script ensures that the directory
containing the socket has the correct permissions, and the conf.d
file comes with a big warning to that effect. Note that the (commented-
out) example directory IS NOT shared with the PID file.

* An error is thrown if we can't remove a stale socket.

* Modern OpenRC service script standards have been adopted.

Some minor changes have been made to the systemd service for
consistency, but none of them have been tested. More work needs to be
done here anyway; for example, we most likely want a tmpfiles.d entry
for the local socket directory if the user configures one. This should
be documented in opendkim.service.conf, and tested by someone who uses
systemd.

Closes: https://bugs.gentoo.org/536162
Bug: https://bugs.gentoo.org/629914
Signed-off-by: Michael Orlitzky <mjo@gentoo.org>
Package-Manager: Portage-2.3.62, Repoman-2.3.11

.../{opendkim-r2.service => opendkim-r3.service} | 2 +-
mail-filter/opendkim/files/opendkim.confd | 18 ++++++
mail-filter/opendkim/files/opendkim.init.r4 | 55 ----------------
mail-filter/opendkim/files/opendkim.init.r5 | 73 ++++++++++++++++++++++
mail-filter/opendkim/files/opendkim.service.conf | 2 +
...-2.10.3-r6.ebuild => opendkim-2.10.3-r7.ebuild} | 26 ++++----
6 files changed, 109 insertions(+), 67 deletions(-)

Comment 7 Aaron Bauman (RETIRED) gentoo-dev

2019-03-27 20:30:48 UTC

@Michael, thank you for the thorough commit log and work on all the various PID file issues in the tree!

@arches, please stabilize.

Comment 8 Agostino Sarubbo gentoo-dev

2019-03-30 10:46:47 UTC

amd64 stable

Comment 9 Thomas Deutschmann (RETIRED) gentoo-dev

2019-04-02 01:39:28 UTC

x86 stable

Comment 10 Yury German Gentoo Infrastructure

2019-04-02 07:15:22 UTC

Arches, Thank you for your work.
New GLSA Request filed.

Maintainer(s), please drop the vulnerable version(s).

Comment 11 Larry the Git Cow gentoo-dev

2019-04-06 11:32:17 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d424c81f020cada007c5ca23be5acc73f4cf6600

commit d424c81f020cada007c5ca23be5acc73f4cf6600
Author:     Michael Orlitzky <mjo@gentoo.org>
AuthorDate: 2019-04-06 11:31:17 +0000
Commit:     Michael Orlitzky <mjo@gentoo.org>
CommitDate: 2019-04-06 11:31:38 +0000

    mail-filter/opendkim: remove old vulnerable revision.
    
    Bug: https://bugs.gentoo.org/629914
    Bug: https://bugs.gentoo.org/629888
    Signed-off-by: Michael Orlitzky <mjo@gentoo.org>
    Package-Manager: Portage-2.3.62, Repoman-2.3.11

 mail-filter/opendkim/opendkim-2.10.3-r3.ebuild | 204 -------------------------
 1 file changed, 204 deletions(-)

Comment 12 GLSAMaker/CVETool Bot gentoo-dev

2019-04-22 23:35:15 UTC

This issue was resolved and addressed in
 GLSA 201904-22 at https://security.gentoo.org/glsa/201904-22
by GLSA coordinator Aaron Bauman (b-man).