Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 629962

Summary: net-misc/gerbera: privilege escalation via PID file manipulation; unsafe config ownership
Product: Gentoo Security Reporter: Michael Orlitzky <mjo>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: thev00d00
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---
Attachments:
Description Flags
gerbera-1.0.0.initd-r2 none

Description Michael Orlitzky gentoo-dev 2017-09-05 14:04:07 UTC
Created attachment 492432 [details]
gerbera-1.0.0.initd-r2

First issue:

The init script for gerbera makes its PID file directory owned by the $GERBERA_USER:

  checkpath --directory --owner "${GERBERA_USER}:${GERBERA_GROUP}" \
            --mode 0755 /run/gerbera

  ...

  start-stop-daemon \
    ...
    --pidfile /run/gerbera/gerbera.pid

This can be exploited by the $GERBERA_USER to kill root processes. When you stop the daemon, root sends a SIGTERM to the contents of the PID file. Since $GERBERA_USER controls the contents of that file, he can trick root into killing off any process he wants.

I'm missing multicast on my machine so gerbera won't start, but I've tried to rewrite the init script to fix that (attached).

Second issue:

The "gerbera" user owns the configuration file:

  $ ls /etc/gerbera/config.xml 
  -rw------- 1 gerbera gerbera 6.1K 2017-09-05 09:46 /etc/gerbera/config.xml

In all likelihood, that should be root:gerbera and mode 640. The problem with it being owned by "gerbera" is that, if you ever accidentally type "gerbera" as root (or maybe you're debugging a startup crash), then the "gerbera" user can change the contents of the config file to trick you into doing stuff as root. I haven't looked very hard, but since gerbera accesses paths listed in the config, that trick can probably be used to read or modify root-owned files.


An unrelated aesthetic issue:

Since you're hard-coding the user/group "gerbera" in the ebuild, it doesn't make much sense to use variables $GERBERA_USER and $GERBERA_GROUP in the init script. If you change them, the daemon will stop working because the permissions will be all wrong =)

It's fine as-is, but you could simplify the init script a little by ditching the variables. You shouldn't try to fix the permissions in the init script -- it's impossible to do safely.
Comment 1 Michael Orlitzky gentoo-dev 2017-09-05 14:17:15 UTC
One more thing... in the depend() function you have a comment,

  depend() {
      need net
      # In order to properly support this (need vs use), we would have to
      # parse ${GERBERA_CONFIG} and see if mysql is enabled and if it is
      # pointing to the local system.  #368409
  }

There's no need to parse a config for something like that. If the end user does something that makes gerbera require mysql, the official way to add mysql as a dependency is through the gerbera conf.d file. Here's an example for sshd, which may require a specific network interface depending on what's in sshd_config:

  https://wiki.gentoo.org/wiki/OpenRC#Dependency_behavior

And the following is all copy/pasted from the openrc-run man page:

     With the exception of /etc/rc.conf, the configuration files can also
     influence the dependencies of the service through variables. Simply pre‐
     fix the name of the dependency with rc_.  Examples:

           # Whilst most services don't bind to a specific interface, our
           # openvpn configuration requires a specific interface, namely bge0.
           rc_need="net.bge0"
           # To put it in /etc/rc.conf you would do it like this
           rc_openvpn_need="net.bge0"

           # Services should not depend on the tap1 interface for network,
           # but we need to add net.tap1 to the default runlevel to start it.
           rc_provide="!net"
           # To put it in /etc/conf.d/net you would do it like this
           rc_provide_tap1="!net"
           # To put in in /etc/rc.conf you would do it like this
           rc_net_tap1_provide="!net"

           # It's also possible to negate keywords. This is mainly useful for pref$
           # users testing OpenRC.
           rc_keyword="!-prefix"
           # This can also be used to block a script from runining in all
           # containers except one or two
           rc_keyword="!-containers !-docker"
Comment 2 Ian Whyman (thev00d00) (RETIRED) gentoo-dev 2017-09-05 14:21:03 UTC
Thanks.

I agree with all your points.

$GERBERA_USER etc was inherited from MediaTomb, I dont like those either so we can get rid of them.

Thanks for the info for MySQL also, I will be glad to tidy that up.
Comment 3 Michael Orlitzky gentoo-dev 2017-09-05 15:38:17 UTC
Cool, I guess most of the same issues apply to net-misc/mediatomb? Since that's abandoned upstream, should we just mask it and tell people to switch to gerbera?
Comment 4 Ian Whyman (thev00d00) (RETIRED) gentoo-dev 2017-09-05 18:56:53 UTC
Yeah I think we should probably mask MediaTomb at this point, its been on my ToDo for a while. I am planning on a 1.1 release soon, so will advise everyone to move after that.
Comment 5 Ian Whyman (thev00d00) (RETIRED) gentoo-dev 2017-09-05 19:18:04 UTC
Implemented your suggestions in the tree.

Thanks!