Bug 630752

Summary: app-admin/logcheck: root privilege escalation via "chown -R" in pkg_postinst
Product: Gentoo Security
Reporter: Michael Orlitzky <mjo>
Component: Auditing
Assignee: Gentoo Security <security>
Status: CONFIRMED
Severity: normal
CC: gentoo_eshoes, mrueg, security-audit
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux

Description Michael Orlitzky gentoo-dev 2017-09-11 22:45:48 UTC
The logcheck ebuilds all call "chown -R" on the root filesystem during pkg_postinst:

  pkg_postinst() {
      chown -R logcheck:logcheck /etc/logcheck /var/lib/logcheck || die

This is exploitable in the same way that the init scripts were: the first install is safe, but then the logcheck user can place a hard link in either of those directories pointing to e.g. /root/.bashrc. The next time logcheck is installed, the ebuild will call chown on the hardlink, and give ownership of /root/.bashrc to the "logcheck" user.

I'm marking this private, but the package is maintainer-needed, so it's up to @security who to CC. If someone wants to take a shot at it, my first attempt would be to use "fowners root:logcheck ..." and to do it on $D in src_install. Another call to fperms could then make those directories group-rwx. Neither call should operate recursively.
Comment 1 Kristian Fiskerstrand gentoo-dev Security 2017-09-12 08:58:55 UTC
@mrueg: Hi Manuel, I see you're the last dev to touch this package with a version bump earlier this year. Maybe you want to take a crack at fixing this issue and taking over maintainership of the package?
Comment 2 Manuel Rüger (RETIRED) gentoo-dev 2017-09-12 12:41:59 UTC
I'm not interested in maintaining it.

The cronjob is probably similarly vulnerable in /etc/cron.hourly/logcheck.cron:
> chown -R logcheck:logcheck /var/lock/logcheck
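
A defensive check for the condition described in the report and in comment 2, as an added example that is not part of the original bug thread or of the logcheck package: it lists regular files with more than one hard link under the three logcheck directories named above. The function names and the `check` argument are hypothetical.

```shell
#!/bin/sh
# Added example (not from the bug report): pre-flight audit of the
# directories named in this bug before root changes ownership beneath them.

# Directories taken from the report and from comment 2.
LOGCHECK_DIRS="/etc/logcheck /var/lib/logcheck /var/lock/logcheck"

# multilinked_files DIR...
# Print every regular file under DIR whose link count is above 1, i.e. a
# file that has at least one more name somewhere on the same filesystem.
multilinked_files() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        # -xdev: hard links cannot cross filesystems, so the scan does not either
        find "$dir" -xdev -type f -links +1 -print
    done
}

# tree_is_clean DIR...
# Succeeds only when no multiply-linked regular file exists under any DIR.
tree_is_clean() {
    [ -z "$(multilinked_files "$@")" ]
}

# report DIR...
# List inode, mode, link count and owner of each finding; returns
# non-zero when anything was found so callers can stop before chown.
report() {
    found=$(multilinked_files "$@")
    [ -z "$found" ] && return 0
    printf '%s\n' "$found" | while IFS= read -r path; do
        ls -ldi -- "$path"
    done
    return 1
}

# Run only when invoked as: script check [DIR...]
if [ "${1:-}" = "check" ]; then
    shift
    # Unquoted on purpose: split the default list into separate arguments.
    [ "$#" -gt 0 ] || set -- $LOGCHECK_DIRS
    report "$@"
fi
```

A clean result only describes the tree at the moment of the scan; it does not make a later recursive chown safe, because the directory's owner can add a link afterwards.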
Comment 3 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2020-04-03 23:16:18 UTC
Unrestricting and reassigning to security@ per bug #705894
Comment 4 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2020-04-03 23:18:29 UTC
Unrestricting per bug 705894