
Bug 630758

Summary: app-text/groonga: privilege escalation via PID file manipulation
Product: Gentoo Security
Reporter: Michael Orlitzky <mjo>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: IN_PROGRESS
Severity: trivial
CC: ajak, kfm, maintainer-needed
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: ~3 [ebuild]
Package list:
Runtime testing required: ---
Attachments: groonga.confd-r1 (flags: none)

Description Michael Orlitzky gentoo-dev 2017-09-12 00:54:56 UTC
Created attachment 494076

The init script for groonga gives ownership of the PID file directory to $GROONGA_USER:

  start_pre() {
      checkpath -d /run/groonga -o ${GROONGA_USER:-groonga}...

This can be exploited by the $GROONGA_USER to kill root processes, because when you stop the service, root sends a SIGTERM to the contents of that PID file. Since the groonga daemon is not able to drop privileges itself, there is no safe way to use its PID file while running as a non-root user. I'm attaching another version of the init script that takes care of the problem by running groonga in the foreground and letting OpenRC background it (and manage the PID file).

I've removed the GROONGA_PID setting from the conf.d file entirely:

  1. Nobody cares where it goes,
  2. Changing it didn't work anyway (a path is hard-coded in that line above).

You might also consider doing the database creation in pkg_config() in the ebuild rather than in start_pre(), but that's unrelated and up to you.
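Two checks a privileged stop() can run before trusting a PID file, added here as an example and not taken from the groonga init script or the attached conf.d: the PID file's directory must be root-owned and not group/world-writable (the condition the quoted checkpath -o line breaks), and the PID inside must belong to a live process owned by the service user, so a planted PID of a root process is refused. The functions pidfile_dir_ok and pidfile_target_ok are hypothetical names; the block assumes Linux (/proc, and stat -c as in GNU coreutils or busybox).

```shell
#!/bin/sh
# Added example, not the groonga init script: checks a privileged stop()
# can run before trusting a PID file. Linux-specific (reads /proc and uses
# stat -c, present in GNU coreutils and busybox); root is uid 0.

# pidfile_dir_ok PIDFILE
# The directory holding PIDFILE must be owned by root and not writable by
# group or others. A directory handed to the service user (the checkpath
# -o line quoted in this bug) lets that user replace the file's contents.
pidfile_dir_ok() {
    dir=$(dirname "$1")
    info=$(stat -c '%u %a' "$dir" 2>/dev/null) || return 1
    set -- $info                       # $1 = owner uid, $2 = octal mode
    [ "$1" = 0 ] || return 1           # not owned by root
    case $2 in *[2367]) return 1 ;; esac     # world-writable
    case $2 in *[2367]?) return 1 ;; esac    # group-writable
    return 0
}

# pidfile_target_ok PIDFILE USER
# PIDFILE must contain one plain PID (> 1) of a live process whose real
# uid is USER's (USER may be a name or a numeric uid). A planted PID of a
# root process fails here, so a writable PID file can at worst be used to
# signal USER's own processes instead of root's.
pidfile_target_ok() {
    pidfile=$1
    case $2 in
        '') return 1 ;;
        *[!0-9]*) svc_uid=$(id -u "$2" 2>/dev/null) || return 1 ;;
        *) svc_uid=$2 ;;
    esac
    [ -f "$pidfile" ] || return 1
    pid=$(head -n 1 "$pidfile" | tr -d '[:space:]')
    case $pid in ''|*[!0-9]*) return 1 ;; esac   # not a plain number
    [ "$pid" -gt 1 ] || return 1                 # never signal init
    [ -r "/proc/$pid/status" ] || return 1       # no such process
    owner=$(awk '/^Uid:/ { print $2; exit }' "/proc/$pid/status")
    [ "$owner" = "$svc_uid" ]
}

# Demo: this shell's own PID in a temporary file passes for the current
# user; a planted PID 1 is rejected.
demo=$(mktemp -d)
echo $$ > "$demo/svc.pid"
pidfile_target_ok "$demo/svc.pid" "$(id -u)" && echo "own pid: accepted"
echo 1 > "$demo/svc.pid"
pidfile_target_ok "$demo/svc.pid" "$(id -u)" || echo "pid 1: rejected"
rm -rf "$demo"
```

The ownership test is the same idea as letting OpenRC manage the PID file in root-owned /run: root only ever signals a process it can show belongs to the service account.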
Comment 1 Michael Orlitzky gentoo-dev 2017-09-12 00:56:09 UTC
Created attachment 494078
Comment 2 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-09-12 02:21:37 UTC
@mjo thank you for all your work hunting PID files.

@Maintainer please let us know when the tree is clean of vulnerable versions

Gentoo Security Padawan
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-06-11 05:48:55 UTC
Maintainer: Ping.