Bug 630808

Summary: app-misc/dnetc: root privilege escalation via "chown -R" in pkg_postinst
Product: Gentoo Security
Reporter: Michael Orlitzky <mjo>
Component: Auditing
Assignee: Gentoo Security Audit Team <security-audit>
Severity: normal
CC: ahippo, robbat2
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 691252    

Description Michael Orlitzky gentoo-dev 2017-09-12 14:44:41 UTC
The dnetc ebuilds call chown recursively on the live root filesystem in pkg_postinst:

  pkg_postinst() {
      chown -Rf dnetc:dnetc /opt/

The dnetc user can place a hard link in /opt/ pointing to a sensitive root-owned file, and the next time that dnetc is emerged, that file will be given to the dnetc user. For example,

  1. emerge dnetc
  2. sudo su -s /bin/sh -c 'ln /etc/passwd /opt/' dnetc
  3. emerge dnetc
  4. the file /etc/passwd is owned by dnetc:dnetc
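
Added example, not part of the original report or the ebuild: a POSIX shell audit that looks for regular files with more than one hard link under a tree before any recursive ownership change, since chown acts on the inode and therefore on every name that inode has. The function names and the temporary demo tree are constructed for illustration.

```shell
#!/bin/sh
# Audit aid only: a check followed by a later chown is still racy if an
# unprivileged user can write to the tree in between.

# count_multilinked DIR
# Number of regular files under DIR with link count > 1. Directories are
# skipped because their link count is normally above one. Counting one byte
# per match keeps the result correct for names with spaces or newlines.
count_multilinked() {
    find "$1" -xdev -type f -links +1 -exec printf x \; | wc -c | tr -d ' '
}

# report_multilinked DIR
# Inode, mode, link count, numeric owner and path of each such file.
report_multilinked() {
    find "$1" -xdev -type f -links +1 -exec ls -din {} +
}

# tree_is_safe_to_chown DIR
# Succeeds only when no multiply linked regular file is present.
tree_is_safe_to_chown() {
    [ "$(count_multilinked "$1")" -eq 0 ]
}

# make_demo_tree
# Builds a constructed sample: "opt" stands in for the package directory and
# "etc/sensitive" for a file that must keep its owner. Prints the root path.
make_demo_tree() {
    demo=$(mktemp -d) || return 1
    mkdir "$demo/opt" "$demo/etc"
    echo 'constructed sample' > "$demo/etc/sensitive"
    echo 'client data' > "$demo/opt/buffer"
    ln "$demo/etc/sensitive" "$demo/opt/sensitive"
    printf '%s\n' "$demo"
}

demo_root=$(make_demo_tree)
report_multilinked "$demo_root/opt"
tree_is_safe_to_chown "$demo_root/opt" ||
    echo "refusing ownership change: multiply linked files present"
rm -rf "$demo_root"
```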
Comment 1 Michael Orlitzky gentoo-dev 2017-12-17 23:35:46 UTC
Robin recently announced that this package was up for grabs. Unmaintained and vulnerable are a bad combination -- can we please make this bug public, so that I can reference it in package.mask?
Comment 2 Michael Orlitzky gentoo-dev 2019-08-18 22:56:27 UTC
Here's the mailing list thread, if anyone is curious:

package.mask incoming.
Comment 3 Larry the Git Cow gentoo-dev 2019-08-18 23:05:01 UTC
The bug has been referenced in the following commit(s):

commit 44a0da0e02e234f1d43b1801fe2b6de12b2c6885
Author:     Michael Orlitzky <>
AuthorDate: 2019-08-18 22:59:47 +0000
Commit:     Michael Orlitzky <>
CommitDate: 2019-08-18 23:04:01 +0000

    profiles: mask app-misc/dnetc for eventual removal.
    Signed-off-by: Michael Orlitzky <>

 profiles/package.mask | 6 ++++++
 1 file changed, 6 insertions(+)
Comment 4 Andrey Hippo 2019-08-27 03:40:38 UTC
I can perhaps step up as a proxy maintainer for dnetc.

It actually has the latest release in-tree already,
so just the chown needs to be fixed, I suppose.
Comment 5 Larry the Git Cow gentoo-dev 2019-09-14 23:30:13 UTC
The bug has been referenced in the following commit(s):

commit 446f997c23defe312ab8e5b386dcef06e01a29f1
Author:     Andreas K. Hüttel <>
AuthorDate: 2019-09-14 23:28:34 +0000
Commit:     Andreas K. Hüttel <>
CommitDate: 2019-09-14 23:29:59 +0000

    app-misc/dnetc: Remove last-rited package
    Signed-off-by: Andreas K. Hüttel <>

 app-misc/dnetc/Manifest                |   6 --
 app-misc/dnetc/dnetc-2.9108.517.ebuild |  93 ------------------------------
 app-misc/dnetc/dnetc-2.9112.521.ebuild | 100 ---------------------------------
 app-misc/dnetc/files/dnetc.confd       |  18 ------
 app-misc/dnetc/files/dnetc.initd       |  88 -----------------------------
 app-misc/dnetc/metadata.xml            |  11 ----
 6 files changed, 316 deletions(-)