Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 630808

Summary: app-misc/dnetc: root privilege escalation via "chown -R" in pkg_postinst
Product: Gentoo Security Reporter: Michael Orlitzky <mjo>
Component: AuditingAssignee: Gentoo Security Audit Team <security-audit>
Status: RESOLVED OBSOLETE    
Severity: normal CC: ahippo, robbat2
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 691252    

Description Michael Orlitzky gentoo-dev 2017-09-12 14:44:41 UTC
The dnetc ebuilds call chown recursively on the live root filesystem in pkg_postinst:

  pkg_postinst() {
      chown -Rf dnetc:dnetc /opt/distributed.net
      ...

The dnetc user can place a hard link in /opt/distributed.net pointing to a sensitive root-owned file, and the next time that dnetc is emerged, that file will be given to the dnetc user. For example,

  1. emerge dnetc
  2. sudo su -s /bin/sh -c 'ln /etc/passwd /opt/distributed.net/foo' dnetc
  3. emerge dnetc
  4. the file /etc/passwd is owned by dnetc:dnetc
Comment 1 Michael Orlitzky gentoo-dev 2017-12-17 23:35:46 UTC
Robin recently announced that this package was up for grabs. Unmaintained and vulnerable are a bad combination -- can we please make this bug public, so that I can reference it in package.mask?
Comment 2 Michael Orlitzky gentoo-dev 2019-08-18 22:56:27 UTC
Here's the mailing list thread, if anyone is curious:

https://archives.gentoo.org/gentoo-dev/message/c43a368ff49d3e8f8c28937db9a700e1

package.mask incoming.
Comment 3 Larry the Git Cow gentoo-dev 2019-08-18 23:05:01 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=44a0da0e02e234f1d43b1801fe2b6de12b2c6885

commit 44a0da0e02e234f1d43b1801fe2b6de12b2c6885
Author:     Michael Orlitzky <mjo@gentoo.org>
AuthorDate: 2019-08-18 22:59:47 +0000
Commit:     Michael Orlitzky <mjo@gentoo.org>
CommitDate: 2019-08-18 23:04:01 +0000

    profiles: mask app-misc/dnetc for eventual removal.
    
    Bug: https://bugs.gentoo.org/630808
    Signed-off-by: Michael Orlitzky <mjo@gentoo.org>

 profiles/package.mask | 6 ++++++
 1 file changed, 6 insertions(+)
Comment 4 Andrey Hippo 2019-08-27 03:40:38 UTC
I can perhaps step up as a proxy maintainer for dnetc.

It's actually has the latest release in-tree already,
so just the chown needs to be fixed, I suppose.
Comment 5 Larry the Git Cow gentoo-dev 2019-09-14 23:30:13 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=446f997c23defe312ab8e5b386dcef06e01a29f1

commit 446f997c23defe312ab8e5b386dcef06e01a29f1
Author:     Andreas K. Hüttel <dilfridge@gentoo.org>
AuthorDate: 2019-09-14 23:28:34 +0000
Commit:     Andreas K. Hüttel <dilfridge@gentoo.org>
CommitDate: 2019-09-14 23:29:59 +0000

    app-misc/dnetc: Remove last-rited package
    
    Closes: https://bugs.gentoo.org/405521
    Closes: https://bugs.gentoo.org/691946
    Bug: https://bugs.gentoo.org/630808
    Closes: https://bugs.gentoo.org/691252
    Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>

 app-misc/dnetc/Manifest                |   6 --
 app-misc/dnetc/dnetc-2.9108.517.ebuild |  93 ------------------------------
 app-misc/dnetc/dnetc-2.9112.521.ebuild | 100 ---------------------------------
 app-misc/dnetc/files/dnetc.confd       |  18 ------
 app-misc/dnetc/files/dnetc.initd       |  88 -----------------------------
 app-misc/dnetc/metadata.xml            |  11 ----
 6 files changed, 316 deletions(-)