Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 630814

Summary: app-portage/getdelta: root privilege escalation via "chown -R" in pkg_postinst
Product: Gentoo Security Reporter: Michael Orlitzky <mjo>
Component: AuditingAssignee: Gentoo Security <security>
Status: CONFIRMED ---    
Severity: normal CC: nlissne, patrick, security-audit
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---

Description Michael Orlitzky gentoo-dev 2017-09-12 15:10:08 UTC
The getdelta ebuilds calls chown recursively on the live root filesystem in pkg_postinst:

  pkg_postinst() {
      ...
      chown -R portage:portage "${ROOT}"/{var/log/getdelta.log,etc/deltup}

The "portage" user can place a hard link in /etc/deltup pointing to a sensitive root-owned file, and the next time that getdelta is emerged, that file will be given to the "portage" user. For example,

  1. emerge getdelta
  2. create a hard link from /etc/passwd to /etc/deltup/x
  3. emerge getdelta
  4. the file /etc/passwd is owned by portage:portage
Comment 1 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2020-04-03 23:16:22 UTC
Unrestricting and reassigning to security@ per bug #705894
Comment 2 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2020-04-03 23:18:37 UTC
unrestricting per bug 705894