Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 630836

Summary: mail-filter/amavisd-new: root privilege escalation via "chown -R" in pkg_postinst
Product: Gentoo Security Reporter: Michael Orlitzky <mjo>
Component: AuditingAssignee: Gentoo Security <security>
Severity: normal CC: eras, hattya, mschiff, radhermit, robbat2, security-audit
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Package list:
Runtime testing required: ---

Description Michael Orlitzky gentoo-dev 2017-09-12 18:02:20 UTC
The amavisd-new ebuilds call "chown -R" on the live root filesystem in pkg_postinst:

  pkg_postinst() {
      chown root:amavis "${ROOT}/etc/amavisd.conf"
      chown -R amavis:amavis "${ROOT}/${AMAVIS_ROOT}"

This can be exploited by the "amavis" user to gain root. After the package is installed, he is free to create whatever files he wants under /var/amavis. In particular, he can create hard links to root-owned files. The next time amavisd-new is installed, the "chown -R" call will give "amavis" ownership of root's stuff. The following works:

  1. emerge amavisd-new
  2. sudo su -s /bin/sh -c 'ln /etc/passwd /var/amavis/x' amavis
  3. emerge amavisd-new
  4. now "amavis:amavis" owns /etc/passwd.
Comment 1 Michael Orlitzky gentoo-dev 2018-11-18 23:57:48 UTC
I just fixed this myself in amavisd-new-2.11.1.ebuild.
Comment 2 Michael Orlitzky gentoo-dev 2019-09-14 16:14:19 UTC
These private bugs don't show up in anyone's usual workflow, so I'm just going to mark this one fixed. Nobody needs a GLSA about it a year later =P
Comment 3 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2020-04-03 23:25:30 UTC
unrestricting and re-assigning per bug 705894