| Summary: | mail-filter/amavisd-new: root privilege escalation via "chown -R" in pkg_postinst | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Michael Orlitzky <mjo> |
| Component: | Auditing | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | CC: | eras, hattya, mschiff, radhermit, robbat2, security-audit |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Package list: | Runtime testing required: | --- | |
I just fixed this myself in amavisd-new-2.11.1.ebuild. These private bugs don't show up in anyone's usual workflow, so I'm just going to mark this one fixed. Nobody needs a GLSA about it a year later =P unrestricting and re-assigning per bug 705894 |
The amavisd-new ebuilds call "chown -R" on the live root filesystem in pkg_postinst: pkg_postinst() { chown root:amavis "${ROOT}/etc/amavisd.conf" chown -R amavis:amavis "${ROOT}/${AMAVIS_ROOT}" } This can be exploited by the "amavis" user to gain root. After the package is installed, he is free to create whatever files he wants under /var/amavis. In particular, he can create hard links to root-owned files. The next time amavisd-new is installed, the "chown -R" call will give "amavis" ownership of root's stuff. The following works: 1. emerge amavisd-new 2. sudo su -s /bin/sh -c 'ln /etc/passwd /var/amavis/x' amavis 3. emerge amavisd-new 4. now "amavis:amavis" owns /etc/passwd.