| Summary: | media-gfx/replicatorg: root privilege escalation via "chown -R" in pkg_postinst | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Michael Orlitzky <mjo> |
| Component: | Auditing | Assignee: | Gentoo Security Audit Team <security-audit> |
| Status: | RESOLVED OBSOLETE | ||
| Severity: | normal | CC: | mgorny |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Package list: | Runtime testing required: | --- | |
The package has been removed now. Removing group restriction |
The replicatorg ebuilds call "chown -R" in pkg_postinst: pkg_postinst() { ... chmod -R g+w "${ROOT}"/opt/replicatorg chown -R root:replicator "${ROOT}"/opt/replicatorg This can be exploited by anyone in the "replicator" group to gain root. A member of that group can place a hard link to a root-owned file under /opt/replicatorg, and the next time the package is upgraded or reinstalled, the "chown -R" will give ownership of root's stuff to the member of the "replicator" group. For example, 1. emerge replicatorg 2. add yourself to the "replicator" group 3. ln /etc/passwd /opt/replicatorg/lib/x 4. emerge replicatorg 5. /etc/passwd is group-writable by the "replicator" group I've marked this private but the package is maintainer-needed, so security@ will need to pick someone to CC.