| Summary: | net-analyzer/sguil-server: root privilege escalation via "chown -R" in pkg_postinst | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Michael Orlitzky <mjo> |
| Component: | Auditing | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | CC: | jer, mgorny, security-audit, treecleaner, vapier, zerochaos |
| Priority: | Normal | Keywords: | PMASKED |
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Package list: | Runtime testing required: | --- | |
| Deadline: | 2020-10-26 | ||
Unrestricting and reassigning to security@ per bug #705894 unrestricting per bug 705894 Package removed. All unstable so no GLSA. |
The ebuilds for sguil-server call "chown -R" in pkg_postinst: pkg_postinst(){ ... chown -R sguil:sguil "${ROOT}"/etc/sguil/sguild.* chown -R sguil:sguil "${ROOT}"/usr/lib/sguild This can be exploited by the "sguil" user to gain root if he places a hard link to a root-owned file in one of those directories. For example, 1. emerge sguil-server 2. su -s /bin/sh -c 'ln /etc/passwd /usr/lib/sguild/x' sguil 3. emerge sguil-server 4. /etc/passwd is owned by the "sguil" user.