Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 630914

Summary: net-im/openfire: root privilege escalation via "chown -R" in pkg_postinst
Product: Gentoo Security Reporter: Michael Orlitzky <mjo>
Component: AuditingAssignee: Gentoo Security <security>
Status: RESOLVED OBSOLETE    
Severity: normal CC: maintainer-needed, security-audit
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---

Description Michael Orlitzky gentoo-dev 2017-09-13 18:05:47 UTC
The openfire ebulds call "chown -R" on the live root filesystem in pkg_postinst:

  pkg_postinst() {
      ...
      chown -R jabber:jabber "${ROOT}"/opt/openfire
  }

This can be exploited by the "jabber" user to gain root, if he places a hard link to a root-owned file in /opt/openfire. The next time the package is upgraded or reinstalled, the "chown -R" will give root's file to the "jabber" user. For example,

  1. emerge openfire
  2. su -s /bin/sh -c 'ln /etc/passwd /opt/openfire/x' jabber
  3. emerge openfire
  4. /etc/passwd is owned by jabber:jabber
Comment 1 Sergei Trofimovich gentoo-dev 2017-09-15 21:04:13 UTC
The ".*confidential.*" red text does not actually say on the next step for this issue.

Should I attach ebuild fix once I get it ready here or someone else
already actively handling it?
Comment 2 Michael Orlitzky gentoo-dev 2017-09-15 22:40:41 UTC
(In reply to Sergei Trofimovich from comment #1)
> The ".*confidential.*" red text does not actually say on the next step for
> this issue.
> 
> Should I attach ebuild fix once I get it ready here or someone else
> already actively handling it?

Just fix it and post here when you're done =)

There's nothing special about the private bug, I was just asked to mark these sorts of issues private until they're fixed.
Comment 3 Michael Orlitzky gentoo-dev 2019-06-23 17:26:00 UTC
This issue should be fixed in the -r2. I just reordered things so that it's not necessary to call chown/chmod at any point.

@security, we should open up this bug and ask the arch teams to test it.
Comment 4 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2020-04-03 23:16:43 UTC
Unrestricting and reassigning to security@ per bug #705894
Comment 5 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2020-04-03 23:18:34 UTC
unrestricting per bug 705894
Comment 6 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2020-05-04 00:40:56 UTC
pkg is no longer in tree.