
Bug 630986

Summary: mail-filter/spamass-milter: privilege escalation via PID file manipulation
Product: Gentoo Security
Reporter: Michael Orlitzky <mjo>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: maintainer-needed, net-mail+disabled, tb, treecleaner
Priority: Normal
Keywords: PMASKED
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B3 [noglsa]
Package list:
Runtime testing required: ---
Deadline: 2019-05-24
Attachments (description / flags):
  spamass-milter.rc5 / none
  spamass-milter.conf4 / none
  spamass-milter.rc5 / none

Description Michael Orlitzky gentoo-dev 2017-09-14 16:22:00 UTC
Created attachment 494526 [details]
spamass-milter.rc5

The init script for spamass-milter gives ownership of its PID file directory to the daemon's runtime user:

  checkconfig() {
      if [ ! -d ${piddir:=/var/run/milter} ]; then
          # creates the PID directory owned by the unprivileged milter user
          checkpath -q -d -o milter:milter -m 0755 ${piddir} || return 1
      fi
  }

This can be exploited by the "milter" user to kill root processes, since when the service is stopped, root will send a SIGTERM to the contents of that file.

I've rewritten the init script to work around this. The spamass-milter can't drop privileges on its own, so instead of using the daemon-created PID file, I had the daemon run in the foreground and let OpenRC manage the PID file at /run/spamass-milter.pid.

I also cleaned up the socket code and the retry/wait stuff during start/stop. I've restarted the daemon a bunch of times with no problem.

If it's all the same, I would also suggest that we make the $SOCKET path something like /run/milter/${RC_SVCNAME}.sock (which happens to be the default, anyway). The fact that we change ownership of the directory containing that variable is a little sneaky, and could mess up users' systems if they put e.g. SOCKET=/run/foo.sock. If the value was fixed at SOCKET=/run/milter/${RC_SVCNAME}.sock, then we could hard code the "checkpath" call to affect /run/milter.
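The check a privileged stop path should make before signalling a PID read from a file, as an added example that is neither the reporter's attachment nor Gentoo's init script; the function names, the OWNER_UID parameter and the temporary-directory demo are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not the reporter's attachment or Gentoo's init script.
# Before a privileged stop path acts on a PID read from a file, check that
# the file and its directory belong to the trusted owner (uid 0 by default)
# and are not group/other writable, and that the PID names a process whose
# comm is the daemon we expect. Assumes Linux /proc and GNU coreutils stat.

# last2 STRING: last two chars, the group/other digits of a mode like 1777.
last2() { printf '%s\n' "${1#"${1%??}"}"; }

# pidfile_is_trusted PIDFILE [OWNER_UID]
pidfile_is_trusted() {
    owner=${2:-0}
    for p in "$(dirname "$1")" "$1"; do
        [ -e "$p" ] || return 1
        [ "$(stat -c %u "$p")" = "$owner" ] || return 1
        # write bit (2) set in the group or other digit => untrusted
        case $(last2 "$(stat -c %a "$p")") in *[2367]*) return 1 ;; esac
    done
    return 0
}

# pid_matches PID COMM: the process named by PID must really be COMM.
pid_matches() {
    [ -r "/proc/$1/comm" ] && [ "$(cat "/proc/$1/comm")" = "$2" ]
}

# validated_pid PIDFILE COMM [OWNER_UID]
# Prints the PID only when every check passes; the caller then signals it.
validated_pid() {
    pidfile_is_trusted "$1" "${3:-0}" || { echo "refusing: $1 untrusted" >&2; return 1; }
    pid=$(head -n 1 "$1")
    case $pid in ''|*[!0-9]*) echo "refusing: malformed PID" >&2; return 1 ;; esac
    pid_matches "$pid" "$2" || { echo "refusing: PID $pid is not $2" >&2; return 1; }
    printf '%s\n' "$pid"
}

# demo: PID directory writable by the daemon user (the bug) versus a
# properly owned one; uses this shell's own PID as constructed input.
demo() {
    d=$(mktemp -d); chmod 0777 "$d"
    echo "$$" > "$d/milter.pid"; chmod 0644 "$d/milter.pid"
    comm=$(cat "/proc/$$/comm")
    validated_pid "$d/milter.pid" "$comm" "$(id -u)" || echo "blocked, as intended"
    chmod 0755 "$d"
    validated_pid "$d/milter.pid" "$comm" "$(id -u)" && echo "ok to signal"
    rm -rf "$d"
}
case ${1:-} in demo) demo ;; esac
```

Run it with the argument `demo` to see the world-writable directory refused and the properly owned one accepted; in a real stop path the printed PID is what `kill -TERM` would receive.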
Comment 1 Michael Orlitzky gentoo-dev 2017-09-14 16:22:34 UTC
Created attachment 494528 [details]
spamass-milter.conf4
Comment 2 Michael Orlitzky gentoo-dev 2017-09-14 16:23:16 UTC
Created attachment 494530 [details]
spamass-milter.rc5
Comment 3 Larry the Git Cow gentoo-dev 2019-04-24 12:50:29 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8c3b2530968d44c5e46fad371b300bd643e1e934

commit 8c3b2530968d44c5e46fad371b300bd643e1e934
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2019-04-24 12:49:05 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-04-24 12:50:13 +0000

    package.mask: Last rite mail-filter/spamass-milter
    
    Bug: https://bugs.gentoo.org/630986
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 profiles/package.mask | 7 +++++++
 1 file changed, 7 insertions(+)
Comment 4 Larry the Git Cow gentoo-dev 2019-05-28 13:33:08 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=30a7ed2d867921b830e8f2329519fdb34ab9cb5f

commit 30a7ed2d867921b830e8f2329519fdb34ab9cb5f
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2019-05-28 13:32:15 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-05-28 13:32:41 +0000

    mail-filter/spamass-milter: Remove last-rited pkg
    
    Bug: https://bugs.gentoo.org/630986
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 mail-filter/spamass-milter/Manifest                |  1 -
 mail-filter/spamass-milter/files/README.gentoo     | 52 ------------
 .../files/spamass-milter-auth_users.patch          | 92 ----------------------
 .../spamass-milter/files/spamass-milter.conf3      | 29 -------
 .../spamass-milter/files/spamass-milter.rc4        | 54 -------------
 mail-filter/spamass-milter/metadata.xml            |  5 --
 .../spamass-milter/spamass-milter-0.3.2.ebuild     | 41 ----------
 profiles/package.mask                              |  7 --
 8 files changed, 281 deletions(-)
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-27 23:26:45 UTC
Removed over a year ago so no GLSA, tree is clean, closing.