Bug 631140

Summary: net-analyzer/smokeping: privilege escalation via PID file manipulation
Product: Gentoo Security Reporter: Michael Orlitzky <mjo>
Component: Vulnerabilities Assignee: Gentoo Security <security>
Status: IN_PROGRESS ---    
Severity: minor CC: ajak, netmon
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B3 [ebuild]
Package list:
Runtime testing required: ---
Bug Depends on: 651212, 651646    
Bug Blocks:    
Attachments:
Description Flags
smokeping-2.6.11-r1.ebuild none
smokeping.init.5 none

Description Michael Orlitzky gentoo-dev 2017-09-16 18:01:56 UTC
Created attachment 494768 [details]
smokeping-2.6.11-r1.ebuild

The init script for smokeping gives ownership of its PID file directory to the "smokeping" user:

  start() {
      checkconfig || return 1

      checkpath -d -m 0755 -o smokeping:smokeping /run/smokeping
      ...

This can be exploited by the "smokeping" user to kill root processes, since when the service is stopped, root will send a SIGTERM to the contents of the PID file (which are under the control of the "smokeping" user).

Since smokeping cannot drop privileges itself, there is no way to safely use the PID file that it creates: to run as a restricted user, we need start-stop-daemon to execute smokeping as a restricted user, after which it's already too late.

I've rewritten the init script to work around this by passing "--nodaemon" to smokeping, and by letting OpenRC background it and manage its PID file. Since smokeping insists on writing a PID file (it won't start otherwise), I've modified the ebuild to stick the unsafe PID file in /var/lib/smokeping. Now that /run/smokeping is unused, the tmpfiles.d entry is no longer needed.
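
Added example (not part of the original report, the ebuild or the init script): a shell check that an audit or a stop routine could run before root acts on a PID file, flagging the condition described above where the file or its directory is controlled by an unprivileged account. The function names and the script name in the usage line are assumptions.

```shell
#!/bin/sh
# Added example: is a PID file safe for a privileged "stop" to act on?
# Function names are illustrative, not from OpenRC or smokeping.

# Print "<numeric uid> <mode string>" for PATH, e.g. "0 drwxr-xr-x".
owner_and_mode() {
    ls -ldn -- "$1" 2>/dev/null | awk '{ print $3, $1 }'
}

# path_is_trusted PATH UID: owned by UID and not group/other-writable.
path_is_trusted() {
    _info=$(owner_and_mode "$1")
    [ -n "$_info" ] || return 2              # missing or unreadable
    _owner=${_info%% *}
    _mode=${_info#* }
    [ "$_owner" = "$2" ] || return 1         # someone else owns it
    case "$_mode" in
        ?????w*|????????w*) return 1 ;;      # group or other may write
    esac
    return 0
}

# pidfile_is_safe PIDFILE [TRUSTED_UID]  (TRUSTED_UID defaults to 0, root)
# Returns 0 only when neither the file nor its directory can be changed
# by an account other than TRUSTED_UID.
pidfile_is_safe() {
    _pf=$1
    _uid=${2:-0}
    # Whoever owns the directory can replace the file inside it.
    path_is_trusted "$(dirname "$_pf")" "$_uid" || return 1
    # A symlink could redirect the read to content chosen by someone else.
    if [ -L "$_pf" ]; then return 1; fi
    # Not created yet: fine, as long as the directory is trusted.
    [ -e "$_pf" ] || return 0
    path_is_trusted "$_pf" "$_uid" || return 1
}

# Usage: sh check-pidfile.sh /path/to/daemon.pid [trusted-uid]
if [ $# -gt 0 ]; then
    if pidfile_is_safe "$@"; then
        echo "OK: $1 is controlled only by uid ${2:-0}"
    else
        echo "UNSAFE: $1 or its directory is controlled by another account"
    fi
fi
```

With the default trusted uid of 0, a PID file inside a directory created by the `checkpath -o smokeping:smokeping` line quoted above is reported as unsafe.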
Comment 1 Michael Orlitzky gentoo-dev 2017-09-16 18:02:21 UTC
Created attachment 494770 [details]
smokeping.init.5
Comment 2 Michael Orlitzky gentoo-dev 2017-09-16 18:05:07 UTC
One more thing: I dropped the line,

  checkpath -d -m 0755 -o smokeping:smokeping /var/cache/smokeping

because /var/cache/smokeping doesn't appear in the config anywhere (and apparently systemd doesn't need it). If I messed that up, just add it back.
Comment 3 D'juan McDonald (domhnall) 2017-10-03 06:58:57 UTC
@maintainer(s), ebuild provided, please call for stabilization when ready, thank you.

Gentoo Security Padawan
Daj Uan (jmbailey/mbailey_j)
Comment 4 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-10-20 02:43:11 UTC
(In reply to jmbailey from comment #3)
> @maintainer(s), ebuild provided, please call for stabilization when ready,
> thank you.
> 
> Gentoo Security Padawan
> Daj Uan (jmbailey/mbailey_j)

The ebuild would need to be in the tree first.
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2018-02-06 06:38:55 UTC
(In reply to Michael Orlitzky from comment #1)
> Created attachment 494770 [details]
> smokeping.init.5

It looks like this new init.d script does not fix bug #602652.
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2018-02-08 19:44:54 UTC
(In reply to Jeroen Roovers from comment #5)
> (In reply to Michael Orlitzky from comment #1)
> > Created attachment 494770 [details]
> > smokeping.init.5
> 
> It looks like this new init.d script does not fix bug #602652.

That said, I have added it in 2.7.1.
Comment 7 nic 2018-03-26 20:08:51 UTC
--nodaemon breaks event logging to syslog: bug #651212
Comment 8 John Helmert III gentoo-dev Security 2020-06-18 00:55:56 UTC
Maintainer(s): Ping.