| Summary: | sci-biology/foldingathome: root privilege escalation via "chown -R" in pkg_postinst | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Michael Orlitzky <mjo> |
| Component: | Auditing | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | CC: | axs, jlec, security-audit, soap |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Package list: | Runtime testing required: | --- | |
Hm, the pkg_config phase has the same vulnerability:
pkg_config() {
"${EROOT}"${I}/initfolding
}
The contents of that file are,
#!/bin/sh
cd /opt/foldingathome
/opt/foldingathome/FAHClient --configure
/bin/chown -R foldingathome:nogroup /opt/foldingathome
so if pkg_config gets run twice, the same vulnerability exists.
Please review the newly committed -r2 , I've dropped initfolding and moved
the chown -R to occur within src_install, directly on ${ED}
Once confirmed acceptable, I'll drop previous versions.
commit e4b6baa58325c29e186f6843c365bd5f168b7969 (HEAD -> master, origin/master, origin/HEAD)
Author: Ian Stakenvicius <axs@gentoo.org>
Date: Wed Sep 20 14:33:07 2017 -0400
sci-biology/foldingathome: misc ebuild impovements
- Added a systemd unit
- Removed usage of 'chown -R' on live filesystems
- Dropped the custom and vulnerable 'initfolding' helper script
- Improved the init script to use standard openrc-run behaviour via variables
- Dropped "unitinfo" extra command on /etc/init.d/foldingathome as it rarely works
Package-Manager: Portage-2.3.6, Repoman-2.3.1
(In reply to Ian Stakenvicius from comment #2) > Please review the newly committed -r2 , I've dropped initfolding and moved > the chown -R to occur within src_install, directly on ${ED} > Thanks, I think this one's safe but I have two minor suggestions. First, in src_install, we're supposed to use "fowners" instead of "chown" (don't ask me what the difference is). And second, I think this comment was left-over from an earlier experiment: # the bash shell is important for "su -c" in init script enewuser foldingathome -1 -1 "${EPREFIX}"/opt/foldingathome since you're specifying bash with "su -s" rather than relying on the user's default shell. (Would "su -s /bin/sh" work?) Sorted on both counts. I'll drop the -r1 version to get rid of the vulnerabilities. This was fixed two years ago. Since these private bugs don't appear to be a part of anyone's workflow, I'm just gonna mark it "fixed." (Thanks Ian.) commit e4b6baa58325c29e186f6843c365bd5f168b7969 Author: Ian Stakenvicius <axs@gentoo.org> Date: Wed Sep 20 14:33:07 2017 -0400 sci-biology/foldingathome: misc ebuild impovements - Added a systemd unit - Removed usage of 'chown -R' on live filesystems - Dropped the custom and vulnerable 'initfolding' helper script - Improved the init script to use standard openrc-run behaviour via variabl$ - Dropped "unitinfo" extra command on /etc/init.d/foldingathome as it rarel$ Package-Manager: Portage-2.3.6, Repoman-2.3.1 unrestricting and re-assigning per bug 705894 |
The foldingathome ebuild calls "chown -R" on the live root filesystem in pkg_postinst: I="opt/foldingathome" ... pkg_postinst() { chown -R foldingathome:nogroup "${EROOT}"${I} That can be exploited by the "foldingathome" user to gain root. If he places a hard link under "${EROOT}"${I} (which he owns) pointing to a root-owned file, then the next time the foldingathome package is upgraded or reinstalled, the same "chown -R" call will affect the target of the hard link and give root's file to the "foldingathome" user.