
Bug 631538

Summary: sci-biology/foldingathome: root privilege escalation via "chown -R" in pkg_postinst
Product: Gentoo Security
Reporter: Michael Orlitzky <mjo>
Component: Auditing
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: axs, jlec, security-audit, soap
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---

Description Michael Orlitzky gentoo-dev 2017-09-20 16:25:51 UTC
The foldingathome ebuild calls "chown -R" on the live root filesystem in pkg_postinst:

  I="opt/foldingathome"
  ...
  pkg_postinst() {
      chown -R foldingathome:nogroup "${EROOT}"${I}
  }

That can be exploited by the "foldingathome" user to gain root. If he places a hard link under "${EROOT}"${I} (which he owns) pointing to a root-owned file, then the next time the foldingathome package is upgraded or reinstalled, the same "chown -R" call will affect the target of the hard link and give root's file to the "foldingathome" user.
Comment 1 Michael Orlitzky gentoo-dev 2017-09-20 16:30:22 UTC
Hm, the pkg_config phase has the same vulnerability:

  pkg_config() {
      "${EROOT}"${I}/initfolding
  }

The contents of that file are,

  #!/bin/sh

  cd /opt/foldingathome
  /opt/foldingathome/FAHClient --configure
  /bin/chown -R foldingathome:nogroup /opt/foldingathome

so if pkg_config gets run twice, the same vulnerability exists.
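The hazard described above is that chown acts on the inode, so a recursive chown over a user-owned tree also re-owns any other name that inode has. As an added defensive check (not code from this bug or the ebuild), the function below refuses a recursive chown on a live tree when any regular file in it has more than one link; the demo tree it builds is constructed for illustration.

```shell
#!/bin/sh
# Added example: guard a "chown -R" on a live filesystem tree.
# Returns 0 if no regular file under $1 has more than one hard link, 1 otherwise.
# Directories are excluded: "." and ".." entries give them a link count > 1 legitimately.
check_tree_for_hardlinks() {
    tree=$1
    # -links +1 matches inodes with more than one directory entry; -xdev stays on one filesystem.
    bad=$(find "$tree" -xdev -type f -links +1 2>/dev/null | head -n 1)
    [ -z "$bad" ]
}

# Only chown when the tree passes the check (the safe alternative for an install
# is to set ownership on the staging directory before it is merged, not on the live root).
safe_chown_tree() {
    owner=$1
    tree=$2
    if ! check_tree_for_hardlinks "$tree"; then
        echo "refusing chown -R on $tree: a hard-linked file is present" >&2
        return 1
    fi
    chown -R "$owner" "$tree"
}

# Constructed demo: a scratch tree, first clean, then with a hard link to a file outside it.
# Prints "yes no": clean tree passes, tree containing the link is rejected.
demo() {
    d=$(mktemp -d)
    mkdir "$d/app" "$d/elsewhere"
    echo protected > "$d/elsewhere/protected"
    echo ok > "$d/app/normal"
    if check_tree_for_hardlinks "$d/app"; then clean=yes; else clean=no; fi
    ln "$d/elsewhere/protected" "$d/app/link"
    if check_tree_for_hardlinks "$d/app"; then linked=yes; else linked=no; fi
    rm -rf "$d"
    echo "$clean $linked"
}
```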
Comment 2 Ian Stakenvicius gentoo-dev 2017-09-20 18:42:23 UTC
Please review the newly committed -r2, I've dropped initfolding and moved the chown -R to occur within src_install, directly on ${ED}

Once confirmed acceptable, I'll drop previous versions.

commit e4b6baa58325c29e186f6843c365bd5f168b7969 (HEAD -> master, origin/master, origin/HEAD)
Author: Ian Stakenvicius <axs@gentoo.org>
Date:   Wed Sep 20 14:33:07 2017 -0400

    sci-biology/foldingathome: misc ebuild improvements
    
    - Added a systemd unit
    - Removed usage of 'chown -R' on live filesystems
    - Dropped the custom and vulnerable 'initfolding' helper script
    - Improved the init script to use standard openrc-run behaviour via variables
    - Dropped "unitinfo" extra command on /etc/init.d/foldingathome as it rarely works
    
    Package-Manager: Portage-2.3.6, Repoman-2.3.1
Comment 3 Michael Orlitzky gentoo-dev 2017-09-21 16:17:18 UTC
(In reply to Ian Stakenvicius from comment #2)
> Please review the newly committed -r2 , I've dropped initfolding and moved
> the chown -R to occur within src_install, directly on ${ED}
> 

Thanks, I think this one's safe but I have two minor suggestions. First, in src_install, we're supposed to use "fowners" instead of "chown" (don't ask me what the difference is).

And second, I think this comment was left-over from an earlier experiment:

  # the bash shell is important for "su -c" in init script
  enewuser foldingathome -1 -1 "${EPREFIX}"/opt/foldingathome

since you're specifying bash with "su -s" rather than relying on the user's default shell. (Would "su -s /bin/sh" work?)
Comment 4 Ian Stakenvicius gentoo-dev 2017-09-21 18:57:21 UTC
Sorted on both counts. I'll drop the -r1 version to get rid of the vulnerabilities.
Comment 5 Michael Orlitzky gentoo-dev 2019-09-14 16:29:26 UTC
This was fixed two years ago. Since these private bugs don't appear to be a part of anyone's workflow, I'm just gonna mark it "fixed." (Thanks Ian.)

commit e4b6baa58325c29e186f6843c365bd5f168b7969
Author: Ian Stakenvicius <axs@gentoo.org>
Date:   Wed Sep 20 14:33:07 2017 -0400

    sci-biology/foldingathome: misc ebuild improvements

    - Added a systemd unit
    - Removed usage of 'chown -R' on live filesystems
    - Dropped the custom and vulnerable 'initfolding' helper script
    - Improved the init script to use standard openrc-run behaviour via variabl$
    - Dropped "unitinfo" extra command on /etc/init.d/foldingathome as it rarel$

    Package-Manager: Portage-2.3.6, Repoman-2.3.1
Comment 6 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2020-04-03 23:25:32 UTC
unrestricting and re-assigning per bug 705894