| Summary: | sys-apps/man: root privilege escalation via "chown -R" in pkg_postinst | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Michael Orlitzky <mjo> |
| Component: | Auditing | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | CC: | cardoe, chainsaw, chutzpah, hwoarang, polynomial-c, robbat2, security-audit, vapier, whissi, williamh |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | B1 [noglsa] | ||
| Package list: | Runtime testing required: | --- | |
Unrestricting and reassigning to security@ per bug #705894 unrestricting per bug 705894 Treecleaned a while ago. Very old bug so will go to noglsa. commit ce370f012e25ad2eb756cbcaf768bf053161d067 Author: Mike Gilbert <floppym@gentoo.org> Date: Sat Mar 7 16:54:44 2020 -0500 sys-apps/man: remove package Closes: https://bugs.gentoo.org/468428 Closes: https://bugs.gentoo.org/515534 Closes: https://bugs.gentoo.org/524588 Closes: https://bugs.gentoo.org/589738 Closes: https://bugs.gentoo.org/605352 Closes: https://bugs.gentoo.org/651038 Closes: https://bugs.gentoo.org/683494 Signed-off-by: Mike Gilbert <floppym@gentoo.org> |
The sys-apps/man ebuilds call "chown -R" on the live root filesystem in pkg_postinst: pkg_postinst() { einfo "Forcing sane permissions onto ${ROOT}var/cache/man (Bug #40322)" chown -R root:man "${ROOT}"/var/cache/man chmod -R g+w "${ROOT}"/var/cache/man This can be exploited by anyone in the "man" group to gain root privileges. If a hard link is placed in /var/cache/man, then the next time sys-apps/man is upgraded or reinstalled, the "chown -R" will affect the target of the symlink, potentially making root-owned files writable by the "man" group. For example, 1. emerge sys-apps/man 2. su -s /bin/sh -c 'ln /etc/passwd /var/cache/man/x' man 3. emerge sys-apps/man 4. /etc/passwd is group-writable and root:man