| Summary: | sys-cluster/cluster-glue: root privilege escalation via "chown -R" in pkg_postinst | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Michael Orlitzky <mjo> |
| Component: | Auditing | Assignee: | Gentoo Security <security> |
| Status: | CONFIRMED --- | ||
| Severity: | normal | CC: | alexxy, bircoph, cluster, jer, jsbronder, kfm, mschiff, pchrist, prometheanfire, treecleaner, ultrabug |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | B1 [ebuild] | ||
| Package list: | Runtime testing required: | --- | |
| Deadline: | 2020-12-07 | ||
Note that the ebuilds also set /dev/null as login shell.
pkg_setup() {
enewgroup haclient
enewuser hacluster -1 /dev/null /var/lib/heartbeat haclient
}
I expect no security implications there but that probably ought to be fixed in this same effort:
enewuser hacluster -1 -1 /var/lib/heartbeat haclient
Unrestricting and reassigning to security@ per bug #705894 unrestricting per bug 705894 |
The ebuilds for cluster-glue call "chown -R" on the live root filesystem in pkg_postinst: pkg_postinst() { chown -R hacluster:haclient /var/lib/heartbeat/cores chown -R hacluster:haclient /var/lib/heartbeat/lrm } That can be exploited by the "hacluster" user (and probably anyone in the "haclient" group) to gain root. If a hard link is placed in one of those directories and it points to a root-owned file, then the next time the cluster-glue package is upgraded or reinstalled, the "chown -R" will affect the target of the link and give the file to hacluster:haclient. For example, 1. emerge cluster-glue 2. su -s /bin/sh -c 'ln /etc/passwd /var/lib/heartbeat/lrm/x' hacluster 3. emerge cluster-glue 4. /etc/passwd is owned by hacluster:haclient