Bug 631548

Summary: sys-cluster/cluster-glue: root privilege escalation via "chown -R" in pkg_postinst
Product: Gentoo Security Reporter: Michael Orlitzky <mjo>
Component: Auditing Assignee: Gentoo Security <security>
Status: CONFIRMED ---    
Severity: normal CC: alexxy, bircoph, cluster, jer, jsbronder, mschiff, pchrist, prometheanfire, security-audit, treecleaner, ultrabug
Priority: Normal Keywords: PMASKED
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---
Deadline: 2020-12-07   

Description Michael Orlitzky gentoo-dev 2017-09-20 17:13:31 UTC
The ebuilds for cluster-glue call "chown -R" on the live root filesystem in pkg_postinst:

  pkg_postinst() {
      chown -R hacluster:haclient /var/lib/heartbeat/cores
      chown -R hacluster:haclient /var/lib/heartbeat/lrm
  }

That can be exploited by the "hacluster" user (and probably anyone in the "haclient" group) to gain root. If a hard link is placed in one of those directories and it points to a root-owned file, then the next time the cluster-glue package is upgraded or reinstalled, the "chown -R" will affect the target of the link and give the file to hacluster:haclient.

For example,

  1. emerge cluster-glue
  2. su -s /bin/sh -c 'ln /etc/passwd /var/lib/heartbeat/lrm/x' hacluster
  3. emerge cluster-glue
  4. /etc/passwd is owned by hacluster:haclient
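
A defensive check for the pattern described above, as an added example that is not part of the bug report or the cluster-glue ebuild: it lists the entries that make a recursive chown unsafe and changes ownership of a directory only, never its contents. The function names and the temporary sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a tree before any recursive ownership change.
# Function names are hypothetical; the sample tree is constructed.

# Print entries under $1 that make "chown -R" unsafe:
#   regular files with link count > 1 (the inode has another name that
#   may live outside the tree) and symbolic links.
list_chown_hazards() {
    find "$1" -xdev \( -type f -links +1 -o -type l \) -print
}

# Change ownership of the directory itself only, never its contents.
# Refuses symlinks; -h keeps chown from following a link in any case.
chown_dir_only() {
    owner=$1
    dir=$2
    [ -d "$dir" ] && [ ! -L "$dir" ] || return 1
    chown -h "$owner" "$dir"
}

# Constructed demo: "outside/target" stands in for a file the package
# must not touch; "tree" stands in for the service-writable directory.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/outside" "$tmp/tree/lrm"
    echo data > "$tmp/outside/target"
    echo data > "$tmp/tree/lrm/ordinary"
    ln "$tmp/outside/target" "$tmp/tree/lrm/x"
    echo "hazards found:"
    list_chown_hazards "$tmp/tree"
    chown_dir_only "$(id -u):$(id -g)" "$tmp/tree/lrm" && echo "directory-only chown ok"
    rm -rf "$tmp"
}

demo
```

Any path printed by list_chown_hazards is one whose ownership change would reach an inode or target that may sit outside the directory being fixed up.
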
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2019-09-17 13:43:32 UTC
Note that the ebuilds also set /dev/null as login shell.

pkg_setup() {
    enewgroup haclient
    enewuser  hacluster -1 /dev/null /var/lib/heartbeat haclient
}

I expect no security implications there but that probably ought to be fixed in this same effort:

    enewuser  hacluster -1 -1 /var/lib/heartbeat haclient
Comment 2 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2020-04-03 23:16:20 UTC
Unrestricting and reassigning to security@ per bug #705894
Comment 3 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2020-04-03 23:18:08 UTC
unrestricting per bug 705894