Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 631552 (CVE-2020-36770)

Summary: sys-cluster/slurm: root privilege escalation via "chown -R" in pkg_postinst
Product: Gentoo Security Reporter: Michael Orlitzky <mjo>
Component: AuditingAssignee: Gentoo Security <security>
Status: IN_PROGRESS ---    
Severity: normal CC: ajak, alexxy, arthurzam, bircoph, cluster, foufou33, jlec, jsbronder, kfm, leonchik1976, mschiff, pacho, pchrist, prometheanfire, psal, treecleaner, ultrabug
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B1 [glsa?]
Package list:
Runtime testing required: ---

Description Michael Orlitzky gentoo-dev 2017-09-20 17:32:34 UTC 
The ebuilds for slurm call "chown -R" on the live root filesystem in pkg_postinst:

  create_folders_and_fix_permissions() {
      einfo "Fixing permissions in ${@}"
      mkdir -p ${@}
      chown -R ${PN}:${PN} ${@}
  }

  pkg_postinst() {
      paths=(
        "${EROOT}"var/${PN}/checkpoint
        ...
      )
      for folder_path in ${paths[@]}; do
        create_folders_and_fix_permissions $folder_path
      done
      ...

That can be exploited by the "slurm" user to gain root. If a hard link pointing to a root-owned file is placed in one of those $paths, then the next time slurm is reinstalled or upgraded, the "chown -R" will affect the target of the link and give ownership of the file to slurm:slurm.

For example,

  1. emerge slurm
  2. su -s /bin/sh -c 'ln /etc/passwd /var/slurm' slurm
  3. emerge slurm
  4. /etc/passwd is owned by slurm:slurm
Comment 1 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2020-04-03 23:16:21 UTC 
Unrestricting and reassigning to security@ per bug #705894
Comment 2 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2020-04-03 23:18:05 UTC 
unrestricting per bug 705894
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-01-25 22:27:51 UTC 
Ping.

Seems like zlogene was primarily bumping this, but he's not a maintainer anymore.
Comment 4 Larry the Git Cow gentoo-dev 2022-08-15 00:36:38 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=002aa381e511ead5a8b433a8b2ad5d5afd4d94fe

commit 002aa381e511ead5a8b433a8b2ad5d5afd4d94fe
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2022-08-15 00:16:59 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-08-15 00:35:55 +0000

    profiles: last rite sys-cluster/slurm
    
    Also remove the collectd unmasks in arch package.use.masks.
    
    Bug: https://bugs.gentoo.org/631552
    Bug: https://bugs.gentoo.org/790296
    Bug: https://bugs.gentoo.org/842789
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 profiles/arch/amd64/package.use.mask | 4 ----
 profiles/arch/x86/package.use.mask   | 4 ----
 profiles/base/package.use.mask       | 3 +++
 profiles/package.mask                | 6 ++++++
 4 files changed, 9 insertions(+), 8 deletions(-)
Comment 5 Larry the Git Cow gentoo-dev 2022-09-15 08:06:33 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0aea4dac7e2b6099fbe6d299ef0299e04c6832a6

commit 0aea4dac7e2b6099fbe6d299ef0299e04c6832a6
Author:     Alexey Shvetsov <alexxy@gentoo.org>
AuthorDate: 2022-09-15 08:05:51 +0000
Commit:     Alexey Shvetsov <alexxy@gentoo.org>
CommitDate: 2022-09-15 08:05:51 +0000

    sys-cluster/slurm: Should fix possible privilege escalation
    
    Bug: https://bugs.gentoo.org/631552
    Signed-off-by: Alexey Shvetsov <alexxy@gentoo.org>

 sys-cluster/slurm/slurm-22.05.3.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 6 Larry the Git Cow gentoo-dev 2022-09-15 08:08:27 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a34a195a9b018eecac186686a2f88d21daff2f04

commit a34a195a9b018eecac186686a2f88d21daff2f04
Author:     Alexey Shvetsov <alexxy@gentoo.org>
AuthorDate: 2022-09-15 08:07:56 +0000
Commit:     Alexey Shvetsov <alexxy@gentoo.org>
CommitDate: 2022-09-15 08:07:56 +0000

    profiles: Remove slurm p.mask since valnurable version no longer in tree
    
    Bug: https://bugs.gentoo.org/631552
    Bug: https://bugs.gentoo.org/790296
    Bug: https://bugs.gentoo.org/842789
    Signed-off-by: Alexey Shvetsov <alexxy@gentoo.org>

 profiles/package.mask | 6 ------
 1 file changed, 6 deletions(-)
Comment 7 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-15 20:09:24 UTC 
0aea4dac7e2b6099fbe6d299ef0299e04c6832a6 is:

diff --git a/sys-cluster/slurm/slurm-22.05.3.ebuild b/sys-cluster/slurm/slurm-22.05.3.ebuild
index 607d3dc407bb..0b5e602258f3 100644
--- a/sys-cluster/slurm/slurm-22.05.3.ebuild
+++ b/sys-cluster/slurm/slurm-22.05.3.ebuild
@@ -243,7 +243,7 @@ pkg_preinst() {
 create_folders_and_fix_permissions() {
        einfo "Fixing permissions in ${@}"
        mkdir -p ${@} || die
-       chown -R ${PN}:${PN} ${@} || die
+       chown ${PN}:${PN} ${@} || die
 }

 pkg_postinst() {

mjo, what do you think?

alexxy, I think it would've been prudent to double check that the fix is correct before unmasking given how finicky these issues have been in the past to fix.
Comment 8 Michael Orlitzky gentoo-dev 2022-09-15 22:29:40 UTC 
(In reply to John Helmert III from comment #7)
> 
> mjo, what do you think?

I think it's still vulnerable if the package is reinstalled. The order of $paths,

    paths=(
        "${EROOT}"/var/${PN}/checkpoint
	"${EROOT}"/var/${PN}
        "${EROOT}"/var/spool/${PN}/slurmd
        "${EROOT}"/var/spool/${PN}
        "${EROOT}"/var/log/${PN}
        /var/tmp/${PN}/${PN}d
        /var/tmp/${PN}
	/run/${PN}
    )

is good because the first time pkg_postinst() is run, for example, /var/tmp/${PN}/${PN}d will be chown'ed to slurm:slurm before the slurm user is given control of the parent directory /var/tmp/${PN}. But if pkg_postinst() is run again, the slurm user will already control /var/tmp/${PN} when chown is used on /var/tmp/${PN}/${PN}d. At that point either a hardlink or a symlink can be used to fool it.

I think there is a more basic problem to be addressed here. Why is pkg_postinst() creating those directories with mkdir/chown, instead of letting the package manager handle them? Only /run/${PN} is temporary, and that should be handled with checkpath/tmpfiles.
Comment 9 foufou33 2023-02-05 04:13:35 UTC 
(In reply to Michael Orlitzky from comment #8)
> (In reply to John Helmert III from comment #7)
> > 
> > mjo, what do you think?
> 
> I think it's still vulnerable if the package is reinstalled. The order of
> $paths,
> 
>     paths=(
>         "${EROOT}"/var/${PN}/checkpoint
> 	"${EROOT}"/var/${PN}
>         "${EROOT}"/var/spool/${PN}/slurmd
>         "${EROOT}"/var/spool/${PN}
>         "${EROOT}"/var/log/${PN}
>         /var/tmp/${PN}/${PN}d
>         /var/tmp/${PN}
> 	/run/${PN}
>     )
> 
> is good because the first time pkg_postinst() is run, for example,
> /var/tmp/${PN}/${PN}d will be chown'ed to slurm:slurm before the slurm user
> is given control of the parent directory /var/tmp/${PN}. But if
> pkg_postinst() is run again, the slurm user will already control
> /var/tmp/${PN} when chown is used on /var/tmp/${PN}/${PN}d. At that point
> either a hardlink or a symlink can be used to fool it.
> 
> I think there is a more basic problem to be addressed here. Why is
> pkg_postinst() creating those directories with mkdir/chown, instead of
> letting the package manager handle them? Only /run/${PN} is temporary, and
> that should be handled with checkpath/tmpfiles.

you mean in src_install() using dodir/keepdir and fowner/fperms?
Comment 10 Michael Orlitzky gentoo-dev 2023-02-05 11:58:43 UTC 
(In reply to foufou33 from comment #9)
> 
> you mean in src_install() using dodir/keepdir and fowner/fperms?

Yes, exactly.
Comment 11 Larry the Git Cow gentoo-dev 2024-01-14 22:27:23 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=878ee04160ad05c9a40beeac3ba2c973dbf436d6

commit 878ee04160ad05c9a40beeac3ba2c973dbf436d6
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2024-01-14 22:20:09 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2024-01-14 22:20:19 +0000

    sys-cluster/slurm: treeclean
    
    Bug: https://bugs.gentoo.org/631552
    Bug: https://bugs.gentoo.org/920104
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 profiles/package.mask                              |   4 -
 sys-cluster/slurm/Manifest                         |   1 -
 sys-cluster/slurm/files/logrotate                  |  20 --
 .../slurm/files/slurm-22.05.3_autoconf-lua.patch   |  49 ----
 sys-cluster/slurm/files/slurm.confd                |   6 -
 sys-cluster/slurm/files/slurm.tmpfiles             |   1 -
 sys-cluster/slurm/files/slurmctld.initd            |  76 ------
 sys-cluster/slurm/files/slurmd.initd               |  79 ------
 sys-cluster/slurm/files/slurmdbd.initd             |  74 ------
 sys-cluster/slurm/metadata.xml                     |  28 --
 sys-cluster/slurm/slurm-22.05.3.ebuild             | 287 ---------------------
 11 files changed, 625 deletions(-)
Comment 12 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2024-01-14 22:33:33 UTC 
CVE requested.
Comment 13 Larry the Git Cow gentoo-dev 2024-01-15 15:46:50 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/proj/guru.git/commit/?id=d6957c8ab178c1284b5407f185196f3aa146ffb4

commit d6957c8ab178c1284b5407f185196f3aa146ffb4
Author:     Anna (cybertailor) Vyalkova <cyber+gentoo@sysrq.in>
AuthorDate: 2024-01-15 03:29:52 +0000
Commit:     Anna (cybertailor) Vyalkova <cyber+gentoo@sysrq.in>
CommitDate: 2024-01-15 03:29:52 +0000

    profiles: mask a bunch of sys-cluster/* pkgs
    
    Bug: https://bugs.gentoo.org/631552
    Bug: https://bugs.gentoo.org/920104
    Signed-off-by: Anna (cybertailor) Vyalkova <cyber+gentoo@sysrq.in>

 profiles/package.mask | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)