Bug 631878

Summary: net-misc/apt-cacher-ng: privilege escalation via PID file manipulation
Product: Gentoo Security
Reporter: Michael Orlitzky <mjo>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: CONFIRMED
Severity: trivial
CC: deb-tools, jer
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: ~3 [ebuild]
Package list:
Runtime testing required: ---
Attachments:
  initd-r2 (attachment 496192, flags: none)
  confd-r1 (attachment 496194, flags: none)

Description Michael Orlitzky gentoo-dev 2017-09-23 22:12:06 UTC
Created attachment 496192 [details]
initd-r2

The apt-cacher-ng init script gives ownership of its PID file directory to its runtime user:

  RUNDIR="/var/run/${RC_SVCNAME}"
  PIDFILE="${RUNDIR}/${RC_SVCNAME}.pid"

  start() {
      ebegin "Starting ${RC_SVCNAME}"
      checkpath -d -m 0755 -o ${RC_SVCNAME}:${RC_SVCNAME} "${RUNDIR}"
      ...

That can be exploited by the apt-cacher-ng user to kill root processes, since when the service is stopped, root will send a SIGTERM to the contents of the PID file (which are controlled by the "apt-cacher-ng" user).

I've rewritten the init script to work around the issue, by letting OpenRC create the PID file as root, and by storing it directly in /run. I've also updated some other stuff:

  1. Don't use RC_SVCNAME for the $command, since the $command doesn't change
     if you run multiple instances of apt-cacher-ng.

  2. Run apt-cacher-ng in the foreground, and don't have it write a PID file.
     This was needed to allow OpenRC to manage the PID file securely.

  3. Used $retry to eliminate the stop() function.

  4. Dropped "use net" and added an rc_need=net.lo line to the conf.d file.
     This is more semantically correct, since the daemon will start just
     in its default configuration once net.lo is up. And more importantly,
     it allows us to place a comment right there, explaining what to do if
     the user wants to bind to a *particular* interface.
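The following is an added example for this report, not Gentoo's init script, the attached initd-r2, or apt-cacher-ng's own tooling. It shows the vulnerable shape from the description next to an assumed hardened shape (OpenRC writing the PID file as root under /run via command_background, the daemon run in the foreground, retry replacing stop()), and a small audit function that flags any OpenRC init script whose PID file lives under a directory that checkpath -d hands to a non-root owner. The audit assumes checkpath is invoked as "checkpath -d ... -o user:group DIR" and that pidfile/PIDFILE are set by plain assignments; the cache directory checkpath in the hardened sample is a constructed detail to show that a user-owned directory is only a problem when the PID file sits inside it.

```shell
#!/bin/sh
# audit_pidfile_owner.sh: flag OpenRC init scripts that give their PID-file
# directory to the service's own user (the pattern in bug 631878).
# Added example for this report, not Gentoo's or apt-cacher-ng's code.

# Write two constructed sample init scripts into directory $1.
write_samples() {
    dir="$1"
    # Vulnerable shape: RUNDIR owned by the service user, PID file inside it.
    cat > "$dir/apt-cacher-ng" <<'EOF'
#!/sbin/openrc-run
RUNDIR="/var/run/${RC_SVCNAME}"
PIDFILE="${RUNDIR}/${RC_SVCNAME}.pid"
start() {
    checkpath -d -m 0755 -o ${RC_SVCNAME}:${RC_SVCNAME} "${RUNDIR}"
}
EOF
    # Assumed hardened shape: OpenRC creates the PID file as root in /run,
    # the daemon runs in the foreground and never writes a PID file itself.
    # The user-owned cache directory is fine because no PID file lives there.
    cat > "$dir/apt-cacher-ng-r2" <<'EOF'
#!/sbin/openrc-run
command="/usr/sbin/apt-cacher-ng"
command_user="apt-cacher-ng:apt-cacher-ng"
command_background="true"
pidfile="/run/${RC_SVCNAME}.pid"
retry="TERM/30/KILL/5"
start_pre() {
    checkpath -d -m 0755 -o apt-cacher-ng:apt-cacher-ng /var/cache/apt-cacher-ng
}
EOF
}

# audit_initd SCRIPT: exit 0 (finding) when the PID file is under a directory
# that "checkpath -d" gives to a non-root owner, 1 otherwise.
# Runs in a subshell so the audited script's variables stay contained.
audit_initd() (
    script="$1"
    RC_SVCNAME=$(basename "$script")
    # Resolve the script's own variables from simple NAME=value lines only;
    # lines containing $( or backticks are skipped so nothing is executed.
    assigns=$(grep -E '^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*=' "$script" \
              | grep -vF -e '$(' -e '`')
    eval "$assigns"
    pidpath=${pidfile:-${PIDFILE:-}}
    [ -n "$pidpath" ] || exit 1
    while read -r line; do
        [ -n "$line" ] || continue
        case "$line" in *'$('*|*'`'*|*';'*|*'|'*|*'&'*) continue ;; esac
        eval "set -- $line"     # word-split and expand the checkpath arguments
        shift                   # drop the "checkpath" word itself
        is_dir=0; owner=root; target=""
        while [ $# -gt 0 ]; do
            case "$1" in
                -d) is_dir=1 ;;
                -o) owner=${2%%:*}; shift ;;
                -m) shift ;;
                -*) ;;
                *)  target=$1 ;;
            esac
            shift
        done
        [ "$is_dir" = 1 ] && [ "$owner" != root ] || continue
        case "$pidpath" in
            "${target%/}"/*)
                echo "$script: PID file $pidpath is under $target, owned by $owner"
                exit 0 ;;
        esac
    done <<EOF
$(grep -E '^[[:space:]]*checkpath[[:space:]]' "$script")
EOF
    exit 1
)

# Stand-alone demo: audit the two constructed samples, then any paths given.
demo() {
    tmp=$(mktemp -d)
    write_samples "$tmp"
    for f in "$tmp"/*; do
        audit_initd "$f" || echo "$f: ok"
    done
    rm -rf "$tmp"
}
[ "$#" -eq 0 ] && demo
for f in "$@"; do audit_initd "$f" || echo "$f: ok"; done
```

Running it without arguments audits the two constructed samples (the first is flagged, the second reported ok); pass `/etc/init.d/*` to sweep a real system. The check deliberately ignores user-owned directories that hold only data (caches, sockets), since the risk the report describes comes specifically from root later trusting the contents of a file the service user can rewrite.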
Comment 1 Michael Orlitzky gentoo-dev 2017-09-23 22:12:53 UTC
Created attachment 496194 [details]
confd-r1