
Bug 796815

Summary: app-admin/github-backup-utils[test]: leaks systemd service stop requests to system
Product: Gentoo Linux
Reporter: Michał Górny <mgorny>
Component: Current packages
Assignee: William Hubbs <williamh>
Status: CONFIRMED ---
Severity: major
CC: qa, systemd
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---

Description Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2021-06-20 07:40:51 UTC
While running the test suite, I repeatedly get a GUI window asking me for the root password in order to 'stop consul.service'. Sounds like a major command leak.
Not that I'm running such a service.
Comment 1 Mike Gilbert gentoo-dev 2021-06-20 15:40:22 UTC
Several tests call "ghe-restore", which calls "ssh ... sudo systemctl stop consul".

https://github.com/github/backup-utils/blob/v3.0.0/bin/ghe-restore#L301

As well, the tests use a wrapper script for ssh that removes any "sudo" calls and runs the commands locally.

https://github.com/github/backup-utils/blob/v3.0.0/test/bin/ssh#L37

The end result is that "systemctl stop consul" gets executed directly as the portage user, which triggers a polkit prompt if portage is not running as root.
Comment 2 Mike Gilbert gentoo-dev 2021-06-20 15:46:05 UTC
ghe-restore attempts to perform many privileged operations, and it doesn't look like it was really designed for use in an isolated test environment.

I would recommend masking the test USE flag until/unless the tests can be made more safe for general use.
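
Added example, not part of the bug report or of the backup-utils code: one way a test harness can contain the behaviour described in Comment 1 is to place recording stubs for `systemctl` and `sudo` ahead of the real binaries on `PATH`. The names `install_shims`, `wrapped_ssh`, `leak_demo` and `resolves_to_shim`, and the simplified sudo-stripping wrapper, are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed example: all function names here are hypothetical.
SHIM_DIR=$(mktemp -d)
SHIM_LOG="$SHIM_DIR/calls.log"
trap 'rm -rf "$SHIM_DIR"' EXIT

# Create stubs for privileged host tools. Each stub records its
# arguments and succeeds, so nothing reaches the real system.
install_shims() {
    for tool in systemctl sudo; do
        cat > "$SHIM_DIR/$tool" <<EOF
#!/bin/sh
echo "$tool \$*" >> "$SHIM_LOG"
exit 0
EOF
        chmod +x "$SHIM_DIR/$tool"
    done
    : > "$SHIM_LOG"
}

# Simplified stand-in for a test ssh wrapper: drop the host argument,
# strip "sudo", and run the rest locally, with the stubs first on PATH.
wrapped_ssh() {
    shift
    cmd=$(printf '%s' "$*" | sed -e 's/^sudo //' -e 's/ sudo / /g')
    PATH="$SHIM_DIR:$PATH" sh -c "$cmd"
}

# True when a lookup of systemctl inside the harness finds the stub.
resolves_to_shim() {
    found=$(PATH="$SHIM_DIR:$PATH"; command -v systemctl)
    [ "$found" = "$SHIM_DIR/systemctl" ]
}

# Constructed input: the kind of command a restore step sends over ssh.
leak_demo() {
    install_shims
    wrapped_ssh testhost "sudo systemctl stop consul"
    cat "$SHIM_LOG"
}

leak_demo
```

The recorded log doubles as a test assertion target: the suite can check that the stop request was issued without it ever reaching the host's service manager or polkit.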