Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 603258 - mail-filter/postgrey: root privilege escalation via init script race condition
Summary: mail-filter/postgrey: root privilege escalation via init script race condition
Status: CONFIRMED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Auditing (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-12-20 22:10 UTC by Michael Orlitzky
Modified: 2021-01-05 21:43 UTC (History)
6 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Michael Orlitzky gentoo-dev 2016-12-20 22:10:34 UTC
If you set POSTGREY_TYPE="unix" in the conf.d file for postgrey, then the socket it uses is located at,

  POSTGREY_SOCKET="/var/spool/postfix/private/postgrey"

However, that directory will be owned by the "postfix" user, and not by root. The init script for postgrey trusts the contents of that directory:

  # HACK -- start a subshell and corrects perms on the socket...
  if [ "x${POSTGREY_TYPE}" = "xunix" ]; then
      rm -f ${POSTGREY_SOCKET}
      ( while ! test -S ${POSTGREY_SOCKET}; \
          do sleep 1; \
        done; \
        chmod a+rw,a-x ${POSTGREY_SOCKET} ) &
  fi

It's not a big window, but there is one, between the "-S" test and the call to chmod that creates a race condition. The "postfix" user can replace the "postgrey" socket with a symlink to any file on the system, and the call to chmod will make the target of the symlink world-writable. I was able to exploit that by brute force (a while-loop that overwrites the postgrey socket with a symlink) but not reliably.

A more reliable attack is to create a symlink that points to another socket, so that the "-S" test succeeds and you don't need to time it just right. For example, as the postfix user in /var/spool/postfix/private,

  rm -f postgrey; \
  while [ ! -S postgrey ]; do : ; done; \
  ln -sf /var/run/ntpd.sock ./postgrey;

will (reliably) cause the init script to make your ntpd socket world-writable.
Comment 1 Michael Orlitzky gentoo-dev 2019-09-14 16:10:05 UTC
Coming up on a third birthday... is anyone still maintaining postgrey?
Comment 2 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2020-04-03 23:16:24 UTC
Unrestricting and reassigning to security@ per bug #705894
Comment 3 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2020-04-03 23:18:40 UTC
unrestricting per bug 705894
Comment 4 Sam James archtester gentoo-dev Security 2020-05-21 22:43:37 UTC
@stefan, are you there? Any thoughts on this?
Comment 5 John Helmert III gentoo-dev Security 2021-01-05 21:43:12 UTC
Ping