Bug 603272 - net-analyzer/sguil-sensor: root privilege escalation via init script
Summary: net-analyzer/sguil-sensor: root privilege escalation via init script
Status: CONFIRMED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Auditing
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-12-21 01:46 UTC by Michael Orlitzky
Modified: 2020-05-21 22:47 UTC
CC List: 5 users

See Also:
Package list:
Runtime testing required: ---

Attachments

Description Michael Orlitzky gentoo-dev 2016-12-21 01:46:00 UTC
The ebuild for sguil-sensor gives ownership of its log directories to the "sguil" user/group:

  diropts -g sguil -o sguil
  keepdir /var/lib/sguil /var/lib/sguil/archive \
      "/var/lib/sguil/${HOSTNAME}" \
      "/var/lib/sguil/${HOSTNAME}/portscans" \
      "/var/lib/sguil/${HOSTNAME}/ssn_logs" \
      "/var/lib/sguil/${HOSTNAME}/dailylogs" \
      "/var/lib/sguil/${HOSTNAME}/sancp"

The init script then sets $LOG_DIR to one of those directories,

  LOG_DIR="${LOGDIR}/${HOSTNAME}/dailylogs"

and trusts its contents:

  chmod 770 "${LOG_DIR}/${today}"
  chown root:sguil "${LOG_DIR}/${today}"

The "sguil" user can make ${today} a symlink to any path on the system; afterwards, the init script (as root) gives the sguil group write access to the target of the symlink. He can do that because he owns the containing directory, and doing so lets him gain root the next time log_packets is started.
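A hardened stand-in for the chmod/chown step quoted above, added here as an example; it is not code from the sguil ebuild, its init script or this bug's comments. The function name prepare_daily_dir, its PARENT/TODAY/GROUP arguments and the use of GNU stat are assumptions. It refuses to act unless the parent directory is owned by the invoking user and not group/world writable (the condition the ebuild's diropts violates), and it never follows a symlink at ${today}.

```shell
#!/bin/sh
# Added example, not code from the sguil ebuild or its init script.
# prepare_daily_dir is an assumed replacement for the script's
#   chmod 770 "${LOG_DIR}/${today}"; chown root:sguil "${LOG_DIR}/${today}"
# step. Assumes GNU coreutils (stat -c); GROUP is passed by the caller.

# usage: prepare_daily_dir PARENT TODAY GROUP
prepare_daily_dir() {
    parent=$1; today=$2; group=$3
    target="$parent/$today"

    # Only a plain path component may be appended to the parent.
    case "$today" in
        ''|.|..|*/*) echo "bad name: $today" >&2; return 1 ;;
    esac

    # The parent must be a real directory (not a symlink) owned by the
    # invoking user (root under init) and not writable by group or others.
    # This is the control that closes the hole: a user who cannot write the
    # parent cannot plant ${today} as a symlink in the first place.
    if [ -L "$parent" ] || [ ! -d "$parent" ]; then
        echo "refusing: $parent missing or a symlink" >&2; return 1
    fi
    if [ "$(stat -c %u "$parent")" != "$(id -u)" ]; then
        echo "refusing: $parent not owned by uid $(id -u)" >&2; return 1
    fi
    mode=$(printf '%d' "0$(stat -c %a "$parent")")   # octal mode -> decimal
    if [ $(( mode & 18 )) -ne 0 ]; then               # 18 == 022 (g+w, o+w)
        echo "refusing: $parent is group/world writable" >&2; return 1
    fi

    # No -p: an existing path is never silently adopted. Only a pre-existing
    # plain directory (a leftover from an earlier run) is accepted; a symlink
    # or any other object at $target aborts the run.
    if ! mkdir "$target" 2>/dev/null; then
        if [ -L "$target" ] || [ ! -d "$target" ]; then
            echo "refusing: $target exists and is not a plain directory" >&2
            return 1
        fi
    fi

    # Because nobody else can write the parent, $target cannot be swapped
    # for a symlink between the check above and these two calls.
    chmod 770 "$target" && chown "$(id -u):$group" "$target"
}
```

Run as root under the init system the chown target would be root:sguil; the test below runs it as an ordinary user against a constructed temporary tree.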
Comment 1 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2020-04-03 23:16:44 UTC
Unrestricting and reassigning to security@ per bug #705894
Comment 2 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2020-04-03 23:18:27 UTC
unrestricting per bug 705894
Comment 3 Sam James archtester gentoo-dev Security 2020-05-21 22:47:57 UTC
@maintainer(s): ping.