Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 603328 - <www-apps/rt-4.4.2: privilege escalation via USE=lighttpd init script
Summary: <www-apps/rt-4.4.2: privilege escalation via USE=lighttpd init script
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Auditing (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-12-21 12:57 UTC by Michael Orlitzky
Modified: 2020-05-21 22:48 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
rt.init.d-r3 (rt.init.d.2,1.53 KB, text/plain)
2018-01-26 14:31 UTC, Aaron W. Swenson
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Michael Orlitzky gentoo-dev 2016-12-21 12:57:13 UTC
When using lighttpd, rt has an init script that takes ownership of /var/www/localhost/rt-*/var:

  start() {
      checkpath -d "${RTPATH}/var" -m 0755 -o "${RTUSER}:${RTGROUP}"

A little bit later, it calls chmod on "appSocket", contained in that path:

  FCGI_SOCKET_PATH=${RTPATH}/var/appSocket
  ...
  if [ -a ${FCGI_SOCKET_PATH} ]; then
      chmod g+rwx ${FCGI_SOCKET_PATH}
      eend 0
  else

Since ${FCGI_SOCKET_PATH} lives in a directory owned by ${RTUSER}, he can replace "appSocket" with a symlink to any path on the system. When the "chmod" above is reached, it will affect the target of the symlink, and make it group-readable/writable. (To overwrite the "real" socket, you can ln -sf in a loop.)

That can be used to grant root privileges to other groups on the system. For example, my /etc/portage is owned by root:portage, and making it group-writable gives the portage group root on the system.
Comment 1 Aaron W. Swenson gentoo-dev 2018-01-26 14:31:43 UTC
Created attachment 516788 [details]
rt.init.d-r3

Sorry for the huge delay on this.

I'm pretty sure just changing the test from "if it exists" to "if it's a socket" will do the trick.

The initscript also needed some additional cleanups.
Comment 2 Aaron W. Swenson gentoo-dev 2018-01-26 15:33:08 UTC
Actually, this whole thing doesn't work, and upstream's recommendation is to let the web server handle it.
Comment 3 Aaron W. Swenson gentoo-dev 2018-01-26 17:04:18 UTC
Initscript removed with:

commit 935b1fda4c552a223ea23a8bc405571c0743c375
Author: Aaron W. Swenson <titanofold@gentoo.org>
Date:   Fri Jan 26 12:02:47 2018 -0500

    www-apps/rt: Cleanup old and insecure

    Bug: https://bugs.gentoo.org/603328
    Bug: https://bugs.gentoo.org/626196
    Package-Manager: Portage-2.3.19, Repoman-2.3.6
Comment 4 Aaron W. Swenson gentoo-dev 2019-08-02 10:14:07 UTC
@security-audit: Ping.

Can we close this now? The initscript is no longer installed. It's been resolved for 18 months.
Comment 5 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2020-04-03 23:16:43 UTC
Unrestricting and reassigning to security@ per bug #705894
Comment 6 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2020-04-03 23:18:15 UTC
unrestricting per bug 705894
Comment 7 Sam James archtester gentoo-dev Security 2020-05-21 22:48:50 UTC
(In reply to Aaron W. Swenson from comment #4)
> @security-audit: Ping.
> 
> Can we close this now? The initscript is no longer installed. It's been
> resolved for 18 months.

Yep.