This init script for quassel calls "chown -R" on a directory which (thereafter, at least) is owned by the "quassel" user: chown -R "${QUASSEL_USER}":"${QUASSEL_USER}" "${CONFIGDIR}" || return 1 Once that directory is not root-controlled, the call to chown is not safe: the quassel user can place hard links in $CONFIGDIR, and root will chown the targets of those links (to quassel). For example, $ sudo su quassel -c 'ln /var/lib/portage/world /var/lib/quassel/world' $ sudo /etc/init.d/quasselcore start * Starting Quassel Core ... $ ls /var/lib/portage/world -rw-r--r-- 2 quassel quassel 3.7K 2016-12-21 20:33 /var/lib/portage/world Our gentoo-sources has a patch that prevents this, but vanilla-sources does not.
(In reply to Michael Orlitzky from comment #0) > Our gentoo-sources has a patch that prevents this, but vanilla-sources does > not. So the gentoo-sources patch should be send to kernel upstream?
(In reply to Johannes Huber from comment #1) > (In reply to Michael Orlitzky from comment #0) > > Our gentoo-sources has a patch that prevents this, but vanilla-sources does > > not. > > So the gentoo-sources patch should be send to kernel upstream? The patch is from upstream, it was reverted due to breaking backwards compatibility in a very specific subset of packages. See bug 540006 comment 24 for some details.
(In reply to Kristian Fiskerstrand from comment #2) > (In reply to Johannes Huber from comment #1) > > (In reply to Michael Orlitzky from comment #0) > > > Our gentoo-sources has a patch that prevents this, but vanilla-sources does > > > not. > > > > So the gentoo-sources patch should be send to kernel upstream? > > The patch is from upstream, it was reverted due to breaking backwards > compatibility in a very specific subset of packages. See bug 540006 comment > 24 for some details. Just to add that checkpath has been fixed to mitigate this attack and as such constitute security hardening vs the current chown
You can protect yourself from a subset of these vulnerabilities by setting the fs.protected_hardlinks=1 and fs.protected_symlinks=1 sysctl variables, but most are easily fixed by making the init script more polite. It's basically never safe to call chown or chmod on an unknown set of files (which is what happens with the "-R" flag), and you usually don't need to. In this case, you want $CONFIGDIR to have the correct ownership, and that can be accomplished with checkpath. Then the files in $CONFIGDIR are either, a) Created by quassel, and already have the correct ownership b) Created by root, and you shouldn't mess with them Most of the cases I've found are like that, and the "-R" is usually a substitute for telling users something like "make sure the quassel user can read any files that you create in $CONFIGDIR", or for setting the correct ownership post-install in the ebuild.
(In reply to Michael Orlitzky from comment #4) > You can protect yourself from a subset of these vulnerabilities by setting > the fs.protected_hardlinks=1 and fs.protected_symlinks=1 sysctl variables, > but most are easily fixed by making the init script more polite. > > It's basically never safe to call chown or chmod on an unknown set of files > (which is what happens with the "-R" flag), and you usually don't need to. > In this case, you want $CONFIGDIR to have the correct ownership, and that > can be accomplished with checkpath. Then the files in $CONFIGDIR are either, > > a) Created by quassel, and already have the correct ownership > b) Created by root, and you shouldn't mess with them > > Most of the cases I've found are like that, and the "-R" is usually a > substitute for telling users something like "make sure the quassel user can > read any files that you create in $CONFIGDIR", or for setting the correct > ownership post-install in the ebuild. Feel free to do any changes in the init scripts as I don't use legacy sysvinit.
(In reply to Johannes Huber from comment #5) > > Feel free to do any changes in the init scripts as I don't use legacy > sysvinit. I've committed new revisions of the conf and init files: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dcb995f7f08b66528487fe4e0a16a16bda502572 When you get a chance, please make a new revision of quassel to use them. To avoid permissions issues with the log file, I opted to log to syslog by default which may partially or entirely address bug 423145.
Commit is public, no need to restrict any further.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b4e4a52dfd5dcc298eea1881cdb66562295586d5 commit b4e4a52dfd5dcc298eea1881cdb66562295586d5 Author: Johannes Huber <johu@gentoo.org> AuthorDate: 2018-03-22 19:48:25 +0000 Commit: Johannes Huber <johu@gentoo.org> CommitDate: 2018-03-22 19:56:54 +0000 net-irc/quassel: Install newer {init,conf} file Closes: https://bugs.gentoo.org/639480 Closes: https://bugs.gentoo.org/423145 Bug: https://bugs.gentoo.org/603414 Reported-by: Michael Mair-Keimberger (iamnr3) <bu9zilla@gmail.com> Package-Manager: Portage-2.3.24, Repoman-2.3.6 net-irc/quassel/quassel-0.12.4-r1.ebuild | 4 ++-- net-irc/quassel/quassel-9999.ebuild | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-)}
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7e59eb971d6c83343ba5c3173ae48bb11acc5aa3 commit 7e59eb971d6c83343ba5c3173ae48bb11acc5aa3 Author: Johannes Huber <johu@gentoo.org> AuthorDate: 2018-04-25 05:07:29 +0000 Commit: Johannes Huber <johu@gentoo.org> CommitDate: 2018-04-25 05:07:29 +0000 net-irc/quassel: Remove 0.12.4 (r0) Bug: https://bugs.gentoo.org/603414 Bug: https://bugs.gentoo.org/653834 Package-Manager: Portage-2.3.31, Repoman-2.3.9 net-irc/quassel/files/quasselcore.conf | 21 ---- net-irc/quassel/files/quasselcore.init | 62 ------------ net-irc/quassel/quassel-0.12.4.ebuild | 173 --------------------------------- 3 files changed, 256 deletions(-)}
Cleanup done.
@Security, this bug is ready for stabilization. @Maintainer(s), add package target when ready and cc @arches, please.
(In reply to D'juan McDonald from comment #11) > @Security, this bug is ready for stabilization. @Maintainer(s), add package > target when ready and cc @arches, please. Please read the old comments. The old version is already tree cleaned.
As usual, Gentoo sources has the appropriate controls in place to prevent this. vanilla-sources is *not* security supported.