Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 603414 - <net-irc/quassel-0.12.4-r1: root privilege escalation via init script
Summary: <net-irc/quassel-0.12.4-r1: root privilege escalation via init script
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Auditing (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL:
Whiteboard: C1 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2016-12-22 02:28 UTC by Michael Orlitzky
Modified: 2018-05-08 15:26 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Michael Orlitzky gentoo-dev 2016-12-22 02:28:14 UTC
This init script for quassel calls "chown -R" on a directory which (thereafter, at least) is owned by the "quassel" user:

  chown -R "${QUASSEL_USER}":"${QUASSEL_USER}" "${CONFIGDIR}" || return 1

Once that directory is not root-controlled, the call to chown is not safe: the quassel user can place hard links in $CONFIGDIR, and root will chown the targets of those links (to quassel).

For example,

  $ sudo su quassel -c 'ln /var/lib/portage/world /var/lib/quassel/world'
  $ sudo /etc/init.d/quasselcore start
   * Starting Quassel Core ...
  $ ls /var/lib/portage/world
  -rw-r--r-- 2 quassel quassel 3.7K 2016-12-21 20:33 /var/lib/portage/world

Our gentoo-sources has a patch that prevents this, but vanilla-sources does not.
Comment 1 Johannes Huber gentoo-dev 2016-12-22 17:09:58 UTC
(In reply to Michael Orlitzky from comment #0) 
> Our gentoo-sources has a patch that prevents this, but vanilla-sources does
> not.

So the gentoo-sources patch should be send to kernel upstream?
Comment 2 Kristian Fiskerstrand gentoo-dev Security 2016-12-22 17:23:21 UTC
(In reply to Johannes Huber from comment #1)
> (In reply to Michael Orlitzky from comment #0) 
> > Our gentoo-sources has a patch that prevents this, but vanilla-sources does
> > not.
> 
> So the gentoo-sources patch should be send to kernel upstream?

The patch is from upstream, it was reverted due to breaking backwards compatibility in a very specific subset of packages. See bug 540006 comment 24 for some details.
Comment 3 Kristian Fiskerstrand gentoo-dev Security 2016-12-22 17:25:42 UTC
(In reply to Kristian Fiskerstrand from comment #2)
> (In reply to Johannes Huber from comment #1)
> > (In reply to Michael Orlitzky from comment #0) 
> > > Our gentoo-sources has a patch that prevents this, but vanilla-sources does
> > > not.
> > 
> > So the gentoo-sources patch should be send to kernel upstream?
> 
> The patch is from upstream, it was reverted due to breaking backwards
> compatibility in a very specific subset of packages. See bug 540006 comment
> 24 for some details.

Just to add that checkpath has been fixed to mitigate this attack and as such constitute security hardening vs the current chown
Comment 4 Michael Orlitzky gentoo-dev 2016-12-22 18:48:36 UTC
You can protect yourself from a subset of these vulnerabilities by setting the fs.protected_hardlinks=1 and fs.protected_symlinks=1 sysctl variables, but most are easily fixed by making the init script more polite.

It's basically never safe to call chown or chmod on an unknown set of files (which is what happens with the "-R" flag), and you usually don't need to. In this case, you want $CONFIGDIR to have the correct ownership, and that can be accomplished with checkpath. Then the files in $CONFIGDIR are either,

  a) Created by quassel, and already have the correct ownership
  b) Created by root, and you shouldn't mess with them

Most of the cases I've found are like that, and the "-R" is usually a substitute for telling users something like "make sure the quassel user can read any files that you create in $CONFIGDIR", or for setting the correct ownership post-install in the ebuild.
Comment 5 Johannes Huber gentoo-dev 2017-06-05 11:30:48 UTC
(In reply to Michael Orlitzky from comment #4)
> You can protect yourself from a subset of these vulnerabilities by setting
> the fs.protected_hardlinks=1 and fs.protected_symlinks=1 sysctl variables,
> but most are easily fixed by making the init script more polite.
> 
> It's basically never safe to call chown or chmod on an unknown set of files
> (which is what happens with the "-R" flag), and you usually don't need to.
> In this case, you want $CONFIGDIR to have the correct ownership, and that
> can be accomplished with checkpath. Then the files in $CONFIGDIR are either,
> 
>   a) Created by quassel, and already have the correct ownership
>   b) Created by root, and you shouldn't mess with them
> 
> Most of the cases I've found are like that, and the "-R" is usually a
> substitute for telling users something like "make sure the quassel user can
> read any files that you create in $CONFIGDIR", or for setting the correct
> ownership post-install in the ebuild.

Feel free to do any changes in the init scripts as I don't use legacy sysvinit.
Comment 6 Michael Orlitzky gentoo-dev 2017-07-18 23:12:51 UTC
(In reply to Johannes Huber from comment #5)
> 
> Feel free to do any changes in the init scripts as I don't use legacy
> sysvinit.

I've committed new revisions of the conf and init files:

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dcb995f7f08b66528487fe4e0a16a16bda502572

When you get a chance, please make a new revision of quassel to use them. To avoid permissions issues with the log file, I opted to log to syslog by default which may partially or entirely address bug 423145.
Comment 7 Thomas Deutschmann gentoo-dev Security 2017-12-05 21:43:59 UTC
Commit is public, no need to restrict any further.
Comment 8 Larry the Git Cow gentoo-dev 2018-03-22 19:58:12 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b4e4a52dfd5dcc298eea1881cdb66562295586d5

commit b4e4a52dfd5dcc298eea1881cdb66562295586d5
Author:     Johannes Huber <johu@gentoo.org>
AuthorDate: 2018-03-22 19:48:25 +0000
Commit:     Johannes Huber <johu@gentoo.org>
CommitDate: 2018-03-22 19:56:54 +0000

    net-irc/quassel: Install newer {init,conf} file
    
    Closes: https://bugs.gentoo.org/639480
    Closes: https://bugs.gentoo.org/423145
    Bug: https://bugs.gentoo.org/603414
    Reported-by: Michael Mair-Keimberger (iamnr3) <bu9zilla@gmail.com>
    Package-Manager: Portage-2.3.24, Repoman-2.3.6

 net-irc/quassel/quassel-0.12.4-r1.ebuild | 4 ++--
 net-irc/quassel/quassel-9999.ebuild      | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)}
Comment 9 Larry the Git Cow gentoo-dev 2018-04-25 05:09:16 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7e59eb971d6c83343ba5c3173ae48bb11acc5aa3

commit 7e59eb971d6c83343ba5c3173ae48bb11acc5aa3
Author:     Johannes Huber <johu@gentoo.org>
AuthorDate: 2018-04-25 05:07:29 +0000
Commit:     Johannes Huber <johu@gentoo.org>
CommitDate: 2018-04-25 05:07:29 +0000

    net-irc/quassel: Remove 0.12.4 (r0)
    
    Bug: https://bugs.gentoo.org/603414
    Bug: https://bugs.gentoo.org/653834
    Package-Manager: Portage-2.3.31, Repoman-2.3.9

 net-irc/quassel/files/quasselcore.conf |  21 ----
 net-irc/quassel/files/quasselcore.init |  62 ------------
 net-irc/quassel/quassel-0.12.4.ebuild  | 173 ---------------------------------
 3 files changed, 256 deletions(-)}
Comment 10 Johannes Huber gentoo-dev 2018-04-25 05:10:43 UTC
Cleanup done.
Comment 11 D'juan McDonald (domhnall) 2018-05-08 01:10:58 UTC
@Security, this bug is ready for stabilization. @Maintainer(s), add package target when ready and cc @arches, please.
Comment 12 Johannes Huber gentoo-dev 2018-05-08 05:08:28 UTC
(In reply to D'juan McDonald from comment #11)
> @Security, this bug is ready for stabilization. @Maintainer(s), add package
> target when ready and cc @arches, please.

Please read the old comments. The old version is already tree cleaned.
Comment 13 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2018-05-08 15:26:51 UTC
As usual, Gentoo sources has the appropriate controls in place to prevent this.  vanilla-sources is *not* security supported.