Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 603522 - sci-misc/boinc: root privilege escalation via init script
Summary: sci-misc/boinc: root privilege escalation via init script
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Auditing (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Depends on:
Reported: 2016-12-22 23:04 UTC by Michael Orlitzky
Modified: 2020-04-03 23:25 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Michael Orlitzky gentoo-dev 2016-12-22 23:04:39 UTC
The init script for boinc calls "chown -R" on a directory:

  chown -R "${USER}:${GROUP}" "${RUNTIMEDIR}"

After doing that once, it's no longer safe to trust the contents of that directory. For example, the "boinc" user can create a hardlink within ${RUNTIMEDIR} pointing to a file that he does not own:

  $ sudo su boinc -c 'ln /var/lib/portage/world /var/lib/boinc/world'

The next time the daemon is started, the init script (as root) will give ownership of the *target* of the hardlink to the boinc user:

  $ sudo /etc/init.d/boinc start
   * Starting boinc ...
  $ ls /var/lib/portage/world
  -rw-rw-r-- 3 boinc boinc 3.7K 2016-12-22 16:46 /var/lib/portage/world

and of course he can use that to gain root.

Users of gentoo-sources and hardened-sources are not vulnerable to that hard-link attack (thanks to one of our patches), but may be to others.

In this case, I would guess the solution is to use "checkpath" to create $RUNTIMEDIR, and then to not mess with the ownership/permissions after that. Each file in $RUNTIMEDIR will be created by either boinc itself, in which case its permissions will be correct, or by root, and in that case you should leave them alone.
Comment 1 Sven Eden 2016-12-23 08:28:37 UTC
I have updated my latest PR at to deal with the issue.

- start_pre() no longer uses "chown -R" on the runtime directory.
- create_work_directory() now changes the ownership on the runtime directory only, and only if it was just created.

Thank you for pointing that issue out!
Comment 2 Michael Orlitzky gentoo-dev 2016-12-23 13:29:16 UTC
I think this is now safe:

  if [[ ! -d "${RUNTIMEDIR}" ]]; then
      einfo "Directory ${RUNTIMEDIR} does not exist, creating now."
      mkdir -p "${RUNTIMEDIR}"
      if [[ ! -d "${RUNTIMEDIR}" ]]; then
          eeror "Directory ${RUNTIMEDIR} could not be created!"
          return 1

      # ensure proper ownership
      chown "${USER}:${GROUP}" "${RUNTIMEDIR}"

However (and I should have mentioned this...), that entire stanza can now be accomplished with one line =)

  checkpath -d -o "${USER}:${GROUP}" "${RUNTIMEDIR}"

The "checkpath" command is part of OpenRC (see `man openrc-run`), so it's actually more portable than using mkdir and chown, which may have different implementations on weird systems. Checkpath is also slightly more secure, since it won't follow symlinks/hardlinks (bug #540006).

Thanks for the fast response!
Comment 3 Sven Eden 2016-12-23 14:09:13 UTC
(In reply to Michael Orlitzky from comment #2)
> However (and I should have mentioned this...), that entire stanza can now be
> accomplished with one line =)
>   checkpath -d -o "${USER}:${GROUP}" "${RUNTIMEDIR}"

Wow! I never knew about that one! The "stanza" is a relic from the ancieant depths of the boinc package.
...aaaand I just updated my PR again.

I have tested the new init script using checkpath with a fake RUNTIMEDIR and had some fun messing around with the ownership and permissions.
It works like a charm!

Thank you very much again!
Comment 4 Sven Eden 2017-12-18 07:43:40 UTC
This issue had been fixed with the mentioned PR, but I forgot to close the bug.
Comment 5 Michael Orlitzky gentoo-dev 2017-12-20 01:18:03 UTC
(In reply to Sven Eden from comment #4)
> but I forgot to close the bug.

Actually, you didn't =)

The security team prefers to close these bugs themselves, usually after the fixed version has been stabilized and after somebody mentions the word GLEP.

@security: it should be safe to make this public and do what you gotta do.
Comment 6 Michael Orlitzky gentoo-dev 2017-12-20 01:19:01 UTC
(In reply to Michael Orlitzky from comment #5)
> the word GLEP.

GLSA, GLEP, I'm very tired.
Comment 7 Michael Orlitzky gentoo-dev 2019-09-14 16:34:58 UTC
Or I can do it, whatever =)
Comment 8 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2020-04-03 23:25:27 UTC
unrestricting and re-assigning per bug 705894