The init script for boinc calls "chown -R" on a directory: chown -R "${USER}:${GROUP}" "${RUNTIMEDIR}" After doing that once, it's no longer safe to trust the contents of that directory. For example, the "boinc" user can create a hardlink within ${RUNTIMEDIR} pointing to a file that he does not own: $ sudo su boinc -c 'ln /var/lib/portage/world /var/lib/boinc/world' The next time the daemon is started, the init script (as root) will give ownership of the *target* of the hardlink to the boinc user: $ sudo /etc/init.d/boinc start * Starting boinc ... $ ls /var/lib/portage/world -rw-rw-r-- 3 boinc boinc 3.7K 2016-12-22 16:46 /var/lib/portage/world and of course he can use that to gain root. Users of gentoo-sources and hardened-sources are not vulnerable to that hard-link attack (thanks to one of our patches), but may be to others. In this case, I would guess the solution is to use "checkpath" to create $RUNTIMEDIR, and then to not mess with the ownership/permissions after that. Each file in $RUNTIMEDIR will be created by either boinc itself, in which case its permissions will be correct, or by root, and in that case you should leave them alone.
I have updated my latest PR at https://github.com/gentoo/gentoo/pull/3056 to deal with the issue. - start_pre() no longer uses "chown -R" on the runtime directory. - create_work_directory() now changes the ownership on the runtime directory only, and only if it was just created. Thank you for pointing that issue out!
I think this is now safe: if [[ ! -d "${RUNTIMEDIR}" ]]; then einfo "Directory ${RUNTIMEDIR} does not exist, creating now." mkdir -p "${RUNTIMEDIR}" if [[ ! -d "${RUNTIMEDIR}" ]]; then eeror "Directory ${RUNTIMEDIR} could not be created!" return 1 fi # ensure proper ownership chown "${USER}:${GROUP}" "${RUNTIMEDIR}" fi However (and I should have mentioned this...), that entire stanza can now be accomplished with one line =) checkpath -d -o "${USER}:${GROUP}" "${RUNTIMEDIR}" The "checkpath" command is part of OpenRC (see `man openrc-run`), so it's actually more portable than using mkdir and chown, which may have different implementations on weird systems. Checkpath is also slightly more secure, since it won't follow symlinks/hardlinks (bug #540006). Thanks for the fast response!
(In reply to Michael Orlitzky from comment #2) > However (and I should have mentioned this...), that entire stanza can now be > accomplished with one line =) > > checkpath -d -o "${USER}:${GROUP}" "${RUNTIMEDIR}" Wow! I never knew about that one! The "stanza" is a relic from the ancieant depths of the boinc package. ...aaaand I just updated my PR again. I have tested the new init script using checkpath with a fake RUNTIMEDIR and had some fun messing around with the ownership and permissions. It works like a charm! Thank you very much again!
This issue had been fixed with the mentioned PR, but I forgot to close the bug.
(In reply to Sven Eden from comment #4) > but I forgot to close the bug. Actually, you didn't =) The security team prefers to close these bugs themselves, usually after the fixed version has been stabilized and after somebody mentions the word GLEP. @security: it should be safe to make this public and do what you gotta do.
(In reply to Michael Orlitzky from comment #5) > the word GLEP. GLSA, GLEP, I'm very tired.
Or I can do it, whatever =)
unrestricting and re-assigning per bug 705894
