Bug 629414 - dev-db/aerospike-server-community: system executable owned by non-root user
Status: IN_PROGRESS
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: ~4 [ebuild]
Reported: 2017-08-31 01:48 UTC by Michael Orlitzky
Modified: 2020-06-20 02:03 UTC
Description Michael Orlitzky gentoo-dev 2017-08-31 01:48:00 UTC
The /usr/bin/asd program installed by dev-db/aerospike-server-community is owned by the "aerospike" user:

  -rwxr-xr-x 1 aerospike aerospike 2.8M 2017-08-30 21:33 /usr/bin/asd

That's in root's PATH, and it could conceivably be run as root during testing or debugging. If that ever happens, it's trivial for the "aerospike" user to gain root. Instead, that executable should probably be root:root.
Comment 1 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-10-05 20:28:36 UTC
Is this a Gentoo-specific issue? It may be good to report upstream about this.

Gentoo Security Padawan
ChrisADR
Comment 2 Michael Orlitzky gentoo-dev 2017-10-06 02:04:46 UTC
The ebuild does,

  fowners aerospike:aerospike /usr/bin/asd

so it's probably not upstream. If /usr/bin/asd is still owned by a non-root user after deleting that line, then we can blame upstream.
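
An added example, not part of the bug thread or the ebuild: a POSIX shell check that lists executables in a colon-separated PATH whose owner is not the trusted UID, which is the condition reported above for /usr/bin/asd. The function names `nonroot_executables` and `audit_path` are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the ebuild or the bug thread).
# Function names and argument order are assumptions of this example.

# usage: nonroot_executables TRUSTED_UID DIR...
# Prints regular files with any execute bit set whose owner is not TRUSTED_UID.
nonroot_executables() {
    trusted_uid=$1
    shift
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        # -H resolves a symlinked directory such as /bin -> usr/bin.
        find -H "$dir" -maxdepth 1 -type f \
            \( -perm -100 -o -perm -010 -o -perm -001 \) \
            ! -user "$trusted_uid" -print
    done
}

# usage: audit_path TRUSTED_UID COLON_SEPARATED_PATH
# Returns 0 when every executable is owned by TRUSTED_UID, otherwise
# prints the offending files and returns 1 (usable as a QA gate).
audit_path() {
    trusted_uid=$1
    old_ifs=$IFS
    IFS=:
    set -f              # no globbing while the PATH string is split
    set -- $2
    set +f
    IFS=$old_ifs
    findings=$(nonroot_executables "$trusted_uid" "$@")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Typical call on an installed system, with 0 as root's UID:
#   audit_path 0 /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
```

Run against an image or a live system after the package is merged, a non-zero exit status means at least one file in root's PATH can be replaced by an unprivileged account.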
Comment 3 Michael Orlitzky gentoo-dev 2019-09-14 16:25:47 UTC
This should be a pretty easy issue to fix within two years =P
Comment 4 Sam James archtester gentoo-dev Security 2020-06-20 02:03:25 UTC
ping...