Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 629416 - net-im/mu-conference: system executable owned by non-root user
Summary: net-im/mu-conference: system executable owned by non-root user
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: ~1 [noglsa]
Keywords: PMASKED
Depends on:
Blocks:
 
Reported: 2017-08-31 01:52 UTC by Michael Orlitzky
Modified: 2018-03-03 17:26 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Michael Orlitzky gentoo-dev 2017-08-31 01:52:05 UTC
The /usr/bin/mu-conference executable is owned by the "jabber" user:

  -rwxr-x--- 1 jabber jabber 191K 2017-08-30 21:48 /usr/bin/mu-conference

That's in root's PATH, and could conceivably be run as root during testing or debugging. If that ever happens, it's trivial for the "jabber" user to gain root. Instead, that executable should probably be root:root or root:jabber (the latter if you want to leave it mode 750).
Comment 1 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-10-05 20:19:55 UTC
Is this a Gentoo specific issue? it may be good to report upstream about this.

Gentoo Security Padawan
ChrisADR
Comment 2 Michael Orlitzky gentoo-dev 2017-10-06 02:00:39 UTC
The ebuild does,

  fowners jabber:jabber /usr/bin/mu-conference

so it's probably not an upstream issue. If the maintainer deletes that line and if /usr/bin/mu-conference is still owned by an unprivileged user, then we can blame upstream.
Comment 3 Larry the Git Cow gentoo-dev 2018-03-03 17:16:29 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=078f330fe5a44d365eccd9da4d83b90378921da7

commit 078f330fe5a44d365eccd9da4d83b90378921da7
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2018-03-03 17:10:33 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2018-03-03 17:10:33 +0000

    net-im/mu-conference: Removed from repository
    
    Bug: https://bugs.gentoo.org/629416

 net-im/mu-conference/Manifest                      |  1 -
 net-im/mu-conference/files/mu-conference-0.7.init  | 25 ------
 .../files/mu-conference-0.8.81-sha1_64bit.patch    | 31 -------
 net-im/mu-conference/metadata.xml                  |  6 --
 .../mu-conference/mu-conference-0.8.81-r2.ebuild   | 94 ----------------------
 5 files changed, 157 deletions(-)}
Comment 4 Thomas Deutschmann gentoo-dev Security 2018-03-03 17:26:35 UTC
Package was removed from repository via https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=078f330fe5a44d365eccd9da4d83b90378921da7.

Package wasn't marked stable, therefore no removal GLSA is required.

Repository is clean, all done.