The /usr/bin/mu-conference executable is owned by the "jabber" user:

-rwxr-x--- 1 jabber jabber 191K 2017-08-30 21:48 /usr/bin/mu-conference

That's in root's PATH, and could conceivably be run as root during testing or debugging. If that ever happens, it's trivial for the "jabber" user to gain root. Instead, that executable should probably be root:root or root:jabber (the latter if you want to leave it mode 750).
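The risk described in this report generalizes: any executable sitting in a directory on root's PATH but owned by an unprivileged account is writable by that account and will run with root's privileges if root ever invokes it. The following audit script is an added example written for this thread, not part of the bug report or of the mu-conference package. It walks a colon-separated directory list, reports every executable whose owner uid is not the expected one (0 for root by default), and treats the directory list and expected uid as parameters so it can be pointed at root's PATH or at an image root during packaging QA. The function name and the sample directory layout in the usage are assumptions of this example.

```shell
#!/bin/sh
# Audit PATH-style directory list for executables owned by someone other than
# the expected uid. A non-root-owned executable in root's PATH means that
# account controls code root may run (the issue reported for mu-conference).
#
# Usage: audit_path_ownership "<dir>:<dir>:..." [expected_uid]
# Prints one line per offending file; prints nothing when all is well.
audit_path_ownership() {
  dirs="$1"               # colon-separated directory list, e.g. root's $PATH
  expected_uid="${2:-0}"  # owner uid considered safe (default 0 = root)
  old_ifs="$IFS"
  IFS=':'
  for dir in $dirs; do
    IFS="$old_ifs"
    [ -d "$dir" ] || continue          # skip PATH entries that do not exist
    for f in "$dir"/*; do
      # only regular, executable files matter (symlinks are followed)
      [ -f "$f" ] && [ -x "$f" ] || continue
      # numeric owner uid via ls -ln; works on both GNU and BSD userlands
      uid=$(ls -lnL "$f" | awk '{print $3}')
      if [ "$uid" != "$expected_uid" ]; then
        printf '%s owner uid %s\n' "$f" "$uid"
      fi
    done
    IFS=':'
  done
  IFS="$old_ifs"
  return 0
}

# Example invocation (assumed: you are auditing the current root PATH):
#   audit_path_ownership "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
```

Any file the script lists should be handed back to root (chown root:root, or root:<group> with mode 750 if a service group still needs to execute it); in an ebuild, that means dropping the fowners call that assigns the binary to the service user rather than adding a chown afterwards.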
Is this a Gentoo-specific issue? It may be good to report this upstream.

Gentoo Security Padawan ChrisADR
The ebuild does

fowners jabber:jabber /usr/bin/mu-conference

so it's probably not an upstream issue. If the maintainer deletes that line and /usr/bin/mu-conference is still owned by an unprivileged user, then we can blame upstream.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=078f330fe5a44d365eccd9da4d83b90378921da7

commit 078f330fe5a44d365eccd9da4d83b90378921da7
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2018-03-03 17:10:33 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2018-03-03 17:10:33 +0000

    net-im/mu-conference: Removed from repository

    Bug: https://bugs.gentoo.org/629416

 net-im/mu-conference/Manifest                     |  1 -
 net-im/mu-conference/files/mu-conference-0.7.init | 25 ------
 .../files/mu-conference-0.8.81-sha1_64bit.patch   | 31 -------
 net-im/mu-conference/metadata.xml                 |  6 --
 .../mu-conference/mu-conference-0.8.81-r2.ebuild  | 94 ----------------------
 5 files changed, 157 deletions(-)
Package was removed from repository via https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=078f330fe5a44d365eccd9da4d83b90378921da7. Package wasn't marked stable, so no removal GLSA is required. Repository is clean, all done.