sys-cluster/swift installs its config files as root:root, but places them in a directory owned by the "swift" user: $ ls -al /etc/swift/ total 132K drwxr-xr-x 2 swift swift 4.0K 2017-08-31 08:58 . drwxr-xr-x 97 root root 12K 2017-08-31 09:02 .. -rw-r--r-- 1 root root 9.3K 2017-08-31 08:58 account-server.conf ... So while the "swift" user can't write directly to those files, he can simply replace them. This can be most likely be exploited to gain root (I'm not 100% sure, because I have no idea what swift does). For example, the "swift" user can put bind_port = 80 user = root in account-server.conf and, at the very least, cause a weird denial of service. If an attacker gains control of the "swift" user via a remote exploit, then that same trick can be used to start the daemons as root next time, making it a remote root exploit. In other words, the benefits of running as an unprivileged user are negated.
fixed in 2017.2.9999 and 2.15.1-r1 (which is set to go stable with the rest of pike in about a month). so... let me know next steps
fixed by changing the owner to root:swift and fperms 0750 on /etc/swift
2.15.1-r1 is now stable
(In reply to Matthew Thode ( prometheanfire ) from comment #3) > 2.15.1-r1 is now stable Thanks Matthew, could you please verify if the tree is clean of vulnerable versions? @Security please add to an existing glsa or file a new one. Gentoo Security Padawan ChrisADR
yep, cleaned up and stable
(In reply to Matthew Thode ( prometheanfire ) from comment #5) > yep, cleaned up and stable Thank you
Maintainer(s), please drop the vulnerable version(s). | | u | | a a p s a n r | n | | l m h i p p r m m i i s | e u s | r | p d a p a p c a x m i 6 o s 3 | a s l | e | h 6 r p 6 p 6 r 8 6 p 8 s c 9 s | p e o | p | a 4 m a 4 c 4 c 6 4 s k 2 v 0 h | i d t | o ---------------+---------------------------------+-------+------- 2.10.2-r1 | o + o o o o o o + ~ o o o o o o | 5 # 0 | gentoo 2.13.1-r1 | o + o o o o o o + ~ o o o o o o | 6 # | gentoo 2.15.1-r1 | o + o o o o o o + ~ o o o o o o | 6 o | gento
the r1's are not vulnerable, the same fix was made to all released versions.
GLSA Vote: No