Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 629446 - <sys-cluster/swift-2.15.1-r1: possible root privilege escalation via config file replacement
Summary: <sys-cluster/swift-2.15.1-r1: possible root privilege escalation via config f...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL:
Whiteboard: C3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-08-31 13:26 UTC by Michael Orlitzky
Modified: 2017-09-04 22:27 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Michael Orlitzky gentoo-dev 2017-08-31 13:26:02 UTC
sys-cluster/swift installs its config files as root:root, but places them in a directory owned by the "swift" user:

  $ ls -al /etc/swift/
  total 132K
  drwxr-xr-x  2 swift swift 4.0K 2017-08-31 08:58 .
  drwxr-xr-x 97 root  root   12K 2017-08-31 09:02 ..
  -rw-r--r--  1 root  root  9.3K 2017-08-31 08:58 account-server.conf
  ...

So while the "swift" user can't write directly to those files, he can simply replace them. This can be most likely be exploited to gain root (I'm not 100% sure, because I have no idea what swift does). For example, the "swift" user
can put

  bind_port = 80
  user = root

in account-server.conf and, at the very least, cause a weird denial of service.

If an attacker gains control of the "swift" user via a remote exploit, then that same trick can be used to start the daemons as root next time, making it a remote root exploit. In other words, the benefits of running as an unprivileged user are negated.
Comment 1 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2017-08-31 16:54:36 UTC
fixed in 2017.2.9999 and 2.15.1-r1 (which is set to go stable with the rest of pike in about a month).

so... let me know next steps
Comment 2 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2017-08-31 16:55:01 UTC
fixed by changing the owner to root:swift and fperms 0750 on /etc/swift
Comment 3 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2017-09-03 21:55:58 UTC
2.15.1-r1 is now stable
Comment 4 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-09-03 23:28:38 UTC
(In reply to Matthew Thode ( prometheanfire ) from comment #3)
> 2.15.1-r1 is now stable

Thanks Matthew, could you please verify if the tree is clean of vulnerable versions? 

@Security please add to an existing glsa or file a new one.

Gentoo Security Padawan
ChrisADR
Comment 5 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2017-09-03 23:50:04 UTC
yep, cleaned up and stable
Comment 6 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-09-04 00:02:39 UTC
(In reply to Matthew Thode ( prometheanfire ) from comment #5)
> yep, cleaned up and stable

Thank you
Comment 7 Yury German Gentoo Infrastructure gentoo-dev Security 2017-09-04 05:27:16 UTC
Maintainer(s), please drop the vulnerable version(s).
                |                                 |   u   |
               | a a         p s   a     n r     |   n   |
               | l m   h i   p p   r m m i i s   | e u s | r
               | p d a p a p c a x m i 6 o s 3   | a s l | e
               | h 6 r p 6 p 6 r 8 6 p 8 s c 9 s | p e o | p
               | a 4 m a 4 c 4 c 6 4 s k 2 v 0 h | i d t | o
---------------+---------------------------------+-------+-------
     2.10.2-r1 | o + o o o o o o + ~ o o o o o o | 5 # 0 | gentoo
     2.13.1-r1 | o + o o o o o o + ~ o o o o o o | 6 #   | gentoo
     2.15.1-r1 | o + o o o o o o + ~ o o o o o o | 6 o   | gento
Comment 8 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2017-09-04 21:09:35 UTC
the r1's are not vulnerable, the same fix was made to all released versions.
Comment 9 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-09-04 22:27:23 UTC
GLSA Vote: No