Bug 629914 - <mail-filter/opendkim-2.10.3-r8: privilege escalation via PID file manipulation
Summary: <mail-filter/opendkim-2.10.3-r8: privilege escalation via PID file manipulation
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa+]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-09-04 20:46 UTC by Michael Orlitzky
Modified: 2019-04-22 23:35 UTC
CC List: 4 users

See Also:
Package list:
=mail-filter/opendkim-2.10.3-r8
Runtime testing required: ---
stable-bot: sanity-check+


Attachments
opendkim-2.10.3-r4.ebuild (6.16 KB, text/plain), 2017-09-04 20:46 UTC, Michael Orlitzky
opendkim.confd (742 bytes, text/plain), 2017-09-04 20:47 UTC, Michael Orlitzky
opendkim.init.r4 (2.15 KB, text/plain), 2017-09-04 20:47 UTC, Michael Orlitzky
opendkim.service.conf (60 bytes, text/plain), 2017-09-04 20:48 UTC, Michael Orlitzky
opendkim-r2.service (540 bytes, text/plain), 2017-09-04 20:48 UTC, Michael Orlitzky

Description Michael Orlitzky gentoo-dev 2017-09-04 20:46:50 UTC
Created attachment 492370 [details]
opendkim-2.10.3-r4.ebuild

The opendkim init script gives ownership of its PID file directory to the "milter" user:

  if [ ! -d  "${PIDDIR}" ] ; then
      checkpath -q -d -o milter:milter -m 0755 "${PIDDIR}" || return 1
  fi

This can be exploited by the "milter" user to kill root processes, because when you try to stop the service, root will send a SIGTERM to the contents of that PID file (which are under the control of the "milter" user).

I actually use OpenDKIM, so I tried to fix some other issues at the same time. The PID file was actually the easy part: OpenDKIM already creates its PID file as root, so all I had to do there was leave PidFile commented-out in opendkim.conf and force pidfile=/run/${RC_SVCNAME}.pid on the command-line.

Some other things...

1. I fixed bug 425960 by adding "GPL-2" to LICENSE.

2. I changed everything from "milter" to "opendkim" (fixes bug 629888).

3. I tried to update the advice about sharing a socket with your MTA. If you use a KeyTable and SigningTable, OpenDKIM will read them *after* it drops privileges. That complicates the instructions, because if you tried to add e.g. postfix to the old "milter" group, you would get a message like,

  Sep  3 23:50:50 mail2 opendkim[8345]: orlitzky.com-mail2: key data is not 
  secure: /var/lib/opendkim/orlitzky.com/mail2.key is in group 101 which has 
  multiple users (e.g., "postfix")

To work around that, you need yet another group, containing both the opendkim user and postfix.

4. Fixed detection of "Background no", when the user chooses some other word than "no". For example, "0" and "False" are also accepted.

5. The socket is now obtained from a conf.d file so we don't have to parse it with sed. Moreover, the init script now ensures that the directory containing the socket exists and is owned by the opendkim user. In the old init script, this just happened to work because the elog instructions told people to put the socket in the PID file directory. Now that the PID directory isn't writable by the opendkim user, we needed another plan.

6. I eliminated the start() and stop() functions from the init script. The defaults work fine.

7. Set safer permissions in the ebuild. The /var/lib/opendkim directory can be owned by root, and read-only to whatever group that opendkim runs as.

8. Throw an error if we can't remove a stale socket.


And here's what I didn't do: much at all with systemd. I did update the service file to run as opendkim:opendkim, and I added a conf file to pass the OPENDKIM_SOCKET to the daemon on the command-line (for consistency). However, that isn't tested, and I don't know how the socket creation is supposed to work with systemd.
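The report above turns on two things a service script has to get right: the PID file that root signals on "stop" must not be writable by the daemon user, and a boolean option such as "Background" can be spelled several ways. The shell functions below are an added example written for this page; they are not code from the report, from the attached init script or from the OpenDKIM project. They assume GNU coreutils `stat -c`, a Linux `/proc` filesystem and an opendkim.conf-style "Key value" layout, and the boolean spellings they accept (yes/true/1 and no/false/0) are taken from the wording of the report rather than from OpenDKIM's own parser. The service user name "milter" and the sample configuration in the usage note are constructed.

```shell
#!/bin/sh
# Added example for this bug page (not from the report, the ebuild or OpenDKIM).
# Assumes GNU coreutils stat (-c) and a Linux /proc filesystem.

# pidfile_is_trustworthy PIDFILE SERVICE_USER
# Succeeds only if neither the PID file nor the directory holding it is owned
# by SERVICE_USER, and neither is group- or world-writable. If the daemon user
# can rewrite the file, it chooses which PID root signals on "stop".
pidfile_is_trustworthy() {
    pidfile=$1
    svc_user=$2
    [ -f "$pidfile" ] || return 1
    for path in "$(dirname "$pidfile")" "$pidfile"; do
        owner=$(stat -c %U "$path") || return 1
        [ "$owner" != "$svc_user" ] || return 1
        # %A is the ls-style mode string; character 6 is the group write bit,
        # character 9 the world write bit.
        case "$(stat -c %A "$path")" in
            ?????w*|????????w*) return 1 ;;
        esac
    done
    return 0
}

# pidfile_names_expected_process PIDFILE COMM
# Succeeds only if the file holds a plain decimal PID that currently belongs
# to a running process whose /proc/<pid>/comm equals COMM, so a stale or
# non-numeric PID is never handed to kill.
pidfile_names_expected_process() {
    pid=$(head -n 1 "$1" 2>/dev/null | tr -d '[:space:]')
    case "$pid" in ''|*[!0-9]*) return 1 ;; esac
    [ -r "/proc/$pid/comm" ] || return 1
    [ "$(cat "/proc/$pid/comm")" = "$2" ]
}

# conf_bool CONFFILE KEY DEFAULT
# Prints "yes" or "no" for a "Key value" style boolean option, accepting the
# spellings mentioned in the report (yes/true/1 and no/false/0, any case).
# The last assignment wins, DEFAULT is printed when KEY is absent, and an
# unrecognised value returns 2 instead of being silently treated as "no".
conf_bool() {
    conffile=$1 key=$2 default=$3
    [ -r "$conffile" ] || return 1
    value=$(awk -v k="$key" 'tolower($1) == tolower(k) { v = $2 } END { print v }' "$conffile")
    if [ -z "$value" ]; then
        printf '%s\n' "$default"
        return 0
    fi
    case $(printf '%s' "$value" | tr '[:upper:]' '[:lower:]') in
        yes|true|1) printf 'yes\n' ;;
        no|false|0) printf 'no\n' ;;
        *) return 2 ;;
    esac
}
```

In a stop() step these compose naturally: refuse to signal anything unless `pidfile_is_trustworthy /run/opendkim.pid milter` and `pidfile_names_expected_process /run/opendkim.pid opendkim` both succeed, and decide whether the daemon forks by testing `[ "$(conf_bool /etc/opendkim/opendkim.conf Background yes)" = yes ]`. Note that a 0755 directory owned by the daemon user fails the first check even though it is not group- or world-writable, which is exactly the configuration the report describes.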
Comment 1 Michael Orlitzky gentoo-dev 2017-09-04 20:47:21 UTC
Created attachment 492372 [details]
opendkim.confd
Comment 2 Michael Orlitzky gentoo-dev 2017-09-04 20:47:43 UTC
Created attachment 492374 [details]
opendkim.init.r4
Comment 3 Michael Orlitzky gentoo-dev 2017-09-04 20:48:04 UTC
Created attachment 492376 [details]
opendkim.service.conf
Comment 4 Michael Orlitzky gentoo-dev 2017-09-04 20:48:45 UTC
Created attachment 492378 [details]
opendkim-r2.service
Comment 5 Christopher Díaz Riveros gentoo-dev Security 2017-10-05 20:02:48 UTC
@Maintainers please call for stabilization when ready.

Gentoo Security Padawan
ChrisADR
Comment 6 Larry the Git Cow gentoo-dev 2019-03-27 17:18:59 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=28706fe998d7ea18549d78aa1bfee4da6bb18ffa

commit 28706fe998d7ea18549d78aa1bfee4da6bb18ffa
Author:     Michael Orlitzky <mjo@gentoo.org>
AuthorDate: 2019-03-27 15:48:17 +0000
Commit:     Michael Orlitzky <mjo@gentoo.org>
CommitDate: 2019-03-27 17:18:07 +0000

    mail-filter/opendkim: new revision to overhaul service scripts.
    
    The OpenRC service script has been largely rewritten in this revision,
    to solve a number of problems:
    
      * The PID file is now stored securely (bug 629914).
    
      * Different PID files are used for multiple instances (bug 536162).
    
      * The detection of boolean options in the config file is more robust,
        allowing "1", "0", "yes", "false", et cetera.
    
      * The socket is now located in a conf.d file, rather than parsed from
        the config file. The service script ensures that the directory
        containing the socket has the correct permissions, and the conf.d
        file comes with a big warning to that effect. Note that the (commented-
        out) example directory IS NOT shared with the PID file.
    
      * An error is thrown if we can't remove a stale socket.
    
      * Modern OpenRC service script standards have been adopted.
    
    Some minor changes have been made to the systemd service for
    consistency, but none of them have been tested. More work needs to be
    done here anyway; for example, we most likely want a tmpfiles.d entry
    for the local socket directory if the user configures one. This should
    be documented in opendkim.service.conf, and tested by someone who uses
    systemd.
    
    Closes: https://bugs.gentoo.org/536162
    Bug: https://bugs.gentoo.org/629914
    Signed-off-by: Michael Orlitzky <mjo@gentoo.org>
    Package-Manager: Portage-2.3.62, Repoman-2.3.11

 .../{opendkim-r2.service => opendkim-r3.service}   |  2 +-
 mail-filter/opendkim/files/opendkim.confd          | 18 ++++++
 mail-filter/opendkim/files/opendkim.init.r4        | 55 ----------------
 mail-filter/opendkim/files/opendkim.init.r5        | 73 ++++++++++++++++++++++
 mail-filter/opendkim/files/opendkim.service.conf   |  2 +
 ...-2.10.3-r6.ebuild => opendkim-2.10.3-r7.ebuild} | 26 ++++----
 6 files changed, 109 insertions(+), 67 deletions(-)
Comment 7 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-03-27 20:30:48 UTC
@Michael, thank you for the thorough commit log and work on all the various PID file issues in the tree!

@arches, please stabilize.
Comment 8 Agostino Sarubbo gentoo-dev 2019-03-30 10:46:47 UTC
amd64 stable
Comment 9 Thomas Deutschmann gentoo-dev Security 2019-04-02 01:39:28 UTC
x86 stable
Comment 10 Yury German Gentoo Infrastructure gentoo-dev Security 2019-04-02 07:15:22 UTC
Arches, Thank you for your work.
New GLSA Request filed.

Maintainer(s), please drop the vulnerable version(s).
Comment 11 Larry the Git Cow gentoo-dev 2019-04-06 11:32:17 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d424c81f020cada007c5ca23be5acc73f4cf6600

commit d424c81f020cada007c5ca23be5acc73f4cf6600
Author:     Michael Orlitzky <mjo@gentoo.org>
AuthorDate: 2019-04-06 11:31:17 +0000
Commit:     Michael Orlitzky <mjo@gentoo.org>
CommitDate: 2019-04-06 11:31:38 +0000

    mail-filter/opendkim: remove old vulnerable revision.
    
    Bug: https://bugs.gentoo.org/629914
    Bug: https://bugs.gentoo.org/629888
    Signed-off-by: Michael Orlitzky <mjo@gentoo.org>
    Package-Manager: Portage-2.3.62, Repoman-2.3.11

 mail-filter/opendkim/opendkim-2.10.3-r3.ebuild | 204 -------------------------
 1 file changed, 204 deletions(-)
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2019-04-22 23:35:15 UTC
This issue was resolved and addressed in
 GLSA 201904-22 at https://security.gentoo.org/glsa/201904-22
by GLSA coordinator Aaron Bauman (b-man).