Bug 630752 - app-admin/logcheck: root privilege escalation via "chown -R" in pkg_postinst
Status: CONFIRMED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Auditing
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Reported: 2017-09-11 22:45 UTC by Michael Orlitzky
Modified: 2020-05-21 22:31 UTC

Description Michael Orlitzky gentoo-dev 2017-09-11 22:45:48 UTC
The logcheck ebuilds all call "chown -R" on the root filesystem during pkg_postinst:

  pkg_postinst() {
      chown -R logcheck:logcheck /etc/logcheck /var/lib/logcheck || die

This is exploitable in the same way that the init scripts were: the first install is safe, but then the logcheck user can place a hard link in either of those directories pointing to e.g. /root/.bashrc. The next time logcheck is installed, the ebuild will call chown on the hardlink, and give ownership of /root/.bashrc to the "logcheck" user.

I'm marking this private, but the package is maintainer-needed, so it's up to @security who to CC. If someone wants to take a shot at it, my first attempt would be to use "fowners root:logcheck ..." and to do it on $D in src_install. Another call to fperms could then make those directories group-rwx. Neither call should operate recursively.
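
The hard-link condition described in this report can be checked for on an installed system before anything runs a recursive chown as root. The script below is an added example, not part of the bug report or the logcheck ebuild; the function names and the `--demo` tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight audit for directories that a root-run
# "chown -R" will walk. Function names are illustrative.

# Print every non-directory entry under the given directories that has
# more than one hard link. Such an entry shares its inode with a path
# somewhere else, so chown-ing it also changes the owner of that path.
find_multilinked() {
    find "$@" -xdev ! -type d -links +1 -print 2>/dev/null
}

# Succeed only if nothing multiply-linked exists under the directories.
safe_to_chown_recursively() {
    hits=$(find_multilinked "$@")
    if [ -n "$hits" ]; then
        printf 'refusing recursive chown, multiply-linked entries:\n%s\n' "$hits" >&2
        return 1
    fi
    return 0
}

# Constructed sample tree: a stand-in for /etc/logcheck containing one
# ordinary file and one hard link to a file that lives elsewhere.
demo() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/etc/logcheck" "$t/root"
    echo 'sample rc file' > "$t/root/.bashrc"
    echo 'sample config' > "$t/etc/logcheck/logcheck.conf"
    ln "$t/root/.bashrc" "$t/etc/logcheck/extra"
    safe_to_chown_recursively "$t/etc/logcheck"
    rc=$?
    rm -rf "$t"
    return "$rc"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

A check like this only audits the tree at one moment; the account that owns the directory can add a link afterwards, so it does not replace the non-recursive fowners/fperms approach suggested above.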
Comment 1 Kristian Fiskerstrand gentoo-dev Security 2017-09-12 08:58:55 UTC
@mrueg: Hi Manuel, I see you're the last dev to touch this package with a version bump earlier this year. Maybe you want to take a crack at fixing this issue and taking over maintainership of the package?
Comment 2 Manuel Rüger (RETIRED) gentoo-dev 2017-09-12 12:41:59 UTC
I'm not interested in maintaining it.

The cronjob is probably similarly vulnerable in /etc/cron.hourly/logcheck.cron:
> chown -R logcheck:logcheck /var/lock/logcheck
Comment 3 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2020-04-03 23:16:18 UTC
Unrestricting and reassigning to security@ per bug #705894
Comment 4 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2020-04-03 23:18:29 UTC
unrestricting per bug 705894