Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 630758 - app-text/groonga: privilege escalation via PID file manipulation
Summary: app-text/groonga: privilege escalation via PID file manipulation
Status: IN_PROGRESS
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
URL:
Whiteboard: ~3 [ebuild]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-09-12 00:54 UTC by Michael Orlitzky
Modified: 2020-06-11 13:15 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
groonga.initd-r1 (groonga,920 bytes, text/plain)
2017-09-12 00:54 UTC, Michael Orlitzky
no flags Details
groonga.confd-r1 (groonga,232 bytes, text/plain)
2017-09-12 00:56 UTC, Michael Orlitzky
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Michael Orlitzky gentoo-dev 2017-09-12 00:54:56 UTC
Created attachment 494076 [details]
groonga.initd-r1

The init script for groonga gives ownership of the PID file directory to $GROONGA_USER:

  start_pre() {
      checkpath -d /run/groonga -o ${GROONGA_USER:-groonga}...

This can be exploited by the $GROONGA_USER to kill root processes, because when you stop the service, root sends a SIGTERM to the contents of that PID file. Since the groonga daemon is not able to drop privileges itself, there is no safe way to use its PID file while running as a non-root user. I'm attaching another version of the init script that takes care of the problem by running groonga in the foreground and letting OpenRC background it (and manage the PID file).

I've removed the GROONGA_PID setting from the conf.d file entirely:

  1. Nobody cares where it goes,
  2. Changing it didn't work anyway (a path is hard-coded in that line above).

You might also consider doing the database creation in pkg_config() in the ebuild rather than in start_pre(), but that's unrelated and up to you.
Comment 1 Michael Orlitzky gentoo-dev 2017-09-12 00:56:09 UTC
Created attachment 494078 [details]
groonga.confd-r1
Comment 2 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-09-12 02:21:37 UTC
@mjo thank you for all your work hunting PID files.


@Maintainer please let us know when tree is clean from vulnerable versions


Gentoo Security Padawan
ChrisADR
Comment 3 John Helmert III (ajak) 2020-06-11 05:48:55 UTC
Maintainer: Ping.