Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 630796 - dev-db/couchdb: privilege escalation via PID file manipulation
Summary: dev-db/couchdb: privilege escalation via PID file manipulation
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: B3 [glsa+]
Depends on:
Reported: 2017-09-12 12:16 UTC by Michael Orlitzky
Modified: 2018-12-15 20:09 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

couchdb.conf-3 (couchdb,298 bytes, text/plain)
2017-09-12 12:16 UTC, Michael Orlitzky
no flags Details
couchdb.init-5 (couchdb,1.18 KB, text/plain)
2017-09-12 12:17 UTC, Michael Orlitzky
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Michael Orlitzky gentoo-dev 2017-09-12 12:16:52 UTC
Created attachment 494220 [details]

The couchdb init script gives ownership of its PID file directory to the $COUCHDB_USER:


  start_pre() {
      checkpath -q -d -m 0755 -o ${COUCHDB_USER} /var/run/couchdb

This can be exploited by the $COUCHDB_USER to kill root processes, since when you stop the service, root will send a SIGTERM to the contents of that PID file.

I've rewritten the init script to work around this issue by running the daemon in the foreground, and by having OpenRC manage the PID file (which now gets written, as root, to /run/

I made one other clean-up, and removed "need net" from the depend() function. The daemon listens on by default, and "need net" actually doesn't include the loopback interface. So "neet net" requires an interface you need -- but more importantly, would stop CouchDB when the interface you don't need goes down. (There's a bug with alias "need-net" about this.) Instead, I added


to the conf.d file, and left a comment that you should specify whatever interface matches your bind_address. That will ensure that you require (only) the interface that you need.
Comment 1 Michael Orlitzky gentoo-dev 2017-09-12 12:17:26 UTC
Created attachment 494222 [details]
Comment 2 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2018-12-11 13:24:35 UTC
Package removed wrt #594624.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2018-12-15 20:09:12 UTC
This issue was resolved and addressed in
 GLSA 201812-06 at
by GLSA coordinator Aaron Bauman (b-man).