Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 630814 - app-portage/getdelta: root privilege escalation via "chown -R" in pkg_postinst
Summary: app-portage/getdelta: root privilege escalation via "chown -R" in pkg_postinst
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Auditing (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
URL:
Whiteboard: ~1 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-09-12 15:10 UTC by Michael Orlitzky
Modified: 2021-08-24 14:59 UTC (History)
6 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Michael Orlitzky gentoo-dev 2017-09-12 15:10:08 UTC
The getdelta ebuilds calls chown recursively on the live root filesystem in pkg_postinst:

  pkg_postinst() {
      ...
      chown -R portage:portage "${ROOT}"/{var/log/getdelta.log,etc/deltup}

The "portage" user can place a hard link in /etc/deltup pointing to a sensitive root-owned file, and the next time that getdelta is emerged, that file will be given to the "portage" user. For example,

  1. emerge getdelta
  2. create a hard link from /etc/passwd to /etc/deltup/x
  3. emerge getdelta
  4. the file /etc/passwd is owned by portage:portage
Comment 1 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2020-04-03 23:16:22 UTC
Unrestricting and reassigning to security@ per bug #705894
Comment 2 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2020-04-03 23:18:37 UTC
unrestricting per bug 705894
Comment 3 John Helmert III gentoo-dev Security 2021-01-06 06:54:44 UTC
CCing proxied maintainer.
Comment 4 John Helmert III gentoo-dev Security 2021-01-25 21:16:04 UTC
Never touched by a maintainer since the git transition and no real changes in the same time. EAPI 5. CCing treecleaner.
Comment 5 Larry the Git Cow gentoo-dev 2021-08-24 12:39:21 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b965153d7733fe0a58bdd54a378cd337e76a420c

commit b965153d7733fe0a58bdd54a378cd337e76a420c
Author:     Jakov Smolic <jakov.smolic@sartura.hr>
AuthorDate: 2021-08-24 12:38:35 +0000
Commit:     David Seifert <soap@gentoo.org>
CommitDate: 2021-08-24 12:38:35 +0000

    app-portage/getdelta: Remove last-rited package
    
    Closes: https://bugs.gentoo.org/371635
    Bug: https://bugs.gentoo.org/630814
    Signed-off-by: Jakov Smolic <jakov.smolic@sartura.hr>
    Signed-off-by: David Seifert <soap@gentoo.org>

 app-portage/getdelta/Manifest                   |   1 -
 app-portage/getdelta/files/getdelta-0.7.9.patch | 252 ------------------------
 app-portage/getdelta/getdelta-0.7.9-r2.ebuild   |  46 -----
 app-portage/getdelta/metadata.xml               |   8 -
 profiles/package.mask                           |   5 -
 5 files changed, 312 deletions(-)
Comment 6 John Helmert III gentoo-dev Security 2021-08-24 14:59:14 UTC
All done!