The amavisd-new ebuilds call "chown -R" on the live root filesystem in pkg_postinst: pkg_postinst() { chown root:amavis "${ROOT}/etc/amavisd.conf" chown -R amavis:amavis "${ROOT}/${AMAVIS_ROOT}" } This can be exploited by the "amavis" user to gain root. After the package is installed, he is free to create whatever files he wants under /var/amavis. In particular, he can create hard links to root-owned files. The next time amavisd-new is installed, the "chown -R" call will give "amavis" ownership of root's stuff. The following works: 1. emerge amavisd-new 2. sudo su -s /bin/sh -c 'ln /etc/passwd /var/amavis/x' amavis 3. emerge amavisd-new 4. now "amavis:amavis" owns /etc/passwd.
I just fixed this myself in amavisd-new-2.11.1.ebuild.
These private bugs don't show up in anyone's usual workflow, so I'm just going to mark this one fixed. Nobody needs a GLSA about it a year later =P
unrestricting and re-assigning per bug 705894
