Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 630836 - mail-filter/amavisd-new: root privilege escalation via "chown -R" in pkg_postinst
Summary: mail-filter/amavisd-new: root privilege escalation via "chown -R" in pkg_post...
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Auditing (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Depends on:
Reported: 2017-09-12 18:02 UTC by Michael Orlitzky
Modified: 2020-04-03 23:25 UTC (History)
6 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Michael Orlitzky gentoo-dev 2017-09-12 18:02:20 UTC
The amavisd-new ebuilds call "chown -R" on the live root filesystem in pkg_postinst:

  pkg_postinst() {
      chown root:amavis "${ROOT}/etc/amavisd.conf"
      chown -R amavis:amavis "${ROOT}/${AMAVIS_ROOT}"

This can be exploited by the "amavis" user to gain root. After the package is installed, he is free to create whatever files he wants under /var/amavis. In particular, he can create hard links to root-owned files. The next time amavisd-new is installed, the "chown -R" call will give "amavis" ownership of root's stuff. The following works:

  1. emerge amavisd-new
  2. sudo su -s /bin/sh -c 'ln /etc/passwd /var/amavis/x' amavis
  3. emerge amavisd-new
  4. now "amavis:amavis" owns /etc/passwd.
Comment 1 Michael Orlitzky gentoo-dev 2018-11-18 23:57:48 UTC
I just fixed this myself in amavisd-new-2.11.1.ebuild.
Comment 2 Michael Orlitzky gentoo-dev 2019-09-14 16:14:19 UTC
These private bugs don't show up in anyone's usual workflow, so I'm just going to mark this one fixed. Nobody needs a GLSA about it a year later =P
Comment 3 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2020-04-03 23:25:30 UTC
unrestricting and re-assigning per bug 705894