Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 630900 - mail-filter/anomy-sanitizer: root privilege escalation via "chown -R" in pkg_postinst
Summary: mail-filter/anomy-sanitizer: root privilege escalation via "chown -R" in pkg_...
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Auditing (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security Audit Team
Depends on:
Reported: 2017-09-13 16:20 UTC by Michael Orlitzky
Modified: 2018-04-21 10:40 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Michael Orlitzky gentoo-dev 2017-09-13 16:20:48 UTC
The anomy-sanitizer ebuild calls "chown -R" in pkg_postinst:

  pkg_postinst() {
      chown -R sanitizer:sanitizer "${ROOT}"/${SANI_WORKDIR}

The "sanitizer" user can exploit this to gain root by placing a link in SANI_WORKDIR. For example,

  1. emerge anomy-sanitizer
  2. su -s /bin/sh -c 'ln /etc/passwd /var/spool/sanitizer/x' sanitizer
  3. emerge anomy-sanitizer
  4. /etc/passwd is owned by "sanitizer"

I'm marking this private but the package is maintainer-needed, so security@ please CC someone who might want to fix it.
Comment 1 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-04-21 10:40:41 UTC
The package has been removed.