630904 – media-gfx/replicatorg: root privilege escalation via "chown -R" in pkg_postinst

Bug 630904 - media-gfx/replicatorg: root privilege escalation via "chown -R" in pkg_postinst

Summary: media-gfx/replicatorg: root privilege escalation via "chown -R" in pkg_postinst

Status:	RESOLVED OBSOLETE

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Auditing (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Security Audit Team

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2017-09-13 16:43 UTC by Michael Orlitzky
Modified:	2020-05-21 22:51 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Michael Orlitzky gentoo-dev

2017-09-13 16:43:13 UTC

The replicatorg ebuilds call "chown -R" in pkg_postinst:

  pkg_postinst() {
      ...
      chmod -R g+w "${ROOT}"/opt/replicatorg
      chown -R root:replicator "${ROOT}"/opt/replicatorg

This can be exploited by anyone in the "replicator" group to gain root. A member of that group can place a hard link to a root-owned file under /opt/replicatorg, and the next time the package is upgraded or reinstalled, the "chown -R" will give ownership of root's stuff to the member of the "replicator" group. For example,

  1. emerge replicatorg
  2. add yourself to the "replicator" group
  3. ln /etc/passwd /opt/replicatorg/lib/x
  4. emerge replicatorg
  5. /etc/passwd is group-writable by the "replicator" group

I've marked this private but the package is maintainer-needed, so security@ will need to pick someone to CC.

Comment 1 Michał Górny archtester

2018-12-04 16:57:35 UTC

The package has been removed now.

Comment 2 Kristian Fiskerstrand (RETIRED) gentoo-dev

2019-02-24 21:48:15 UTC

Removing group restriction