Bug 630906 - net-analyzer/munin: root privilege escalation via "chown -R" in pkg_config
Status: CONFIRMED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Auditing
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Reported: 2017-09-13 17:12 UTC by Michael Orlitzky
Modified: 2020-04-03 23:18 UTC
Description Michael Orlitzky gentoo-dev 2017-09-13 17:12:58 UTC
The pkg_config phase for munin calls "chown -R" on a directory:

  pkg_config() {
      ...
      chown -R munin:munin /var/lib/munin/.ssh || die

If this phase is run more than once (ever), the munin user can exploit this to gain root. If he places a hard link to a root-owned file under /var/lib/munin/.ssh, then the next call to "chown -R" will give ownership of root's file to the "munin" user. For example,

  1. emerge --config munin
  2. su -s /bin/sh -c 'ln /etc/passwd /var/lib/munin/.ssh/x' munin
  3. emerge --config munin
  4. /etc/passwd is owned by "munin"
Comment 1 Hans de Graaff gentoo-dev 2017-09-16 06:36:35 UTC
This bug shows that it is under embargo, but there is no deadline. Please advise on how or when to proceed.


We know the specific files we create here, so we can use this instead:

  chown munin:munin /var/lib/munin/.ssh/id_{rsa,ecdsa}{,.pub}
Comment 2 Michael Orlitzky gentoo-dev 2017-09-16 14:42:37 UTC
(In reply to Hans de Graaff from comment #1)
> This bug shows that it is under embargo, but there is no deadline. Please
> advise on how or when to proceed.
> 
> 
> We know the specific files we create here, so we can use this instead:
> 
>   chown munin:munin /var/lib/munin/.ssh/id_{rsa,ecdsa}{,.pub}

That "chown" will still follow a symlink, so it's important that every directory involved be owned (and writable only) by root. Is that the case even though /var/lib/munin is the "munin" user's home directory (I haven't checked)?

  enewuser munin 177 -1 /var/lib/munin munin

If it will work, I would suggest instead using "su -s /bin/sh -c ... munin" to perform the key generation *as the munin user* so that you don't have to try to fix things afterwards.
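
A pre-flight check for the conditions raised in the description and in comment 2, as an added example that is not part of this bug thread or of the munin ebuild. The function name `audit_chown_target`, its arguments, and its output labels are hypothetical; it reports hard-linked files, symlinks, and directories a non-root user could write to under a directory that root is about to chown.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the munin ebuild).
# Usage: audit_chown_target DIR [TRUSTED_UID]
# Prints one finding per line and returns 1 if root should not chown
# anything under DIR in its current state; returns 0 when DIR is clean.
# Only DIR and what lies below it are inspected; ancestors of DIR need
# the same directory check. Paths containing newlines are not handled.
audit_chown_target() {
    dir=$1
    trusted=${2:-0}   # numeric uid allowed to own directories (0 = root)
    findings=$(
        # A plain chown (no -h) acts on a symlink's target, not the link.
        find "$dir" -xdev -type l -exec printf 'symlink %s\n' {} +
        # A regular file with more than one name may also be a file
        # elsewhere on the filesystem; chown changes that shared inode.
        find "$dir" -xdev -type f -links +1 \
            -exec printf 'hardlink %s\n' {} +
        # Whoever can write to a directory can swap its entries between
        # this check and the chown, so it must belong to the trusted uid
        # and be closed to group and other.
        find "$dir" -xdev -type d \
            \( ! -user "$trusted" -o -perm -0020 -o -perm -0002 \) \
            -exec printf 'untrusted-dir %s\n' {} +
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Allow direct use: sh audit.sh /var/lib/munin/.ssh
if [ "$#" -gt 0 ]; then
    audit_chown_target "$@"
fi
```

A clean result only describes the tree at the moment of the check; if the directory is writable by the service user, generating the files as that user (as suggested in comment 2) avoids the chown altogether.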
Comment 3 Michael Orlitzky gentoo-dev 2017-09-16 14:43:18 UTC
(In reply to Hans de Graaff from comment #1)
> This bug shows that it is under embargo, but there is no deadline. Please
> advise on how or when to proceed.

Oh, and there's nothing special about the "embargo" status, I was just asked to keep these sorts of issues private until a fix is available.
Comment 4 Michael Orlitzky gentoo-dev 2017-09-16 17:18:33 UTC
Another thing to consider is that everyone who ran "emerge --config munin" up until now will still have "munin" owning /var/lib/munin and everything under it. Fixing that is itself a hairy proposition, so if you can use "su" to eliminate the chowns, that's one less thing to think about.
Comment 5 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2020-04-03 23:16:45 UTC
Unrestricting and reassigning to security@ per bug #705894
Comment 6 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2020-04-03 23:18:14 UTC
unrestricting per bug 705894