Bug 630914 - net-im/openfire: root privilege escalation via "chown -R" in pkg_postinst
Status: RESOLVED OBSOLETE
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Auditing
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Reported: 2017-09-13 18:05 UTC by Michael Orlitzky
Modified: 2020-05-04 00:40 UTC
Description Michael Orlitzky gentoo-dev 2017-09-13 18:05:47 UTC
The openfire ebuilds call "chown -R" on the live root filesystem in pkg_postinst:

  pkg_postinst() {
      ...
      chown -R jabber:jabber "${ROOT}"/opt/openfire
  }

This can be exploited by the "jabber" user to gain root, if he places a hard link to a root-owned file in /opt/openfire. The next time the package is upgraded or reinstalled, the "chown -R" will give root's file to the "jabber" user. For example,

  1. emerge openfire
  2. su -s /bin/sh -c 'ln /etc/passwd /opt/openfire/x' jabber
  3. emerge openfire
  4. /etc/passwd is owned by jabber:jabber
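
A defensive pre-flight check for the pattern reported above, added here as an example; it is not part of the bug report or of the openfire ebuild. It lists the entries under a tree that would let a root-run recursive chown reach an inode outside that tree. The function names (`risky_entries`, `tree_is_safe`, `check`, `demo`) are hypothetical, and the demo runs on a constructed temporary directory.

```shell
#!/bin/sh
# Added example: audit a directory before a privileged script runs
# "chown -R" on it. All names and sample files are constructed.

# risky_entries DIR
# Print entries whose ownership change could affect something outside DIR:
#   - regular files with more than one hard link (the same inode may also
#     exist under another name, such as a root-owned file elsewhere)
#   - symbolic links (what chown -R does with them depends on -h/-H/-L)
risky_entries() {
    find "$1" -xdev \( -type f -links +1 -o -type l \) -print
}

# tree_is_safe DIR
# Return 0 when nothing risky is found; otherwise list findings and return 1.
tree_is_safe() {
    found=$(risky_entries "$1")
    if [ -n "$found" ]; then
        printf 'refusing recursive chown, suspicious entries:\n%s\n' "$found" >&2
        return 1
    fi
    return 0
}

# check DIR: print 0 (safe) or 1 (unsafe) without tripping "set -e".
check() {
    if tree_is_safe "$1" 2>/dev/null; then echo 0; else echo 1; fi
}

# demo: build a constructed tree and audit it in three states.
# Prints "0 1 1": clean tree, tree with a hard link, tree with a symlink.
demo() {
    work=$(mktemp -d) || return 2
    mkdir "$work/tree"
    echo "stand-in for a root-owned file" > "$work/outside"
    echo "service data" > "$work/tree/normal"
    clean=$(check "$work/tree")
    ln "$work/outside" "$work/tree/x"        # same inode, second name
    hard=$(check "$work/tree")
    rm "$work/tree/x"
    ln -s "$work/outside" "$work/tree/y"     # symlink pointing out of the tree
    soft=$(check "$work/tree")
    rm -rf "$work"
    echo "$clean $hard $soft"
}
```

The audit is advisory only: a user who can still write to the tree can add a link between the check and the chown, so the durable fix is to avoid the call on the live filesystem, which is what comment 3 reports for -r2.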
Comment 1 Sergei Trofimovich (RETIRED) gentoo-dev 2017-09-15 21:04:13 UTC
The ".*confidential.*" red text does not actually say what the next step for this issue is.

Should I attach the ebuild fix here once I get it ready, or is someone else
already actively handling it?
Comment 2 Michael Orlitzky gentoo-dev 2017-09-15 22:40:41 UTC
(In reply to Sergei Trofimovich from comment #1)
> The ".*confidential.*" red text does not actually say what the next step for
> this issue is.
> 
> Should I attach the ebuild fix here once I get it ready, or is someone else
> already actively handling it?

Just fix it and post here when you're done =)

There's nothing special about the private bug, I was just asked to mark these sorts of issues private until they're fixed.
Comment 3 Michael Orlitzky gentoo-dev 2019-06-23 17:26:00 UTC
This issue should be fixed in the -r2. I just reordered things so that it's not necessary to call chown/chmod at any point.

@security, we should open up this bug and ask the arch teams to test it.
Comment 4 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2020-04-03 23:16:43 UTC
Unrestricting and reassigning to security@ per bug #705894
Comment 5 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2020-04-03 23:18:34 UTC
unrestricting per bug 705894
Comment 6 Aaron Bauman (RETIRED) gentoo-dev 2020-05-04 00:40:56 UTC
pkg is no longer in tree.