The asterisk ebuilds call "chown -R" on a few directories during the pkg_config phase:

  pkg_config() {
      ...
      for x in spool run lib log; do
          chown -R asterisk:asterisk "${ROOT}"var/${x}/asterisk
          chmod -R u=rwX,g=rwX,o= "${ROOT}"var/${x}/asterisk
      done

      chown -R root:asterisk "${ROOT}"etc/asterisk
      chmod -R u=rwX,g=rwX,o= "${ROOT}"etc/asterisk

This can be exploited by the "asterisk" user to gain root. If he places a hard link to a root-owned file in any of those directories, then the next time pkg_config is run, it will give ownership of root's file to the "asterisk" user. For example,

  1. emerge asterisk
  2. su -s /bin/sh -c 'ln /etc/passwd /var/lib/asterisk/x' asterisk
  3. emerge --config asterisk
  4. /etc/passwd is owned by asterisk:asterisk
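
An added illustration, not part of the original report or of the Gentoo ebuild: a pre-flight check for a recursive chown that lists regular files with more than one hard link and refuses to change ownership while any exist. The function names list_multilinked, guarded_chown and demo are hypothetical, and the check is not atomic, so it assumes the service user cannot write to the tree while it runs.

```shell
#!/bin/sh
# Added example (assumption: not the ebuild's own code).

# Print regular files under $1 whose inode has more than one name.
# chown acts on the inode, so such a file may also be reachable through a
# path outside the tree, as with the /etc/passwd link in the report.
list_multilinked() {
    find "$1" -xdev -type f -links +1 -print
}

# Recursively chown directory $2 to owner $1, but only if the tree holds no
# multi-linked regular file. Returns 1 (and changes nothing) otherwise.
guarded_chown() {
    owner=$1
    dir=$2
    hits=$(list_multilinked "$dir")
    if [ -n "$hits" ]; then
        printf 'refusing chown -R %s %s, multi-linked files:\n%s\n' \
            "$owner" "$dir" "$hits" >&2
        return 1
    fi
    # -h: change a symlink itself rather than the file it points to.
    chown -R -h "$owner" "$dir"
}

# Constructed sample tree: "outside/passwd" stands in for a root-owned file
# and "tree/x" for the hard link created in step 2 of the report.
demo() {
    demo_root=$(mktemp -d) || return 2
    mkdir "$demo_root/outside" "$demo_root/tree"
    echo secret > "$demo_root/outside/passwd"
    echo data > "$demo_root/tree/ok"
    ln "$demo_root/outside/passwd" "$demo_root/tree/x"
    rc=0
    guarded_chown "$(id -u):$(id -g)" "$demo_root/tree" || rc=$?
    rm -rf "$demo_root"
    return "$rc"
}
```

On Linux, the fs.protected_hardlinks=1 sysctl separately stops an unprivileged user from creating a hard link to a file they do not own, which blocks step 2 of the report.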
Unrestricting and reassigning to security@ per bug #705894
unrestricting per bug 705894
I think this was resolved at the same time as bug 602722. @jaco, is that right?
(In reply to Sam James (sec padawan) from comment #3)
> I think this was resolved at the same time as bug 602722.
>
> @jaco, is that right?

Duplicate yes.

*** This bug has been marked as a duplicate of bug 602722 ***