630922 – net-voip/openmcu: root privilege escalation via "chown -R" in pkg_postinst

Bug 630922 - net-voip/openmcu: root privilege escalation via "chown -R" in pkg_postinst

Summary: net-voip/openmcu: root privilege escalation via "chown -R" in pkg_postinst

Status:	RESOLVED WONTFIX

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Auditing (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Security Audit Team

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2017-09-13 18:35 UTC by Michael Orlitzky
Modified:	2018-01-26 23:01 UTC (History)
CC List:	0 users

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Michael Orlitzky gentoo-dev

2017-09-13 18:35:17 UTC

The openmcu ebuild calls "chown -R" on the live root filesystem in pkg_postinst:

  pkg_postinst() {
      einfo "Setting permissions..."
      chown -R openmcu:openmcu "${ROOT}"etc/openmcu
      ...

This can be exploited by the "openmcu" user to gain root if he places a hard link to a root-owned file in one of those directories. The next time the package is upgraded or reinstalled, the "chown -R" will give root's file to the "openmcu" user. For example,

  1. emerge openmcu
  2. su -s /bin/sh -c 'ln /etc/passwd /etc/openmcu/x' openmcu
  3. emerge openmcu
  4. /etc/passwd is owned by openmcu:openmcu

I'm marking this private, but the package is maintainer-needed, to security@ will need to CC someone appropriate to fix it.

Comment 1 Mikle Kolyada (RETIRED) archtester

2018-01-26 23:01:42 UTC

The package has been removed.