Bug 630986 - mail-filter/spamass-milter: privilege escalation via PID file manipulation
Summary: mail-filter/spamass-milter: privilege escalation via PID file manipulation
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Deadline: 2019-05-24
Assignee: Gentoo Security
Whiteboard: B3 [noglsa]
Keywords: PMASKED
Depends on:
Reported: 2017-09-14 16:22 UTC by Michael Orlitzky
Modified: 2020-07-27 23:26 UTC (History)

See Also:
Package list:
Runtime testing required: ---

Attachments:
  spamass-milter.rc5 (spamass-milter, 684 bytes, text/plain), 2017-09-14 16:22 UTC, Michael Orlitzky
  spamass-milter.conf4 (spamass-milter, 684 bytes, text/plain), 2017-09-14 16:22 UTC, Michael Orlitzky
  spamass-milter.rc5 (spamass-milter, 674 bytes, text/plain), 2017-09-14 16:23 UTC, Michael Orlitzky

Description Michael Orlitzky gentoo-dev 2017-09-14 16:22:00 UTC
Created attachment 494526

The init script for spamass-milter gives ownership of its PID file directory to the daemon's runtime user:

  checkconfig() {
      if [ ! -d ${piddir:=/var/run/milter} ]; then
          checkpath -q -d -o milter:milter -m 0755 ${piddir} || return 1

This can be exploited by the "milter" user to kill root processes, since when the service is stopped, root will send a SIGTERM to the contents of that file.

I've rewritten the init script to work around this. The spamass-milter can't drop privileges on its own, so instead of using the daemon-created PID file, I had the daemon run in the foreground and let OpenRC manage the PID file at /run/

I also cleaned up the socket code and the retry/wait stuff during start/stop. I've restarted the daemon a bunch of times with no problem.

If it's all the same, I would also suggest that we make the $SOCKET path something like /run/milter/${RC_SVCNAME}.sock (which happens to be the default, anyway). The fact that we change ownership of the directory containing that variable is a little sneaky, and could mess up users' systems if they put e.g. SOCKET=/run/foo.sock. If the value was fixed at SOCKET=/run/milter/${RC_SVCNAME}.sock, then we could hard code the "checkpath" call to affect /run/milter.
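As an added illustration of the problem described in this report, and not code from the bug, its attachments or the Gentoo init script: the unsafe "signal whatever the PID file says" pattern next to a stop routine that validates the PID file and the target process before sending SIGTERM. The function names, the uid arguments and the sample PID files are assumptions made for the example; the process-owner lookup relies on Linux /proc.

```shell
#!/bin/sh
# Added example for bug 630986, not code from the bug report or from the
# Gentoo init script.  Contrasts the unsafe "signal whatever the PID file
# says" pattern with a stop routine that validates the PID file and the
# target process before sending SIGTERM.  The function names and uid
# arguments are assumptions for the example; the process-owner lookup
# relies on Linux /proc.

# Unsafe: trusts the PID file blindly.  When the directory holding the file
# is owned by the daemon's user (checkpath -o milter:milter), that user can
# replace the file with one naming a root process, and root's "stop" will
# SIGTERM it.  Returns the PID it would signal instead of killing it.
unsafe_target_pid() {
    cat "$1"
}

# Print the PID and return 0 only if every check passes; otherwise return 1.
#   $1  PID file path
#   $2  uid that must own the PID file (the uid running "stop": root)
#   $3  uid the target process must run as (the daemon's unprivileged uid)
validated_target_pid() {
    pidfile=$1 file_uid=$2 daemon_uid=$3

    # A regular file, not a symlink: a link planted by the daemon user could
    # point at another service's root-owned PID file.
    [ -f "$pidfile" ] && [ ! -L "$pidfile" ] || return 1
    # The file itself must be owned by the caller, not by the daemon user.
    [ "$(stat -c %u "$pidfile")" = "$file_uid" ] || return 1

    # First line only; anything after the first word means a tampered file.
    read -r pid rest < "$pidfile" || true
    [ -z "$rest" ] || return 1
    # Exactly one positive integer: rejects "", "-1", "$(id)", "12 34".
    case $pid in
        ''|*[!0-9]*) return 1 ;;
    esac
    # Never PID 0 (caller's process group) or PID 1 (init).
    [ "$pid" -gt 1 ] || return 1

    # The process must exist and run as the daemon's uid: /proc/<pid> is
    # owned by the process owner, so a substituted root PID is refused here.
    [ -d "/proc/$pid" ] || return 1
    [ "$(stat -c %u "/proc/$pid")" = "$daemon_uid" ] || return 1

    printf '%s\n' "$pid"
}

# Signal only a validated target.  Usage (as root; paths and uids assumed
# for the example):
#   stop_daemon /run/milter/spamass-milter.pid 0 "$(id -u milter)"
stop_daemon() {
    pid=$(validated_target_pid "$1" "$2" "$3") || {
        echo "refusing to stop: PID file $1 failed validation" >&2
        return 1
    }
    kill -TERM "$pid"
}
```

The validation is defence in depth. The fix described in the report removes the root cause instead by keeping the PID file out of the daemon-owned directory: with OpenRC, `command_background=yes` together with a `pidfile` under /run has start-stop-daemon create the file as root before the daemon runs, so the "milter" user never holds write access to the path that "stop" later reads.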
Comment 1 Michael Orlitzky gentoo-dev 2017-09-14 16:22:34 UTC
Created attachment 494528
Comment 2 Michael Orlitzky gentoo-dev 2017-09-14 16:23:16 UTC
Created attachment 494530
Comment 3 Larry the Git Cow gentoo-dev 2019-04-24 12:50:29 UTC
The bug has been referenced in the following commit(s):

commit 8c3b2530968d44c5e46fad371b300bd643e1e934
Author:     Michał Górny <>
AuthorDate: 2019-04-24 12:49:05 +0000
Commit:     Michał Górny <>
CommitDate: 2019-04-24 12:50:13 +0000

    package.mask: Last rite mail-filter/spamass-milter
    Signed-off-by: Michał Górny <>

 profiles/package.mask | 7 +++++++
 1 file changed, 7 insertions(+)
Comment 4 Larry the Git Cow gentoo-dev 2019-05-28 13:33:08 UTC
The bug has been referenced in the following commit(s):

commit 30a7ed2d867921b830e8f2329519fdb34ab9cb5f
Author:     Michał Górny <>
AuthorDate: 2019-05-28 13:32:15 +0000
Commit:     Michał Górny <>
CommitDate: 2019-05-28 13:32:41 +0000

    mail-filter/spamass-milter: Remove last-rited pkg
    Signed-off-by: Michał Górny <>

 mail-filter/spamass-milter/Manifest                |  1 -
 mail-filter/spamass-milter/files/README.gentoo     | 52 ------------
 .../files/spamass-milter-auth_users.patch          | 92 ----------------------
 .../spamass-milter/files/spamass-milter.conf3      | 29 -------
 .../spamass-milter/files/spamass-milter.rc4        | 54 -------------
 mail-filter/spamass-milter/metadata.xml            |  5 --
 .../spamass-milter/spamass-milter-0.3.2.ebuild     | 41 ----------
 profiles/package.mask                              |  7 --
 8 files changed, 281 deletions(-)
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-27 23:26:45 UTC
Removed over a year ago so no GLSA, tree is clean, closing.