The foldingathome ebuild calls "chown -R" on the live root filesystem in pkg_postinst:

    I="opt/foldingathome"
    ...
    pkg_postinst() {
        chown -R foldingathome:nogroup "${EROOT}"${I}

That can be exploited by the "foldingathome" user to gain root. If he places a hard link under "${EROOT}"${I} (which he owns) pointing to a root-owned file, then the next time the foldingathome package is upgraded or reinstalled, the same "chown -R" call will affect the target of the hard link and give root's file to the "foldingathome" user.
Hm, the pkg_config phase has the same vulnerability:

    pkg_config() {
        "${EROOT}"${I}/initfolding
    }

The contents of that file are,

    #!/bin/sh
    cd /opt/foldingathome
    /opt/foldingathome/FAHClient --configure
    /bin/chown -R foldingathome:nogroup /opt/foldingathome

so if pkg_config gets run twice, the same vulnerability exists.
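The hazard described in the two comments above (a recursive chown on a live directory that an unprivileged user can seed with hard links) can be guarded against by refusing the chown when any multiply-linked regular file is found in the tree. This is an added illustration, not code from the ebuild or from this thread; the function names and the directory passed to it are assumptions, and the check is only a mitigation, since the real fix is to set ownership on the staged image (${ED}) rather than on the live filesystem.

```shell
#!/bin/sh
# Added example, not part of the foldingathome ebuild or this bug thread.
# A hard link is the same inode as its target, so "chown -R DIR" will retarget
# the ownership of any file outside DIR that has been hard-linked into it.

# Print regular files under $1 whose link count is greater than 1.
# Caveat: this also flags pairs of links that both live inside the tree,
# which is acceptable for a refuse-by-default check.
hardlinked_files() {
    find "$1" -type f -links +1 -print
}

# Usage: safe_chown_tree OWNER[:GROUP] DIR
# Returns 1 without touching anything if a multiply-linked file is present.
# Note: a check-then-chown sequence is still racy against a concurrent
# local user; it reduces, but does not remove, the exposure.
safe_chown_tree() {
    owner=$1
    dir=$2
    if [ -n "$(hardlinked_files "$dir")" ]; then
        echo "refusing chown -R: multiply-linked file(s) under $dir" >&2
        hardlinked_files "$dir" >&2
        return 1
    fi
    chown -R "$owner" "$dir"
}

# Run as a script: safe_chown_tree foldingathome:nogroup /opt/foldingathome
if [ "$#" -eq 2 ]; then
    safe_chown_tree "$1" "$2"
fi
```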
Please review the newly committed -r2. I've dropped initfolding and moved the chown -R to occur within src_install, directly on ${ED}. Once confirmed acceptable, I'll drop previous versions.

    commit e4b6baa58325c29e186f6843c365bd5f168b7969 (HEAD -> master, origin/master, origin/HEAD)
    Author: Ian Stakenvicius <axs@gentoo.org>
    Date:   Wed Sep 20 14:33:07 2017 -0400

        sci-biology/foldingathome: misc ebuild improvements

        - Added a systemd unit
        - Removed usage of 'chown -R' on live filesystems
        - Dropped the custom and vulnerable 'initfolding' helper script
        - Improved the init script to use standard openrc-run behaviour via variables
        - Dropped "unitinfo" extra command on /etc/init.d/foldingathome as it rarely works

        Package-Manager: Portage-2.3.6, Repoman-2.3.1
(In reply to Ian Stakenvicius from comment #2)
> Please review the newly committed -r2 , I've dropped initfolding and moved
> the chown -R to occur within src_install, directly on ${ED}
>

Thanks, I think this one's safe but I have two minor suggestions. First, in src_install, we're supposed to use "fowners" instead of "chown" (don't ask me what the difference is). And second, I think this comment was left over from an earlier experiment:

    # the bash shell is important for "su -c" in init script
    enewuser foldingathome -1 -1 "${EPREFIX}"/opt/foldingathome

since you're specifying bash with "su -s" rather than relying on the user's default shell. (Would "su -s /bin/sh" work?)
Sorted on both counts. I'll drop the -r1 version to get rid of the vulnerabilities.
This was fixed two years ago. Since these private bugs don't appear to be a part of anyone's workflow, I'm just gonna mark it "fixed." (Thanks Ian.)

    commit e4b6baa58325c29e186f6843c365bd5f168b7969
    Author: Ian Stakenvicius <axs@gentoo.org>
    Date:   Wed Sep 20 14:33:07 2017 -0400

        sci-biology/foldingathome: misc ebuild improvements

        - Added a systemd unit
        - Removed usage of 'chown -R' on live filesystems
        - Dropped the custom and vulnerable 'initfolding' helper script
        - Improved the init script to use standard openrc-run behaviour via variabl$
        - Dropped "unitinfo" extra command on /etc/init.d/foldingathome as it rarel$

        Package-Manager: Portage-2.3.6, Repoman-2.3.1
Unrestricting and re-assigning per bug 705894.