The ebuilds for cluster-glue call "chown -R" on the live root filesystem in pkg_postinst:
chown -R hacluster:haclient /var/lib/heartbeat/cores
chown -R hacluster:haclient /var/lib/heartbeat/lrm
That can be exploited by the "hacluster" user (and probably anyone in the "haclient" group) to gain root. If a hard link is placed in one of those directories and it points to a root-owned file, then the next time the cluster-glue package is upgraded or reinstalled, the "chown -R" will affect the target of the link and give the file to hacluster:haclient.
1. emerge cluster-glue
2. su -s /bin/sh -c 'ln /etc/passwd /var/lib/heartbeat/lrm/x' hacluster
3. emerge cluster-glue
4. /etc/passwd is owned by hacluster:haclient
Note that the ebuilds also set /dev/null as login shell.
enewuser hacluster -1 /dev/null /var/lib/heartbeat haclient
I expect no security implications there but that probably ought to be fixed in this same effort:
enewuser hacluster -1 -1 /var/lib/heartbeat haclient
Unrestricting and reassigning to security@ per bug #705894
unrestricting per bug 705894
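
An added example, not part of the bug report or the cluster-glue ebuild: a check an administrator could run as root before re-emerging the package, listing regular files in the two directories named above that have more than one hard link, since those are the files whose other names a "chown -R" would also hand over. The function names are hypothetical and GNU find and stat are assumed.

```shell
#!/bin/sh
# Added example (not from the ebuild): audit directories before a recursive chown.
# A regular file with a link count above 1 has another name somewhere on the
# same filesystem, so "chown -R" on this tree also changes that other name.

# List multiply-linked regular files under the given directories.
# Prints "<link count> <owner> <path>" for each hit (GNU stat format).
find_multilinked() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -xdev -type f -links +1 -exec stat -c '%h %U %n' {} +
    done
}

# Return 0 only when none of the directories contains a multiply-linked file.
tree_is_safe_to_chown() {
    [ -z "$(find_multilinked "$@")" ]
}

# Report the kernel's hard link restriction if the sysctl is present.
# 1 = users may only create links to files they own or can read and write.
protected_hardlinks_state() {
    if [ -r /proc/sys/fs/protected_hardlinks ]; then
        cat /proc/sys/fs/protected_hardlinks
    else
        echo unknown
    fi
}

# Directories taken from the report; missing directories are skipped.
audit_cluster_glue() {
    if tree_is_safe_to_chown /var/lib/heartbeat/cores /var/lib/heartbeat/lrm; then
        echo "no multiply-linked files found"
    else
        echo "multiply-linked files (inspect before upgrading):"
        find_multilinked /var/lib/heartbeat/cores /var/lib/heartbeat/lrm
    fi
    echo "fs.protected_hardlinks: $(protected_hardlinks_state)"
}

audit_cluster_glue
```

A hit is not proof of tampering, but each one should be explained before the package's pkg_postinst runs again.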