Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 631548 - sys-cluster/cluster-glue: root privilege escalation via "chown -R" in pkg_postinst
Summary: sys-cluster/cluster-glue: root privilege escalation via "chown -R" in pkg_pos...
Status: CONFIRMED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Auditing (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-09-20 17:13 UTC by Michael Orlitzky
Modified: 2020-05-21 22:49 UTC (History)
10 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Michael Orlitzky gentoo-dev 2017-09-20 17:13:31 UTC
The ebuilds for cluster-glue call "chown -R" on the live root filesystem in pkg_postinst:

  pkg_postinst() {
      chown -R hacluster:haclient /var/lib/heartbeat/cores
      chown -R hacluster:haclient /var/lib/heartbeat/lrm
  }

That can be exploited by the "hacluster" user (and probably anyone in the "haclient" group) to gain root. If a hard link is placed in one of those directories and it points to a root-owned file, then the next time the cluster-glue package is upgraded or reinstalled, the "chown -R" will affect the target of the link and give the file to hacluster:haclient.

For example,

  1. emerge cluster-glue
  2. su -s /bin/sh -c 'ln /etc/passwd /var/lib/heartbeat/lrm/x' hacluster
  3. emerge cluster-glue
  4. /etc/passwd is owned by hacluster:haclient
Comment 1 Jeroen Roovers gentoo-dev 2019-09-17 13:43:32 UTC
Note that the ebuilds also set /dev/null as login shell.

pkg_setup() {
    enewgroup haclient
    enewuser  hacluster -1 /dev/null /var/lib/heartbeat haclient
}

I expect no security implications there but that probably ought to be fixed in this same effort:

    enewuser  hacluster -1 -1 /var/lib/heartbeat haclient
Comment 2 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2020-04-03 23:16:20 UTC
Unrestricting and reassigning to security@ per bug #705894
Comment 3 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2020-04-03 23:18:08 UTC
unrestricting per bug 705894