631552 – sys-cluster/slurm: root privilege escalation via "chown -R" in pkg_postinst

Bug 631552 - sys-cluster/slurm: root privilege escalation via "chown -R" in pkg_postinst

Summary: sys-cluster/slurm: root privilege escalation via "chown -R" in pkg_postinst

Status:	CONFIRMED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Auditing (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2017-09-20 17:32 UTC by Michael Orlitzky
Modified:	2020-05-21 22:50 UTC (History)
CC List:	10 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Michael Orlitzky gentoo-dev

2017-09-20 17:32:34 UTC

The ebuilds for slurm call "chown -R" on the live root filesystem in pkg_postinst:

  create_folders_and_fix_permissions() {
      einfo "Fixing permissions in ${@}"
      mkdir -p ${@}
      chown -R ${PN}:${PN} ${@}
  }

  pkg_postinst() {
      paths=(
        "${EROOT}"var/${PN}/checkpoint
        ...
      )
      for folder_path in ${paths[@]}; do
        create_folders_and_fix_permissions $folder_path
      done
      ...

That can be exploited by the "slurm" user to gain root. If a hard link pointing to a root-owned file is placed in one of those $paths, then the next time slurm is reinstalled or upgraded, the "chown -R" will affect the target of the link and give ownership of the file to slurm:slurm.

For example,

  1. emerge slurm
  2. su -s /bin/sh -c 'ln /etc/passwd /var/slurm' slurm
  3. emerge slurm
  4. /etc/passwd is owned by slurm:slurm

Comment 1 Robin Johnson archtester

2020-04-03 23:16:21 UTC

Unrestricting and reassigning to security@ per bug #705894

Comment 2 Robin Johnson archtester

2020-04-03 23:18:05 UTC

unrestricting per bug 705894