The ebuilds for slurm call "chown -R" on the live root filesystem in pkg_postinst:

  create_folders_and_fix_permissions() {
      einfo "Fixing permissions in ${@}"
      mkdir -p ${@}
      chown -R ${PN}:${PN} ${@}
  }

  pkg_postinst() {
      paths=(
          "${EROOT}"var/${PN}/checkpoint
          ...
      )
      for folder_path in ${paths[@]}; do
          create_folders_and_fix_permissions $folder_path
      done
      ...

That can be exploited by the "slurm" user to gain root. If a hard link pointing to a root-owned file is placed in one of those $paths, then the next time slurm is reinstalled or upgraded, the "chown -R" will affect the target of the link and give ownership of the file to slurm:slurm.

For example,

  1. emerge slurm
  2. su -s /bin/sh -c 'ln /etc/passwd /var/slurm' slurm
  3. emerge slurm
  4. /etc/passwd is owned by slurm:slurm
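Added example, not part of the original report or of the slurm ebuild: a pre-check that a maintainer or administrator could run before any recursive chown of a directory writable by an unprivileged user. The function names list_foreign_hardlinks and safe_to_chown_tree are hypothetical; the check reports regular files with more than one hard link that are not already owned by the intended owner, which is the condition the report describes.

```shell
#!/bin/sh
# Added example (not from the slurm ebuild): audit a tree before "chown -R".
# list_foreign_hardlinks and safe_to_chown_tree are hypothetical helper names.

# Print regular files under directory $1 that have more than one hard link
# and are not already owned by user $2 (user name or numeric uid).
# These are the inodes a recursive chown would hand over to $2 even though
# they are also reachable under another name outside the tree.
list_foreign_hardlinks() {
    dir=$1
    owner=$2
    # A missing directory has nothing to report.
    [ -d "$dir" ] || return 0
    find "$dir" -xdev -type f -links +1 ! -user "$owner" -print
}

# Return 0 only when no such file exists under $1; otherwise list the
# offending paths on stderr and return 1 so the caller can skip the chown.
safe_to_chown_tree() {
    hits=$(list_foreign_hardlinks "$1" "$2")
    if [ -n "$hits" ]; then
        printf 'refusing chown -R of %s: multiply-linked files not owned by %s:\n%s\n' \
            "$1" "$2" "$hits" >&2
        return 1
    fi
    return 0
}
```

The check and the chown are separate steps, so a user who can write to the tree can still change it in between; this is an audit aid for finding already-planted links, not a replacement for removing the recursive chown.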
Unrestricting and reassigning to security@ per bug #705894
unrestricting per bug 705894
Ping. Seems like zlogene was primarily bumping this, but he's not a maintainer anymore.