The ebuilds for slurm call "chown -R" on the live root filesystem in pkg_postinst:

  create_folders_and_fix_permissions() {
      einfo "Fixing permissions in ${@}"
      mkdir -p ${@}
      chown -R ${PN}:${PN} ${@}
  }

  pkg_postinst() {
      paths=(
          "${EROOT}"var/${PN}/checkpoint
          ...
      )

      for folder_path in ${paths[@]}; do
          create_folders_and_fix_permissions $folder_path
      done
      ...

That can be exploited by the "slurm" user to gain root. If a hard link pointing to a root-owned file is placed in one of those $paths, then the next time slurm is reinstalled or upgraded, the "chown -R" will affect the target of the link and give ownership of the file to slurm:slurm. For example,

  1. emerge slurm
  2. su -s /bin/sh -c 'ln /etc/passwd /var/slurm' slurm
  3. emerge slurm
  4. /etc/passwd is owned by slurm:slurm
Unrestricting and reassigning to security@ per bug #705894
unrestricting per bug 705894
Ping. Seems like zlogene was primarily bumping this, but he's not a maintainer anymore.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=002aa381e511ead5a8b433a8b2ad5d5afd4d94fe

commit 002aa381e511ead5a8b433a8b2ad5d5afd4d94fe
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2022-08-15 00:16:59 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-08-15 00:35:55 +0000

    profiles: last rite sys-cluster/slurm

    Also remove the collectd unmasks in arch package.use.masks.

    Bug: https://bugs.gentoo.org/631552
    Bug: https://bugs.gentoo.org/790296
    Bug: https://bugs.gentoo.org/842789
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 profiles/arch/amd64/package.use.mask | 4 ----
 profiles/arch/x86/package.use.mask   | 4 ----
 profiles/base/package.use.mask       | 3 +++
 profiles/package.mask                | 6 ++++++
 4 files changed, 9 insertions(+), 8 deletions(-)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0aea4dac7e2b6099fbe6d299ef0299e04c6832a6

commit 0aea4dac7e2b6099fbe6d299ef0299e04c6832a6
Author:     Alexey Shvetsov <alexxy@gentoo.org>
AuthorDate: 2022-09-15 08:05:51 +0000
Commit:     Alexey Shvetsov <alexxy@gentoo.org>
CommitDate: 2022-09-15 08:05:51 +0000

    sys-cluster/slurm: Should fix possible privilege escalation

    Bug: https://bugs.gentoo.org/631552
    Signed-off-by: Alexey Shvetsov <alexxy@gentoo.org>

 sys-cluster/slurm/slurm-22.05.3.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a34a195a9b018eecac186686a2f88d21daff2f04

commit a34a195a9b018eecac186686a2f88d21daff2f04
Author:     Alexey Shvetsov <alexxy@gentoo.org>
AuthorDate: 2022-09-15 08:07:56 +0000
Commit:     Alexey Shvetsov <alexxy@gentoo.org>
CommitDate: 2022-09-15 08:07:56 +0000

    profiles: Remove slurm p.mask since vulnerable version no longer in tree

    Bug: https://bugs.gentoo.org/631552
    Bug: https://bugs.gentoo.org/790296
    Bug: https://bugs.gentoo.org/842789
    Signed-off-by: Alexey Shvetsov <alexxy@gentoo.org>

 profiles/package.mask | 6 ------
 1 file changed, 6 deletions(-)
0aea4dac7e2b6099fbe6d299ef0299e04c6832a6 is: diff --git a/sys-cluster/slurm/slurm-22.05.3.ebuild b/sys-cluster/slurm/slurm-22.05.3.ebuild index 607d3dc407bb..0b5e602258f3 100644 --- a/sys-cluster/slurm/slurm-22.05.3.ebuild +++ b/sys-cluster/slurm/slurm-22.05.3.ebuild @@ -243,7 +243,7 @@ pkg_preinst() { create_folders_and_fix_permissions() { einfo "Fixing permissions in ${@}" mkdir -p ${@} || die - chown -R ${PN}:${PN} ${@} || die + chown ${PN}:${PN} ${@} || die } pkg_postinst() { mjo, what do you think? alexxy, I think it would've been prudent to double check that the fix is correct before unmasking given how finicky these issues have been in the past to fix.
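Review bot: removing -R from the chown line in create_folders_and_fix_permissions() stops the recursion, but the remaining `chown ${PN}:${PN} ${@} || die` still dereferences a symbolic link at the final path component, and the preceding `mkdir -p ${@} || die` succeeds when that component is already a symlink to an existing directory, so on a reinstall, when the slurm user already owns a parent such as /var/tmp/${PN}, the path handed to chown can be redirected to a root-owned directory. At minimum use `chown -h` and refuse anything that is not a real directory, e.g. `[[ -d ${1} && ! -L ${1} ]] || die`; the durable fix is to create these directories in src_install with keepdir/fowner so nothing is chown'ed on the live filesystem at all. The unquoted ${@} also word-splits any path containing whitespace.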
(In reply to John Helmert III from comment #7)
>
> mjo, what do you think?

I think it's still vulnerable if the package is reinstalled. The order of $paths,

  paths=(
      "${EROOT}"/var/${PN}/checkpoint
      "${EROOT}"/var/${PN}
      "${EROOT}"/var/spool/${PN}/slurmd
      "${EROOT}"/var/spool/${PN}
      "${EROOT}"/var/log/${PN}
      /var/tmp/${PN}/${PN}d
      /var/tmp/${PN}
      /run/${PN}
  )

is good because the first time pkg_postinst() is run, for example, /var/tmp/${PN}/${PN}d will be chown'ed to slurm:slurm before the slurm user is given control of the parent directory /var/tmp/${PN}. But if pkg_postinst() is run again, the slurm user will already control /var/tmp/${PN} when chown is used on /var/tmp/${PN}/${PN}d. At that point either a hardlink or a symlink can be used to fool it.

I think there is a more basic problem to be addressed here. Why is pkg_postinst() creating those directories with mkdir/chown, instead of letting the package manager handle them? Only /run/${PN} is temporary, and that should be handled with checkpath/tmpfiles.
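The two preconditions discussed in this thread, a hard link planted in a directory the service user controls (comment #0) and the symlink variant that still works against a non-recursive chown on reinstall (comment #8), can both be detected before a hook ever runs chown. The following is an added example, not code from the slurm ebuild or the Gentoo tree: a POSIX shell helper that lists the entries a chown could be diverted through and refuses to proceed when it finds any. The function names, the demo() routine and its temporary tree are invented for illustration.

```shell
#!/bin/sh
# Added example, not from the slurm ebuild. Audit a directory that an
# unprivileged service user may control before a package hook chowns it.
#
# Two kinds of entry let that user redirect a chown (comments #0 and #8):
#   - a symbolic link: chown without -h follows it to the target
#   - a regular file with more than one hard link: chown -R changes the
#     shared inode, i.e. the file's other name (e.g. /etc/passwd)
# Directories are not matched by the -links test because they always have
# at least two links (their own "." and the parent's entry).

# audit_chown_targets DIR
# Prints each offending path, one per line.
# Returns 0 if DIR is clean, 1 if anything suspicious was found.
audit_chown_targets() {
    dir=$1
    # -P: never follow symlinks while walking; -xdev: stay on one filesystem
    bad=$(find -P "$dir" -xdev \( -type l -o \( -type f -links +1 \) \) -print)
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}

# safe_chown_tree OWNER DIR
# Refuses to touch DIR if it is not a real directory or if the audit fails;
# otherwise changes ownership entry by entry with -h so no symlink is ever
# dereferenced. This is still a check, not a race-free fix: a user who can
# write DIR between the audit and the chown can re-plant a link. The durable
# fix is the one proposed above: install the directories from src_install
# (keepdir/fowner) and never chown a live tree.
safe_chown_tree() {
    owner=$1
    dir=$2
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "refusing: $dir is not a real directory" >&2
        return 1
    fi
    audit_chown_targets "$dir" >/dev/null || return 1
    find -P "$dir" -xdev -exec chown -h "$owner" {} +
}

# Constructed demonstration mirroring comment #0, with a temporary directory
# standing in for /etc/passwd and /var/slurm (hypothetical, invented here).
demo() {
    t=$(mktemp -d) || return 1
    echo 'root:x:0:0:root:/root:/bin/sh' > "$t/passwd"   # stands in for /etc/passwd
    mkdir "$t/spool"                                     # stands in for /var/slurm
    ln "$t/passwd" "$t/spool/passwd-link"                # the attacker's hard link
    ln -s "$t/passwd" "$t/spool/passwd-sym"              # the symlink variant
    touch "$t/spool/job.out"                             # an ordinary file, not reported
    audit_chown_targets "$t/spool" || echo "unsafe tree, refusing to chown" >&2
    rm -rf "$t"
}

demo
```

Run as-is to see the two planted links reported; in a hook you would call safe_chown_tree with the service account and let the non-zero exit abort the install, which is the failure mode a live-filesystem chown should have.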
(In reply to Michael Orlitzky from comment #8)
> (In reply to John Helmert III from comment #7)
> >
> > mjo, what do you think?
>
> I think it's still vulnerable if the package is reinstalled. The order of
> $paths,
>
>   paths=(
>       "${EROOT}"/var/${PN}/checkpoint
>       "${EROOT}"/var/${PN}
>       "${EROOT}"/var/spool/${PN}/slurmd
>       "${EROOT}"/var/spool/${PN}
>       "${EROOT}"/var/log/${PN}
>       /var/tmp/${PN}/${PN}d
>       /var/tmp/${PN}
>       /run/${PN}
>   )
>
> is good because the first time pkg_postinst() is run, for example,
> /var/tmp/${PN}/${PN}d will be chown'ed to slurm:slurm before the slurm user
> is given control of the parent directory /var/tmp/${PN}. But if
> pkg_postinst() is run again, the slurm user will already control
> /var/tmp/${PN} when chown is used on /var/tmp/${PN}/${PN}d. At that point
> either a hardlink or a symlink can be used to fool it.
>
> I think there is a more basic problem to be addressed here. Why is
> pkg_postinst() creating those directories with mkdir/chown, instead of
> letting the package manager handle them? Only /run/${PN} is temporary, and
> that should be handled with checkpath/tmpfiles.

you mean in src_install() using dodir/keepdir and fowner/fperms?
(In reply to foufou33 from comment #9) > > you mean in src_install() using dodir/keepdir and fowner/fperms? Yes, exactly.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=878ee04160ad05c9a40beeac3ba2c973dbf436d6

commit 878ee04160ad05c9a40beeac3ba2c973dbf436d6
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2024-01-14 22:20:09 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2024-01-14 22:20:19 +0000

    sys-cluster/slurm: treeclean

    Bug: https://bugs.gentoo.org/631552
    Bug: https://bugs.gentoo.org/920104
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 profiles/package.mask                            |   4 -
 sys-cluster/slurm/Manifest                       |   1 -
 sys-cluster/slurm/files/logrotate                |  20 --
 .../slurm/files/slurm-22.05.3_autoconf-lua.patch |  49 ----
 sys-cluster/slurm/files/slurm.confd              |   6 -
 sys-cluster/slurm/files/slurm.tmpfiles           |   1 -
 sys-cluster/slurm/files/slurmctld.initd          |  76 ------
 sys-cluster/slurm/files/slurmd.initd             |  79 ------
 sys-cluster/slurm/files/slurmdbd.initd           |  74 ------
 sys-cluster/slurm/metadata.xml                   |  28 --
 sys-cluster/slurm/slurm-22.05.3.ebuild           | 287 ---------------------
 11 files changed, 625 deletions(-)
CVE requested.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/proj/guru.git/commit/?id=d6957c8ab178c1284b5407f185196f3aa146ffb4

commit d6957c8ab178c1284b5407f185196f3aa146ffb4
Author:     Anna (cybertailor) Vyalkova <cyber+gentoo@sysrq.in>
AuthorDate: 2024-01-15 03:29:52 +0000
Commit:     Anna (cybertailor) Vyalkova <cyber+gentoo@sysrq.in>
CommitDate: 2024-01-15 03:29:52 +0000

    profiles: mask a bunch of sys-cluster/* pkgs

    Bug: https://bugs.gentoo.org/631552
    Bug: https://bugs.gentoo.org/920104
    Signed-off-by: Anna (cybertailor) Vyalkova <cyber+gentoo@sysrq.in>

 profiles/package.mask | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)