Bug 631552 - sys-cluster/slurm: root privilege escalation via "chown -R" in pkg_postinst
Summary: sys-cluster/slurm: root privilege escalation via "chown -R" in pkg_postinst
Status: IN_PROGRESS
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Auditing
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: B1 [masked]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-09-20 17:32 UTC by Michael Orlitzky
Modified: 2023-02-07 05:03 UTC
See Also:
Package list:
Runtime testing required: ---


Description Michael Orlitzky gentoo-dev 2017-09-20 17:32:34 UTC
The ebuilds for slurm call "chown -R" on the live root filesystem in pkg_postinst:

  create_folders_and_fix_permissions() {
      einfo "Fixing permissions in ${@}"
      mkdir -p ${@}
      chown -R ${PN}:${PN} ${@}
  }

  pkg_postinst() {
      paths=(
        "${EROOT}"var/${PN}/checkpoint
        ...
      )
      for folder_path in ${paths[@]}; do
        create_folders_and_fix_permissions $folder_path
      done
      ...

That can be exploited by the "slurm" user to gain root. If a hard link pointing to a root-owned file is placed in one of those $paths, then the next time slurm is reinstalled or upgraded, the "chown -R" will affect the target of the link and give ownership of the file to slurm:slurm.

For example,

  1. emerge slurm
  2. su -s /bin/sh -c 'ln /etc/passwd /var/slurm' slurm
  3. emerge slurm
  4. /etc/passwd is owned by slurm:slurm
Comment 1 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2020-04-03 23:16:21 UTC
Unrestricting and reassigning to security@ per bug #705894
Comment 2 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2020-04-03 23:18:05 UTC
unrestricting per bug 705894
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-01-25 22:27:51 UTC
Ping.

Seems like zlogene was primarily bumping this, but he's not a maintainer anymore.
Comment 4 Larry the Git Cow gentoo-dev 2022-08-15 00:36:38 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=002aa381e511ead5a8b433a8b2ad5d5afd4d94fe

commit 002aa381e511ead5a8b433a8b2ad5d5afd4d94fe
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2022-08-15 00:16:59 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-08-15 00:35:55 +0000

    profiles: last rite sys-cluster/slurm
    
    Also remove the collectd unmasks in arch package.use.masks.
    
    Bug: https://bugs.gentoo.org/631552
    Bug: https://bugs.gentoo.org/790296
    Bug: https://bugs.gentoo.org/842789
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 profiles/arch/amd64/package.use.mask | 4 ----
 profiles/arch/x86/package.use.mask   | 4 ----
 profiles/base/package.use.mask       | 3 +++
 profiles/package.mask                | 6 ++++++
 4 files changed, 9 insertions(+), 8 deletions(-)
Comment 5 Larry the Git Cow gentoo-dev 2022-09-15 08:06:33 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0aea4dac7e2b6099fbe6d299ef0299e04c6832a6

commit 0aea4dac7e2b6099fbe6d299ef0299e04c6832a6
Author:     Alexey Shvetsov <alexxy@gentoo.org>
AuthorDate: 2022-09-15 08:05:51 +0000
Commit:     Alexey Shvetsov <alexxy@gentoo.org>
CommitDate: 2022-09-15 08:05:51 +0000

    sys-cluster/slurm: Should fix possible privilege escalation
    
    Bug: https://bugs.gentoo.org/631552
    Signed-off-by: Alexey Shvetsov <alexxy@gentoo.org>

 sys-cluster/slurm/slurm-22.05.3.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 6 Larry the Git Cow gentoo-dev 2022-09-15 08:08:27 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a34a195a9b018eecac186686a2f88d21daff2f04

commit a34a195a9b018eecac186686a2f88d21daff2f04
Author:     Alexey Shvetsov <alexxy@gentoo.org>
AuthorDate: 2022-09-15 08:07:56 +0000
Commit:     Alexey Shvetsov <alexxy@gentoo.org>
CommitDate: 2022-09-15 08:07:56 +0000

    profiles: Remove slurm p.mask since vulnerable version no longer in tree
    
    Bug: https://bugs.gentoo.org/631552
    Bug: https://bugs.gentoo.org/790296
    Bug: https://bugs.gentoo.org/842789
    Signed-off-by: Alexey Shvetsov <alexxy@gentoo.org>

 profiles/package.mask | 6 ------
 1 file changed, 6 deletions(-)
Comment 7 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-15 20:09:24 UTC
0aea4dac7e2b6099fbe6d299ef0299e04c6832a6 is:

diff --git a/sys-cluster/slurm/slurm-22.05.3.ebuild b/sys-cluster/slurm/slurm-22.05.3.ebuild
index 607d3dc407bb..0b5e602258f3 100644
--- a/sys-cluster/slurm/slurm-22.05.3.ebuild
+++ b/sys-cluster/slurm/slurm-22.05.3.ebuild
@@ -243,7 +243,7 @@ pkg_preinst() {
 create_folders_and_fix_permissions() {
        einfo "Fixing permissions in ${@}"
        mkdir -p ${@} || die
-       chown -R ${PN}:${PN} ${@} || die
+       chown ${PN}:${PN} ${@} || die
 }

 pkg_postinst() {
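Review bot: dropping -R at line 141 closes the recursive hard-link walk but leaves the reinstall case this bug already describes: on a second pkg_postinst() the parent of each path is already owned by ${PN}, and a plain `chown` still dereferences a symlink placed at the leaf and changes the target of a hard link placed there. The fix should move ownership out of the live root filesystem entirely, creating the directories in src_install() (keepdir plus fowner/fperms) and handling the temporary /run/${PN} with tmpfiles or checkpath; if a live chown has to stay, use `chown -h` and test `[ -d "${@}" ] && [ ! -L "${@}" ]` before it, and quote `${@}` in both the mkdir and chown calls.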

mjo, what do you think?

alexxy, I think it would've been prudent to double check that the fix is correct before unmasking given how finicky these issues have been in the past to fix.
Comment 8 Michael Orlitzky gentoo-dev 2022-09-15 22:29:40 UTC
(In reply to John Helmert III from comment #7)
> 
> mjo, what do you think?

I think it's still vulnerable if the package is reinstalled. The order of $paths,

    paths=(
        "${EROOT}"/var/${PN}/checkpoint
        "${EROOT}"/var/${PN}
        "${EROOT}"/var/spool/${PN}/slurmd
        "${EROOT}"/var/spool/${PN}
        "${EROOT}"/var/log/${PN}
        /var/tmp/${PN}/${PN}d
        /var/tmp/${PN}
        /run/${PN}
    )

is good because the first time pkg_postinst() is run, for example, /var/tmp/${PN}/${PN}d will be chown'ed to slurm:slurm before the slurm user is given control of the parent directory /var/tmp/${PN}. But if pkg_postinst() is run again, the slurm user will already control /var/tmp/${PN} when chown is used on /var/tmp/${PN}/${PN}d. At that point either a hardlink or a symlink can be used to fool it.

I think there is a more basic problem to be addressed here. Why is pkg_postinst() creating those directories with mkdir/chown, instead of letting the package manager handle them? Only /run/${PN} is temporary, and that should be handled with checkpath/tmpfiles.
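The following is an added example, not code from the slurm ebuild or from either commenter, covering both the hard-link walk in the description and the reinstall-time leaf redirection in comment 8: a non-recursive replacement for create_folders_and_fix_permissions() that refuses symlinks on every path component and chowns through an open descriptor so the inode checked is the inode changed. It assumes Linux (/proc/self/fd), coreutils stat and chown, and an OWNER argument of the form user:group; the directory list in the trailing comment is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the slurm ebuild: a replacement for
# create_folders_and_fix_permissions() that never recurses and refuses the
# hard-link and symlink tricks from the bug description and comment 8.
# Assumes Linux (/proc/self/fd) and coreutils stat/chown; OWNER is user:group.
# Call it parent-first; the ebuild's child-first order only mattered for -R.

# Return 0 if no component of $1 is a symlink, 1 otherwise. A symlink in a
# parent the target user already owns would let that user redirect the leaf.
no_symlink_in_path() {
    case $1 in /*) cur="" ;; *) cur="." ;; esac
    old_ifs=$IFS; IFS='/'; set -- $1; IFS=$old_ifs
    for comp in "$@"; do
        [ -n "$comp" ] || continue
        cur="$cur/$comp"
        [ ! -L "$cur" ] || return 1
    done
    return 0
}

# safe_owned_dir OWNER DIR: create DIR (no -p, so nothing is built through an
# unchecked parent) and chown it through an open descriptor. chown on
# /proc/self/fd/N acts on the inode we opened, not on a re-resolved path, and
# the lstat/inode comparison proves that inode is DIR itself rather than a
# directory reached through a symlink swapped in after the check above.
# Directories cannot be hard-linked, so a hard link to a root-owned file
# dropped at DIR fails the mkdir and the -d test instead of being chowned.
safe_owned_dir() {
    no_symlink_in_path "$2" || { echo "refusing $2: symlink in path" >&2; return 1; }
    [ -d "$2" ] || mkdir "$2" || return 1
    (
        exec 3< "$2" || exit 1
        [ -d /proc/self/fd/3 ] || exit 1
        [ "$(stat -L -c %d:%i /proc/self/fd/3)" = "$(stat -c %d:%i "$2")" ] || exit 1
        chown "$1" /proc/self/fd/3
    )
}

# Usage mirroring the ebuild's list, parents first (placeholder paths/owner):
# for d in /var/slurm /var/slurm/checkpoint; do safe_owned_dir slurm:slurm "$d" || exit 1; done
```

The function still creates directories on the live filesystem; per comment 8 the better fix is to stop doing that in pkg_postinst() at all.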
Comment 9 foufou33 2023-02-05 04:13:35 UTC
(In reply to Michael Orlitzky from comment #8)
> (In reply to John Helmert III from comment #7)
> > 
> > mjo, what do you think?
> 
> I think it's still vulnerable if the package is reinstalled. The order of
> $paths,
> 
>     paths=(
>         "${EROOT}"/var/${PN}/checkpoint
> 	"${EROOT}"/var/${PN}
>         "${EROOT}"/var/spool/${PN}/slurmd
>         "${EROOT}"/var/spool/${PN}
>         "${EROOT}"/var/log/${PN}
>         /var/tmp/${PN}/${PN}d
>         /var/tmp/${PN}
> 	/run/${PN}
>     )
> 
> is good because the first time pkg_postinst() is run, for example,
> /var/tmp/${PN}/${PN}d will be chown'ed to slurm:slurm before the slurm user
> is given control of the parent directory /var/tmp/${PN}. But if
> pkg_postinst() is run again, the slurm user will already control
> /var/tmp/${PN} when chown is used on /var/tmp/${PN}/${PN}d. At that point
> either a hardlink or a symlink can be used to fool it.
> 
> I think there is a more basic problem to be addressed here. Why is
> pkg_postinst() creating those directories with mkdir/chown, instead of
> letting the package manager handle them? Only /run/${PN} is temporary, and
> that should be handled with checkpath/tmpfiles.

you mean in src_install() using dodir/keepdir and fowner/fperms?
Comment 10 Michael Orlitzky gentoo-dev 2023-02-05 11:58:43 UTC
(In reply to foufou33 from comment #9)
> 
> you mean in src_install() using dodir/keepdir and fowner/fperms?

Yes, exactly.