The ebuilds for slurm call "chown -R" on the live root filesystem in pkg_postinst: create_folders_and_fix_permissions() { einfo "Fixing permissions in ${@}" mkdir -p ${@} chown -R ${PN}:${PN} ${@} } pkg_postinst() { paths=( "${EROOT}"var/${PN}/checkpoint ... ) for folder_path in ${paths[@]}; do create_folders_and_fix_permissions $folder_path done ... That can be exploited by the "slurm" user to gain root. If a hard link pointing to a root-owned file is placed in one of those $paths, then the next time slurm is reinstalled or upgraded, the "chown -R" will affect the target of the link and give ownership of the file to slurm:slurm. For example, 1. emerge slurm 2. su -s /bin/sh -c 'ln /etc/passwd /var/slurm' slurm 3. emerge slurm 4. /etc/passwd is owned by slurm:slurm
Unrestricting and reassigning to security@ per bug #705894
unrestricting per bug 705894
Ping. Seems like zlogene was primarily bumping this, but he's not a maintainer anymore.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=002aa381e511ead5a8b433a8b2ad5d5afd4d94fe commit 002aa381e511ead5a8b433a8b2ad5d5afd4d94fe Author: John Helmert III <ajak@gentoo.org> AuthorDate: 2022-08-15 00:16:59 +0000 Commit: John Helmert III <ajak@gentoo.org> CommitDate: 2022-08-15 00:35:55 +0000 profiles: last rite sys-cluster/slurm Also remove the collectd unmasks in arch package.use.masks. Bug: https://bugs.gentoo.org/631552 Bug: https://bugs.gentoo.org/790296 Bug: https://bugs.gentoo.org/842789 Signed-off-by: John Helmert III <ajak@gentoo.org> profiles/arch/amd64/package.use.mask | 4 ---- profiles/arch/x86/package.use.mask | 4 ---- profiles/base/package.use.mask | 3 +++ profiles/package.mask | 6 ++++++ 4 files changed, 9 insertions(+), 8 deletions(-)
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0aea4dac7e2b6099fbe6d299ef0299e04c6832a6 commit 0aea4dac7e2b6099fbe6d299ef0299e04c6832a6 Author: Alexey Shvetsov <alexxy@gentoo.org> AuthorDate: 2022-09-15 08:05:51 +0000 Commit: Alexey Shvetsov <alexxy@gentoo.org> CommitDate: 2022-09-15 08:05:51 +0000 sys-cluster/slurm: Should fix possible privilege escalation Bug: https://bugs.gentoo.org/631552 Signed-off-by: Alexey Shvetsov <alexxy@gentoo.org> sys-cluster/slurm/slurm-22.05.3.ebuild | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a34a195a9b018eecac186686a2f88d21daff2f04 commit a34a195a9b018eecac186686a2f88d21daff2f04 Author: Alexey Shvetsov <alexxy@gentoo.org> AuthorDate: 2022-09-15 08:07:56 +0000 Commit: Alexey Shvetsov <alexxy@gentoo.org> CommitDate: 2022-09-15 08:07:56 +0000 profiles: Remove slurm p.mask since valnurable version no longer in tree Bug: https://bugs.gentoo.org/631552 Bug: https://bugs.gentoo.org/790296 Bug: https://bugs.gentoo.org/842789 Signed-off-by: Alexey Shvetsov <alexxy@gentoo.org> profiles/package.mask | 6 ------ 1 file changed, 6 deletions(-)
0aea4dac7e2b6099fbe6d299ef0299e04c6832a6 is: diff --git a/sys-cluster/slurm/slurm-22.05.3.ebuild b/sys-cluster/slurm/slurm-22.05.3.ebuild index 607d3dc407bb..0b5e602258f3 100644 --- a/sys-cluster/slurm/slurm-22.05.3.ebuild +++ b/sys-cluster/slurm/slurm-22.05.3.ebuild @@ -243,7 +243,7 @@ pkg_preinst() { create_folders_and_fix_permissions() { einfo "Fixing permissions in ${@}" mkdir -p ${@} || die - chown -R ${PN}:${PN} ${@} || die + chown ${PN}:${PN} ${@} || die } pkg_postinst() { mjo, what do you think? alexxy, I think it would've been prudent to double check that the fix is correct before unmasking given how finicky these issues have been in the past to fix.
(In reply to John Helmert III from comment #7) > > mjo, what do you think? I think it's still vulnerable if the package is reinstalled. The order of $paths, paths=( "${EROOT}"/var/${PN}/checkpoint "${EROOT}"/var/${PN} "${EROOT}"/var/spool/${PN}/slurmd "${EROOT}"/var/spool/${PN} "${EROOT}"/var/log/${PN} /var/tmp/${PN}/${PN}d /var/tmp/${PN} /run/${PN} ) is good because the first time pkg_postinst() is run, for example, /var/tmp/${PN}/${PN}d will be chown'ed to slurm:slurm before the slurm user is given control of the parent directory /var/tmp/${PN}. But if pkg_postinst() is run again, the slurm user will already control /var/tmp/${PN} when chown is used on /var/tmp/${PN}/${PN}d. At that point either a hardlink or a symlink can be used to fool it. I think there is a more basic problem to be addressed here. Why is pkg_postinst() creating those directories with mkdir/chown, instead of letting the package manager handle them? Only /run/${PN} is temporary, and that should be handled with checkpath/tmpfiles.
(In reply to Michael Orlitzky from comment #8) > (In reply to John Helmert III from comment #7) > > > > mjo, what do you think? > > I think it's still vulnerable if the package is reinstalled. The order of > $paths, > > paths=( > "${EROOT}"/var/${PN}/checkpoint > "${EROOT}"/var/${PN} > "${EROOT}"/var/spool/${PN}/slurmd > "${EROOT}"/var/spool/${PN} > "${EROOT}"/var/log/${PN} > /var/tmp/${PN}/${PN}d > /var/tmp/${PN} > /run/${PN} > ) > > is good because the first time pkg_postinst() is run, for example, > /var/tmp/${PN}/${PN}d will be chown'ed to slurm:slurm before the slurm user > is given control of the parent directory /var/tmp/${PN}. But if > pkg_postinst() is run again, the slurm user will already control > /var/tmp/${PN} when chown is used on /var/tmp/${PN}/${PN}d. At that point > either a hardlink or a symlink can be used to fool it. > > I think there is a more basic problem to be addressed here. Why is > pkg_postinst() creating those directories with mkdir/chown, instead of > letting the package manager handle them? Only /run/${PN} is temporary, and > that should be handled with checkpath/tmpfiles. you mean in src_install() using dodir/keepdir and fowner/fperms?
(In reply to foufou33 from comment #9) > > you mean in src_install() using dodir/keepdir and fowner/fperms? Yes, exactly.
