Bug 631878 - net-misc/apt-cacher-ng: privilege escalation via PID file manipulation
Summary: net-misc/apt-cacher-ng: privilege escalation via PID file manipulation
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Deadline: 2020-06-30
Assignee: Gentoo Security
Whiteboard: ~3 [ebuild]
Depends on:
Reported: 2017-09-23 22:12 UTC by Michael Orlitzky
Modified: 2020-06-12 03:29 UTC
CC List: 3 users

See Also:
Package list:
Runtime testing required: ---

initd-r2 (apt-cacher-ng,599 bytes, text/plain)
2017-09-23 22:12 UTC, Michael Orlitzky
confd-r1 (apt-cacher-ng,452 bytes, text/plain)
2017-09-23 22:12 UTC, Michael Orlitzky

Description Michael Orlitzky gentoo-dev 2017-09-23 22:12:06 UTC
Created attachment 496192 [details]

The apt-cacher-ng init script gives ownership of its PID file directory to its runtime user:


  start() {
      ebegin "Starting ${RC_SVCNAME}"
      # RUNDIR (and therefore the PID file inside it) becomes owned by the
      # unprivileged service user, so that user controls what root later kills
      checkpath -d -m 0755 -o ${RC_SVCNAME}:${RC_SVCNAME} "${RUNDIR}"

That can be exploited by the apt-cacher-ng user to kill root processes, since when the service is stopped, root will send a SIGTERM to the contents of the PID file (which are controlled by the "apt-cacher-ng" user).

I've rewritten the init script to work around the issue, by letting OpenRC create the PID file as root, and by storing it directly in /run. I've also updated some other stuff:

  1. Don't use RC_SVCNAME for the $command, since the $command doesn't change
     if you run multiple instances of apt-cacher-ng.

  2. Run apt-cacher-ng in the foreground, and don't have it write a PID file.
     This was needed to allow OpenRC to manage the PID file securely.

  3. Used $retry to eliminate the stop() function.

  4. Dropped "use net" and added an rc_need=net.lo line to the conf.d file.
     This is more semantically correct, since the daemon will start just
     in its default configuration once net.lo is up. And more importantly,
     it allows us to place a comment right there, explaining what to do if
     the user wants to bind to a *particular* interface.
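As an added example (not the attached initd-r2 script and not part of the bug report), this is the kind of validation a privileged stop routine can run before it trusts a PID file. It refuses exactly the conditions the report describes: a directory or file the service user can write to or replace with a symlink, content that is not a bare PID, or a PID that does not belong to the service user. It assumes Linux /proc and GNU coreutils stat(1); the function and file names are constructed for the example.

```shell
#!/bin/sh
# Added example: defensive PID-file validation for a root-run stop() routine.
# Assumes GNU coreutils stat(1) and a Linux /proc where /proc/<pid> is owned
# by the UID the process runs as.

# not_group_or_world_writable <path>  ->  0 if no group/other write bit is set
not_group_or_world_writable() {
    case $(stat -c '%a' "$1") in
        *[2367]|*[2367]?) return 1 ;;   # other-write or group-write bit set
    esac
    return 0
}

# trusted_pidfile_pid <pidfile> <service-user>
# Prints the PID and returns 0 only if every check passes; otherwise returns 1.
trusted_pidfile_pid() {
    pidfile=$1 svcuser=$2
    dir=$(dirname "$pidfile")
    me=$(id -un)                 # root when invoked from the init system

    # 1. Directory: not a symlink, owned by the stopping user, not writable by others
    [ ! -L "$dir" ] && [ -d "$dir" ] || return 1
    [ "$(stat -c '%U' "$dir")" = "$me" ] || return 1
    not_group_or_world_writable "$dir" || return 1

    # 2. File: a regular file (not a symlink), owned by us, not writable by others
    [ ! -L "$pidfile" ] && [ -f "$pidfile" ] || return 1
    [ "$(stat -c '%U' "$pidfile")" = "$me" ] || return 1
    not_group_or_world_writable "$pidfile" || return 1

    # 3. Content: exactly one unsigned integer greater than 1 (never init)
    pid=$(head -n 1 "$pidfile")
    case $pid in ''|*[!0-9]*) return 1 ;; esac
    [ "$pid" -gt 1 ] || return 1

    # 4. Process: must exist and run under the service user's UID,
    #    so a planted PID of some root daemon is rejected
    procuid=$(stat -c '%u' "/proc/$pid" 2>/dev/null) || return 1
    [ "$procuid" = "$(id -u "$svcuser")" ] || return 1

    printf '%s\n' "$pid"
}
```

Under OpenRC the simpler route taken in the attached script is to avoid the problem entirely: keep the PID file in a root-owned directory and let OpenRC write it while the daemon runs in the foreground, so the checks above become a belt-and-braces measure rather than the only defence.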
Comment 1 Michael Orlitzky gentoo-dev 2017-09-23 22:12:53 UTC
Created attachment 496194 [details]
Comment 2 John Helmert III (ajak) 2020-06-12 02:41:33 UTC
Maintainer: Ping.
Comment 3 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2020-06-12 03:29:53 UTC
(In reply to John Helmert III from comment #2)
> Maintainer: Ping.

I doubt the maintainer will even reply to this bug. If not, we will last-rite the package soon.