Bug 631878 - net-misc/apt-cacher-ng: privilege escalation via PID file manipulation
Summary: net-misc/apt-cacher-ng: privilege escalation via PID file manipulation
Status: CONFIRMED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL:
Whiteboard: ~3 [ebuild]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-09-23 22:12 UTC by Michael Orlitzky
Modified: 2017-10-03 06:42 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments
initd-r2 (apt-cacher-ng, 599 bytes, text/plain) - 2017-09-23 22:12 UTC, Michael Orlitzky
confd-r1 (apt-cacher-ng, 452 bytes, text/plain) - 2017-09-23 22:12 UTC, Michael Orlitzky

Description Michael Orlitzky gentoo-dev 2017-09-23 22:12:06 UTC
Created attachment 496192: initd-r2

The apt-cacher-ng init script gives ownership of its PID file directory to its runtime user:

  RUNDIR="/var/run/${RC_SVCNAME}"
  PIDFILE="${RUNDIR}/${RC_SVCNAME}.pid"

  start() {
      ebegin "Starting ${RC_SVCNAME}"
      checkpath -d -m 0755 -o ${RC_SVCNAME}:${RC_SVCNAME} "${RUNDIR}"
      ...

That can be exploited by the apt-cacher-ng user to kill root processes, since when the service is stopped, root will send a SIGTERM to the contents of the PID file (which are controlled by the "apt-cacher-ng" user).

I've rewritten the init script to work around the issue, by letting OpenRC create the PID file as root, and by storing it directly in /run. I've also updated some other stuff:

  1. Don't use RC_SVCNAME for the $command, since the $command doesn't change
     if you run multiple instances of apt-cacher-ng.

  2. Run apt-cacher-ng in the foreground, and don't have it write a PID file.
     This was needed to allow OpenRC to manage the PID file securely.

  3. Used $retry to eliminate the stop() function.

  4. Dropped "use net" and added an rc_need=net.lo line to the conf.d file.
     This is more semantically correct, since the daemon will start just
     in its default configuration once net.lo is up. And more importantly,
     it allows us to place a comment right there, explaining what to do if
     the user wants to bind to a *particular* interface.
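The two checks below show the defensive side of this report, as an added example that is not the attached init script or any apt-cacher-ng code: before root signals the PID read from a PID file it did not create itself, it verifies that no path component is owned by the service user or writable by group/others, and that the named PID actually belongs to the service user. It assumes GNU stat (-c) and a Linux /proc; the function names and the TOPDIR argument are this example's own.

```shell
#!/bin/sh
# Added example (not the attached init script): two checks a stop()
# routine can run before root signals the PID named in a PID file.
# Assumes GNU stat (-c) and a Linux /proc.

# pidfile_path_safe PIDFILE SERVICE_USER [TOPDIR]
# Return 0 only if PIDFILE and every directory between it and TOPDIR
# (default /) is neither owned by SERVICE_USER nor group/other-writable.
# Directories above TOPDIR (e.g. / above /run) are assumed root-maintained.
pidfile_path_safe() {
    pidfile=$1; svcuser=$2; top=${3:-/}
    p=$pidfile
    while :; do
        if [ -e "$p" ]; then
            owner=$(stat -c %U "$p") || return 1
            mode=$(stat -c %a "$p") || return 1
            [ "$owner" = "$svcuser" ] && return 1   # the /var/run/apt-cacher-ng case
            go=${mode#"${mode%??}"}                  # last two octal digits: group, other
            case $go in *[2367]*) return 1 ;; esac  # a write bit is set
        fi
        [ "$p" = "$top" ] && return 0
        [ "$p" = / ] && return 1                    # reached / without passing TOPDIR
        p=$(dirname "$p")
    done
}

# pidfile_owned_by PIDFILE SERVICE_USER
# Return 0 only if PIDFILE holds a single numeric PID and that process
# currently runs as SERVICE_USER, so a file rewritten to name a root
# process is refused rather than signalled.
pidfile_owned_by() {
    pidfile=$1; svcuser=$2
    pid=$(head -n 1 "$pidfile" 2>/dev/null | tr -d '[:space:]')
    case $pid in ''|*[!0-9]*) return 1 ;; esac     # empty or not a number
    [ -d "/proc/$pid" ] || return 1                 # no such process
    [ "$(stat -c %U "/proc/$pid")" = "$svcuser" ]
}

# Usage: sh pidcheck.sh PIDFILE SERVICE_USER [TOPDIR]
if [ $# -ge 2 ]; then
    if pidfile_path_safe "$1" "$2" "$3" && pidfile_owned_by "$1" "$2"; then
        echo "ok: $1 names a process owned by $2"
    else
        echo "refusing to trust $1"
    fi
fi
```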
Comment 1 Michael Orlitzky gentoo-dev 2017-09-23 22:12:53 UTC
Created attachment 496194: confd-r1