Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 631552 (CVE-2020-36770) - sys-cluster/slurm: root privilege escalation via "chown -R" in pkg_postinst
Summary: sys-cluster/slurm: root privilege escalation via "chown -R" in pkg_postinst
Status: RESOLVED FIXED
Alias: CVE-2020-36770
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: B1 [glsa+]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-09-20 17:32 UTC by Michael Orlitzky
Modified: 2024-10-18 13:47 UTC (History)
17 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Michael Orlitzky gentoo-dev 2017-09-20 17:32:34 UTC
The ebuilds for slurm call "chown -R" on the live root filesystem in pkg_postinst:

  create_folders_and_fix_permissions() {
      einfo "Fixing permissions in ${@}"
      mkdir -p ${@}
      chown -R ${PN}:${PN} ${@}
  }

  pkg_postinst() {
      paths=(
        "${EROOT}"var/${PN}/checkpoint
        ...
      )
      for folder_path in ${paths[@]}; do
        create_folders_and_fix_permissions $folder_path
      done
      ...

That can be exploited by the "slurm" user to gain root. If a hard link pointing to a root-owned file is placed in one of those $paths, then the next time slurm is reinstalled or upgraded, the "chown -R" will affect the target of the link and give ownership of the file to slurm:slurm.

For example,

  1. emerge slurm
  2. su -s /bin/sh -c 'ln /etc/passwd /var/slurm' slurm
  3. emerge slurm
  4. /etc/passwd is owned by slurm:slurm
Comment 1 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2020-04-03 23:16:21 UTC
Unrestricting and reassigning to security@ per bug #705894
Comment 2 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2020-04-03 23:18:05 UTC
unrestricting per bug 705894
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-01-25 22:27:51 UTC
Ping.

Seems like zlogene was primarily bumping this, but he's not a maintainer anymore.
Comment 4 Larry the Git Cow gentoo-dev 2022-08-15 00:36:38 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=002aa381e511ead5a8b433a8b2ad5d5afd4d94fe

commit 002aa381e511ead5a8b433a8b2ad5d5afd4d94fe
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2022-08-15 00:16:59 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-08-15 00:35:55 +0000

    profiles: last rite sys-cluster/slurm
    
    Also remove the collectd unmasks in arch package.use.masks.
    
    Bug: https://bugs.gentoo.org/631552
    Bug: https://bugs.gentoo.org/790296
    Bug: https://bugs.gentoo.org/842789
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 profiles/arch/amd64/package.use.mask | 4 ----
 profiles/arch/x86/package.use.mask   | 4 ----
 profiles/base/package.use.mask       | 3 +++
 profiles/package.mask                | 6 ++++++
 4 files changed, 9 insertions(+), 8 deletions(-)
Comment 5 Larry the Git Cow gentoo-dev 2022-09-15 08:06:33 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0aea4dac7e2b6099fbe6d299ef0299e04c6832a6

commit 0aea4dac7e2b6099fbe6d299ef0299e04c6832a6
Author:     Alexey Shvetsov <alexxy@gentoo.org>
AuthorDate: 2022-09-15 08:05:51 +0000
Commit:     Alexey Shvetsov <alexxy@gentoo.org>
CommitDate: 2022-09-15 08:05:51 +0000

    sys-cluster/slurm: Should fix possible privilege escalation
    
    Bug: https://bugs.gentoo.org/631552
    Signed-off-by: Alexey Shvetsov <alexxy@gentoo.org>

 sys-cluster/slurm/slurm-22.05.3.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 6 Larry the Git Cow gentoo-dev 2022-09-15 08:08:27 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a34a195a9b018eecac186686a2f88d21daff2f04

commit a34a195a9b018eecac186686a2f88d21daff2f04
Author:     Alexey Shvetsov <alexxy@gentoo.org>
AuthorDate: 2022-09-15 08:07:56 +0000
Commit:     Alexey Shvetsov <alexxy@gentoo.org>
CommitDate: 2022-09-15 08:07:56 +0000

    profiles: Remove slurm p.mask since valnurable version no longer in tree
    
    Bug: https://bugs.gentoo.org/631552
    Bug: https://bugs.gentoo.org/790296
    Bug: https://bugs.gentoo.org/842789
    Signed-off-by: Alexey Shvetsov <alexxy@gentoo.org>

 profiles/package.mask | 6 ------
 1 file changed, 6 deletions(-)
Comment 7 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-15 20:09:24 UTC
0aea4dac7e2b6099fbe6d299ef0299e04c6832a6 is:

diff --git a/sys-cluster/slurm/slurm-22.05.3.ebuild b/sys-cluster/slurm/slurm-22.05.3.ebuild
index 607d3dc407bb..0b5e602258f3 100644
--- a/sys-cluster/slurm/slurm-22.05.3.ebuild
+++ b/sys-cluster/slurm/slurm-22.05.3.ebuild
@@ -243,7 +243,7 @@ pkg_preinst() {
 create_folders_and_fix_permissions() {
        einfo "Fixing permissions in ${@}"
        mkdir -p ${@} || die
-       chown -R ${PN}:${PN} ${@} || die
+       chown ${PN}:${PN} ${@} || die
 }

 pkg_postinst() {

mjo, what do you think?

alexxy, I think it would've been prudent to double check that the fix is correct before unmasking given how finicky these issues have been in the past to fix.
Comment 8 Michael Orlitzky gentoo-dev 2022-09-15 22:29:40 UTC
(In reply to John Helmert III from comment #7)
> 
> mjo, what do you think?

I think it's still vulnerable if the package is reinstalled. The order of $paths,

    paths=(
        "${EROOT}"/var/${PN}/checkpoint
	"${EROOT}"/var/${PN}
        "${EROOT}"/var/spool/${PN}/slurmd
        "${EROOT}"/var/spool/${PN}
        "${EROOT}"/var/log/${PN}
        /var/tmp/${PN}/${PN}d
        /var/tmp/${PN}
	/run/${PN}
    )

is good because the first time pkg_postinst() is run, for example, /var/tmp/${PN}/${PN}d will be chown'ed to slurm:slurm before the slurm user is given control of the parent directory /var/tmp/${PN}. But if pkg_postinst() is run again, the slurm user will already control /var/tmp/${PN} when chown is used on /var/tmp/${PN}/${PN}d. At that point either a hardlink or a symlink can be used to fool it.

I think there is a more basic problem to be addressed here. Why is pkg_postinst() creating those directories with mkdir/chown, instead of letting the package manager handle them? Only /run/${PN} is temporary, and that should be handled with checkpath/tmpfiles.
Comment 9 foufou33 2023-02-05 04:13:35 UTC
(In reply to Michael Orlitzky from comment #8)
> (In reply to John Helmert III from comment #7)
> > 
> > mjo, what do you think?
> 
> I think it's still vulnerable if the package is reinstalled. The order of
> $paths,
> 
>     paths=(
>         "${EROOT}"/var/${PN}/checkpoint
> 	"${EROOT}"/var/${PN}
>         "${EROOT}"/var/spool/${PN}/slurmd
>         "${EROOT}"/var/spool/${PN}
>         "${EROOT}"/var/log/${PN}
>         /var/tmp/${PN}/${PN}d
>         /var/tmp/${PN}
> 	/run/${PN}
>     )
> 
> is good because the first time pkg_postinst() is run, for example,
> /var/tmp/${PN}/${PN}d will be chown'ed to slurm:slurm before the slurm user
> is given control of the parent directory /var/tmp/${PN}. But if
> pkg_postinst() is run again, the slurm user will already control
> /var/tmp/${PN} when chown is used on /var/tmp/${PN}/${PN}d. At that point
> either a hardlink or a symlink can be used to fool it.
> 
> I think there is a more basic problem to be addressed here. Why is
> pkg_postinst() creating those directories with mkdir/chown, instead of
> letting the package manager handle them? Only /run/${PN} is temporary, and
> that should be handled with checkpath/tmpfiles.

you mean in src_install() using dodir/keepdir and fowner/fperms?
Comment 10 Michael Orlitzky gentoo-dev 2023-02-05 11:58:43 UTC
(In reply to foufou33 from comment #9)
> 
> you mean in src_install() using dodir/keepdir and fowner/fperms?

Yes, exactly.
Comment 11 Larry the Git Cow gentoo-dev 2024-01-14 22:27:23 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=878ee04160ad05c9a40beeac3ba2c973dbf436d6

commit 878ee04160ad05c9a40beeac3ba2c973dbf436d6
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2024-01-14 22:20:09 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2024-01-14 22:20:19 +0000

    sys-cluster/slurm: treeclean
    
    Bug: https://bugs.gentoo.org/631552
    Bug: https://bugs.gentoo.org/920104
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 profiles/package.mask                              |   4 -
 sys-cluster/slurm/Manifest                         |   1 -
 sys-cluster/slurm/files/logrotate                  |  20 --
 .../slurm/files/slurm-22.05.3_autoconf-lua.patch   |  49 ----
 sys-cluster/slurm/files/slurm.confd                |   6 -
 sys-cluster/slurm/files/slurm.tmpfiles             |   1 -
 sys-cluster/slurm/files/slurmctld.initd            |  76 ------
 sys-cluster/slurm/files/slurmd.initd               |  79 ------
 sys-cluster/slurm/files/slurmdbd.initd             |  74 ------
 sys-cluster/slurm/metadata.xml                     |  28 --
 sys-cluster/slurm/slurm-22.05.3.ebuild             | 287 ---------------------
 11 files changed, 625 deletions(-)
Comment 12 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2024-01-14 22:33:33 UTC
CVE requested.
Comment 13 Larry the Git Cow gentoo-dev 2024-01-15 15:46:50 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/proj/guru.git/commit/?id=d6957c8ab178c1284b5407f185196f3aa146ffb4

commit d6957c8ab178c1284b5407f185196f3aa146ffb4
Author:     Anna (cybertailor) Vyalkova <cyber+gentoo@sysrq.in>
AuthorDate: 2024-01-15 03:29:52 +0000
Commit:     Anna (cybertailor) Vyalkova <cyber+gentoo@sysrq.in>
CommitDate: 2024-01-15 03:29:52 +0000

    profiles: mask a bunch of sys-cluster/* pkgs
    
    Bug: https://bugs.gentoo.org/631552
    Bug: https://bugs.gentoo.org/920104
    Signed-off-by: Anna (cybertailor) Vyalkova <cyber+gentoo@sysrq.in>

 profiles/package.mask | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)
Comment 14 Larry the Git Cow gentoo-dev 2024-09-22 07:39:49 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=b2a8e7761946e4dd7bf5f993678482d2a80f8d73

commit b2a8e7761946e4dd7bf5f993678482d2a80f8d73
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-09-22 07:39:27 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-09-22 07:39:40 +0000

    [ GLSA 202409-16 ] Slurm: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/631552
    Bug: https://bugs.gentoo.org/920104
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202409-16.xml | 47 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 47 insertions(+)
Comment 15 Larry the Git Cow gentoo-dev 2024-10-18 13:47:49 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dc471fd436829cd2029175e0e9cd4c61cf9d5e1d

commit dc471fd436829cd2029175e0e9cd4c61cf9d5e1d
Author:     Benda Xu <heroxbd@gentoo.org>
AuthorDate: 2024-08-31 14:08:51 +0000
Commit:     Benda Xu <heroxbd@gentoo.org>
CommitDate: 2024-10-18 13:37:05 +0000

    sys-cluster/slurm: revive with version 24.05.3.
    
    Bug: https://bugs.gentoo.org/631552
    Bug: https://bugs.gentoo.org/920104
    Signed-off-by: Benda Xu <heroxbd@gentoo.org>

 sys-cluster/slurm/Manifest              |   1 +
 sys-cluster/slurm/files/logrotate       |  20 +++
 sys-cluster/slurm/files/slurm.confd     |   6 +
 sys-cluster/slurm/files/slurm.tmpfiles  |   1 +
 sys-cluster/slurm/files/slurmctld.initd |  76 +++++++++
 sys-cluster/slurm/files/slurmd.initd    |  79 +++++++++
 sys-cluster/slurm/files/slurmdbd.initd  |  74 +++++++++
 sys-cluster/slurm/metadata.xml          |  27 ++++
 sys-cluster/slurm/slurm-24.05.3.ebuild  | 276 ++++++++++++++++++++++++++++++++
 9 files changed, 560 insertions(+)