posted 2023-02-10
Before version 0.4.6-r1 and upon installation, the Gentoo app-misc/uptimed package would recursively chown the /var/spool/uptimed directory to uptimed:uptimed. When the package is reinstalled or upgraded, this allows the uptimed user to gain root privileges through a hardlink attack, as described in the article End root chowning now (make pkg_postinst great again).
Before version 0.4.6-r1, the pkg_postinst phase of the app-misc/uptimed package would run:

    pkg_postinst() {
        einfo "Fixing permissions in /var/spool/${PN}"
        chown -R uptimed:uptimed /var/spool/${PN}
        ...
If that code is re-run (say, upon an upgrade), it calls chown as root on files that the uptimed user controls. Because chown acts on the inode rather than the path, a hardlink planted in the spool directory makes the link target change owner as well. That can be exploited with hardlinks, for example:

    sudo su -s /bin/sh -c 'ln /etc/passwd /var/spool/uptimed/x' uptimed
This is one instance of the general problem described in the article End root chowning now (make pkg_postinst great again).
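The precondition for this class of bug is a multi-linked regular file inside a directory that an unprivileged user can write to. The following shell example, added here and not taken from the advisory or the Gentoo ebuild, audits a directory for such files before any privileged recursive chown would touch it; the temp-directory scenario and file names it builds are constructed for the demonstration, and it assumes POSIX find and ln.

```shell
#!/bin/sh
# Added example (not from the advisory or the Gentoo ebuild): audit a
# directory for regular files with more than one hard link before a
# privileged, recursive chown is allowed to run over it.

# Print paths of regular files under "$1" whose link count exceeds one.
list_multilinked() {
    find "$1" -type f -links +1 2>/dev/null
}

# Succeed (exit 0) only when no multi-linked regular file exists under "$1".
# A pkg_postinst-style "fix permissions" step could gate on this instead of
# blindly running chown -R over an owner-writable spool directory.
safe_to_chown_recursively() {
    [ -z "$(list_multilinked "$1")" ]
}

# Constructed scenario: a "spool" directory plus a "victim" file outside
# it, with the victim hardlinked into the spool the way the advisory
# describes. Runs entirely inside a temp dir; no real system file is used.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/spool"
    printf 'placeholder contents\n' > "$tmp/victim"
    ln "$tmp/victim" "$tmp/spool/x"
    if safe_to_chown_recursively "$tmp/spool"; then
        echo "no multi-linked files under $tmp/spool"
    else
        echo "refusing recursive chown; multi-linked files present:"
        list_multilinked "$tmp/spool"
    fi
    rm -rf "$tmp"
}

demo
```

The safer pattern, as the fix in 0.4.6-r1 shows, is to drop the recursive chown altogether; where a directory's own ownership genuinely needs correcting, chown only the directory entry, never its contents.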
The dangerous pkg_postinst phase was removed in app-misc/uptimed-0.4.6-r1, and the older vulnerable versions have been removed. There was no ostensible need to “fix” the permissions in the first place.