posted 2022-09-21
The service script for the Gentoo net-analyzer/smokeping package has
a “restore” function that runs chown
smokeping:smokeping, as root, on paths that are controlled by
the smokeping user. If the smokeping user can alter the target path
quickly enough, he can exploit the chown
to take ownership of any file on the system.
The OpenRC service script for smokeping at /etc/init.d/smokeping has a “restore” function,
restore() {
ebegin "Restoring smokeping rrd files from XML dump files"
if service_started "${myservice}" ; then
eerror "You need to stop smokeping before restoring files!"
return 1
fi
for f in $(find /var/lib/smokeping -name '*.xml' -print) ; do
f_rrd=$(dirname $f)/$(basename $f .xml).rrd
mv -f "${f_rrd}" "${f_rrd}.bak"
chown root:0 "${f_rrd}.bak"
rrdtool restore "$f" "${f_rrd}"
chown smokeping:smokeping "${f_rrd}"
done
eend $?
}
that executes as root. Between the lines rrdtool restore "$f"
"${f_rrd}" and chown smokeping:smokeping
"${f_rrd}", the smokeping user has a window of opportunity to
replace "${f_rrd}" with a symlink to a path of his
choosing. This is made possible by the smokeping ebuild, which gives
him control of /var/lib/smokeping:
src_install() {
...
# Create the files in /var for rrd file storage
keepdir /var/lib/${PN}/.simg
fowners smokeping:smokeping /var/lib/${PN}
...
}
If he is successful, the final call to chown
smokeping:smokeping "${f_rrd}" will follow the symlink,
giving the smokeping user ownership of the target. This is an
instance of the problem described in the article End
root chowning now (make /etc/init.d great again).
The net-analyzer/smokeping package has been removed from Gentoo along with its vulnerable OpenRC service script.