michael orlitzky

CVE-2020-36657: app-misc/uptimed root privilege escalation via recursive chown

posted 2023-02-10

Gentoo Linux app-misc/uptimed package
Versions affected: 0.4.6 and earlier
Published on
Fixed in: commits 106d5ab4 and 5865dc98
Bug report
John Helmert III (ajak) for the fix and for requesting the CVE.


Before version 0.4.6-r1, the Gentoo app-misc/uptimed package would recursively chown the /var/spool/uptimed directory to uptimed:uptimed upon installation. When the package is reinstalled or upgraded, this allows the uptimed user to gain root privileges through a hardlink attack, as described in the article End root chowning now (make pkg_postinst great again).


Before version 0.4.6-r1, the pkg_postinst phase of the app-misc/uptimed package would run:

pkg_postinst() {
  einfo "Fixing permissions in /var/spool/${PN}"
  chown -R uptimed:uptimed /var/spool/${PN}
}

If that code is re-run (say, upon an upgrade), it can call chown on files that the uptimed user controls. And that can be exploited with hardlinks, for example:

  1. Install app-misc/uptimed
  2. Run sudo su -s /bin/sh -c 'ln /etc/passwd /var/spool/uptimed/x' uptimed
  3. Reinstall app-misc/uptimed
  4. The file /etc/passwd is owned by uptimed:uptimed

This is one instance of the general problem described in the article End root chowning now (make pkg_postinst great again).
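To check a service-owned directory for links of the kind planted in step 2, the following added example (not code from the ebuild or from the author) lists regular files with more than one name under a directory and reports the kernel's hardlink restriction. The function names are hypothetical, and fs.protected_hardlinks is a Linux sysctl that this advisory does not discuss.

```shell
#!/bin/sh
# Added example, not part of the uptimed ebuild.

# List regular files under DIR that have more than one name (link count > 1).
# A root-run "chown -R" changes the owner of the inode, so every other name
# of such a file changes owner too.
#   "foreign-owned hardlink": not owned by OWNER, e.g. a link to a root-owned
#                             file planted before the chown runs
#   "hardlink":               owned by OWNER, possibly already chowned
# OWNER is a user name or a numeric uid.
# Returns 0 when nothing is found, 1 when findings were printed, 2 on bad usage.
audit_spool_hardlinks() {
    asl_dir=$1
    asl_owner=$2
    if [ ! -d "$asl_dir" ] || [ -z "$asl_owner" ]; then
        echo "usage: audit_spool_hardlinks DIR OWNER" >&2
        return 2
    fi
    asl_found=$(find "$asl_dir" -xdev -type f -links +1 \( \
        ! -user "$asl_owner" -exec printf 'foreign-owned hardlink: %s\n' {} \; \
        -o -exec printf 'hardlink: %s\n' {} \; \))
    if [ -z "$asl_found" ]; then
        return 0
    fi
    printf '%s\n' "$asl_found"
    return 1
}

# Print the kernel's fs.protected_hardlinks setting. "1" means a user may only
# link to files they own or can both read and write; "0" means no restriction;
# "unknown" means the sysctl file is not readable here.
hardlink_protection() {
    hp_file=/proc/sys/fs/protected_hardlinks
    if [ -r "$hp_file" ]; then
        cat "$hp_file"
    else
        echo unknown
    fi
}

# Typical use, with the path and user from this advisory:
#   audit_spool_hardlinks /var/spool/uptimed uptimed
#   hardlink_protection
```

A clean result does not make a later chown -R safe, because the directory's owner can add a link between the check and the chown; use it to spot tampering, not as a guard.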


The dangerous pkg_postinst phase was removed in app-misc/uptimed-0.4.6-r1, and the older vulnerable versions have been removed. There was no ostensible need to “fix” the permissions in the first place.