michael orlitzky

CVE-2020-36770: sys-cluster/slurm root privilege escalation via recursive chown

posted 2024-02-20

Product
Gentoo Linux sys-cluster/slurm package
Versions affected
22.05.3 and earlier (all)
Published on
2024-02-20
Fixed in
commit 878ee041
Bug report
https://bugs.gentoo.org/631552
MITRE
CVE-2020-36770
Acknowledgements
John Helmert III (ajak) for following up on the bug after so many years, for requesting the CVE, and for finally removing the package.

Summary

Before it was removed, the Gentoo sys-cluster/slurm package would recursively chown several directories to slurm:slurm. When the package was reinstalled or upgraded, that allowed the slurm user to gain root privileges through a hardlink attack, as described in the article End root chowning now (make pkg_postinst great again).

Details

The pkg_postinst phase of the sys-cluster/slurm package would attempt to “fix” some existing permissions upon (re)installation,

create_folders_and_fix_permissions() {
  einfo "Fixing permissions in ${@}"
  mkdir -p ${@}
  # Runs as root, and recurses into whatever already exists under the path.
  chown -R ${PN}:${PN} ${@}
}

pkg_postinst() {
  # After the first install these directories belong to slurm:slurm, so on
  # every later run the chown -R above walks a tree the slurm user controls.
  paths=(
    "${EROOT}"var/${PN}/checkpoint
    "${EROOT}"var/${PN}
    ...
  )
  for folder_path in ${paths[@]}; do
    create_folders_and_fix_permissions $folder_path
  done
  ...
}

If that code is re-run (say, upon an upgrade), it calls chown -R, as root, on a tree whose contents the slurm user controls. A hardlink is just another name for the same inode, so a hardlink that slurm has planted inside /var/slurm to a root-owned file elsewhere is chowned along with everything else, and the target file changes owner. For example:

  1. Install sys-cluster/slurm
  2. Run sudo su -s /bin/sh -c 'ln /etc/passwd /var/slurm/x' slurm
  3. Reinstall sys-cluster/slurm
  4. The file /etc/passwd is owned by slurm:slurm

Step 2 needs the sysctl fs.protected_hardlinks to be 0 (the kernel's own default; with it set to 1, an unprivileged user may only hardlink files it owns or can both read and write, and ln fails with "Operation not permitted") and /var/slurm and /etc/passwd to be on the same filesystem. Once slurm owns /etc/passwd, becoming root is a matter of editing it. This is one instance of the general problem described in the article End root chowning now (make pkg_postinst great again).
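The mechanism above, reproduced as an added example (not code from the advisory or from the Gentoo ebuild) inside a temporary directory. Since chown to another user requires root, a recursive chmod stands in for the ebuild's chown -R: it walks the tree the same way and, like chown, rewrites inode metadata rather than anything specific to the directory entry. The etc/passwd and var/slurm paths under the temp dir are constructed stand-ins, and find_hardlink_hazards is the check the pkg_postinst never performed.

```python
import os
import stat
import tempfile


def find_hardlink_hazards(root):
    """Return the regular files under root (symlinks not followed) that have
    more than one link.  A recursive chown or chmod over such a tree also
    rewrites the inode's other names, which may live anywhere on the
    filesystem, e.g. /etc/passwd.  This is the audit a postinst that insists
    on touching an existing tree should run first; `find DIR -xdev -type f
    -links +1` is the shell equivalent."""
    hazards = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode) and st.st_nlink > 1:
                hazards.append(path)
    return sorted(hazards)


def recursive_chmod(root, mode):
    """Stand-in for `chown -R owner:group root`: applies mode to every
    regular file under root, following the same recursive walk.  chmod,
    unlike chown to another user, works unprivileged, so the demonstration
    runs as a normal user.  Symlinks are skipped, as chown -R skips them."""
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                os.chmod(path, mode)


def simulate_attack():
    """Replay the advisory's four steps in a temp dir.

    Returns (victim_mode_before, victim_mode_after, hazards): the mode of the
    stand-in /etc/passwd before and after the recursive "fix permissions"
    pass over the stand-in /var/slurm, and what an audit of /var/slurm would
    have flagged beforehand (paths relative to the temp dir)."""
    with tempfile.TemporaryDirectory() as top:
        victim = os.path.join(top, "etc", "passwd")     # stand-in for /etc/passwd
        slurm_dir = os.path.join(top, "var", "slurm")   # the dir pkg_postinst chowns -R
        os.makedirs(os.path.dirname(victim))
        os.makedirs(slurm_dir)
        with open(victim, "w") as f:
            f.write("root:x:0:0:root:/root:/bin/sh\n")   # constructed sample content
        os.chmod(victim, 0o644)
        before = stat.S_IMODE(os.stat(victim).st_mode)

        # Step 2: the slurm user links the victim into a directory it owns.
        # Linking a file you own is allowed even with fs.protected_hardlinks=1;
        # the real attack needs it to be 0 because slurm does not own /etc/passwd.
        os.link(victim, os.path.join(slurm_dir, "x"))

        # The check that was never done: same inode, more than one name.
        hazards = [os.path.relpath(p, top) for p in find_hardlink_hazards(slurm_dir)]

        # Step 3: the recursive "fix permissions" pass runs over /var/slurm ...
        recursive_chmod(slurm_dir, 0o600)
        # ... and step 4: the file outside /var/slurm has been changed too.
        after = stat.S_IMODE(os.stat(victim).st_mode)
        return before, after, hazards


if __name__ == "__main__":
    before, after, hazards = simulate_attack()
    print("victim mode before: %o, after: %o" % (before, after))
    print("hardlink hazards the audit would have caught:", hazards)
```

Refusing to proceed when find_hardlink_hazards returns anything closes this particular hole, but it still leaves root walking a user-controlled tree (a directory renamed during the walk is the next race); the fix the article advocates is to set ownership in src_install with fowners/fperms on files the package itself installs and never chown existing files from pkg_postinst.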

Resolution

The sys-cluster/slurm package was removed in commit 878ee041.