michael orlitzky

CVE-2020-36770: sys-cluster/slurm root privilege escalation via recursive chown

posted 2024-02-20

Product
Gentoo Linux sys-cluster/slurm package
Versions affected
22.05.3 and earlier (all)
Published on
2024-02-20
Fixed in
commit 878ee041
Bug report
https://bugs.gentoo.org/631552
MITRE
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36770
Acknowledgements
John Helmert III (ajak) for following up on the bug after so many years, for requesting the CVE, and for finally removing the package.

Summary

Before it was removed, the Gentoo sys-cluster/slurm package would recursively chown several directories to slurm:slurm. When the package was reinstalled or upgraded, that allowed the slurm user to gain root privileges through a hardlink attack, as described in the article End root chowning now (make pkg_postinst great again).

Details

The pkg_postinst phase of the sys-cluster/slurm package would attempt to “fix” some existing permissions upon (re)installation,

create_folders_and_fix_permissions() {
  einfo "Fixing permissions in ${@}"
  mkdir -p ${@}
  chown -R ${PN}:${PN} ${@}
}

pkg_postinst() {
  paths=(
    "${EROOT}"var/${PN}/checkpoint
    "${EROOT}"var/${PN}
    ...
  )
  for folder_path in ${paths[@]}; do
    create_folders_and_fix_permissions $folder_path
  done
  ...
}

If that code is re-run (say, upon an upgrade), it can call chown on files that the slurm user controls. And that can be exploited with hardlinks, for example:

  1. Install sys-cluster/slurm
  2. Run sudo su -s /bin/sh -c 'ln /etc/passwd /var/slurm/x' slurm
  3. Reinstall sys-cluster/slurm
  4. The file /etc/passwd is owned by slurm:slurm

This is one instance of the general problem described in the article End root chowning now (make pkg_postinst great again).

Resolution

The sys-cluster/slurm package was removed in commit 878ee041.