posted 2024-02-20
Before it was removed, the Gentoo sys-cluster/slurm package would recursively chown several directories to slurm:slurm. When the package was reinstalled or upgraded, that allowed the slurm user to gain root privileges through a hardlink attack, as described in the article End root chowning now (make pkg_postinst great again).
The pkg_postinst phase of the sys-cluster/slurm package would attempt to "fix" some existing permissions upon (re)installation:
    create_folders_and_fix_permissions() {
        einfo "Fixing permissions in ${@}"
        mkdir -p ${@}
        # Recursive chown, run as root, over a tree the slurm user can
        # already write to: this is the dangerous line.
        chown -R ${PN}:${PN} ${@}
    }

    pkg_postinst() {
        paths=(
            "${EROOT}"var/${PN}/checkpoint
            "${EROOT}"var/${PN}
            ...
        )
        for folder_path in ${paths[@]}; do
            create_folders_and_fix_permissions $folder_path
        done
        ...
    }
If that code is re-run (say, upon an upgrade), root runs chown -R over directories the slurm user can write to. A hardlink is just another name for the same inode, so chown -R applied to a hardlink changes the owner of the original file as well. The slurm user therefore only needs to link a root-owned file into one of those directories and wait for the next (re)installation to hand it over, for example:

    sudo su -s /bin/sh -c 'ln /etc/passwd /var/slurm/x' slurm
This is one instance of the general problem described in the article End root chowning now (make pkg_postinst great again).
The sys-cluster/slurm package was removed in commit 878ee041.