Sfynx n00b


Joined: 01 Jun 2002 Posts: 50
|
Posted: Sun Nov 02, 2003 4:30 pm Post subject: [security] commands running when doing emerge -S |
|
|
When you run an emerge --searchdesc, all commands in all ebuilds before the functions src_unpack and so on get executed (those environment variable assignments). So when I put a
echo foo>/bar
between those commands in a random ebuild, the file is there after the search.
Isn't this a big security risk when you get a faulty portage tree in some way? These commands are run as root... I already had an issue where a .keep file was placed in my apache documentroot after doing only a search.
edit: emerge --searchdesc, not emerge search _________________ I'm the great Cornholio!
Are you threatening me?
Last edited by Sfynx on Mon Nov 03, 2003 6:15 pm; edited 2 times in total |
Zoltan Guru


Joined: 27 Aug 2003 Posts: 394 Location: Moscow, Russia
|
Posted: Sun Nov 02, 2003 6:59 pm Post subject: |
|
|
You don't have to search as root, this is allowed to be done as ordinary users, but I think this is still a security hole... _________________ Light travels faster than sound. That's why some people appear bright before you hear them speak. |
slartibartfasz Veteran


Joined: 29 Oct 2002 Posts: 1462 Location: Vienna, Austria
|
Posted: Mon Nov 03, 2003 6:47 am Post subject: |
|
|
i think you are right - emerge should not execute statements without any security check or escaping - i'll verify this and report it at bugs.gentoo.org
[EDIT] i could not verify this with -s, there is however a possibility to do what u describe when installing an ebuild which was modified in this way. this even works when the ebuild belongs to another user than root.
[EDIT] submitted a bug report:
https://bugs.gentoo.org/show_bug.cgi?id=32603 _________________ To an engineer the glass is neither half full, nor half empty - it is just twice as big as it needs to be. |
Sfynx n00b


Joined: 01 Jun 2002 Posts: 50
|
Posted: Mon Nov 03, 2003 6:12 pm Post subject: |
|
|
Sorry, my fault. It does happen when doing a deep search (-S), not a normal search (-s). Verified that. When I first verified this issue, I did a -S also, but I usually do -s searches... had to be more awake I guess
so... can we be sure that the ebuilds we get from an rsync are always clean of malicious stuff? what if an rsync box gets compromised? also noted that in the bug report. _________________ I'm the great Cornholio!
Are you threatening me? |
slartibartfasz Veteran


Joined: 29 Oct 2002 Posts: 1462 Location: Vienna, Austria
|
Posted: Mon Nov 03, 2003 7:04 pm Post subject: |
|
|
i tried the deep search also - didn't work for me - can u post a sample please?
i am not very concerned about the packages from server, they are quite safe, i think the local handling should be improved, that would catch the eventual bad ebuild from the server as well as exploitation attempts from local users. _________________ To an engineer the glass is neither half full, nor half empty - it is just twice as big as it needs to be. |
Sfynx n00b


Joined: 01 Jun 2002 Posts: 50
|
Posted: Mon Nov 03, 2003 7:28 pm Post subject: |
|
|
did this:
inserted into /usr/portage/net-www/kita/kita-0.6.1.ebuild (some ebuild I don't even have installed, not having KDE ):
| Code: |
IUSE=""
echo fooo>/bar
PVMAJOR="`echo ${PV} | cut -d'.' -f1`"
PVMINOR="`echo ${PV} | cut -d'.' -f2`"
|
and did this:
| Code: |
root@sfynx / # emerge -S fjhjfhjfh
Searching...
[ Results for search key : fjhjfhjfh ]
[ Applications found : 0 ]
root@sfynx / # ls
bar bin boot chroot dev etc home lib mnt opt proc root sbin service tmp usr var
root@sfynx / # cat bar
fooo
root@sfynx / #
|
_________________ I'm the great Cornholio!
Are you threatening me? |
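
An added example (not from the thread and not Portage code): a line-based Python heuristic that lists what an ebuild executes as soon as it is sourced, meaning bare global-scope commands such as the `echo fooo>/bar` above and command substitutions inside assignments. The name `audit_ebuild` and the sample ebuild are constructed for illustration, and the check is not a full bash parser.

```python
import re

ASSIGN = re.compile(r'^[A-Za-z_][A-Za-z0-9_]*\+?=')          # NAME=... or NAME+=...
FUNC = re.compile(r'^(function\s+)?[A-Za-z_][\w-]*\s*\(\)')  # name() or function name()
SUBST = re.compile(r'`|\$\(')                                # `cmd` or $(cmd)

def odd_quotes(line):
    """True if the line opens or closes a multi-line double-quoted value."""
    return line.replace('\\"', '').count('"') % 2 == 1

def audit_ebuild(text):
    """Return (line_no, kind, line) for code that runs when the file is sourced."""
    findings, in_func, in_string = [], False, False
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if in_func:                      # function bodies only run during a build
            in_func = raw.rstrip() != "}"
            continue
        if not in_string:
            if not line or line.startswith("#") or line.split()[0] == "inherit":
                continue
            if FUNC.match(line):
                in_func = not line.endswith("}")
                continue
            if not ASSIGN.match(line):   # bare command in global scope
                findings.append((no, "command", line))
                continue
        if SUBST.search(line):           # assignment that still spawns a command
            findings.append((no, "substitution", line))
        if odd_quotes(line):
            in_string = not in_string
    return findings

# Constructed sample, modelled on the snippet posted in the thread.
SAMPLE = '''\
# constructed sample ebuild
DESCRIPTION="example package
with a two-line description"
IUSE=""
echo fooo>/bar
PVMAJOR="`echo ${PV} | cut -d'.' -f1`"
PVMINOR="`echo ${PV} | cut -d'.' -f2`"

src_unpack() {
    unpack ${A}
}
'''

if __name__ == "__main__":
    for no, kind, line in audit_ebuild(SAMPLE):
        print(f"line {no}: {kind}: {line}")
```

Findings of kind `substitution` are common in legitimate ebuilds, so they are review hints; a `command` finding in global scope is the case the thread describes.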