Bug ID 1208056
Summary AUDIT-FIND: colord: LPE from colord to root (with fs.protected_hardlinks=0)
Classification openSUSE
Product openSUSE Tumbleweed
Version Current
Hardware Other
OS Other
Status NEW
Severity Minor
Priority P5 - None
Component Security
Assignee security-team@suse.de
Reporter wolfgang.frisch@suse.com
QA Contact qa-bugs@suse.de
Found By ---
Blocker ---

There's a sub-optimal construct in the %post section of colord.spec:

# Fix ownership of /var/lib/colord from first packages (in 12.1)
test ! -d %{_localstatedir}/lib/colord || chown -R colord:colord %{_localstatedir}/lib/colord

On systems with fs.protected_hardlinks=0, this allows the user `colord` to
escalate to root:

# id
uid=466(colord) gid=466(colord) groups=466(colord)
# cat /proc/sys/fs/protected_hardlinks 
0
# ls -l /test/shadow
-rw------- 1 root root 0 Feb  8 13:00 /test/shadow
# ln /test/shadow /var/lib/colord/

... then, after the colord package is updated ...

# ls -l /test/shadow
-rw------- 2 colord colord 0 Feb  8 13:00 /test/shadow

This is not a security vulnerability per se because all our distributions have
protected_hardlinks=1 by default, and we advise our customers not to disable it
[1]. Nevertheless it would be preferable to avoid such constructs.

In this case we simply delete the entire line, because the distros that require
it have long reached their end of life.

[1] https://www.suse.com/support/kb/doc/?id=000019565
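
An audit check for the condition described above, added here as an example and not part of the original report or of the colord package: it lists inodes under a directory that a recursive chown would also re-own under a name outside that directory. The function names and the temporary demo tree are constructed for illustration; it assumes Linux with `stat -c` (GNU coreutils or busybox).

```shell
#!/bin/sh
# Added example; function names are hypothetical, demo data is constructed.

# links_outside_tree DIR
# Print "inode nlink names_in_tree uid" for every regular file under DIR
# that has more hard links than names inside DIR. Such an inode is also
# reachable from a path outside the tree, so `chown -R ... DIR` changes
# its owner under all of its names.
links_outside_tree() {
    # Only inode metadata is printed, never the file name, so names with
    # embedded newlines cannot forge or hide records.
    find "$1" -xdev -type f -links +1 -exec stat -c '%i %h %u' {} + |
    awk '{ seen[$1]++; nlink[$1] = $2; uid[$1] = $3 }
         END {
             for (i in seen)
                 if (seen[i] < nlink[i])
                     printf "%s %d %d %s\n", i, nlink[i], seen[i], uid[i]
         }'
}

# make_demo_tree: build a constructed sample tree and print its path.
make_demo_tree() {
    d=$(mktemp -d) || return 1
    mkdir "$d/tree" "$d/outside"
    : > "$d/outside/secret"                  # stands in for /test/shadow
    ln "$d/outside/secret" "$d/tree/secret"  # second name inside the tree
    : > "$d/tree/a"
    ln "$d/tree/a" "$d/tree/b"               # both names inside: not reported
    : > "$d/tree/plain"                      # single link: not reported
    printf '%s\n' "$d"
}

# Run on the constructed tree: exactly one inode (secret) is reported.
demo=$(make_demo_tree) && links_outside_tree "$demo/tree" && rm -rf "$demo"
```

The check is a snapshot: the account that owns the directory can add a link after it runs, so it supports review of an existing tree and does not make the `chown -R` in the scriptlet safe.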

