http://bugzilla.opensuse.org/show_bug.cgi?id=1208056

Bug ID: 1208056
Summary: AUDIT-FIND: colord: LPE from colord to root (with fs.protected_hardlinks=0)
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: Other
Status: NEW
Severity: Minor
Priority: P5 - None
Component: Security
Assignee: security-team@suse.de
Reporter: wolfgang.frisch@suse.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

There's a sub-optimal construct in the %post section of colord.spec:

    # Fix ownership of /var/lib/colord from first packages (in 12.1)
    test ! -d %{_localstatedir}/lib/colord || chown -R colord:colord %{_localstatedir}/lib/colord

On systems with fs.protected_hardlinks=0, this allows the user `colord` to escalate to root:

    # id
    uid=466(colord) gid=466(colord) groups=466(colord)
    # cat /proc/sys/fs/protected_hardlinks
    0
    # ls -l /test/shadow
    -rw------- 1 root root 0 Feb 8 13:00 /test/shadow
    # ln /test/shadow /var/lib/colord/

    ... then, after the colord package is updated ...

    # ls -l /test/shadow
    -rw------- 2 colord colord 0 Feb 8 13:00 /test/shadow

This is not a security vulnerability per se because all our distributions have protected_hardlinks=1 by default, and we advise our customers not to disable it [1].

Nevertheless it would be preferable to avoid such constructs. In this case we simply delete the entire line, because the distros that require it have long reached their end of life.

[1] https://www.suse.com/support/kb/doc/?id=000019565
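
A defender-side check for the condition described in this report, as an added example that is not part of the original bug report or of colord.spec: it lists regular files under a directory that have more than one hard link and are not owned by the target user, which are the inodes a recursive chown would re-own. The function names and the PROTECTED_HARDLINKS_FILE override are hypothetical.

```shell
#!/bin/sh
# Added example: audit a service-owned tree before any recursive chown.
# Function and variable names are hypothetical, not taken from colord.spec.

# Sysctl file; overridable so the check can be run against constructed input.
: "${PROTECTED_HARDLINKS_FILE:=/proc/sys/fs/protected_hardlinks}"

# Print the sysctl value (0 or 1), or "unknown" if it cannot be read.
protected_hardlinks_state() {
    if [ -r "$PROTECTED_HARDLINKS_FILE" ]; then
        tr -d '[:space:]' < "$PROTECTED_HARDLINKS_FILE"
        echo
    else
        echo unknown
    fi
}

# List regular files under DIR ($1) with more than one hard link that are not
# owned by OWNER ($2, user name or numeric uid). These are the inodes whose
# ownership a "chown -R OWNER DIR" would change.
hardlinked_foreign_files() {
    find "$1" -xdev -type f -links +1 ! -user "$2" -print
}

# Return 0 if DIR holds no such file (or does not exist); otherwise report
# each hit and the sysctl state on stderr and return 1.
audit_before_chown() {
    dir=$1
    owner=$2
    if [ ! -d "$dir" ]; then
        return 0
    fi
    hits=$(hardlinked_foreign_files "$dir" "$owner")
    if [ -z "$hits" ]; then
        return 0
    fi
    echo "protected_hardlinks=$(protected_hardlinks_state)" >&2
    echo "$hits" | while IFS= read -r f; do
        echo "multiply linked, not owned by $owner: $f" >&2
    done
    return 1
}
```

Called as `audit_before_chown /var/lib/colord colord`, a non-zero return means the tree contains a hard link to an inode the service user does not own.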