Bug 1500083 - apt-cacher-ng: Privilege escalation via PID file manipulation
Summary: apt-cacher-ng: Privilege escalation via PID file manipulation
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1500084 1500085
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-10-09 20:23 UTC by Pedro Sampaio
Modified: 2019-09-29 14:23 UTC (History)
2 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2017-12-04 04:17:25 UTC
Embargoed:

Attachments (Terms of Use)

Description Pedro Sampaio 2017-10-09 20:23:40 UTC 
The apt-cacher-ng init script gives ownership of its PID file directory to its runtime user. That can be exploited by the apt-cacher-ng user to kill root processes, since when the service is stopped, root will send a SIGTERM to the contents of the PID file (which are controlled by the "apt-cacher-ng" user).

References:

https://bugs.gentoo.org/631878
Comment 1 Pedro Sampaio 2017-10-09 20:24:05 UTC 
Created apt-cacher-ng tracking bugs for this issue:

Affects: epel-7 [bug 1500085]
Affects: fedora-all [bug 1500084]
Comment 2 Kenjiro Nakayama 2017-12-04 04:17:25 UTC 
Upstream's debian/apt-cacher-ng.init has the issued script. Fedora RPM does not use it as using systemd service rather than init.d script. Actually the script does not even include the RPM package. 

From this, I am closing this bug ticket.
Comment 3 dac.override 2019-02-03 15:02:39 UTC 
I was perusing this and i noticed a commit referencing this bz here: 

https://src.fedoraproject.org/rpms/apt-cacher-ng/c/ad4e4a0613c9f314e214afabb4c52c70e5863976?branch=master

You might want to add a /usr/lib/tmpfiles.d/apt-cacher-ng.conf snippet for /run/apt-cacher-ng as /run is on  a tmpfs and user apt-cacher-ng will not be able to create /run/apt-cacher-ng.
Note You need to log in before you can comment on or make changes to this bug.