Security issues in pcp on Linux were found by Matthias Gerstner (SUSE Linux security team).

The systemd services that come with pcp run with mixed privileges. Some use only limited pcp user/group privileges, like "pmie_check.service". Others, like "pmcd.service", run with full root privileges. In both contexts, though, shared directory structures are used, like:

- /var/lib/pcp/tmp owned by pcp:pcp mode 775
- /var/log/pcp owned by pcp:pcp mode 775

When privileged root processes access files in directories or directory trees controlled by unprivileged users, security issues can easily result. For the directories listed above, two exploitable issues were found that allow breaking the pcp user isolation and allow local pcp to root exploits (via symlink attacks).
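A defensive audit of the condition described above, as an added example that is not part of the original report or of pcp: it flags path components that a non-root account can modify and lists symlinks in a tree without following them. The function names are hypothetical, and the check is a general ownership/mode test, not the pcp fix.

```python
import os
import stat
import sys

def risky_for_root(mode, uid, gid):
    """Reasons a root process should not trust a directory with this ownership/mode."""
    reasons = []
    if uid != 0:
        reasons.append(f"owned by non-root uid {uid}")
    if mode & stat.S_IWGRP and gid != 0:
        reasons.append(f"writable by non-root gid {gid}")
    if mode & stat.S_IWOTH:
        reasons.append("world-writable")
    return reasons

def audit_path(path):
    """lstat each component of path; report symlinks and directories that an
    unprivileged account could modify (and so plant links in)."""
    findings = []
    current = os.sep
    for part in [p for p in os.path.abspath(path).split(os.sep) if p]:
        current = os.path.join(current, part)
        st = os.lstat(current)  # lstat: do not follow the final component
        if stat.S_ISLNK(st.st_mode):
            findings.append((current, ["is a symlink"]))
        elif stat.S_ISDIR(st.st_mode):
            reasons = risky_for_root(st.st_mode, st.st_uid, st.st_gid)
            if reasons:
                findings.append((current, reasons))
    return findings

def symlinks_below(root):
    """List symlinks inside a tree without following them."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                found.append(full)
    return sorted(found)

if __name__ == "__main__":
    # Defaults are the two shared directories named in the report.
    for target in sys.argv[1:] or ["/var/lib/pcp/tmp", "/var/log/pcp"]:
        if not os.path.lexists(target):
            continue
        for where, why in audit_path(target):
            print(f"{where}: {', '.join(why)}")
        for link in symlinks_below(target):
            print(f"{link}: symlink -> {os.readlink(link)}")
```

Any directory it reports is one where a root-run service has to open files defensively, since the owning account can replace entries with links.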
Created pcp tracking bugs for this issue:

Affects: fedora-all [bug 2266585]
This issue has been addressed in the following products:

Red Hat Enterprise Linux 9

Via RHSA-2024:2213 https://access.redhat.com/errata/RHSA-2024:2213