System executables that are writable by a non-root user pose a security risk. Anyone who can write to an executable can change its behavior. If that executable is later run with elevated privileges (say, by root, when the machine starts), then the non-root user can escalate his own privileges to those of the person running the modified executable.
The 90bad-bin-owner check already addresses one cause for a non-root user to be able to modify an executable: because he owns it. This commit adds another check, to ensure that no non-root *groups* have write access to any system executables. On a "normal" system, all system executables should belong to the super-user's group. To avoid false-positives, non-"normal" systems (like prefix) are skipped. Closes: https://bugs.gentoo.org/629398 --- bin/install-qa-check.d/90bad-bin-group-write | 40 ++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) create mode 100644 bin/install-qa-check.d/90bad-bin-group-write diff --git a/bin/install-qa-check.d/90bad-bin-group-write b/bin/install-qa-check.d/90bad-bin-group-write new file mode 100644 index 000000000..f8a0259e5 --- /dev/null +++ b/bin/install-qa-check.d/90bad-bin-group-write 
@@ -0,0 +1,40 @@ +# Copyright 1999-2018 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +bad_bin_group_write_check() { + # Warn about globally-installed executables (in /bin, /usr/bin, /sbin, + # or /usr/sbin) that are group-writable by a nonzero GID. + + # This check doesn't work on non-root prefix installations at + # the moment, because every executable therein is owned by a + # nonzero GID. + [[ "${EUID}" -ne "0" || "${PORTAGE_INST_UID}" -ne "0" ]] && return + + local d f found=() + + for d in "${ED%/}/bin" "${ED%/}/usr/bin" "${ED%/}/sbin" "${ED%/}/usr/sbin"; do + test -d "${d}" || continue + + # Read the results of the "find" command into the "found" bash + # array. Use -L to catch symlinks whose targets are vulnerable, + # even though it won't catch ABSOLUTE symlinks until the package + # is RE-installed (the first time around, the target won't exist). + # We match the GID and not the name "root" here because (for + # example) on FreeBSD, the superuser group is "wheel". + while read -r -d '' f; do + found+=( "${f}" ) + done < <(find -L "${d}" -maxdepth 1 -type f -perm /g+w ! -gid 0 -print0) + + if [[ ${found[@]} ]]; then + eqawarn "system executables group-writable by nonzero gid:" + for f in "${found[@]}"; do + # Strip off the leading destdir before outputting the path, + # but leave the prefix if there is one. + eqawarn " ${f#${D%/}/}" + done + fi + done +} + +bad_bin_group_write_check +: -- 2.16.4
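Review bot: the `found` array is initialised once, by `local d f found=()` before the `for d in ...` loop, but never cleared per iteration, so results accumulate across directories: a group-writable file found in `${ED}/bin` is reported again under `${ED}/usr/bin`, `${ED}/sbin` and `${ED}/usr/sbin`, each time preceded by a fresh "system executables group-writable by nonzero gid:" header. Either reset the array at the top of the loop body (`found=()` right after the `test -d "${d}" || continue` line) or move the `if [[ ${found[@]} ]]` reporting block after `done` so the accumulated list is printed once. While there, `(( ${#found[@]} ))` is a clearer emptiness test than `[[ ${found[@]} ]]`, which relies on the array expanding to a non-empty string. The `find -L ... -type f` invocation also silently skips dangling symlinks, which the comment acknowledges for absolute links on first install; it may be worth mentioning that in the file header comment so future readers do not expect the check to be exhaustive on a fresh install.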