On 11/27/2017 10:34 PM, Colony.three wrote:
>>     ExecStartPre=/bin/chown -R spamd:spamd /run/spamassassin
>>
>> There's a root exploit for the "spamd" user in that last line. Assuming
>> you got the tmpfiles.d thing working, you should delete those
>> ExecStartPre commands.
> 
> Can you explain further please?
> 
> If this is true, someone should tell Red Hat that their
> /usr/lib/systemd/system/spamass-milter-root.service has the same problem.
> 

The "chown" command follows both symlinks and hardlinks by default. When
used with the "-R" flag, it only follows hardlinks, but that can still
be abused by the "spamd" user. The first time "chown -R" gets executed,
you give ownership of /run/spamassassin to the "spamd" user. The second
(and third, ...) time that the service is started, the "spamd" user owns
that directory and can place a hard link in it pointing to a root-owned
file. The "chown" call will then give root's file to the "spamd" user.

The exploit is trickier in this case because /run is on a tmpfs, and
because hard links can't cross filesystem boundaries. But I would bet
that you have something else sensitive in /run that can be used to gain
root.
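As an added example, not taken from the thread or from Red Hat's unit file, this is the shape of the fix being recommended: let systemd create the runtime directory with the right owner before the service starts, so no recursive chown is ever run over a directory the service user already controls. The spamd user and /run/spamassassin come from the thread; the drop-in path, the tmpfiles.d filename and the mode are assumptions.

```ini
# Weak pattern, as quoted in the thread: after the first start, spamd owns
# /run/spamassassin, and every later start recurses over content spamd put there.
# [Service]
# ExecStartPre=/bin/chown -R spamd:spamd /run/spamassassin

# --- Option A: drop-in for the unit (assumed path:
#     /etc/systemd/system/spamassassin.service.d/nochown.conf) ---
[Service]
User=spamd
Group=spamd
# systemd creates /run/spamassassin owned by User=/Group= before ExecStart
# runs, and removes it on stop.  No ExecStartPre= and no chown are needed.
RuntimeDirectory=spamassassin
RuntimeDirectoryMode=0755

# --- Option B: create it at boot instead (assumed filename:
#     /etc/tmpfiles.d/spamassassin.conf; one line, not INI syntax) ---
# Type  Path               Mode  UID    GID    Age  Argument
d       /run/spamassassin  0755  spamd  spamd  -    -
```

Either option leaves the service user owning only a directory that was empty when it was handed over, which is the property the chown -R line lacked. As a second layer, the kernel sysctl fs.protected_hardlinks=1 (enabled by systemd's shipped sysctl defaults on most current distributions) stops an unprivileged user from creating a hard link to a file they do not own, which closes the hard-link variant described above, though a root-run recursive chown over user-writable paths remains a pattern worth removing on its own.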
