rsnapshot: Local privilege escalation — GLSA 200504-12

rsnapshot allows a local user to take ownership of local files, resulting in privilege escalation.

Affected Packages

app-backup/rsnapshot on all architectures
Affected versions < 1.2.1
Unaffected versions >= 1.2.1, revision >= 1.1.7

Background

rsnapshot is a filesystem snapshot utility based on rsync, allowing local and remote systems backups.

Description

The copy_symlink() subroutine in rsnapshot follows symlinks when changing file ownership, instead of changing the ownership of the symlink itself.

Impact

Under certain circumstances, local attackers can exploit this vulnerability to take ownership of arbitrary files, resulting in local privilege escalation.

Workaround

The copy_symlink() subroutine is not called if the cmd_cp parameter has been enabled.

Resolution

All rsnapshot users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose app-backup/rsnapshot

References

Release Date
April 13, 2005

Latest Revision
December 30, 2007: 05

Severity
high

Exploitable
local

Bugzilla entries