PF26
Checks scriptlets for use of the chmod and chown commands, which could be dangerous because they change mode and owner by following symlinks.
%post
chmod 0755 %{_datadir}/%{name}
chown root:%{group} %{_datadir}/%{name}
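The check described above, as an added example (not code from the project this page documents): a shell function that reports chmod and chown calls inside RPM scriptlet sections of a spec file while skipping build-time sections such as %install. The function names and the sample spec are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the project's own code: report chmod/chown calls that
# run inside RPM scriptlet sections, where they act on the live filesystem.

# Prints one "line:section:command" record per finding in spec file $1.
scan_scriptlets() {
    awk '
    # Scriptlet headers; the ([ \t]|$) tail keeps %prep from matching %pre.
    /^%(pre|post|preun|postun|pretrans|posttrans|verifyscript|trigger[a-z]*)([ \t]|$)/ {
        section = $1; next
    }
    # Any other top-level section ends the current scriptlet.
    /^%(prep|build|install|check|clean|files|changelog|description|package)([ \t]|$)/ {
        section = ""; next
    }
    section == "" { next }      # build-time code works on the buildroot
    /^[ \t]*#/    { next }      # shell comments are not commands
    /(^|[ \t;&|(])(chmod|chown)([ \t]|$)/ {
        line = $0
        sub(/^[ \t]+/, "", line)
        printf "%d:%s:%s\n", NR, section, line
    }
    ' "$1"
}

# Writes a constructed sample spec (hypothetical package) to path $1.
write_sample_spec() {
    cat > "$1" <<'EOF'
Name: demo
%prep
%setup -q
%install
chmod 0644 %{buildroot}%{_datadir}/%{name}/data
%post
chmod 0755 %{_datadir}/%{name}
chown root:%{group} %{_datadir}/%{name}
# chown in a comment is ignored
%files
%attr(0755,root,root) %{_datadir}/%{name}
EOF
}

# Demo run: only the two %post lines are reported.
spec=$(mktemp)
write_sample_spec "$spec"
scan_scriptlets "$spec"
rm -f "$spec"
```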
The following (more or less) appears in mail-filter/amavisd-new-2.11.0-r3.ebuild:
pkg_postinst() {
chown root:amavis "/etc/amavisd.conf"
chown -R amavis:amavis "/var/amavis"
}
That code is calling chown on every path under (and including) /var/amavis whenever the amavisd-new package is upgraded or reinstalled. That can be exploited by the amavis user (or anyone in the amavis group) to gain root. After amavisd-new is installed, the amavis user owns /var/amavis, and he can create anything he likes in that directory. If he creates a hard link inside /var/amavis pointing to a root-owned file, then the next time that amavisd-new is (re)installed or upgraded, chown will give ownership of the hard link's target to the amavis user. From there it's easy to gain full root access.