CVE-2020-24331
Description
TrouSerS tcsd daemon, when started as root, retains group privileges and allows the tss user to read/write /etc/tcsd.conf, enabling privilege escalation.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
TrouSerS tcsd daemon, when started as root, retains group privileges and allows the tss user to read/write /etc/tcsd.conf, enabling privilege escalation.
Vulnerability
In TrouSerS through 0.3.14, the tcsd daemon, when started with root privileges, fails to properly drop group privileges after startup. The daemon continues to run with the root group GID, and the tss user has read and write access to the configuration file /etc/tcsd.conf due to unsafe file permissions set during installation [1][2].
Exploitation
An attacker who controls the unprivileged tss user account can modify /etc/tcsd.conf to alter daemon settings. Since tcsd retains root group privileges, a compromised tss user or a process running under the tss account can leverage the root group access to gain further privileges on the system [1][2][3]. The attack does not require any special user interaction beyond achieving control of the tss user.
Impact
Successful exploitation allows an attacker with tss user access to escalate privileges. The root group membership retained by tcsd can be used to extend privileges beyond what the daemon requires, potentially leading to full local privilege escalation [1][2].
Mitigation
As of the available references, no official patch has been released for TrouSerS to address this issue. Users are advised to run the tcsd daemon as the unprivileged tss user directly (e.g., via systemd) rather than starting it as root, which avoids the privilege escalation vector entirely [1][2][3].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
5- TrouSerS/TrouSerSdescription
- osv-coords3 versions
< 0.3.15-1.el8+ 2 more
- (no CPE)range: < 0.3.15-1.el8
- (no CPE)range: < 0.3.15-1.el8
- (no CPE)range: < 0.3.15-1.el8
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"The tcsd daemon requires /etc/tcsd.conf to be owned by the unprivileged tss user with mode 0600, giving that user write access to all daemon settings including the system_ps_file path."
Attack vector
An attacker with access to the local tss user account can modify `/etc/tcsd.conf` because the daemon enforces ownership `tss:tss` mode `0600` for that file [ref_id=1]. By changing the `system_ps_file` path in the config, the attacker can redirect the `mkdir()` and `chmod()` calls performed in `ps_dirs_init()` to an arbitrary filesystem location, and can also set up symlink attacks for arbitrary paths [ref_id=1]. This allows the tss user to influence privileged operations that the root-started daemon performs during initialization, before privileges are dropped.
Affected code
The vulnerability concerns the configuration file `/etc/tcsd.conf`. The tcsd daemon requires this file to be owned by `tss:tss` with mode `0600` (checked in function `conf_file_init()`), which gives the unprivileged tss user full read and write access to all daemon settings [ref_id=1].
What the fix does
The advisory recommends modifying the ownership check of `/etc/tcsd.conf` to require `root:tss` with mode `0640` instead of `tss:tss` mode `0600`, so the tss user can read but not write the configuration [ref_id=1]. The broader recommended fix is to run the tcsd daemon as the `tss:tss` user and group from the start, avoiding the root-privilege-drop initialization sequence entirely [ref_id=1]. No official upstream patch is confirmed in the bundle.
Preconditions
- configThe tcsd daemon must be started with root privileges (e.g., via systemd on SUSE or Fedora)
- authThe attacker must have access to the local tss user account
- configThe /etc/tcsd.conf file must be owned by tss:tss with mode 0600 (as enforced by the daemon)
Generated on May 31, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SSDL7COIFCZQMUBNAASNMKMX7W5JUHRD/mitrevendor-advisoryx_refsource_FEDORA
- www.openwall.com/lists/oss-security/2020/08/14/1mitremailing-listx_refsource_MLIST
- bugzilla.suse.com/show_bug.cgimitrex_refsource_MISC
- seclists.org/oss-sec/2020/q2/att-135/tcsd_fixes.patchmitrex_refsource_MISC
- sourceforge.net/p/trousers/mailman/message/37015817/mitrex_refsource_MISC
News mentions
0No linked articles in our index yet.