Hi, in start-stop-daemon the chroot handling has a litlle bug (can't stop process). You check executable file and pid file in main filesystem not under jail: execve("/sbin/start-stop-daemon", ["start-stop-daemon", "--chroot","/usr/local/ldap_jail", "--start", "-v", +"--pidfile", "/var/run/slapd.pid", "--exec", "/usr/sbin/slapd"], [/* 31 vars */]) = 0 ... >>>>we are in main filesystem not in jail! stat64("/usr/sbin/slapd", {st_mode=S_IFREG|0755, st_size=400216, ...}) = 0 ... >>>>we are in main filesystem not in jail! open("/var/run/slapd.pid", O_RDONLY) = -1 ENOENT (No such file or directory) ... chroot("/usr/local/ldap_jail") = 0 >>>>we are now in jail! ... In attachment there is a little patch to solve this problem (src debian package: dpkg-1.9.20). Fari
--- ./start-stop-daemon.c.Orig Mon May 14 00:01:28 2001 +++ ./start-stop-daemon.c Wed Apr 24 00:50:27 2002 @@ -101,7 +101,7 @@ static const char *cmdname = NULL; static char *execname = NULL; static char *startas = NULL; -static const char *pidfile = NULL; +static char *pidfile = NULL; static char what_stop[1024]; static const char *schedule_str = NULL; static const char *progname = ""; @@ -1039,12 +1039,30 @@ int main(int argc, char **argv) { + char *orig_execname; + char *orig_pidfile; + progname = argv[0]; parse_options(argc, argv); argc -= optind; argv += optind; + orig_execname = execname; + orig_pidfile = pidfile; + if (changeroot != NULL) { + if (execname != NULL) { + execname = xmalloc(strlen(changeroot)+strlen(execname)+1); + strcat(execname, changeroot); + strcat(execname, orig_execname); + } + if (pidfile != NULL) { + pidfile = xmalloc(strlen(changeroot)+strlen(pidfile)+1); + strcat(pidfile, changeroot); + strcat(pidfile, orig_pidfile); + } + } + if (execname && stat(execname, &exec_stat)) fatal("stat %s: %s", execname, strerror(errno)); @@ -1114,6 +1132,16 @@ if (chroot(changeroot) < 0) fatal("Unable to chroot() to %s", changeroot); } + + if (pidfile != orig_pidfile) { + free(pidfile); + pidfile = orig_pidfile; + } + if (execname != orig_execname) { + free(execname); + execname = orig_execname; + } + if (changeuser != NULL) { if (setgid(runas_gid)) fatal("Unable to set gid to %d", runas_gid);
Attachment:
pgppqeaiaD1WE.pgp
Description: PGP signature