Bug#222524: dpkg: start-stop-daemon should check uid & gid before calling setuid & initgroups

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#222524: dpkg: start-stop-daemon should check uid & gid before calling setuid & initgroups
From: Samuel Thibault <samuel.thibault@ens-lyon.org>
Date: Sun, 30 Nov 2003 15:23:24 +0100
Message-id: <[🔎] E1AQSTs-0001nN-00@bouh.residence.ens-lyon.fr>
Reply-to: Samuel Thibault <samuel.thibault@ens-lyon.org>, 222524@bugs.debian.org

Package: dpkg
Version: 1.10.18
Severity: wishlist

Hi,

We have a box on which we want some users to be able to start & stop
icecast. For this, we gave them an sudo -u icecast permission, but this
is not sufficient, because /etc/init.d/icecast-server contains:

start-stop-daemon --start --quiet --chuid $USERID:$USERID \
--exec $DAEMON $OPTIONS

so that when executed by root, it setuid(icecast)s and
initgroups(icecast)s. But when launched by the icecast user, this is
not necessary, and actually poses problem, since initgroups *requires*
root privilege for instance, and of course the icecast user doesn't
have the right to modify /etc/init.d/icecast-server to remove --chuid
$USERID:$USERID

So that it would be nice to have
	if (changeuser != NULL) {
 		if (setgid(runas_gid))
 			fatal("Unable to set gid to %d", runas_gid);
		if (initgroups(changeuser, runas_gid))
			fatal("Unable to set initgroups() with gid %d", runas_gid);
		if (setuid(runas_uid))
			fatal("Unable to set uid to %s", changeuser);
	}
(start-stop-daemon.c:1247)

be replaced by some
	if (changeuser != NULL && getuid() != runas_uid) {
		if (setuid(runas_uid))
			fatal("Unable to set uid to %s", changeuser);
	}
	if (changegroup != NULL && *changegroup != '\0' && getgid() != runas_gid) {
		if (getgid() not in getgroups())
			if (initgroups(changeuser, runas_gid))
				fatal("Unable to set initgroups() with gid %d", runas_gid);
		if (setgid(runas_gid))
			fatal("Unable to set gid to %d", runas_gid);
	}

so that normal users may call /etc/init.d scripts when they have the
corresponding sudo right for instance. (the *changegroup != '\0' is
necessary since setting --chuid would always at least set changegroup to
"")


-- System Information:
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux bouh 2.6.0-test11 #1 Thu Nov 27 12:47:57 CET 2003 i686
Locale: LANG=fr_FR@euro, LC_CTYPE=fr_FR@euro

Versions of packages dpkg depends on:
ii  dselect                     1.10.18      a user tool to manage Debian packa
ii  libc6                       2.3.2.ds1-10 GNU C Library: Shared libraries an

-- no debconf information

Reply to:

Prev by Date: Bug#222760: dpkg-dev: Bogus warning about md5sum error
Next by Date: Bug#222641: dpkg: [CONFFILE] should inform user when a conffile is not being replaced due to local deletion
Previous by thread: Processed: Re: Bug#222760: dpkg-dev: Bogus warning about md5sum error
Next by thread: Bug#222251: /usr/sbin/dpkg-divert: refuses diverting of symlinks pointing on a directory
Index(es):
- Date
- Thread