
Re: start-stop-daemon pidfile permissions check



Hi!

On Sat, 2019-05-18 at 07:15:55 +0200, Trek wrote:
> commit bc9736f6 fixed a security hole in start-stop-daemon, but it is
> not always backward-compatible and it affected at least 9 packages: see
> bugs 920466 921016 921326 922395 923421 924312 924311 924640 927058
> 
> considering the sysvinit user-base is 1,5% of all popcon users and
> codesearch shows 763 packages calling "start-stop-daemon --stop", there
> is the probability other packages are broken
> 
> 
> instead of checking if the process referenced by non-root pidfile is
> matching a particular user and/or executable, I think the vulnerability
> could be fixed simply checking if the owner of the pidfile matches the
> user running the process to be killed
> 
> in fact, if start-stop-daemon is called as root and pidfile is owned by
> non-root user, there is no security risk killing a process owned by the
> same user that owns pidfile, because user can kill the process itself
> 
> it is more secure, as with the actual code, using only --user it allows
> to kill any process of specified user and using only --exec it allows
> to kill processes of any user running the specified executable
> 
> it should be more backward-compatible, as it does not require adding
> --user or --exec to fix the init.d scripts, but on the other hand it
> needs to fail if the pidfile is group-writable (hoping it is uncommon)

Right, this last bit is the main reason I didn't do this from the start,
and after some pondering, I decided to skip this patch for 1.19.7,
because it looked like the breakage due to the group-writable pidfiles
is a new unknown, and it might be harder (more involved) to fix as it
might require changes to the daemon code itself, instead of just a few
lines in the init script.

I guess I might be open to apply them in the future, but it might not
make much of a difference in case most of the reported problems have
been fixed already, or we might trade them for new problems, so there
would need to be a very compelling reason.

Thanks for the patches though!

Regards,
Guillem

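The ownership check Trek proposes above, written out as an added illustration for this page (it is not dpkg's start-stop-daemon code): a pure policy function that decides whether root may trust a non-root-owned pidfile, plus a Linux-only wrapper that reads the pidfile and looks up the process owner in /proc/<pid>/status. The function and enum names are my own; the wrapper assumes a Linux /proc.

```c
/* Added example, not dpkg code: pidfile-owner vs. process-owner check.
 * Assumes Linux (/proc/<pid>/status) for the on-disk wrapper. */
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

enum pidfile_verdict {
    PIDFILE_OK = 0,          /* safe to signal the named process */
    PIDFILE_REJECT_WRITABLE, /* group/world-writable: owner is not trustworthy */
    PIDFILE_REJECT_OWNER     /* pidfile owner differs from process owner */
};

/* Policy from the quoted message: a root-owned pidfile is trusted as before.
 * A non-root-owned pidfile is trusted only if nobody but its owner could have
 * written it AND the process it names belongs to that same owner, who could
 * kill that process anyway. */
enum pidfile_verdict
pidfile_policy(uid_t file_uid, mode_t file_mode, uid_t proc_uid)
{
    if (file_uid == 0)
        return PIDFILE_OK;
    if (file_mode & (S_IWGRP | S_IWOTH))
        return PIDFILE_REJECT_WRITABLE;
    if (file_uid != proc_uid)
        return PIDFILE_REJECT_OWNER;
    return PIDFILE_OK;
}

/* Real uid of a running process from the "Uid:" line of /proc/<pid>/status;
 * -1 if the process does not exist or /proc is unavailable. */
static long proc_real_uid(pid_t pid)
{
    char path[64], line[256];
    long uid = -1;
    snprintf(path, sizeof path, "/proc/%ld/status", (long)pid);
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    while (fgets(line, sizeof line, f))
        if (sscanf(line, "Uid: %ld", &uid) == 1)
            break;
    fclose(f);
    return uid;
}

/* Check a pidfile on disk. fstat() on the open descriptor avoids a race
 * between inspecting the file and reading the pid from it. */
int pidfile_check(const char *path)
{
    struct stat st;
    long pid, uid;
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    if (fstat(fileno(f), &st) != 0 || fscanf(f, "%ld", &pid) != 1) {
        fclose(f);
        return -1;
    }
    fclose(f);
    uid = proc_real_uid((pid_t)pid);
    if (uid < 0)
        return -1;
    return pidfile_policy(st.st_uid, st.st_mode, (uid_t)uid);
}
```

A pidfile that names a process of another user (for example pid 1) is rejected even if its owner can write it, which is the case the check is meant to cover.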