Re: start-stop-daemon pidfile permissions check
Hi!
On Sat, 2019-05-18 at 07:15:55 +0200, Trek wrote:
> commit bc9736f6 fixed a security hole in start-stop-daemon, but it is
> not always backward-compatible and it affected at least 9 packages: see
> bugs 920466 921016 921326 922395 923421 924312 924311 924640 927058
>
> considering the sysvinit user-base is 1.5% of all popcon users and
> codesearch shows 763 packages calling "start-stop-daemon --stop", there
> is a probability that other packages are broken
>
>
> instead of checking if the process referenced by a non-root pidfile
> matches a particular user and/or executable, I think the vulnerability
> could be fixed simply by checking if the owner of the pidfile matches
> the user running the process to be killed
>
> in fact, if start-stop-daemon is called as root and the pidfile is owned
> by a non-root user, there is no security risk in killing a process owned
> by the same user that owns the pidfile, because the user can kill the
> process itself
>
> it is more secure, as with the current code, using only --user allows
> killing any process of the specified user and using only --exec allows
> killing processes of any user running the specified executable
>
> it should be more backward-compatible, as it does not require adding
> --user or --exec to fix the init.d scripts, but on the other hand it
> needs to fail if the pidfile is group-writable (hoping it is uncommon)
Right, this last bit is the main reason I didn't do this from the start,
and after some pondering, I decided to skip this patch for 1.19.7,
because it looked like the breakage due to the group-writable pidfiles
is a new unknown, and it might be harder (more involved) to fix as it
might require changes to the daemon code itself, instead of just a few
lines in the init script.
I guess I might be open to applying them in the future, but it might not
make much of a difference in case most of the reported problems have
been fixed already, or we might trade them for new problems, so there
would need to be a very compelling reason.
Thanks for the patches though!
Regards,
Guillem