[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: start-stop-daemon pidfile permissions check

On Fri, 28 Jun 2019 02:46:57 +0200
Guillem Jover <guillem@debian.org> wrote:

> > it should be more backward-compatible, as it does not require adding
> > --user or --exec to fix the init.d scripts, but on the other hand it
> > needs to fail if the pidfile is group-writable (hoping it is
> > uncommon)  
> Right, this last bit is the main reason I didn't do this from the
> start, and after some pondering, I decided to skip this patch for
> 1.19.7, because it looked like the breakage due to the group-writable
> pidfiles is a new unknown, and it might be harder (more involved) to
> fix as it might require changes to the daemon code itself, instead of
> just few lines in the init script.

based on the actual data (bug reports), none of these would be affected
by a group-writable pidfile and all are affected by the need to add
--user/exec options, but I understand it may be too late in the release
cycle for such changes

> I guess I might be open to apply them in the future, but it might not
> make much of a difference in case most of the reported problems have
> been fixed already, or we might trade them for new problems, so there
> would need to be a very compelling reason.

I think you should consider it for buster+1 at least, as the actual fix
for the CVE is incomplete and not all the regressions has been fixed
(920466 924311 924640) but at least they all have patches included

> Thanks for the patches though!

thank you for the review!

Reply to: