
Bug#921558: lsb-base: killproc does not pass name parameter to start-stop-daemon



On Wed, 6 Feb 2019 20:20:54 +0100 Andreas Metzler <ametzler@bebt.de> wrote:
> Hello,

Hello,

> there is a logic error in /lib/lsb/init-functions's killproc:
>
> base=${1##*/}
> if [ ! $pidfile ]; then
> name_param="--name $base --pidfile /var/run/$base.pid"
> else
> name_param="--pidfile $pidfile"
> fi
>
> The if clause checks for nonempty $pidfile instead of nonempty $base to
> decide whether --name is used.
>
> Also --pidfile $pidfile is always used, even when $pidfile is empty.
>
> I am reporting this as serious since sid's start-stop-daemon requires a
> name parameter in addition to --pidfile when the pidfile is not owned by
> root, therefore this bug causes init script failures. (#921205)

FTR, this is a change that has been implemented in the start-stop-daemon included in dpkg version >= 1.19.3. IMVHO a proper Breaks might be needed there as well.

Warning: using this match option with a world-writable pidfile or using it alone with a daemon that writes the pidfile as an unprivileged (non-root) user will be refused with an error (since version 1.19.3) as this is a security risk, because either any user can write to it, or if the daemon gets compromised, the contents of the pidfile cannot be trusted, and then a privileged runner (such as an init script executed as root) would end up acting on any system process. Using /dev/null is exempt from these checks.
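The refusal rule in the warning quoted above, sketched as a pre-flight audit an init-script maintainer could run against a pidfile. This is an added example, not part of the original message and not start-stop-daemon's or lsb-base's code; the function name `pidfile_verdict`, its verdict strings and the `TRUSTED_UID` parameter are hypothetical, and it assumes a `stat` that supports `-c` (GNU coreutils or busybox).

```shell
#!/bin/sh
# Added example: approximates the pidfile checks described in the quoted
# start-stop-daemon warning. Names and verdict strings are assumptions.

# pidfile_verdict PIDFILE OTHER_MATCH [TRUSTED_UID]
#   OTHER_MATCH  "yes" if --pidfile is combined with another matcher such as
#                --name, "no" if --pidfile is used alone
#   TRUSTED_UID  owner regarded as privileged (default 0, i.e. root)
# Prints a verdict and returns 1 when the combination would be refused.
pidfile_verdict() {
    pv_file=$1 pv_other=$2 pv_trusted=${3:-0}

    # /dev/null is exempt from the checks.
    if [ "$pv_file" = /dev/null ]; then echo exempt; return 0; fi
    # Nothing to inspect (daemon not started or pidfile already removed).
    if [ ! -e "$pv_file" ]; then echo missing; return 0; fi

    # Owner uid and octal mode of the file the path resolves to.
    set -- $(stat -L -c '%u %a' "$pv_file")
    pv_owner=$1 pv_mode=$2

    # World-writable: any user can change the contents, so always refused.
    if [ $(( 0$pv_mode & 2 )) -ne 0 ]; then
        echo refuse-world-writable; return 1
    fi
    # Written by an unprivileged user and no second matcher to cross-check.
    if [ "$pv_owner" -ne "$pv_trusted" ] && [ "$pv_other" != yes ]; then
        echo refuse-untrusted-owner; return 1
    fi
    echo ok
}

# Constructed demo: a scratch file stands in for a daemon's pidfile.
demo_pidfile=$(mktemp)
chmod 644 "$demo_pidfile"
not_owner=$(( $(id -u) + 1 ))   # any uid other than the file's owner
pidfile_verdict "$demo_pidfile" no  "$not_owner" || true   # --pidfile alone
pidfile_verdict "$demo_pidfile" yes "$not_owner" || true   # --name + --pidfile
rm -f "$demo_pidfile"
```

The `else` branch of the quoted killproc excerpt corresponds to the `OTHER_MATCH=no` case, which is the one that gets refused when the pidfile is not owned by root.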

