[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: World writable pid and lock files.

On Wed, 11 May 2011, Mike Mestnik wrote:
> On 05/11/11 01:37, helpermn wrote:
> > On Tue, 10 May 2011, Henrique de Moraes Holschuh <hmh@debian.org> wrote:
> >> On Tue, 10 May 2011, helpermn wrote:
> >>> I imagine why files listed below have 666 file mode bits set:
> >>> /var/run/checkers.pid
> >>> /var/run/vrrp.pid
> >>> /var/run/keepalived.pid
> >>> /var/run/starter.pid
> >>> /var/lock/subsys/ipsec
> >>> ....
> >>
> >> You could get the initscripts to send signals to any PID you want, so
> >> yes, it is a nasty security issue.
> >>
> >
> It should be mandatory for initscripts to verify the pid is indeed an
> instance of there daemon.
> ...as well as correcting the world writable bit.

These things are to be fixed properly.  You need to actually create the
pidfile securely in the first place.  Which means using O_CREAT|O_EXCL,
often together with O_CLOEXEC, etc.

Most initscripts will make sure they only signal processes that match the
inode in the path they expect the process to be.  Refer to the --exec option
of start-stop-daemon(8).  However, this cannot be done in any of the more
important daemons where you do not stop-before-upgrading, but rather

  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh

Reply to: