Package: courier-authdaemon Version: 0.63.0-2 Severity: normal Tags: security
/var/run/courier/authdaemon is writable by user daemon. So, if that user is compromised, root-owned /var/run/courier/authdaemon/pid can be deleted and replaced with a new file containing an arbitrary pid, such as 1. Then /etc/init.d/courier-authdaemon stop will proceed to kill an arbitrary process. start-stop-daemon avoids this kind of security flaw by checking /proc/pid/exe (when run with -exec), or at least the process name (when run with -name). authdaemon's init script does not use it. Besides the potential security hole, killing a process that is stored in a pid file without checking that the pid file is accurate is asking for trouble. Things go wrong, and pid files, stale. -- see shy jo -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
