On Tue, May 4, 2010 at 9:43 AM, Joey Hess <[email protected]> wrote: > > /var/run/prosody/prosody.pid is in a directory writable by the prosody > user, as well as itself being writable by that user. Suppose this > user is compromised. If the pid is overwritten with a different process > id, such as 1, /etc/init.d/prosody stop will kill it. > > start-stop-daemon avoids this kind of security flaw by checking > /proc/pid/exe (when run with -exec), or at least the process name (when > run with -name). But you have to include those switches when > stopping the daemon, which you do not. Also, --name lua is > only going to limit it to killing lua processes, which is hardly ideal.
I think that it would be sufficient to match --name lua and --user prosody in addition to --pidfile. It would be great if prosody could set its executable name /proc/<pid>/exec, or name in /proc/<pid>/stat, but it doesn't (and I don't know if it's possible with Lua scripts) so the best we could check is name lua and user prosody. In this case one can't kill a process executed by another user. Cheers! -- Sergei Golovan -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected]

