On Tue, May 4, 2010 at 9:43 AM, Joey Hess <[email protected]> wrote:
>
> /var/run/prosody/prosody.pid is in a directory writable by the prosody
> user, as well as itself being writable by that user. Suppose this
> user is compromised. If the pid is overwritten with a different process
> id, such as 1, /etc/init.d/prosody stop will kill it.
>
> start-stop-daemon avoids this kind of security flaw by checking
> /proc/pid/exe (when run with -exec), or at least the process name (when
> run with -name). But you have to include those switches when
> stopping the daemon, which you do not. Also, --name lua is
> only going to limit it to killing lua processes, which is hardly ideal.

I think that it would be sufficient to match --name lua and --user prosody
in addition to --pidfile. It would be great if prosody could set its executable
name /proc/<pid>/exec, or name in /proc/<pid>/stat, but it doesn't (and I
don't know if it's possible with Lua scripts) so the best we could check is
name lua and user prosody. In this case one can't kill a process executed
by another user.

Cheers!
-- 
Sergei Golovan



-- 
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]

Reply via email to