Package: openrc
Version: 0.42-2.1
Severity: grave
Tags: newcomer security
Justification: user security hole

Dear Maintainer,

I am coming from Devuan and was advised to submit a bug report here as the package is identical. I hope this will not be a problem.

In any case, openrc-run's command_user flag does not function properly. If both a user and group are specified, an error is returned: "start-stop-daemon: user '$user:$group' not found", even if that user and group exist. If only the user is specified, the script will run, but as root, rather than as the user specified (which is the intended behavior); the username specified is then passed to the command run as an argument (not intended behavior).

I was able to make this option work as intended by editing /lib/rc/sh/start-stop-daemon.sh, and changing --user in line 58 to --chuid. I have not submitted a PR because in upstream, --chuid is being deprecated in favor of --user, which does the same thing, and therefore there is no issue. On Debian, however, these flags apparently do different things, which causes this problem.

I don't understand very well the Debian package's differences from upstream or why this difference exists, but I assume it may be desirable to increase compatibility with upstream (though again, I don't know what the rationale for the current state of things is). That being said, simply changing --user to --chuid would be a fairly simple fix, and since I understand openrc is no longer maintained, this may be the best option.

In case it's helpful, one of the Devuan maintainers found this issue on OpenRC's GitHub, reporting the same issue: https://github.com/OpenRC/openrc/issues/383. I assume this was never reported.

Best,
Adam
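
A check an administrator could run to see whether a running service is affected by the behaviour reported above, written as an added example (not part of the report and not OpenRC or Debian code): it compares the command_user declared in an init script with the UID the service process actually has. The function names are hypothetical, the command_user parsing is a heuristic for literal assignments, and it assumes Linux /proc and a stat that supports -c.

```shell
#!/bin/sh
# Added example: does a service process run as the user its init script declares?

# Print the user part of command_user from an openrc-run script (empty if unset).
# Heuristic: only handles a literal assignment such as command_user="svc:svcgrp".
declared_user() {
    line=$(grep -E '^[[:space:]]*command_user=' "$1" | head -n 1)
    val=$(printf '%s' "${line#*=}" | tr -d "\"' \t")
    printf '%s\n' "${val%%:*}"
}

# Resolve a user name or a numeric UID to a numeric UID.
to_uid() {
    case $1 in
        *[!0-9]*) id -u "$1" 2>/dev/null ;;
        *) printf '%s\n' "$1" ;;
    esac
}

# UID that owns /proc/<pid>, normally the effective UID of that process.
actual_uid() {
    stat -c %u "/proc/$1" 2>/dev/null
}

# audit_command_user <init-script> <pid>
# Returns 0 if the process runs as the declared user, 1 on mismatch
# (for example a service left running as root), 2 if it cannot tell.
audit_command_user() {
    script=$1 pid=$2
    user=$(declared_user "$script")
    [ -n "$user" ] || { echo "$script: no command_user set"; return 2; }
    want=$(to_uid "$user") || { echo "$script: unknown user '$user'"; return 2; }
    have=$(actual_uid "$pid") || { echo "$script: pid $pid not found"; return 2; }
    if [ "$want" = "$have" ]; then
        echo "$script: OK, pid $pid runs as uid $have"
    else
        echo "$script: MISMATCH, declared '$user' (uid $want), pid $pid runs as uid $have"
        return 1
    fi
}

# Stand-alone use: sh check.sh /etc/init.d/<service> <pid>
if [ "$#" -eq 2 ]; then
    audit_command_user "$1" "$2"
fi
```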