Hi!

On Sat, 2019-05-18 at 07:15:55 +0200, Trek wrote:
> commit bc9736f6 fixed a security hole in start-stop-daemon, but it is
> not always backward-compatible and it affected at least 9 packages: see
> bugs 920466 921016 921326 922395 923421 924312 924311 924640 927058
>
> considering the sysvinit user-base is 1,5% of all popcon users and
> codesearch shows 763 packages calling "start-stop-daemon --stop", there
> is the probability other packages are broken
>
>
> instead of checking if the process referenced by non-root pidfile is
> matching a particular user and/or executable, I think the vulnerability
> could be fixed simply checking if the owner of the pidfile matches the
> user running the process to be killed
>
> in fact, if start-stop-daemon is called as root and pidfile is owned by
> non-root user, there is no security risk killing a process owned by the
> same user that owns pidfile, because user can kill the process itself
>
> it is more secure, as with the actual code, using only --user it allows
> to kill any process of specified user and using only --exec it allows
> to kill processes of any user running the specified executable
>
> it should be more backward-compatible, as it does not require adding
> --user or --exec to fix the init.d scripts, but on the other hand it
> needs to fail if the pidfile is group-writable (hoping it is uncommon)

Right, this last bit is the main reason I didn't do this from the start,
and after some pondering, I decided to skip this patch for 1.19.7,
because it looked like the breakage due to the group-writable pidfiles
is a new unknown, and it might be harder (more involved) to fix as it
might require changes to the daemon code itself, instead of just a few
lines in the init script.

I guess I might be open to applying them in the future, but it might not
make much of a difference in case most of the reported problems have
been fixed already, or we might trade them for new problems, so there
would need to be a very compelling reason.

Thanks for the patches though!

Regards,
Guillem

