Security team NAK on golang-github-kardianos-service at this time. Here are the notes I've collected while reading the source code. I didn't inspect the packaging in any depth; I understand that we may be changing the packaging, so I've ignored that for now.
I filed two bug reports for the issues that worried me the most. Some of what I found appears to be for non-Linux systems; I'm reporting it in the hopes that it is useful. Some portions of the code don't make sense to me: I don't understand the goals of the isInteractive() or isInContainer() checks.

- service_systemd_linux.go configPath() creates important directories mode 777: https://github.com/kardianos/service/issues/237
- ./service_upstart_linux.go Install() creates an upstart configuration file with permissions 666: https://github.com/kardianos/service/issues/238
- example/runner/runner.go run() creates files mode 777. I know it says example/ in the filename, but people copy-paste example code.
- service_systemd_linux.go Install() creates a config file before deciding if it should be populated, and does not clean up the config file if an error occurs while rendering the text.
- service_linux.go isInteractive() doesn't make sense to me; what's the purpose?
- service_linux.go isInContainer() may suffer from false positives and perhaps false negatives; is this okay? What's the purpose?
- service_systemd_linux.go isSystemd() doesn't handle read errors on /proc/1/comm (unlikely if the open succeeded).
- ./service_aix.go getPidOfSvcMaster() could be extremely expensive to execute; I suggest rewriting isInteractive() to look for information on the specific process, either via ps(1)'s -p flag or a programmatic API if one exists. Also consider rewriting the ps -ef regex to use ps -o, and select only the two fields that appear to matter: uid and comm (or exe?).
Thanks

** Bug watch added: github.com/kardianos/service/issues #237
   https://github.com/kardianos/service/issues/237

** Bug watch added: github.com/kardianos/service/issues #238
   https://github.com/kardianos/service/issues/238

** Changed in: golang-github-kardianos-service (Ubuntu)
       Status: New => Won't Fix

** Changed in: golang-github-kardianos-service (Ubuntu)
     Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

https://bugs.launchpad.net/bugs/1894731

Title:
  [MIR] golang-*, Go build dependencies of google-guest-agent
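The following Go program is an added example, not code from the bug report above or from the kardianos/service project. It shows how the three file-handling findings (directories created 0777, the unit file created 0666, and the config file being created before rendering succeeds) and the /proc/1/comm read-error point can be handled: the unit text is rendered fully in memory first, the directory is created 0755 and the file 0644 via a temp file plus rename so a failed write leaves nothing behind, and the init-process check reports a read failure as an error rather than silently answering "not systemd". The unit template, the field names, and the test paths are constructed for illustration.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
	"text/template"
)

// unitTemplate is a constructed, minimal systemd unit for illustration only.
const unitTemplate = `[Unit]
Description={{.Description}}

[Service]
ExecStart={{.ExecStart}}

[Install]
WantedBy=multi-user.target
`

// unitData holds the values substituted into the template (assumed field names).
type unitData struct {
	Description string
	ExecStart   string
}

// writeUnitFile renders tmplText into memory before touching the filesystem,
// creates dir with mode 0755 (not 0777) and the unit file with mode 0644 (not
// 0666), and writes through a temp file + rename so that a render or write
// failure never leaves a partial or world-writable unit file behind.
func writeUnitFile(dir, name, tmplText string, data unitData) (string, error) {
	tmpl, err := template.New("unit").Parse(tmplText)
	if err != nil {
		return "", fmt.Errorf("parse unit template: %w", err)
	}
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, data); err != nil {
		// Nothing has been created yet, so there is nothing to clean up.
		return "", fmt.Errorf("render unit: %w", err)
	}
	if err := os.MkdirAll(dir, 0o755); err != nil {
		return "", err
	}
	final := filepath.Join(dir, name+".service")
	tmp, err := os.CreateTemp(dir, "."+name+".service.*") // created 0600
	if err != nil {
		return "", err
	}
	tmpPath := tmp.Name()
	fail := func(e error) (string, error) {
		tmp.Close()
		os.Remove(tmpPath)
		return "", e
	}
	if err := tmp.Chmod(0o644); err != nil { // explicit mode, independent of umask
		return fail(err)
	}
	if _, err := tmp.Write(buf.Bytes()); err != nil {
		return fail(err)
	}
	if err := tmp.Sync(); err != nil {
		return fail(err)
	}
	if err := tmp.Close(); err != nil {
		os.Remove(tmpPath)
		return "", err
	}
	if err := os.Rename(tmpPath, final); err != nil {
		os.Remove(tmpPath)
		return "", err
	}
	return final, nil
}

// initComm reads the init process's command name from commPath
// (/proc/1/comm on a real system; parameterised so it can be tested).
// A failed or empty read is returned as an error, not as "unknown init".
func initComm(commPath string) (string, error) {
	b, err := os.ReadFile(commPath)
	if err != nil {
		return "", fmt.Errorf("read %s: %w", commPath, err)
	}
	s := strings.TrimSpace(string(b))
	if s == "" {
		return "", errors.New("empty comm file")
	}
	return s, nil
}

// isSystemd reports whether PID 1 is systemd; the error is surfaced so the
// caller can distinguish "not systemd" from "could not tell".
func isSystemd(commPath string) (bool, error) {
	comm, err := initComm(commPath)
	if err != nil {
		return false, err
	}
	return comm == "systemd", nil
}

func main() {
	dir, _ := os.MkdirTemp("", "unit-demo")
	defer os.RemoveAll(dir)
	p, err := writeUnitFile(dir, "demo", unitTemplate, unitData{"Demo service", "/usr/bin/demo"})
	fmt.Println(p, err)
	ok, err := isSystemd("/proc/1/comm")
	fmt.Println("systemd:", ok, "err:", err)
}
```

Rendering before creating anything is what removes the need for the "clean up after a failed render" path entirely; the temp-file-plus-rename step covers the remaining write failures.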
