Bug#921557: start-stop-daemon: behavior change on "matching only on non-root pidfile /run/exim4/exim.pid is insecure" not fully documented

[Andreas Metzler]

Package: dpkg
Version: 1.19.3
Severity: important

With 1.19.3 the following command stopped working:
/sbin/start-stop-daemon --stop --retry 5 --quiet --pidfile /run/exim4/exim.pid
/sbin/start-stop-daemon: matching only on non-root pidfile /run/exim4/exim.pid is insecure

Afaict this broke exim #921326, amavisd-new #921016 and mldonkey-server
#920466.

dpkg's changelog.Debian says:
 * start-stop-daemon: Check whether standalone --pidfile use is secure.
    Prompted by Michael Orlitzky <michael at orlitzky.com>.

the regular changelog is more verbose:
------------------------
commit bc9736f6feae7625cc5ec063ea1b27d51a5f9317
Author: Guillem Jover <guillem at debian.org>
Date:   Sat Sep 22 12:12:05 2018 +0200

    s-s-d: Check whether standalone --pidfile use is secure

    If we are only matching on the pidfile, which is owned by a non-root
    user, and we are running as a root user then this is a security risk,
    and the contents cannot be trusted, because the daemon might have been
    compromised which would allow modifying the pid within.

    If we are then calling start-stop-daemon as a privileged user, that
    would allow acting on any PID in the system.

    Prompted-by: Michael Orlitzky <michael at orlitzky.com>
    Ref: https://redmine.kannel.org/issues/771
------------------------

However the manpage was not updated. Could you please describe which
restrictions were added, what behavior I can rely on to work?

For further entertainment exim does not use start-stop-daemon directly
but uses lsb, which seems to translate
killproc -p /run/exim4/exim.pid /usr/sbin/exim4
to
/sbin/start-stop-daemon --stop --retry 5 --quiet --pidfile /run/exim4/exim.pid

dropping the daemon name somewhere.

I would appreciate if you could agree to keep this dpkg update put of
testing a little bit to be able to solve this.

cu Andreas