[Pkg-sogo-maintainers] Bug#923421: start-stop-daemon: matching only on non-root pidfile /run/sogo/sogo.pid is insecure

Niels Nowatzki niels at prepon.net
Wed Feb 27 22:32:30 GMT 2019 

Package: sogo
Version: 4.0.5-3
Severity: important

Dear Maintainer,

i just ran in a problem which was already reported on other packages (#921557 and #921016).
When i try to restart or stop sogod the initscript throws an error message as seen in the subject
and ceases to operate.

The attached patch resembles the solution of #921016 and works for me.

In other notes: The severity should probably really be "serious", but i could not easily find out 
how to feed it to the BTS.

Thanks for your good work,
niels
 

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages sogo depends on:
ii  adduser               3.118
ii  gnustep-base-runtime  1.26.0-4
ii  libc6                 2.28-7
ii  libcurl3-gnutls       7.64.0-1
ii  libgcc1               1:8.2.0-21
ii  libglib2.0-0          2.58.3-1
ii  libgnustep-base1.26   1.26.0-4
ii  libgnutls30           3.6.6-2
ii  liblasso3             2.6.0-2+b2
ii  libmemcached11        1.0.18-4.2
ii  libobjc4              8.2.0-21
ii  libsbjson2.3          2.3.2-4+b1
ii  libsope1              4.0.5-2
ii  lsb-base              10.2018112800
ii  memcached             1.5.6-1
ii  sogo-common           4.0.5-3
ii  tmpreaper             1.6.14
ii  zip                   3.0-11+b1

sogo recommends no packages.

Versions of packages sogo suggests:
pn  postgresql | default-mysql-server | virtual-mysql-server  <none>

-- Configuration Files:
/etc/init.d/sogo changed [not included]
/etc/sogo/sogo.conf [not included] 

-- no debconf information
-------------- next part --------------
diff -u orig/debian/sogo.init patch/debian/sogo.init
--- orig/debian/sogo.init	2019-02-27 22:13:00.809760064 +0100
+++ patch/debian/sogo.init	2019-02-27 22:17:41.581975621 +0100
@@ -74,12 +74,12 @@
 	;;
   stop)
 	log_daemon_msg "Stopping $DESC" "$NAME"
-	start-stop-daemon --stop --oknodo --pidfile $PIDFILE --retry=TERM/20/KILL/5
+	start-stop-daemon --stop --oknodo --pidfile $PIDFILE --retry=TERM/20/KILL/5 --user $USER
 	log_end_msg 0
 	;;
   restart|force-reload)
 	log_daemon_msg "Restarting $DESC" "$NAME"
-	start-stop-daemon --stop --oknodo --pidfile $PIDFILE --retry=TERM/20/KILL/5
+	start-stop-daemon --stop --oknodo --pidfile $PIDFILE --retry=TERM/20/KILL/5 --user $USER
         # Ensure run directory's existence and permissions
 	if [ ! -d /run/sogo ]; then
             install -o $USER -g $GROUP -d /run/sogo

More information about the Pkg-sogo-maintainers mailing list