Bug#889144: stricter PIDfile handling breaks several daemons
Sven Hartge
sven at svenhartge.de
Sat Feb 3 13:35:26 GMT 2018
Um 14:00 Uhr am 03.02.18 schrieb Michael Biebl:
> Am 03.02.2018 um 13:27 schrieb Sven Hartge:
>> Um 03:02 Uhr am 03.02.18 schrieb Michael Biebl:
>>> Does munin-node have the same mismatch?
>> It has:
>> But, as you can see, the directory is also used by the munin-updater
>> which is run as user "munin" so you can't make the directory owned by
>> root.
> The alternative afaics would be, that the daemon writes the pid file as
> munin:munin then (or ulog:ulog for the above case).
No, this would open a potential DoS vector.
Image an attacker gaining access to the munin user. He would then be able
to write any PID to the PIDfile and the init system would kill the other
process when the munin-node service is stopped/restarted.
See https://security-tracker.debian.org/tracker/CVE-2017-14610 for
example.
Acknowleged, this is a a bit unlikely issue, but I don't think it would be
wise to propagate it further.
Also looking at the bigger picture here: This change in systemd, while
with security in mind, changes the way PIDfiles have been handled for the
last ... forever.
Debian packages one might be able to fix but what about all the other 3rd
party packages and locally written code out there? It is susceptible to
break upon upgrade to Buster and who will be blamed (again)? systemd of
course, "breaking all the things again".
Grüße,
Sven.
More information about the Pkg-systemd-maintainers
mailing list