Bug#889144: stricter PIDfile handling breaks several daemons

Sven Hartge sven at svenhartge.de
Sun Feb 4 17:21:44 GMT 2018


On 04.02.2018 17:25, Michael Biebl wrote:
> On 03.02.2018 at 14:35, Sven Hartge wrote:
>> At 14:00 on 03.02.18, Michael Biebl wrote:

>>> The alternative afaics would be, that the daemon writes the pid file as
>>> munin:munin then (or ulog:ulog for the above case).
>>
>> No, this would open a potential DoS vector.
>>
>> Imagine an attacker gaining access to the munin user. He would then be able
>> to write any PID to the PIDfile and the init system would kill the other
>> process when the munin-node service is stopped/restarted.
>>
> 
> I don't think this applies to systemd though. If the process id listed
> in the pid file is not found in the service cgroup, systemd should not
> kill the process listed in the pid file. I suspect that MainPID will not
> be properly set and systemd will complain about it.

But it applies to SysV-Init. If the init-script does not use
start-stop-daemon correctly to check if the PID in the PIDfile belongs
to the executable to be killed or if the init-script uses some other
method of killing the daemon, it might easily kill a different program.

I know, this is not systemd's concern whether other init implementations
behave correctly, but if you change the behaviour of a program because
of a behaviour change in systemd and then break other init systems or
increase the insecurity when used with other init systems because of
this, it will fall back negatively on systemd.

Regards,
Sven.
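
The check discussed in this message (confirm that the PID in the PIDfile belongs to the expected executable, and do not trust a PIDfile the service user can write), as an added shell example that is not part of the original message or of any package discussed. It assumes Linux `/proc` and `stat -c`; the function and parameter names are hypothetical.

```sh
#!/bin/sh
# Added example, not code from the thread. Linux-only: uses /proc and `stat -c`.
# verified_pid PIDFILE EXE [TRUSTED_UID]
# Prints the PID from PIDFILE and returns 0 only if it is safe to signal.
verified_pid() {
    pidfile=$1 exe=$2 trusted_uid=${3:-0} pid=   # names are this example's own

    # A symlink or special file could redirect the read somewhere else.
    if [ -L "$pidfile" ] || [ ! -f "$pidfile" ]; then
        echo "refusing: $pidfile is not a regular file" >&2; return 1
    fi

    # The DoS vector from the thread: whoever owns the PIDfile picks the
    # process that gets signalled, so only a trusted owner is accepted.
    owner=$(stat -c %u "$pidfile") || return 1
    if [ "$owner" != "$trusted_uid" ]; then
        echo "refusing: $pidfile is owned by uid $owner" >&2; return 1
    fi

    # Exactly one decimal PID, no leading zero, never init (PID 1).
    read -r pid < "$pidfile" || [ -n "$pid" ] || return 1
    case $pid in
        ''|*[!0-9]*|0*|1) echo "refusing: bad PID '$pid'" >&2; return 1 ;;
    esac

    # Same idea as start-stop-daemon --exec: the PID must be running the
    # expected executable, otherwise it is some other program.
    actual=$(readlink "/proc/$pid/exe" 2>/dev/null) || {
        echo "refusing: PID $pid is not running or not inspectable" >&2; return 1
    }
    if [ "$actual" != "$exe" ]; then
        echo "refusing: PID $pid runs $actual, expected $exe" >&2; return 1
    fi
    printf '%s\n' "$pid"
}

# stop_daemon PIDFILE EXE [TRUSTED_UID]: signal only a verified PID.
stop_daemon() {
    target=$(verified_pid "$@") || return 1
    kill -TERM "$target"
}
```

A window remains between the check and the `kill` in which the PID could be reused. After the binary is replaced on disk the `/proc` link reads `<path> (deleted)`, so this check then refuses.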
