[Pkg-sysvinit-devel] Bug#738855: initscripts: Skip killing root-owned process starting with @
helmut at subdivi.de
Fri Feb 14 08:18:19 UTC 2014
On Fri, Feb 14, 2014 at 12:28:52AM +0000, Dimitri John Ledkov wrote:
> Thanks a lot for the review!
Hmm. Maybe you can hold this patch off for a little longer?
Pulling in oss-sec, because I am no longer sure that the remedy
addresses all relevant aspects. Summary of previous discussion follows
Dimitri Ledkov asked for the initscripts package to exempt root-owned
processes whose process name starts with an '@' from being killed in the
sendsigs script during shutdown. This support would make initscripts a
little more compatible with systemd, which is a good thing! The relevant
systemd documentation can be found at:
However, I doubt that the proposed restriction (effective UID of process
equals 0) is sufficient. For example in a SELinux context being root may
mean significantly less. Russel Coker runs a machine where you can log
into as root remotely, see http://www.coker.com.au/selinux/play.html. In
this context allowing user processes to not be killed merely by changing
their name could cause data loss during shutdown by blocking umount. I
do not understand the consequences of the above technique in other
security extension contexts, so I am asking here for help.
The alternative mechanism currently used by initscripts is to allow
daemons to write their PID to /run/sendsigs.omit.d/$daemon. Being a
file-based approach, it can be easily controlled in the SELinux context
Another aspect of interest could be processes running as root with their
capability bounding set cleared or reduced.
So dear oss-sec readers, do you think that allowing processes whose
effective UID is 0 to not being killed during shutdown is a good idea?
If the answer is no, then please assign a CVE identifier for systemd
(version 38+, src/core/killall.c).
More information about the Pkg-sysvinit-devel