On Mon, Aug 07, 2017 at 05:54:07PM +0200, Salvatore Bonaccorso wrote:
> Source: tenshi
> Version: 0.13-2
> Severity: normal
> Tags: upstream patch security
> Forwarded: https://github.com/inversepath/tenshi/issues/6
>
> Hi,
>
> the following vulnerability was published for tenshi.
>
> CVE-2017-11746[0]:
> | Tenshi 0.15 creates a tenshi.pid file after dropping privileges to a
> | non-root account, which might allow local users to kill arbitrary
> | processes by leveraging access to this non-root account for tenshi.pid
> | modification before a root script executes a "kill `cat
> | /pathname/tenshi.pid`" command.

Please provide a systemd unit, so that we can avoid using a PID file
altogether.

Cheers,
Moritz
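
The check a root script would need before running kill on the contents of a PID file, as an added example that is not part of the original message and not tenshi's code. The function names are hypothetical, GNU stat is assumed, and the check covers only who can write the file, not PID reuse.

```shell
#!/bin/sh
# Added example (not tenshi's code). Assumes GNU stat, as on Debian.

# owned_and_closed PATH UID: PATH is owned by UID and has no group/other write bit.
owned_and_closed() {
    st=$(stat -c '%u %a' "$1") || return 1
    mode=${st##* }
    [ "${st%% *}" = "$2" ] || return 1
    [ $(( 0$mode & 022 )) -eq 0 ]
}

# pidfile_trusted PIDFILE [TRUSTED_UID]
# Prints the PID and returns 0 only if the file could not have been written
# by an account other than TRUSTED_UID (default 0, root).
pidfile_trusted() {
    pidfile=$1
    trusted_uid=${2:-0}

    # A symlink or non-regular file can point the reader anywhere.
    [ -f "$pidfile" ] && [ ! -L "$pidfile" ] || return 1

    # Whoever can write the file or its directory controls the PID we signal.
    owned_and_closed "$pidfile" "$trusted_uid" || return 1
    owned_and_closed "$(dirname "$pidfile")" "$trusted_uid" || return 1

    # Content must be a single decimal PID; never signal 0 or 1.
    pid=$(cat "$pidfile") || return 1
    case $pid in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$pid" -gt 1 ] || return 1

    printf '%s\n' "$pid"
}

# Usage in a root script (path as written in the CVE text):
#   pid=$(pidfile_trusted /pathname/tenshi.pid) && kill "$pid"
```

A PID file written after the daemon has dropped privileges is owned by the non-root account, so this check rejects it.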