On 04.02.2018 17:25, Michael Biebl wrote:
> On 03.02.2018 at 14:35, Sven Hartge wrote:
>> At 14:00 on 03.02.18, Michael Biebl wrote:
>>> The alternative afaics would be, that the daemon writes the pid file as
>>> munin:munin then (or ulog:ulog for the above case).
>>
>> No, this would open a potential DoS vector.
>>
>> Imagine an attacker gaining access to the munin user. He would then be able
>> to write any PID to the PIDfile and the init system would kill the other
>> process when the munin-node service is stopped/restarted.
>>
>
> I don't think this applies to systemd though. If the process id listed
> in the pid file is not found in the service cgroup, systemd should not
> kill the process listed in the pid file. I suspect that MainPID will not
> be properly set and systemd will complain about it.

But it applies to SysV-Init.

If the init-script does not use start-stop-daemon correctly to check if the PID in the PIDfile belongs to the executable to be killed or if the init-script uses some other method of killing the daemon, it might easily kill a different program.

I know, this is not systemd's concern whether other init implementations behave correctly, but if you change the behaviour of a program because of a behaviour change in systemd and then break other init systems or increase the insecurity when used with other init systems because of this, it will fall back negatively on systemd.

Regards,
Sven.
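The check discussed above, as an added example that is not part of this thread and not code from munin, systemd or Debian: a shell function a SysV init script could call before signalling anything, which rejects a PID file that is not owned by a trusted uid and a PID whose executable is not the expected daemon. The function name, its return codes, the trusted-uid parameter and the `PROC_ROOT` override are assumptions of this example; it relies on Linux `/proc` and `stat -c`.

```shell
#!/bin/sh
# Added example: decide whether the PID stored in a PID file may be signalled.
# PROC_ROOT is a hypothetical override so the check can be run against a
# constructed /proc tree instead of the live one.
PROC_ROOT="${PROC_ROOT:-/proc}"

# pid_from_pidfile FILE EXPECTED_EXE TRUSTED_UID
# Prints the PID and returns 0 only if every check passes.
pid_from_pidfile() {
    pidfile=$1 expected_exe=$2 trusted_uid=$3

    # Refuse symlinks and anything that is not a regular file.
    [ -f "$pidfile" ] && [ ! -L "$pidfile" ] || return 1

    # The file must belong to the trusted uid (0 in a real init script).
    # A file owned by the service user can be rewritten by whoever
    # controls that account.
    [ "$(stat -c %u "$pidfile")" = "$trusted_uid" ] || return 2

    # Accept exactly one positive decimal number, nothing else.
    read -r pid < "$pidfile" || [ -n "$pid" ] || return 3
    case $pid in
        ''|*[!0-9]*|0*) return 3 ;;
    esac

    # The process must be running the expected binary. This is a path
    # comparison in the spirit of start-stop-daemon --exec.
    exe=$(readlink "$PROC_ROOT/$pid/exe") || return 4
    [ "$exe" = "$expected_exe" ] || return 5

    printf '%s\n' "$pid"
}
```

After the daemon's binary has been replaced on disk, the kernel reports the old path with a ` (deleted)` suffix, so this path comparison returns 5 until the daemon has been restarted.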