Your message dated Sat, 23 Feb 2019 17:49:13 +0000
with message-id <[email protected]>
and subject line Bug#921557: fixed in dpkg 1.19.5
has caused the Debian Bug report #921557,
regarding start-stop-daemon: behavior change on "matching only on non-root pidfile /run/exim4/exim.pid is insecure" not fully documented
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

--
921557: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=921557
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: dpkg
Version: 1.19.3
Severity: important

With 1.19.3 the following command stopped working:

/sbin/start-stop-daemon --stop --retry 5 --quiet --pidfile /run/exim4/exim.pid
/sbin/start-stop-daemon: matching only on non-root pidfile /run/exim4/exim.pid is insecure

Afaict this broke exim #921326, amavisd-new #921016 and mldonkey-server
#920466.

dpkg's changelog.Debian says:
  * start-stop-daemon: Check whether standalone --pidfile use is secure.
    Prompted by Michael Orlitzky <[email protected]>.

the regular changelog is more verbose:
------------------------
commit bc9736f6feae7625cc5ec063ea1b27d51a5f9317
Author: Guillem Jover <[email protected]>
Date:   Sat Sep 22 12:12:05 2018 +0200

    s-s-d: Check whether standalone --pidfile use is secure

    If we are only matching on the pidfile, which is owned by a non-root
    user, and we are running as a root user then this is a security risk,
    and the contents cannot be trusted, because the daemon might have been
    compromised which would allow modifying the pid within. If we are then
    calling start-stop-daemon as a privileged user, that would allow acting
    on any PID in the system.

    Prompted-by: Michael Orlitzky <[email protected]>
    Ref: https://redmine.kannel.org/issues/771
------------------------

However the manpage was not updated. Could you please describe which
restrictions were added, what behavior I can rely on to work?

For further entertainment exim does not use start-stop-daemon directly
but uses lsb, which seems to translate
killproc -p /run/exim4/exim.pid /usr/sbin/exim4
to
/sbin/start-stop-daemon --stop --retry 5 --quiet --pidfile /run/exim4/exim.pid
dropping the daemon name somewhere.

I would appreciate if you could agree to keep this dpkg update out of
testing a little bit to be able to solve this.

cu Andreas
--- End Message ---
--- Begin Message ---
Source: dpkg
Source-Version: 1.19.5

We believe that the bug you reported is fixed in the latest version of
dpkg, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guillem Jover <[email protected]> (supplier of updated dpkg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 23 Feb 2019 18:00:54 +0100
Source: dpkg
Architecture: source
Version: 1.19.5
Distribution: unstable
Urgency: medium
Maintainer: Dpkg Developers <[email protected]>
Changed-By: Guillem Jover <[email protected]>
Closes: 666147 883700 920880 920905 920972 920974 921031 921557 921942 921943 922039 922212 922407 922410 922799
Changes:
 dpkg (1.19.5) unstable; urgency=medium
 .
   [ Guillem Jover ]
   * start-stop-daemon: Make sure that we get a meaningful errno on
     parse_unsigned(), so that the error messages always make sense.
   * start-stop-daemon: Add new fatalv() and fatale() functions and use the
     latter for system errors, so that we are explicit on whether we want to
     use errno for error reporting or not.
   * start-stop-daemon: Always refuse to parse a world-writable pidfile,
     except when that is /dev/null.
   * dpkg: Print the current set of enabled force options on --force-help.
   * dpkg: Parse and set new DPKG_FORCE environment variable for
     subprocesses. Closes: #666147
   * dpkg-statoverride: Add support for --force-* options.
   * dpkg-statoverride: Switch from --force option to new --force-<thing>
     options. Deprecate --force option which will be considered an alias
     for --force-all for now.
   * dpkg, dpkg-statoverride: Add new option --refuse-security-mac to
     control SELinux. See #811037.
   * dpkg: Clarify error on unknown system user/group in statoverride
     database. Closes: #920880
   * dpkg-buildpackage: Clarify the warning/error on short OpenPGP key IDs.
     Closes: #922039
   * dpkg-maintscript-helper: Restrict find for dir-to-symlink move to
     -maxdepth 1. Thanks to Ralf Treinen <[email protected]>.
     Closes: #922799
   * dpkg-genbuildinfo: Add support for a new Build-Tainted-By field in
     .buildinfo files.
     Suggested by Alexander E. Patrakov <[email protected]>.
   * libdpkg: Clarify field names in error and warning messages.
   * libdpkg: Optimize error handling. Move the error reporting outside the
     involved functions so that we do not need to call gettext if there is
     no error, which has a significant performance cost.
   * libdpkg: Merge nicknames table into fieldinfos, to stop penalizing the
     lookup of non-obsolete fieldnames.
   * libdpkg: Print a more accurate warning for Revision nicknames.
   * libdpkg: Increase the pkg-hash bins size to 65521, to improve hash
     table performance at the cost of a bit more memory usage.
   * libdpkg: Blank packages that are not-installed with unknown selection.
     Closes: #922410
   * libdpkg, dpkg: Print the dpkg database directory on access errors.
     Closes: #883700
   * Perl modules:
     - Dpkg::Vendor::Debian: Add support for merged-usr-via-symlinks tainted
       tag. Suggested by Alexander E. Patrakov <[email protected]>.
     - Dpkg::Vendor::Debian: Add support for usr-local-has-* tainted tags.
     - Dpkg::Source::Package: Add a missing use Dpkg::Source::Format.
       Diagnosed by Ian Jackson <[email protected]>. Closes: #921031
   * Documentation:
     - start-stop-daemon(1): Document behavior of --pidfile security checks.
       Closes: #921557
     - dpkg(1): Document the unknown selection state. Closes: #922407
   * Code internals:
     - dpkg: Move SELinux fallback label to the SELinux specific code path.
     - dpkg: Simplify maintscript_set_exec_context().
     - dpkg: Move force options support into its own file.
     - dpkg: Do not hardcode the program name in the --force-help output.
     - dpkg: Switch force options from individual variables to bit fields.
     - dpkg: Switch from a char to an enum to track the force options types.
     - dpkg: Switch to set the default force option from the forceinfos
       array.
     - libdpkg: New benchmark programs and infrastructure.
     - libdpkg: Add new dpkg_error_move() function.
     - libdpkg: Add new dpkg_has_error() function.
     - libdpkg: Move status names from parse errors to arguments.
     - libdpkg: Use va_arg copy instead of the original on a vasprintf()
       call.
     - libdpkg: Include <string.h> in pager.c.
       Reported by Y <[email protected]>. Closes: #922212
     - libdpkg: Use pkg_set_want() instead of a direct assignment.
   * Build system:
     - Check whether this dist is a release, based only on the version
       format. This will avoid having to do a two staged release to get a
       proper perl distribution tarball.
   * Packaging:
     - autopkgtest: Add file to Depends fields.
     - autopkgtest: Clarify behavior on root/non-root requirement.
     - Bump Standards-Version to 4.3.0 (no changes required).
     - Remove now unused assert usertag description.
     - Remove trailing whitespace from changelog.
     - Remove Origin and Bugs fields from control file.
     - Include a bug-script to report on tainted merged-usr-via-symlinks.
   * Test suite:
     - libdpkg: Fix unit test for file_slurp(). Closes: #920974
       Diagnosed by Frank Schaefer <[email protected]>.
 .
   [ Updated programs translations ]
   * Dutch (Frans Spiesschaert). Closes: #921942
   * German (Sven Joachim).
   * Simplified Chinese (Zhou Mo). Closes: #920972
 .
   [ Updated scripts translations ]
   * German (Helge Kreutzmann).
 .
   [ Updated man pages translations ]
   * Dutch (Frans Spiesschaert). Closes: #921943
   * French (Jean-Pierre Giraud). Closes: #920905
   * German (Helge Kreutzmann).
--- End Message ---

