This is an automated email from the git hooks/post-receive script.

guillem pushed a commit to branch master
in repository dpkg.

View the commit online:
https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=15c2161f7d8093b2ec857c343987339f59c8afd5

commit 15c2161f7d8093b2ec857c343987339f59c8afd5 (HEAD -> master)
Author: Guillem Jover <[email protected]>
AuthorDate: Wed Jan 23 09:16:03 2019 +0100

    s-s-d: Do not sanity check the pidfile when it is specified as /dev/null
    
    Several projects use this to bypass the requirement for a matching
    option so that they can start a program no matter what. Even though
    the check should not fail on this condition, it does on some scenarios,
    such as when using Linux user namespaces.
    
    Closes: #920242
---
 debian/changelog          |  4 ++++
 utils/start-stop-daemon.c | 10 ++++++++--
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index d9e176e94..f397b2642 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,9 @@
 dpkg (1.19.4) UNRELEASED; urgency=medium
 
+  * start-stop-daemon: Do not sanity check the pidfile when it is specified as
+    /dev/null, as that implies the caller wants to start the program no matter
+    what. Even though the check should not fail on this condition, it does on
+    some scenarios, such as when using Linux user namespaces. Closes: #920242
   * Portability:
     - start-stop-daemon: Only use SO_PASSCRED if defined. Fixes build failure
       at least on GNU/Hurd.
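Review bot: "sanity check" in the new entry undersells what is skipped. The code comment in utils/start-stop-daemon.c describes this check as guarding against a pidfile owned by a non-root user whose contents cannot be trusted, so the entry should say that the pidfile ownership (security) check is bypassed for /dev/null, so that administrators reading the changelog can see that a trust check changed behaviour. Minor wording: "on some scenarios" reads better as "in some scenarios".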
diff --git a/utils/start-stop-daemon.c b/utils/start-stop-daemon.c
index 434cb40c8..f01a8982d 100644
--- a/utils/start-stop-daemon.c
+++ b/utils/start-stop-daemon.c
@@ -2265,8 +2265,14 @@ do_pidfile(const char *name)
                /* If we are only matching on the pidfile, and it is owned by
                 * a non-root user, then this is a security risk, and the
                 * contents cannot be trusted, because the daemon might have
-                * been compromised. */
-               if (match_mode == MATCH_PIDFILE) {
+                * been compromised.
+                *
+                * If we got /dev/null specified as the pidfile, we ignore the
+                * checks, as this is being used to run processes no matter
+                * what. Even though the checks should not fail, they do on
+                * some scenarios, such as when using Linux user namespaces. */
+               if (match_mode == MATCH_PIDFILE &&
+                   strcmp(name, "/dev/null") != 0) {
                        struct stat st;
                        int fd = fileno(f);
 
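Review bot: the exemption in the new condition is an exact string compare, strcmp(name, "/dev/null") != 0, so only that literal spelling skips the ownership check; any other path that resolves to the same device (a symlink, "//dev/null", a relative path) still goes through it. That fails closed, which is the right direction for a check the comment calls a security risk, but the comment should say that the match is deliberately literal. The special case also needs to appear in the --pidfile documentation, which this commit does not touch: the diffstat lists only debian/changelog and utils/start-stop-daemon.c.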

-- 
Dpkg.Org's dpkg
