This is an automated email from the git hooks/post-receive script.

guillem pushed a commit to branch master
in repository dpkg.

View the commit online:
https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=90f657a644d87f96d0161ddf0d039a61d77c6d93

commit 90f657a644d87f96d0161ddf0d039a61d77c6d93
Author: Guillem Jover <[email protected]>
AuthorDate: Fri Feb 15 05:06:46 2019 +0100

    s-s-d: Always refuse to parse a world-writable pidfile, except for /dev/null
    
    This is generally insecure, not just when using the --pidfile match
    option alone. The «/dev/null» exemption is still in place.
---
 debian/changelog          |  2 ++
 utils/start-stop-daemon.c | 13 ++++++++-----
 2 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index e01e61a6b..f9de3194c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -6,6 +6,8 @@ dpkg (1.19.5) UNRELEASED; urgency=medium
   * start-stop-daemon: Add new fatalv() and fatale() functions and use the
     latter for system errors, so that we are explicit on whether we want to
     use errno for error reporting or not.
+  * start-stop-daemon: Always refuse to parse a world-writable pidfile,
+    except when that is /dev/null.
   * Build system:
     - Check whether this dist is a release, based only on the version format.
       This will avoid having to do a two staged release to get a proper perl
diff --git a/utils/start-stop-daemon.c b/utils/start-stop-daemon.c
index 509f82be6..88c972663 100644
--- a/utils/start-stop-daemon.c
+++ b/utils/start-stop-daemon.c
@@ -2284,22 +2284,25 @@ do_pidfile(const char *name)
                 * contents cannot be trusted, because the daemon might have
                 * been compromised.
                 *
+                * If the pidfile is world-writable we refuse to parse it.
+                *
                 * If we got /dev/null specified as the pidfile, we ignore the
                 * checks, as this is being used to run processes no matter
                 * what. */
-               if (match_mode == MATCH_PIDFILE &&
-                   strcmp(name, "/dev/null") != 0) {
+               if (strcmp(name, "/dev/null") != 0) {
                        struct stat st;
                        int fd = fileno(f);
 
                        if (fstat(fd, &st) < 0)
                                fatale("cannot stat pidfile %s", name);
 
-                       if ((st.st_uid != getuid() && st.st_uid != 0) ||
-                           (st.st_gid != getgid() && st.st_gid != 0))
+                       if (match_mode == MATCH_PIDFILE &&
+                           ((st.st_uid != getuid() && st.st_uid != 0) ||
+                            (st.st_gid != getgid() && st.st_gid != 0)))
                                fatal("matching only on non-root pidfile %s is 
insecure", name);
                        if (st.st_mode & 0002)
-                               fatal("matching only on world-writable pidfile 
%s is insecure", name);
+                               fatal("matching on world-writable pidfile %s is 
insecure", name);
+
                }
 
                if (fscanf(f, "%d", &pid) == 1)
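Review bot: The new `if (st.st_mode & 0002)` test inspects only the file's own permission bits; nothing in this hunk checks that the pidfile is a regular file, so a FIFO or device node at that path would pass the check and reach the `fscanf(f, "%d", &pid)` below, where a FIFO could block the start. Consider adding `if (!S_ISREG(st.st_mode)) fatal("pidfile %s is not a regular file", name);` directly after the `fstat()` call, inside the same `/dev/null`-exempt block. A world-writable or non-sticky parent directory would also allow the file to be swapped before it is read, which a per-file mode check cannot see; a short comment stating that the check covers only the file itself, not its directory, would set expectations for future maintainers. The blank line added just before the closing `}` of that block looks unintentional. do_pidfile() begins and ends outside this hunk.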
