This is an automated email from the git hooks/post-receive script. guillem pushed a commit to branch master in repository dpkg.
View the commit online: https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=754511aaef556ebad03560e689eeb2044a7ee1fd commit 754511aaef556ebad03560e689eeb2044a7ee1fd Author: Guillem Jover <[email protected]> AuthorDate: Fri Feb 15 05:09:11 2019 +0100 s-s-d(1): Document behavior of --pidfile security checks Describe what to expect from these new checks. Closes: #921557 --- debian/changelog | 3 +++ man/start-stop-daemon.man | 9 ++++++--- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/debian/changelog b/debian/changelog index f9de3194c..36d296541 100644 --- a/debian/changelog +++ b/debian/changelog @@ -8,6 +8,9 @@ dpkg (1.19.5) UNRELEASED; urgency=medium use errno for error reporting or not. * start-stop-daemon: Always refuse to parse a world-writable pidfile, except when that is /dev/null. + * Documentation: + - start-stop-daemon(1): Document behavior of --pidfile security checks. + Closes: #921557 * Build system: - Check whether this dist is a release, based only on the version format. This will avoid having to do a two staged release to get a proper perl diff --git a/man/start-stop-daemon.man b/man/start-stop-daemon.man index 4723596d3..b6513cedd 100644 --- a/man/start-stop-daemon.man +++ b/man/start-stop-daemon.man 
@@ -122,11 +122,14 @@ Note: using this matching option alone might cause unintended processes to be acted on, if the old process terminated without being able to remove the \fIpid-file\fP. .IP -\fBWarning:\fP Using this match option alone with a daemon that writes the -pidfile as an unprivileged user is a security risk, because if the daemon -gets compromised the contents of the pidfile cannot be trusted, and then +\fBWarning:\fP using this match option with a world-writable pidfile or using +it alone with a daemon that writes the pidfile as an unprivileged (non-root) +user will be refused with an error (since version 1.19.3) as this is a +security risk, because either any user can write to it, or if the daemon +gets compromised, the contents of the pidfile cannot be trusted, and then a privileged runner (such as an init script executed as root) would end up acting on any system process. +Using \fI/dev/null\fP is excempt from these checks. .TP .BR \-x ", " \-\-exec " \fIexecutable\fP" Check for processes that are instances of this \fIexecutable\fP. The -- Dpkg.Org's dpkg
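Review bot: "excempt" in the added line "Using \fI/dev/null\fP is excempt from these checks." is a typo for "exempt"; please fix it before this lands in the manual page. Two smaller points on the same hunk: the rewritten warning now opens with a lowercase "using" after "\fBWarning:\fP", whereas the removed line used "Using", so the capitalization should match whichever convention the rest of the page follows; and the new text attributes both refusals (world-writable pidfile, and pidfile written by an unprivileged user) to "since version 1.19.3", while the changelog hunk in this same commit records "Always refuse to parse a world-writable pidfile, except when that is /dev/null" under the unreleased 1.19.5 entry, so either the version reference should be confirmed for the world-writable case or the two checks should carry their own version notes.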

