Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: pu
Tags: buster
Severity: normal
Dear RT
In buster, ndppd has a world-writable pid file. This prevents the daemon
from being stopped/restarted, which is a real pain when you set it up.
I would like to backport the fix from testing. Attached is the proposal.
Do you think this is ok?
-- System Information:
Debian Release: 10.1
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-6-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8),
LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

diff -Nru ndppd-0.2.5/debian/changelog ndppd-0.2.5/debian/changelog
--- ndppd-0.2.5/debian/changelog 2018-11-16 17:26:06.0 +0100
+++ ndppd-0.2.5/debian/changelog 2019-10-17 10:21:15.0 +0200
@@ -1,3 +1,12 @@
+ndppd (0.2.5-4+deb10u1) buster; urgency=medium
+
+ * Patch to avoid word writable pid file, that was breaking daemon init
+scripts. (Closes: #942117)
+ * postinst script fixing pid file permissions for pre 0.2.5-4+deb10u1
+running daemons.
+
+ -- Jean-Michel Vourgère Thu, 17 Oct 2019 10:21:15 +0200
+
ndppd (0.2.5-4) unstable; urgency=medium
* Migrated vcs to salsa.
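Review bot: typo in the first changelog bullet, "word writable" should read "world writable". Since this is the text stable users will see for the update, it is also worth naming the symptom directly: the pid file was created with mode 0666, start-stop-daemon refused to act on it, and the init script therefore could not stop or restart the daemon.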
diff -Nru ndppd-0.2.5/debian/patches/pid_perms ndppd-0.2.5/debian/patches/pid_perms
--- ndppd-0.2.5/debian/patches/pid_perms 1970-01-01 01:00:00.0 +0100
+++ ndppd-0.2.5/debian/patches/pid_perms 2019-10-16 22:48:06.0 +0200
@@ -0,0 +1,28 @@
+Description: Umask pid file permissions
+ Pid file was created with default 666 permissions. This causes security
+ issues when trying to stop the process. init stopped working because
+ start-stop-daemon(8) refuses to handle these nasty permissions, since dpkg
+ version 1.19.3.
+Author: Jean-Michel Vourgère
+Bug-Debian: https://bugs.debian.org/942117
+Bug: https://github.com/DanielAdolfsson/ndppd/issues/56
+Forwarded: yes
+Last-Update: 2019-10-12
+
+Index: ndppd-0.2.5/src/ndppd.cc
+===
+--- ndppd-0.2.5.orig/src/ndppd.cc
ndppd-0.2.5/src/ndppd.cc
+@@ -274,10 +274,12 @@ int main(int argc, char* argv[], char* e
+ return -1;
+
+ if (!pidfile.empty()) {
++mode_t old_umask = umask(022);
+ std::ofstream pf;
+ pf.open(pidfile.c_str(), std::ios::out | std::ios::trunc);
+ pf << getpid() << std::endl;
+ pf.close();
++umask(old_umask);
+ }
+
+ // Time stuff.
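Review bot: the Description block at the top of the patch ("This causes security issues when trying to stop the process") should state the actual impact instead of leaving it vague: with a 0666 pid file any local user can write some other pid into it, and the init script's stop action, running as root, would then signal that process; that is precisely why start-stop-daemon refuses world-writable pid files from the dpkg version the description cites. In the code, umask(022) gives a 0644 file, which is consistent with what the postinst applies, but note that the write is still unchecked: if pf.open() fails nothing is written and nothing is reported, so a one-line check on pf after the open (log and continue) would keep a silent failure from reintroducing the "cannot stop" problem. Also, the "+++ ndppd-0.2.5/src/ndppd.cc" header line appears here without its leading "+", so double-check that the attached file applies cleanly with quilt before upload.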
diff -Nru ndppd-0.2.5/debian/patches/series ndppd-0.2.5/debian/patches/series
--- ndppd-0.2.5/debian/patches/series 1970-01-01 01:00:00.0 +0100
+++ ndppd-0.2.5/debian/patches/series 2019-10-16 22:48:06.0 +0200
@@ -0,0 +1 @@
+pid_perms
diff -Nru ndppd-0.2.5/debian/postinst ndppd-0.2.5/debian/postinst
--- ndppd-0.2.5/debian/postinst 1970-01-01 01:00:00.0 +0100
+++ ndppd-0.2.5/debian/postinst 2019-10-17 10:19:32.0 +0200
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+set -e
+
+case "$1" in
+ configure)
+if [ -n "$2" ] && dpkg --compare-versions "$2" lt-nl 0.2.5-4+deb10u1
+then
+ # Buster version can't be stopped. See #942117
+ if [ -f /var/run/ndppd.pid ]
+ then
+chmod 644 /var/run/ndppd.pid
+ fi
+fi
+ ;;
+esac
+
+#DEBHELPER#
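Review bot: the `chmod 644 /var/run/ndppd.pid` at the configure step trusts whatever is currently in the file. Because that file has been world-writable on every buster system until this upgrade, a local user may already have replaced its contents with another process's pid; once the mode is 0644, start-stop-daemon will accept it and the service restart that follows under #DEBHELPER# would signal that pid as root, which is the very problem the fix is meant to close. Validate before tightening: read the pid, check that it names a running ndppd (for example via /proc/$pid/comm), and only then chmod; if it does not match, remove the file rather than bless it, so a stale or forged pid is never trusted. Minor: with `-n "$2"` already tested in the same condition, `lt-nl` is equivalent to plain `lt`.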