Re: [systemd-devel] Unprivileged user can kill root-owned processes by changing PID file and stopping service

2021-02-19 Thread Reindl Harald

On 19.02.21 at 21:05, Frank Thommen wrote:
> > Lennart Poettering wrote on 19.02.2021 15:44:
> > On Fr, 19.02.21 15:12, Frank Thommen (systemd-de...@lists.drosera.ch) wrote:
> > > Dear all,
> > >
> > > I am experiencing the issue, that an unprivileged user can kill
> > > root-owned processes by changing a service's PIDFile.
> >
> > The file referenced by PIDFile= should not be under control of an
> > unpriv user.
> >
> > v219 is more than 5 years old. Since then we have tightened controls:
>
> I am aware of this, but unfortunately for the time being we are stuck with this
> version (CentOS 7.4)

I have yet to see a real world use case which needs "PIDFile=" at all;
systemd kills everything in the cgroup anyways at stop

I even start mariadb with --pid-file=/dev/null and without "mysqlsafe"
for years to get rid of all that shit

not a single service is using "PIDFile=" for years here and frankly I
even forked systemd units only to get rid of that nonsense from the 1990s

___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel


Re: [systemd-devel] Unprivileged user can kill root-owned processes by changing PID file and stopping service

2021-02-19 Thread Frank Thommen


> Lennart Poettering wrote on 19.02.2021 15:44:
>
> On Fr, 19.02.21 15:12, Frank Thommen (systemd-de...@lists.drosera.ch) wrote:
> 
> > Dear all,
> >
> > I am experiencing the issue, that an unprivileged user can kill
> > root-owned processes by changing a service's PIDFile.
> 
> The file referenced by PIDFile= should not be under control of an
> unpriv user.
> 
> v219 is more than 5 years old. Since then we have tightened controls:

I am aware of this, but unfortunately for the time being we are stuck with this 
version (CentOS 7.4).


> we now automatically detect whether the PID file is under control of
> unprivileged users either directly, or because a symlink is used in
> the path that is controlled by an unprivileged user, in which case
> we'll log about this. We'll also ignore the PID file if the listed PID
> doesn't actually belong to the cgroup of the service.
> 
> See documentation about PIDFile= in current versions:
> 
> https://www.freedesktop.org/software/systemd/man/systemd.service.html#PIDFile=
> 
> But in general: don't do this! It's simply not safe, neither on
> systemd nor any other init system. The whole PID concept of UNIX is
> racy anyway but giving unprivileged users control on it is even worse.
> 
> PID files are mostly a SysV construct. A better replacement is using
> Type=notify or Type=simple services that do not fork unnecessarily,
> and thus do not need to communicate their main PID explicitly.

I understand that, but whatever is required for the "notify" service type is 
probably not a core competence of those who wrote the current service :-). I 
have therefore created a special service account which shares the group with 
the developers' account, so that it can read all required data but the 
developers cannot modify any of the service's files like the PIDFile and the 
start script.  That works quite fine and we can probably use this setup as a 
template for future "mini services".

Cheers and thanks for your feedback,
Frank, Heidelberg


> 
> Lennart
> 
> --
> Lennart Poettering, Berlin


Re: [systemd-devel] Unprivileged user can kill root-owned processes by changing PID file and stopping service

2021-02-19 Thread Lennart Poettering
On Fr, 19.02.21 15:12, Frank Thommen (systemd-de...@lists.drosera.ch) wrote:

> Dear all,
>
> I am experiencing the issue, that an unprivileged user can kill
> root-owned processes by changing a service's PIDFile.

The file referenced by PIDFile= should not be under control of an
unpriv user.

v219 is more than 5 years old. Since then we have tightened controls:
we now automatically detect whether the PID file is under control of
unprivileged users either directly, or because a symlink is used in
the path that is controlled by an unprivileged user, in which case
we'll log about this. We'll also ignore the PID file if the listed PID
doesn't actually belong to the cgroup of the service.

See documentation about PIDFile= in current versions:

https://www.freedesktop.org/software/systemd/man/systemd.service.html#PIDFile=

But in general: don't do this! It's simply not safe, neither on
systemd nor any other init system. The whole PID concept of UNIX is
racy anyway but giving unprivileged users control on it is even worse.

PID files are mostly a SysV construct. A better replacement is using
Type=notify or Type=simple services that do not fork unnecessarily,
and thus do not need to communicate their main PID explicitly.

Lennart

--
Lennart Poettering, Berlin
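The two safeguards Lennart describes (refuse a PID file whose path is controlled by an untrusted user, and ignore a listed PID that is not inside the service's cgroup) can be checked from the outside on an old host that lacks them. The following is an added example written for this thread, not systemd's own implementation and not code from the thread: it is a simplified model in which every path component must be owned by root or the unit's `User=`, and the PID's systemd hierarchy line in `/proc/<pid>/cgroup` must sit at or below the unit's cgroup. The directory tree, uids, PIDs and cgroup paths in the fixtures are constructed for the demo; the `os_lookup` and `proc_read_cgroup` adapters are what you would pass instead on a live system.

```python
import os
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    """What lstat() reports about one path component: owner uid and symlink-ness."""
    uid: int
    is_symlink: bool


def path_components(path):
    """'/path2/to/service.pid' -> ['/', '/path2', '/path2/to', '/path2/to/service.pid']."""
    path = os.path.normpath(path)
    comps = []
    while True:
        comps.append(path)
        parent = os.path.dirname(path)
        if parent == path:
            break
        path = parent
    return comps[::-1]


def untrusted_components(path, lookup, trusted_uids):
    """Every component whose owner is not trusted, with a reason. lookup(component) -> Entry."""
    problems = []
    for comp in path_components(path):
        entry = lookup(comp)
        if entry.uid not in trusted_uids:
            kind = "symlink" if entry.is_symlink else "path component"
            problems.append((comp, f"{kind} owned by untrusted uid {entry.uid}"))
    return problems


def pid_in_cgroup(proc_cgroup_text, service_cgroup):
    """True if the systemd-hierarchy line of /proc/<pid>/cgroup is at or below service_cgroup.
    Lines are 'hierarchy-ID:controller-list:path'; the systemd hierarchy has controller
    list 'name=systemd' on cgroup v1 and '' on the unified v2 hierarchy."""
    base = service_cgroup.rstrip("/")
    for line in proc_cgroup_text.splitlines():
        parts = line.split(":", 2)
        if len(parts) != 3:
            continue
        _, controllers, cgpath = parts
        if controllers in ("", "name=systemd"):
            return cgpath == base or cgpath.startswith(base + "/")
    return False


def validate_pidfile(path, pid_text, service_cgroup, service_uid, lookup, read_cgroup):
    """Return (pid, []) if the PID file may be trusted, else (None, [reasons])."""
    reasons = [f"{c}: {why}" for c, why in untrusted_components(path, lookup, {0, service_uid})]
    if reasons:
        return None, reasons
    try:
        pid = int(pid_text.strip())
    except ValueError:
        return None, [f"PID file content is not an integer: {pid_text!r}"]
    if pid <= 0:
        return None, [f"invalid PID {pid}"]
    try:
        cgroup_text = read_cgroup(pid)
    except (FileNotFoundError, KeyError):
        return None, [f"PID {pid} does not exist"]
    if not pid_in_cgroup(cgroup_text, service_cgroup):
        return None, [f"PID {pid} is outside {service_cgroup}; ignoring PID file"]
    return pid, []


def os_lookup(comp):
    """Live-system adapter: ownership from lstat(), so a symlink is inspected itself, not its target."""
    st = os.lstat(comp)
    return Entry(st.st_uid, stat.S_ISLNK(st.st_mode))


def proc_read_cgroup(pid):
    """Live-system adapter: raw /proc/<pid>/cgroup text."""
    with open(f"/proc/{pid}/cgroup") as f:
        return f.read()


# Constructed fixtures, not a real host: srvcusr is uid 1000, a dedicated service account is uid 1001.
SERVICE_CGROUP = "/system.slice/myservice.service"
TREE = {
    "/": Entry(0, False), "/path2": Entry(0, False),
    "/path2/to": Entry(1000, False), "/path2/to/service.pid": Entry(1000, False),
    "/srv": Entry(0, False), "/srv/link": Entry(1000, True),  # symlink placed by srvcusr
    "/srv/link/service.pid": Entry(1001, False),
}
CGROUPS = {
    4242: "0::/system.slice/myservice.service\n",                       # the service's own child
    4321: "12:name=systemd:/user.slice/user-0.slice/session-3.scope\n",  # an unrelated root session
}


def demo():
    lookup, read = TREE.__getitem__, CGROUPS.__getitem__
    return {
        # The reported layout: path owned by the service user, but the file now names a foreign PID.
        "foreign_pid": validate_pidfile("/path2/to/service.pid", "4321", SERVICE_CGROUP, 1000, lookup, read),
        "own_pid": validate_pidfile("/path2/to/service.pid", "4242", SERVICE_CGROUP, 1000, lookup, read),
        # Dedicated service account, but a srvcusr-owned symlink sits in the path.
        "symlink_hijack": validate_pidfile("/srv/link/service.pid", "4242", SERVICE_CGROUP, 1001, lookup, read),
    }


if __name__ == "__main__":
    for name, (pid, reasons) in demo().items():
        print(name, "->", pid if pid else "REJECTED", *reasons)
```

The cgroup membership test is the one that matters for the layout in the report: there the directory and file legitimately belong to the service user, so only the fact that the listed PID lives in another cgroup exposes the tampering. The path walk only inspects the literal components as `lstat()` sees them; it does not re-check the parents of a symlink's target, which a full resolver would need to do.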


[systemd-devel] Unprivileged user can kill root-owned processes by changing PID file and stopping service

2021-02-19 Thread Frank Thommen
Dear all,

I am experiencing the issue, that an unprivileged user can kill root-owned 
processes by changing a service's PIDFile.

Situation: We are running a web service based on a software which is maintained 
by "external" developers. The service is running as an unprivileged user and 
the maintaining developers have access to the server and to this user account to 
make updates and apply fixes themselves and independently of the system 
administration.


In a nutshell we have:

a) an unprivileged user "srvcusr", to which "external" persons have access

b) a start script /path1/to/startscript.sh which basically does
--
#!/bin/bash
PIDFILE=/path2/to/service.pid
[... initialize the environment ...]
run_service_script &
echo $! > $PIDFILE
--
"srvcusr" cannot modify this startscript!

c) a unit file with (in very short):
--
Type=simple
User=srvcusr
ExecStart=/path1/to/startscript.sh
PIDFile=/path2/to/service.pid
--

d) a `sudo` configuration which allows "srvcusr" to start and stop the service

Problem: To run the service as "srvcusr", this account needs write access to 
$PIDFILE.  However this also allows the user to write arbitrary PIDs to the 
file.  Once (s)he has done so and stops the service (`sudo systemctl stop 
myservice`), this process will be killed even if it doesn't belong to 
"srvcusr".  It doesn't work with PID=1 but it works with webservers, root shells 
etc. etc.

This is either a hole in systemd (which I cannot imagine) or a wrong usage of 
running a service on behalf of a non-root UID.

This happens on CentOS 7.4.170 (for technical reasons we are currently bound to 
this version) with systemd version 219, release 42.

Any hint on how to fix this is very appreciated.
Thanks, Frank