*** This bug is a security vulnerability ***

Public security bug reported:

Manual page of pidof says:

"When pidof is invoked with a full pathname to the program it should find the pid of, it is reasonably safe. Otherwise it is possible that it returns pids of running programs that happen to have the same name as the program you're after but are actually other programs."

However, in the following pidof displays the process number of /bin/sleep:

  sleep 5 &
  pidof /wrongdir/sleep

/wrongdir/sleep could be another executable, but the above happens even if the file or even the /wrongdir does not exist.

However, if sleep was called with full path

  $(command -v sleep) 5 &
  pidof /wrongdir/sleep

pidof does not display anything, which is expected.

ProblemType: Bug
DistroRelease: Ubuntu 15.10
Package: sysvinit-utils 2.88dsf-59.2ubuntu2.1
ProcVersionSignature: Ubuntu 4.2.0-27.32-generic 4.2.8-ckt1
Uname: Linux 4.2.0-27-generic x86_64
NonfreeKernelModules: nvidia
ApportVersion: 2.19.1-0ubuntu5
Architecture: amd64
CurrentDesktop: XFCE
Date: Tue Feb 16 16:26:47 2016
Dependencies:
 gcc-5-base 5.2.1-22ubuntu2
 libc6 2.21-0ubuntu4
 libgcc1 1:5.2.1-22ubuntu2
EcryptfsInUse: Yes
InstallationDate: Installed on 2015-11-21 (86 days ago)
InstallationMedia: Xubuntu 15.10 "Wily Werewolf" - Release amd64 (20151021)
SourcePackage: sysvinit
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: sysvinit (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: amd64 apport-bug wily

** Information type changed from Private Security to Public Security

https://bugs.launchpad.net/bugs/1546126

Title:
  pidof is unsafe even with full path
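
An added example, not part of the bug report and not sysvinit code: one way for a script to select processes by the identity of the executable file instead of by name, so that a nonexistent path such as /wrongdir/sleep never matches, however the process was started. The function name pids_by_exe is hypothetical; it assumes Linux /proc and a shell whose test builtin supports -ef (bash and dash do).

```shell
#!/bin/sh
# pids_by_exe PATH  (hypothetical helper, added example)
# Print the PIDs whose running executable is the same file as PATH
# (same device and inode), one per line. Returns 0 if at least one
# process matched, 1 if none matched, 2 on a usage error.
pids_by_exe() {
    target=$1

    # Only accept an absolute path; a bare name would bring back the
    # name-matching ambiguity described in the report.
    case $target in
        /*) ;;
        *) echo "pids_by_exe: need an absolute path" >&2; return 2 ;;
    esac

    # A path that does not exist can never be a running program's image.
    [ -f "$target" ] || return 1

    found=1
    for dir in /proc/[0-9]*; do
        # /proc/PID/exe is the kernel's link to the executable image and
        # does not depend on argv[0]. For processes of other users it is
        # unreadable unless we are root; -ef is then false and the
        # process is skipped.
        if [ "$dir/exe" -ef "$target" ]; then
            echo "${dir#/proc/}"
            found=0
        fi
    done
    return $found
}
```

With the report's scenario, `sleep 5 &` followed by `pids_by_exe /wrongdir/sleep` prints nothing, while `pids_by_exe "$(command -v sleep)"` lists the background process.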