When p3scan creates its PID file, it does so after dropping privileges to the user specified in its configuration file. For example, on my machine, I wind up with,

    $ ls -l /run/p3scan/
    total 4
    -rw-rw-rw- 1 mail mail 6 Sep 16 15:27 p3scan.pid

That fact can be exploited by the "mail" user (in this case) to kill root processes, since when an init script is used and the service is stopped, root will send a SIGTERM to the contents of the PID file (which are under the control of the "mail" user).
The simplest solution to the problem is to create the PID file as root, before dropping privileges. Another option would be to do away with the PID file entirely, and have p3scan run in the foreground -- that would require a more modern init system like systemd or OpenRC though.
This has been assigned CVE-2017-14681.
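
The first fix described above (create the PID file as root, before dropping privileges), together with a check the stop side can make before signalling, as an added example that is not p3scan's code. The function names are hypothetical, and the sketch assumes the directory holding the PID file is itself not writable by the unprivileged user.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Daemon side: call while still root, BEFORE setgid()/setuid(). The file is
 * then owned by the caller, with mode 0644 whatever the umask is. */
int pidfile_create(const char *path, pid_t pid)
{
    char buf[32];
    int n = snprintf(buf, sizeof buf, "%ld\n", (long)pid);
    /* O_EXCL | O_NOFOLLOW: refuse a file or symlink that is already there. */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
    if (fd < 0)
        return -1;
    if (fchmod(fd, 0644) != 0 || write(fd, buf, (size_t)n) != n) {
        close(fd);
        unlink(path);
        return -1;
    }
    return close(fd);
}

/* Stop side: use the file only if it is a regular file owned by `owner`
 * (0 in production) and not group- or world-writable. Returns the PID, or -1
 * if the file must not be trusted. PIDs <= 1 are rejected as well. */
long pidfile_read_trusted(const char *path, uid_t owner)
{
    struct stat st;
    long pid = -1;
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    FILE *f = fd < 0 ? NULL : fdopen(fd, "r");
    if (!f) {
        if (fd >= 0)
            close(fd);
        return -1;
    }
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != owner ||
        (st.st_mode & (S_IWGRP | S_IWOTH)) != 0 ||
        fscanf(f, "%ld", &pid) != 1 || pid <= 1)
        pid = -1;
    fclose(f);
    return pid;
}
```

A file like the `-rw-rw-rw- mail mail` one in the listing above fails the check twice: wrong owner and world-writable.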