[Debian-eeepc-devel] Bug#565855: eeepc-acpi-scripts: please do not use pidof in /etc/acpi/actions/{suspend, lid, sleep}.sh
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Tue Jan 19 01:41:11 UTC 2010
Package: eeepc-acpi-scripts
Version: 1.1.6
Severity: normal

Hi there eeepc-acpi people--

It looks like three files in eeepc-acpi-scripts all contain "pidof"
tests to check if something is happening on the system:

/etc/acpi/actions/suspend.sh:10:if (runlevel | grep -q [06]) || (pidof '/sbin/shutdown' > /dev/null); then
/etc/acpi/actions/suspend.sh-11- exit 0
--
/etc/acpi/actions/lid.sh:9:if pidof powersaved; then
/etc/acpi/actions/lid.sh-10- exit 0
--
/etc/acpi/actions/sleep.sh:8:if pidof powersaved; then
/etc/acpi/actions/sleep.sh-9- exit 0

The problem with these tests is that it's trivial for any local user
to spoof the output, and thereby get the acpi script to terminate
("exit 0"). All the user needs to do is run an executable which
re-writes ARGV[0] to the relevant string, and the pidof check will
pass :/

This means that any user on a system can effectively cause the
suspend, lid, or sleep script to fail silently. That's bad!

lid.sh and sleep.sh are easy to fix, since powersaved was recently
removed from Debian:

http://packages.qa.debian.org/p/powersave/news/20091218T132117Z.html

You might want to check with the sysvinit folks to see what the
correct way to check for a running /sbin/shutdown might be? (maybe
you want to parse the output of "/sbin/runlevel"?)

See also http://bugs.debian.org/553643 for more discussion on the same
general concern.

Regards,

--dkg
-- System Information:
Debian Release: squeeze/sid
APT prefers testing
APT policy: (500, 'testing'), (200, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.32-trunk-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages eeepc-acpi-scripts depends on:
ii acpi-support-base 0.132-1 scripts for handling base ACPI eve
ii acpid 1:2.0.0-1 Advanced Configuration and Power I
ii pm-utils 1.2.6.1-3 utilities and scripts for power ma
Versions of packages eeepc-acpi-scripts recommends:
ii alsa-utils 1.0.21-1 ALSA utilities
Versions of packages eeepc-acpi-scripts suggests:
pn aosd-cat <none> (no description available)
pn gnome-osd <none> (no description available)
ii ttf-dejavu 2.30-2 Metapackage to pull in ttf-dejavu-
ii ttf-freefont 20090104-5 Freefont Serif, Sans and Mono True
ii ttf-liberation 1.05.2.20091019-4 Fonts with the same metrics as Tim
ii ttf-mscorefonts-instal 3.0 Installer for Microsoft TrueType c
-- no debconf information
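
One way to make the suspend.sh test resistant to the name spoofing described in the report, as an added example (not code from the reporter or from eeepc-acpi-scripts): match on the kernel-maintained /proc/PID/exe link and the effective UID instead of the process name. It assumes Linux procfs and a caller running as root; root_process_running and PROC_ROOT are hypothetical names.

```shell
#!/bin/sh
# Added example: identify a process by what the kernel records about it
# (/proc/PID/exe and the effective UID), not by its name or argv[0].
# PROC_ROOT is a hypothetical override so the check can be exercised
# against a constructed tree; on a real system it stays /proc.
PROC_ROOT="${PROC_ROOT:-/proc}"

# root_process_running /absolute/path/to/binary
# Returns 0 if a process with effective UID 0 is executing exactly that
# file, 1 otherwise.
root_process_running() {
    want="$1"
    for dir in "$PROC_ROOT"/[0-9]*; do
        [ -d "$dir" ] || continue
        # exe is a symlink maintained by the kernel; a process cannot
        # rewrite it the way it can rewrite argv[0]. Entries that are
        # unreadable or have already exited are skipped.
        exe=$(readlink "$dir/exe" 2>/dev/null) || continue
        [ "$exe" = "$want" ] || continue
        # The Uid: line lists real, effective, saved and filesystem UIDs,
        # so awk field 3 is the effective UID. An unprivileged user who
        # starts the real binary still does not satisfy this test.
        euid=$(awk '$1 == "Uid:" { print $3; exit }' "$dir/status" 2>/dev/null) || continue
        [ "$euid" = "0" ] && return 0
    done
    return 1
}

# Illustrative use in an ACPI action script:
#   if root_process_running /sbin/shutdown; then exit 0; fi
```

The exe link holds the resolved path of the running file, so the argument has to be the canonical path of the binary and not a symlink to it.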