[Pkg-utopia-maintainers] Bug#580183: pid file attack can be used to kill arbitrary processes

Joey Hess joeyh at debian.org
Tue May 4 05:30:21 UTC 2010


Package: avahi-daemon
Version: 0.6.25-3
Severity: normal
Tags: security

/var/run/avahi-daemon/pid is writable by the avahi user. Suppose this
user is compromised. If the pid is overwritten with a different process
id, such as 1, /etc/init.d/avahi-daemon stop will go ahead and kill
that.

start-stop-daemon avoids this kind of security flaw by checking
/proc/pid/exe (when run with -exec), or at least the process name (when
run with -name). avahi's init script uses avahi -k, which neglects such
checking.

Besides the (admittedly unlikely since if you can shell avahi you
probably have better things to do) security hole, killing a process that
is stored in a pid file without checking that the pid file is accurate
is asking for trouble.

-- 
see shy jo
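
Added example, not part of the original report and not avahi's or dpkg's code: a POSIX sh sketch of the check the report says is missing, comparing /proc/<pid>/exe with the expected binary before any signal is sent. The names PROC_ROOT, pid_from_file, safe_to_signal and stop_daemon are hypothetical, and the daemon binary path in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example: validate a pid file before signalling its pid.
# PROC_ROOT is overridable so the check can be exercised on a constructed tree.
PROC_ROOT="${PROC_ROOT:-/proc}"

# Print the pid stored in file $1 only if it is a plain decimal number > 1.
pid_from_file() {
    [ -r "$1" ] || return 1
    IFS= read -r pid < "$1" || [ -n "$pid" ] || return 1
    case "$pid" in
        ''|0*|*[!0-9]*) return 1 ;;  # empty, zero-padded, negative, non-numeric
    esac
    [ "$pid" -gt 1 ] || return 1     # never signal init
    printf '%s\n' "$pid"
}

# Succeed only if the pid in pid file $1 is currently running executable $2.
safe_to_signal() {
    target=$(pid_from_file "$1") || return 1
    exe=$(readlink "$PROC_ROOT/$target/exe") || return 1  # stale pid: no entry
    # The kernel appends " (deleted)" once the binary was replaced on disk,
    # e.g. by an upgrade; accepting that form is a choice made in this sketch.
    [ "$exe" = "$2" ] || [ "$exe" = "$2 (deleted)" ]
}

# Stop wrapper: send SIGTERM only after the check passes.
# Usage (binary path assumed):
#   stop_daemon /var/run/avahi-daemon/pid /usr/sbin/avahi-daemon
stop_daemon() {
    if safe_to_signal "$1" "$2"; then
        kill -TERM "$(pid_from_file "$1")"
    else
        echo "refusing to signal: $1 does not point at $2" >&2
        return 1
    fi
}
```

The pid can still be reused between the check and the kill, so this narrows the window rather than closing it.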