[Pkg-utopia-maintainers] Bug#580183: pid file attack can be used to kill arbitrary processes

Lennart Poettering lennart at poettering.net
Tue May 4 09:40:32 UTC 2010


On Tue, 04.05.10 01:30, Joey Hess (joeyh at debian.org) wrote:

> Package: avahi-daemon
> Version: 0.6.25-3
> Severity: normal
> Tags: security
> 
> /var/run/avahi-daemon/pid is writable by the avahi user. Suppose this
> user is compromised. If the pid is overwritten with a different process
> id, such as 1, /etc/init.d/avahi-daemon stop will go ahead and kill
> that.

Well, I am not too concerned with this issue tbh, given that this file
is both outside the chroot and we set RLIMIT_FSIZE to 0. Which basically
means that from inside Avahi you cannot write any file anyway, and
particularly not that one...

> start-stop-daemon avoids this kind of security flaw by checking
> /proc/pid/exe (when run with -exec), or at least the process name (when
> run with -name). avahi's init script uses avahi -k, which neglects such
> checking.

Well, both those checks can be easily fooled, they in fact do not
improve security.

> Besides the (admittedly unlikely since if you can shell avahi you
> probably have better things to do) security hole, killing a process that
> is stored in a pid file without checking that the pid file is accurate
> is asking for trouble.

PID files are simply broken. We probably shouldn't use them anyway, and
always rely on the bus name instead.

Lennart

-- 
Lennart Poettering                        Red Hat, Inc.
lennart [at] poettering [dot] net
http://0pointer.net/lennart/           GnuPG 0x1A015CC4
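
Added example, not part of the thread or of the avahi package: a pidfile consumer that refuses to signal the stored PID unless /proc/<pid>/exe resolves to the binary it expects, the kind of check the report describes start-stop-daemon doing with --exec (the reply above argues such checks are limited). The pidfile path and the expected binary /usr/sbin/avahi-daemon are placeholders chosen for the demo.

```shell
#!/bin/sh
# Added example, not from the bug report or the avahi package: validate the pid
# in a pidfile against /proc/<pid>/exe before signalling it, the kind of check
# the report attributes to start-stop-daemon --exec. Paths are placeholders.

# Prints the pid and returns 0 only if PIDFILE holds a plain pid > 1 whose
# /proc/<pid>/exe resolves to EXPECTED_EXE; returns 1 otherwise.
checked_pid_from_pidfile() {
    pidfile=$1 expected=$2
    [ -f "$pidfile" ] || { echo "no pidfile $pidfile" >&2; return 1; }
    pid=$(head -n 1 "$pidfile" | tr -d ' \t\r')
    case $pid in
        ''|*[!0-9]*) echo "pidfile does not hold a pid: '$pid'" >&2; return 1 ;;
    esac
    # PID 1 is exactly the value the report describes being written into the file.
    [ "$pid" -gt 1 ] || { echo "refusing to touch pid $pid" >&2; return 1; }
    # The kernel owns the /proc/<pid>/exe symlink; the process cannot repoint it.
    # readlink fails if the process is gone or we lack permission to inspect it.
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null) \
        || { echo "pid $pid: cannot resolve exe" >&2; return 1; }
    exe=${exe%" (deleted)"}
    if [ "$exe" != "$expected" ]; then
        echo "pid $pid runs $exe, not $expected: stale or tampered pidfile" >&2
        return 1
    fi
    printf '%s\n' "$pid"
}

# Stop helper: sends SIGNAL (default TERM) only when the check above passes.
safe_kill_from_pidfile() {
    pid=$(checked_pid_from_pidfile "$1" "$2") || return 1
    kill -"${3:-TERM}" "$pid"
}

# Demo with a constructed pidfile overwritten with "1", as in the report: the
# stop must be refused rather than signalling init. Returns the helper's status.
demo_tampered_pidfile() {
    f=$(mktemp) && echo 1 > "$f"
    if safe_kill_from_pidfile "$f" /usr/sbin/avahi-daemon; then rc=0; else rc=$?; fi
    rm -f "$f"; return $rc
}

# Demo: a pidfile naming this shell passes when the expected binary matches.
demo_genuine_pidfile() {
    f=$(mktemp) && echo "$$" > "$f"
    if checked_pid_from_pidfile "$f" "$(readlink "/proc/$$/exe")" >/dev/null; then
        rc=0; else rc=$?; fi
    rm -f "$f"; return $rc
}
```

The check only confirms that the PID currently runs the expected binary; it cannot tell a genuine daemon pidfile from one that was rewritten to point at another instance of the same binary.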
