Bug 189212 - net-p2p/mldonkey will no longer drop privileges
Bug#: 189212
Product: Gentoo Linux
Version: unspecified
Platform: All
OS/Version: Linux
Status: VERIFIED
Severity: major
Priority: P2
Resolution: FIXED
Assigned To: net-p2p@gentoo.org
Reported By: destotelhorus@googlemail.com
Component: Ebuilds
Summary: net-p2p/mldonkey will no longer drop privileges
Opened: 2007-08-17 09:51 0000

The init.d script provided would normally start mlnet as user ${USER}. With
newer versions (mine is 2.9.0-r1) it won't, resulting in a p2p application
running with root privileges.

I labeled this bug "Major" as it might open the door for anyone exploiting the
mlnet application, providing them with root access.
I did not label this bug "Critical" as, to my knowledge, there are no current
exploits known for that version of mlnet.

Suggestions for a fix:
Line 32 of init.d/mldonkey: add the parameter --chuid "${USER}" to the
start-stop-daemon call in the start() function.
(Possibly --user "${USER}" was mistaken to provide chuid.)

Reproducible: Always

Steps to Reproduce:
1. Change the conf.d/mldonkey value of USER to the username you want mlnet running
as.
2. Execute /etc/init.d/mldonkey start
3. ps aux | grep mlnet

Actual Results:
mlnet running with root-uid:
# ps aux | grep mlnet
root 12699 13.7 5.3 52880 39784 ? RNsl 11:30 0:10 /usr/bin/mlnet

Expected Results:
mlnet running with ${USER}-uid:
# ps aux | grep mlnet
p2p 13078 82.7 2.0 20104 15184 ? RNs 11:35 0:03 /usr/bin/mlnet

Which baselayout version are you using?

Well, then upgrade to baselayout-2 and it will work. :)
I've also changed s-s-d for baselayout-2 so that --user foo does the same as
--chuid foo in case there are other instances of this.

The problem was that many files used by mldonkey were owned by root. That's why
mldonkey-2.9.0-r2 wasn't working and wasn't logging.
Changing the owner back to p2p solved the problem.
Thanks and sorry for buggin around...
-ermanno
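
A check for the condition reported in this bug, as an added example that is not part of the report or of the Gentoo init script: it reads the USER value from a conf.d-style file and compares it with the owner of the running process in `ps aux` output. The function names and the /etc/conf.d/mldonkey path in the usage comment are assumptions; the two sample lines are the ones quoted in the report.

```shell
#!/bin/sh
# Added example: confirm a daemon runs as the account its conf.d file names.

# configured_user FILE: print the USER value set in a conf.d-style file.
# The file is sourced in a subshell (as the init script itself would source
# it), so nothing leaks into the caller's environment.
configured_user() {
    ( USER=; . "$1" >/dev/null 2>&1 && printf '%s\n' "$USER" )
}

# check_daemon_user USER COMMAND: read `ps aux` output on stdin.
# Returns 0 if every COMMAND process runs as USER, 1 if any does not,
# 2 if no COMMAND process is listed. Mismatches are printed to stdout.
# Matching on the COMMAND column (field 11) skips the `grep mlnet` line.
# Assumes the account name fits the USER column of ps without truncation.
check_daemon_user() {
    awk -v want="$1" -v cmd="$2" '
        $11 == cmd {
            seen = 1
            if ($1 != want) {
                bad = 1
                printf "%s pid %s runs as %s, expected %s\n", cmd, $2, $1, want
            }
        }
        END { if (!seen) exit 2; exit bad + 0 }
    '
}

# Sample input: the two `ps aux` lines quoted in the report.
sample_root='root 12699 13.7 5.3 52880 39784 ? RNsl 11:30 0:10 /usr/bin/mlnet'
sample_p2p='p2p 13078 82.7 2.0 20104 15184 ? RNs 11:35 0:03 /usr/bin/mlnet'

printf '%s\n' "$sample_root" | check_daemon_user p2p /usr/bin/mlnet \
    || echo "privileges not dropped (status $?)"
printf '%s\n' "$sample_p2p" | check_daemon_user p2p /usr/bin/mlnet \
    && echo "mlnet runs as p2p"

# On a live system (config path assumed):
#   ps aux | check_daemon_user "$(configured_user /etc/conf.d/mldonkey)" /usr/bin/mlnet
```
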