Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 189212 - net-p2p/mldonkey will no longer drop privileges
Summary: net-p2p/mldonkey will no longer drop privileges
Status: VERIFIED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo net-p2p team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2007-08-17 09:51 UTC by Jörg Eitemüller
Modified: 2007-08-20 12:12 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Jörg Eitemüller 2007-08-17 09:51:58 UTC
the init.d script provided, would normally start mlnet as user ${USER}. with newer versions (mine is 2.9.0-r1) it wont, resulting in a p2p-application running with root-privileges.

I labeled this bug "Major" as it might open the door for anyone exploiting the mlnet-application providing them with root-access.
I did not label this bug "Critical" as to my knowledge, there are no current exploits known for that version of mlnet.

Suggestions for a fix:
line: 32 of init.d/mldonkey: add the parameter --chuid "${USER}" to the start-stop-daemon call in the start()-function.
(possibly --user "${USER}" was mistaken to provide chuid)

Reproducible: Always

Steps to Reproduce:
1. change conf.d/mldonkey value of USER to the username you want mlnet running as.
2. execute /etc/init.d/mldonkey start
3. ps aux | grep mlnet

Actual Results:  
mlnet running with root-uid:

# ps aux | grep mlnet
root     12699 13.7  5.3  52880 39784 ?        RNsl 11:30   0:10 /usr/bin/mlnet

Expected Results:  
mlnet running with ${USER}-uid:

# ps aux | grep mlnet
p2p      13078 82.7  2.0  20104 15184 ?        RNs  11:35   0:03 /usr/bin/mlnet
Comment 1 Jakub Moc (RETIRED) gentoo-dev 2007-08-17 10:09:07 UTC
Which baselayout version are you using?
Comment 2 Jörg Eitemüller 2007-08-17 10:32:05 UTC
baselayout-1.12.9-r2
Comment 3 Jakub Moc (RETIRED) gentoo-dev 2007-08-17 10:35:42 UTC
Well, then upgrade to baselayout-2 and it will work. :)
Comment 4 Roy Marples (RETIRED) gentoo-dev 2007-08-17 10:46:17 UTC
Fixed in -r2, thanks
Comment 5 Roy Marples (RETIRED) gentoo-dev 2007-08-17 11:02:26 UTC
I've also changed s-s-d for baselayout-2 so that --user foo does the same as --chuid foo in case there are other instances of this.
Comment 6 Ermanno Baschiera 2007-08-19 12:41:18 UTC
Hi,
it seems that something went wrong with this update...
Mldonkey doensn't start and doesn't log anything...
Please see http://forums.gentoo.org/viewtopic-p-4194851.html

Thanks
-ermanno
Comment 7 Ermanno Baschiera 2007-08-20 12:10:26 UTC
The problem was that many files used by mldonkey were owned by root. That's why mldonkey-2.9.0-r2 wasn't working and wasn't logging.
Changing the owner back to p2p solved the problem.
Thanks and sorry for buggin around...

-ermanno