Deluged daemon starting from /etc/init.d/deluged script is allways owned by root. I have no idea if there are any vulnerabilities in deluged itself however that's not safe by design. Reproducible: Always Steps to Reproduce: 1.Install deluge (emerge deluge, I have never installed old releases, only those masked with ~arch) 2.Edit /etc/conf.d/deluged 3.Run /etc/init.d/deluged start 4.Checkout deluged process owner: ps -ef|grep deluged Actual Results: Process belongs to root Expected Results: Create process from user mentioned in /etc/conf.d/deluged
Created attachment 166475 [details] my version of initscript It seems that author of original initscript thought --user option controls process owner in start-stop-daemon command. However -c option is responsible for that. Additionally, I used to export HOME variable (which corresponds to user) because deluged tried to writeits config in /root directory. Still its my first try in editing initscripts so I hope someone will examine it before accepting it.
Also, the config.d and init script should be updated with the option to start 'deluge -ui web' in addition to deluged with the 1.0 release since they are split.
I tried adding a web ui start function, but the UI starts and does not remain running. This also incorporates the user fix from above. I added to variables to the config.d DELUDED_USER_HOME="/home/user" DELUGEUI_START="true" DELUGEUI_OPTS="--ui web" x330-a1 init.d # diff -p deluged delugednew *** deluged Tue Dec 2 08:30:19 2008 --- delugednew Thu Dec 4 15:12:02 2008 *************** start() { *** 36,43 **** ebegin "Starting Deluged" start-stop-daemon --start --user "${DELUGED_USER}" \ --name deluged --pidfile /var/run/deluged.pid --background --make-pidfile \ ! --exec /usr/bin/deluged -- --do-not-daemonize "${DELUGED_OPTS}" eend $? } stop() { --- 36,52 ---- ebegin "Starting Deluged" start-stop-daemon --start --user "${DELUGED_USER}" \ --name deluged --pidfile /var/run/deluged.pid --background --make-pidfile \ ! --exec /usr/bin/deluged -c "${DELUGED_USER}" \ ! -e HOME="${DELUGED_HOME}" -- --do-not-daemonize "${DELUGED_OPTS}" eend $? + + if [[ "${DELUGEUI_START}" == "true" ]] ; then + ebegin "Starting Deluge" + start-stop-daemon --start --background --pidfile /var/run/deluge.pid \ + --make-pidfile --exec /usr/bin/deluge -c "${DELUGED_USER}" \ + -e HOME="${DELUGED_HOME}" -- "${DELUGEUI_OPTS}" + eend $? + fi } stop() { *************** stop() { *** 45,48 **** --- 54,64 ---- start-stop-daemon --stop --user "${DELUGED_USER}" \ --name deluged --pidfile /var/run/deluged.pid eend $? + + if [[ "${DELUGEUI_START}" == "true" ]] ; then + ebegin "Stopping Deluge" + start-stop-daemon --stop --user "${DELUGED_USER}" \ + --name deluge --pidfile /var/run/deluge.pid + eend $? + fi }
How can you bump to a pre-release version, yet leave a critical security flaw in tact despite a patch waiting here. Perhaps Gentoo security needs to be CC'd to take control?
Fixed, thanks for the help. Kevin, btw, security doesn't handle ~arch ebuilds.
