24572 – stunnel 4.02 uid/gid nobody/nogroup is insecure

Bug 24572 - stunnel 4.02 uid/gid nobody/nogroup is insecure

Summary: stunnel 4.02 uid/gid nobody/nogroup is insecure

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	Current packages (show other bugs)
Hardware:	All Linux

Importance:	High normal (vote)
Assignee:	Daniel Ahlberg (RETIRED)

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2003-07-16 00:58 UTC by Raimund Specht
Modified:	2003-10-28 07:23 UTC (History)
CC List:	0 users

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Raimund Specht 2003-07-16 00:58:20 UTC

The config file stunnel.conf which is installed by default attempts to start
stunnel setuid nobody and setgid nogroup. Generally it is not advisable to run
daemons setuid nobody because if there is more than one such program, they could
ptrace or send signals to each other.

The ebuild should better create dedicated user and group "stunnel".

Reproducible: Always
Steps to Reproduce:

Comment 1 Daniel Ahlberg (RETIRED) gentoo-dev

2003-10-28 07:23:24 UTC

Incorporated in 4.04-r2, please test.