Bug 446210 - extra_commands and extra_started_commands do not check for superuser access
Summary: extra_commands and extra_started_commands do not check for superuser access
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Hosted Projects
Classification: Unclassified
Component: OpenRC
Hardware: All Linux
Importance: Normal major
Assignee: OpenRC Team
Reported: 2012-12-06 03:40 UTC by Gordon Pettey
Modified: 2012-12-20 21:23 UTC

Description Gordon Pettey 2012-12-06 03:40:01 UTC
openrc version: 0.11.6

Expect that a normal user running init scripts would fail. This works as expected for start/stop, but extra_commands and extra_started_commands do not produce a "superuser access required" error.

e.g.
$ /etc/init.d/nginx reload

Expected result:
 * nginx: superuser access required

Actual result:
nginx: [alert] could not open error log file: open() "/var/log/nginx/error_log" failed (13: Permission denied)
2012/12/06 03:36:00 [warn] 24340#0: the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:1
2012/12/06 03:36:00 [emerg] 24340#0: open() "/var/run/nginx.pid" failed (13: Permission denied)
nginx: configuration file /etc/nginx/nginx.conf test failed
nginx: [alert] could not open error log file: open() "/var/log/nginx/error_log" failed (13: Permission denied)
2012/12/06 03:36:00 [warn] 24341#0: the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:1
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
2012/12/06 03:36:00 [emerg] 24341#0: open() "/var/run/nginx.pid" failed (13: Permission denied)
nginx: configuration file /etc/nginx/nginx.conf test failed
 * failed, please correct errors above

e.g.
$ /etc/init.d/sshd checkconfig

Expected result:
 * sshd: superuser access required

Actual result:
egrep: /etc/ssh/sshd_config: Permission denied
/etc/ssh/sshd_config: Permission denied
Comment 1 William Hubbs gentoo-dev 2012-12-17 02:24:16 UTC
(In reply to comment #0)
> openrc version: 0.11.6
> 
> Expect that a normal user running init scripts would fail. This works as
> expected for start/stop, but extra_commands and extra_started_commands do
> not produce a "superuser access required" error.

The status command doesn't require super user access, and there is no way of knowing whether or not any specific command you might add to extra_* requires superuser access. The examples you cite are not because of restrictions within OpenRC; the errors happen because the specific commands you are running try to access files they do not have permission to access.

Given that, I'm not sure whether we can do anything in OpenRC or not.
Comment 2 William Hubbs gentoo-dev 2012-12-20 21:23:30 UTC
As stated above, this is not really a bug in OpenRC, but in the init scripts themselves.

The command functions themselves are responsible for checking permissions on files they need to access.

We could consider a helper for this, but that might be a topic that
should be discussed somewhere else instead of on this bug.
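
Added example (not part of the bug thread and not OpenRC code): one way a service script's own command function could check access up front, as comment 2 describes, so an unprivileged run fails with a single clear message. The helper names require_access and require_superuser and the /usr/sbin/sshd path are assumptions; eerror and RC_SVCNAME come from OpenRC.

```sh
# Added example, not OpenRC code. require_access and require_superuser are
# hypothetical helper names; eerror and RC_SVCNAME are provided by OpenRC.
# Stub eerror so the helpers can also be exercised outside OpenRC.
command -v eerror >/dev/null 2>&1 || eerror() { printf ' * %s\n' "$*" >&2; }

# require_access SPEC...
#   r:PATH  PATH must be readable
#   w:PATH  PATH must be writable; if it does not exist yet, its parent
#           directory must be writable so the command can create it
# Reports every failing path (not just the first) and returns 1 if any failed.
require_access() {
    _ra_rc=0
    for _ra_spec in "$@"; do
        _ra_path=${_ra_spec#*:}
        case $_ra_spec in
            r:*) [ -r "$_ra_path" ] || {
                     eerror "${RC_SVCNAME:-service}: cannot read $_ra_path"
                     _ra_rc=1
                 } ;;
            w:*) _ra_target=$_ra_path
                 [ -e "$_ra_target" ] || _ra_target=$(dirname "$_ra_path")
                 [ -w "$_ra_target" ] || {
                     eerror "${RC_SVCNAME:-service}: cannot write $_ra_path"
                     _ra_rc=1
                 } ;;
            *)   eerror "require_access: bad spec '$_ra_spec'"
                 _ra_rc=1 ;;
        esac
    done
    return "$_ra_rc"
}

# For commands that only make sense as root, fail with the message the
# report expected instead of a tool-specific "Permission denied".
require_superuser() {
    [ "$(id -u)" -eq 0 ] && return 0
    eerror "${RC_SVCNAME:-service}: superuser access required"
    return 1
}

# Use inside a service script; the path is the one from the sshd output above.
extra_commands="checkconfig"
checkconfig() {
    require_access r:/etc/ssh/sshd_config || return 1
    /usr/sbin/sshd -t    # sshd's own config test; binary path is an assumption
}
```

These checks are advisory: permissions can change between the check and the command, so the function should still return the command's own exit status.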