Bug 603248 - mail-filter/rspamd: init script should use checkpath instead of mkdir/chown/chmod
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Dirkjan Ochtman (RETIRED)
Reported: 2016-12-20 20:25 UTC by Michael Orlitzky
Modified: 2017-01-03 19:00 UTC
Description Michael Orlitzky gentoo-dev 2016-12-20 20:25:16 UTC
The init script for rspamd calls mkdir, chown, and chmod in sequence to create a directory with the specified ownership and permissions:

  start() {
      ...
      mkdir -m0750 -p $RUNDIR
      chown rspamd:rspamd $RUNDIR
      chmod g+s $RUNDIR
      ...

It would be better to call "checkpath" (man openrc-run) instead. Checkpath is slightly more portable, being part of OpenRC. But it is also safer: chown and chmod will blindly follow symlinks, creating a security vulnerability if root loses full control of their arguments. Using checkpath (which does not follow symlinks) provides an extra layer of security against that type of vulnerability.

(I don't see any issue here, but someone may do something silly in the future...)
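
The behaviour described in the report above, as an added example that is not part of the original report or of the rspamd ebuild: it shows chmod following a symlinked run directory, next to a guard that refuses the symlink. The function names, the temp-directory layout and the checkpath line in the comment are assumptions for illustration, and GNU stat is assumed.

```sh
#!/bin/sh
# Added example. All paths are constructed inside a fresh temp directory.
# In an OpenRC init script the three calls collapse into one (illustrative,
# not the committed fix):
#   checkpath -d -m 2750 -o rspamd:rspamd "$RUNDIR"

# Pattern from the report: chmod resolves a symlinked argument.
unsafe_prepare() {
    chmod 0750 "$1"
}

# Hypothetical guard for scripts without checkpath: refuse symlinks.
# A check-then-use window remains between the test and the chmod.
safe_prepare() {
    if [ -L "$1" ]; then
        echo "refusing symlink: $1" >&2
        return 1
    fi
    [ -d "$1" ] || mkdir -m 0750 "$1" || return 1
    chmod 2750 "$1"
}

# Prints "<mode after unsafe> <mode after guarded> <guarded exit status>".
demo() {
    sandbox=$(mktemp -d) || return 1
    touch "$sandbox/other_file"
    chmod 0600 "$sandbox/other_file"
    ln -s "$sandbox/other_file" "$sandbox/run"   # RUNDIR is now a symlink

    unsafe_prepare "$sandbox/run"
    after_unsafe=$(stat -c '%a' "$sandbox/other_file")

    chmod 0600 "$sandbox/other_file"             # reset for the second run
    rc=0
    safe_prepare "$sandbox/run" 2>/dev/null || rc=$?
    after_guarded=$(stat -c '%a' "$sandbox/other_file")

    rm -rf "$sandbox"
    echo "$after_unsafe $after_guarded $rc"
}

demo
```

The first field shows the unrelated file's mode changed through the symlink; the second shows it untouched once the symlink is refused.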
Comment 1 Dirkjan Ochtman (RETIRED) gentoo-dev 2017-01-03 19:00:10 UTC
Fixed in the tree.