Bug 628548 - app-admin/glance: privilege escalation via PID file manipulation

Status: RESOLVED FIXED
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Reported: 2017-08-21 19:12 UTC by Michael Orlitzky
Modified: 2017-08-23 02:30 UTC
Runtime testing required: ---

Attachments
init update (diff.diff, 923 bytes, patch) 2017-08-22 23:57 UTC, Matthew Thode (prometheanfire)

Description Michael Orlitzky gentoo-dev 2017-08-21 19:12:04 UTC
The init script for glance gives ownership of the PID file directory to the same user that the daemon runs as:

  start_pre() {
    checkpath --directory \
              --owner ${GLANCE_USER:-glance}:${GLANCE_GROUP:-glance} \
              --mode 0755 ${GLANCE_RUN:-/var/run/glance}
  }

As a result, the GLANCE_USER can write whatever he wants into the PID file. Later, that may be exploitable: when the service is stopped, root will call "kill" on the contents of that file.

But there's good news: there's absolutely no reason for the call to "checkpath" above. With command_background=yes, OpenRC creates the PID file as root:root, and the whole start_pre() function can be deleted if you store the PID file directly in /run.

Some other minor improvements to consider while you're touching the init script:

  1. Update $SVCNAME to $RC_SVCNAME.
  2. Utilize command_user for the user/group instead of start_stop_daemon_args.
  3. Update to /run from /var/run.
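As an added example (not code from this bug or the glance init script), a POSIX sh check that a stop routine can run before trusting a PID file's contents. It rejects a PID file whose directory or file is not owned by the expected privileged uid or is group/world-writable (the situation the checkpath call above creates for the daemon user), and accepts only a single decimal PID greater than 1. The file path and the owner uid argument are assumptions; GNU coreutils stat (Linux) is assumed.

```shell
#!/bin/sh
# Added example, not the glance init script. Assumes GNU stat (Linux).
#
# pidfile_trusted FILE OWNER_UID
# Returns 0 only when FILE and its directory are owned by OWNER_UID
# (root for an OpenRC-created PID file in /run), neither has write bits
# for group or others, and the content is one decimal PID greater than 1.
pidfile_trusted() {
    file=$1
    owner=$2
    dir=$(dirname "$file")
    [ -f "$file" ] || return 1
    for path in "$dir" "$file"; do
        # A directory owned by the daemon user lets that user replace the
        # PID file, so both the directory and the file must belong to the
        # privileged account that will act on the contents.
        [ "$(stat -c '%u' "$path")" = "$owner" ] || return 1
        # No write permission for group or others (octal mask 022).
        mode=$(stat -c '%a' "$path")
        [ $(( 0$mode & 022 )) -eq 0 ] || return 1
    done
    pid=$(cat "$file")
    # Content must be exactly one decimal number: no shell text, no
    # empty file, and never PID 1 (init) or anything with extra fields.
    case $pid in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$pid" -gt 1 ] || return 1
    return 0
}

# stop_check FILE OWNER_UID
# Safe counterpart of `kill $(cat FILE)`: prints the PID that would be
# signalled only after the file passed every check; never signals itself.
stop_check() {
    if pidfile_trusted "$1" "$2"; then
        cat "$1"
    else
        echo "refusing to act on untrusted PID file: $1" >&2
        return 1
    fi
}

# Usage (constructed path): stop_check /run/glance.pid 0
```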
Comment 1 Matthew Thode (prometheanfire) 2017-08-22 23:57:55 UTC
Created attachment 490180
init update

look good?
Comment 2 Michael Orlitzky gentoo-dev 2017-08-23 00:15:04 UTC
> pidfile=/var/run/glance/${RC_SVCNAME}.pid

/var/run/glance won't usually exist without the call to "checkpath", but the PID file will be created as root, so

  pidfile=/run/${RC_SVCNAME}.pid

should work fine (/var/run is a symlink to run these days).

Otherwise, looks good.
Comment 3 Matthew Thode (prometheanfire) 2017-08-23 02:30:34 UTC
thanks, in 14.0.0-r1 and 2017.1.9999