The init script for serf gives ownership of the PID file directory to the same user that the daemon runs as:

  start_pre() {
      checkpath -d -m 0755 -o "${user}":"${group}" "${pidfile%/*}"
  }

As a result, the $user can write whatever he wants into the PID file. Later, that may be exploitable: when the service is stopped, root will call "kill" on the contents of that file.

But there's good news: there's no need for the call to "checkpath" above. With command_background=true, OpenRC creates the PID file as root:root, and start_pre() can be deleted if you store the PID file directly in /run.

Some other minor improvements to consider while you're touching the init script:

1. Use "command_user" for the user/group instead of start_stop_daemon_args.

2. Can the OpenRC "stopsig" variable be used to eliminate stop()?
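A defender-side check for the condition described in the comment above, added here as an example (it is not part of the bug report or of the serf package): it reports whether the directory that holds a PID file is owned by a non-root user or is writable by group or others. The function names and the paths in the usage comment are hypothetical, and GNU "stat -c" is assumed.

```shell
#!/bin/sh
# Added audit example; function names are hypothetical, GNU "stat -c" is assumed.

# classify_pid_dir OWNER_UID OCTAL_MODE
# Prints "ok" and returns 0 only when the directory is root-owned and
# not writable by group or others; otherwise prints the reason and returns 1.
classify_pid_dir() {
    owner_uid=$1
    mode=$2
    if [ "$owner_uid" -ne 0 ]; then
        echo "owned by uid $owner_uid, not root"
        return 1
    fi
    # A leading 0 makes the shell read the mode as octal; 022 = g+w | o+w.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "mode $mode is group- or world-writable"
        return 1
    fi
    echo "ok"
}

# audit_pidfile PATH
# Checks the directory that would hold PATH. Returns 2 if it cannot be read.
audit_pidfile() {
    pidfile=$1
    case $pidfile in
        */*) dir=${pidfile%/*} ;;   # same expansion the init script uses
        *)   dir=. ;;
    esac
    [ -n "$dir" ] || dir=/
    info=$(stat -c '%u %a' "$dir" 2>/dev/null) || {
        echo "cannot stat $dir"
        return 2
    }
    classify_pid_dir "${info% *}" "${info#* }"
}

# Usage (constructed paths): sh audit.sh /run/serf/serf.pid /run/other.pid
for p in "$@"; do
    printf '%s: %s\n' "$p" "$(audit_pidfile "$p")"
done
```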
@Maintainer: After the bump, please let us know when no vulnerable versions are in the tree, thanks.

Gentoo Security Padawan
ChrisADR
Fixed in 0.8.1-r1:
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=04685db032d949f93e0138d513da793e27d078e1

Removed vulnerable version:
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=aa3d638f68a107d074e34ddb0792d32c9a534459