The init script for vault gives ownership of the PID file directory to the same user that the daemon runs as:

  start_pre() {
      checkpath -d -m 0755 -o "${user}":"${group}" "${pidfile%/*}"
  }

As a result, the $user can write whatever he wants into the PID file. Later, that may be exploitable: when the service is stopped, root will call "kill" on the contents of that file.

But there's good news: there's no need for the call to "checkpath" above. With command_background=true, OpenRC creates the PID file as root:root, and start_pre() can be deleted if you store the PID file directly in /run.

Some other minor improvements to consider while you're touching the init script:

1. Use "command_user" for the user/group instead of start_stop_daemon_args.
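
Added example, not part of the original report or of the Gentoo init script: a POSIX shell check for the condition described in the report above, flagging a PID file or its directory that is owned by someone other than root or is group/other-writable. The function names and the sample path /run/vault/vault.pid are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the vault ebuild). Function names are hypothetical.
# Usage: pidfile_writers_ok /run/vault/vault.pid   (constructed sample path)

# Print "<owner-uid> <mode-string>" for a path using POSIX `ls -ldn`.
_owner_mode() {
    ls -ldn -- "$1" | awk '{ print $3, $1 }'
}

# Report if TARGET is not owned by TRUSTED_UID or is group/other-writable.
_check_one() {
    target=$1 trusted=$2 rc=0
    set -- $(_owner_mode "$target")
    uid=$1 mode=$2
    if [ "$uid" != "$trusted" ]; then
        echo "RISK: $target owned by uid $uid, expected $trusted"
        rc=1
    fi
    # In "drwxr-xr-x", character 6 is group-write and character 9 other-write.
    gw=$(printf '%s' "$mode" | cut -c6)
    ow=$(printf '%s' "$mode" | cut -c9)
    if [ "$gw" = w ] || [ "$ow" = w ]; then
        echo "RISK: $target is group- or other-writable ($mode)"
        rc=1
    fi
    return "$rc"
}

# pidfile_writers_ok PIDFILE [TRUSTED_UID]
# Returns 0 only if the PID file's directory, and the PID file when it
# exists, belong to TRUSTED_UID (default 0, root) and nobody else can write.
pidfile_writers_ok() {
    pf=$1 want=${2:-0} bad=0
    for p in "$(dirname -- "$pf")" "$pf"; do
        [ -e "$p" ] || continue
        _check_one "$p" "$want" || bad=1
    done
    return "$bad"
}
```

A non-zero return for a service that root stops with "kill" on the PID file contents means the init script should be reviewed for a checkpath call like the one quoted in the report.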

@Maintainer: After the bump please let us know when the tree is clean from vulnerable versions, thanks.

Gentoo Security Padawan
ChrisADR

Fixed in 0.7.3-r1:

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=090a2be8642f6de680cfe1e93c5e12b8074adf91

Removed vulnerable versions:

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=555ea185d91907439adac5135b4c48d0210584cd

(In reply to Zac Medico from comment #2)
> Fixed in 0.7.3-r1:
>
> https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=090a2be8642f6de680cfe1e93c5e12b8074adf91
>
> Removed vulnerable versions:
>
> https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=555ea185d91907439adac5135b4c48d0210584cd

Thanks again, Zac!