Bug 629170 - <app-emulation/flannel-0.8.0-r2: privilege escalation via PID file manipulation
Summary: <app-emulation/flannel-0.8.0-r2: privilege escalation via PID file manipulation
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: ~3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-08-28 14:21 UTC by Michael Orlitzky
Modified: 2017-09-02 13:41 UTC
CC List: 2 users

See Also:
Package list:
=app-emulation/flannel-0.8.0-r2
Runtime testing required: ---
Description Michael Orlitzky gentoo-dev 2017-08-28 14:21:13 UTC
The init script for flannel gives ownership of the PID file directory to the same user that the daemon runs as:

  start_pre() {
    checkpath -d -m 0755 -o "${user}":"${group}" "${pidfile%/*}"
  }

As a result, the flannel user can write whatever he wants into the PID file. Later, that may be exploitable: when the service is stopped, root will call "kill" on the contents of that file.

(The default flannel user in this case is root, so there's no risk unless the default is changed.)

But there's good news: there's no reason for the call to "checkpath" above. With command_background="true", OpenRC creates the PID file as root:root, and the "checkpath" can be deleted if you store the PID file directly in /run.

Some other minor improvements to consider while you're touching the init script:

  1. Update $SVCNAME to $RC_SVCNAME.

  2. Use command_user for the user/group instead of start_stop_daemon_args.

  3. command_args="${command_args}" ?

  4. "after net" is redundant in light of "need net".

  5. The log file *does* need to be writable by the flannel user.
     So long as the path to the log file is fixed, it should be safe
     to call checkpath on it in start_pre().

  6. command="/usr/bin/${SVCNAME}" is not really semantically correct.
     If you ever try to symlink the init script to run two daemons at once,
     the command should still be /usr/bin/flanneld, and not whatever the
     name of the symlink is.
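The kill-on-stop hazard described above, as an added example that is not part of the bug report, the flannel ebuild or OpenRC: a set of POSIX sh checks that a privileged stop routine could run before it passes the contents of a PID file to kill(1). The directory check fails in exactly the situation the report describes, a PID file directory that has been handed to a non-root daemon user, and the content check refuses values such as "-1" or "1" that a writable PID file could be made to hold. The file names, the temporary directory and the `proc_name` helper are assumptions made for this example; OpenRC's start-stop-daemon does its own validation and this is not its code.

```shell
#!/bin/sh
# Added example (not from the bug report or the flannel ebuild):
# defensive checks a privileged stop routine can run before trusting
# the contents of a PID file.  All paths and names below are assumptions.

# pidfile_dir_safe DIR
# Succeeds only if DIR is owned by the invoking user (root, when run
# from an init system) and is not writable by group or others.  A PID
# file directory chowned to the daemon's user (the checkpath call in the
# report) fails this test whenever that user is not the one stopping it.
pidfile_dir_safe() {
    dir=$1
    [ -d "$dir" ] || return 1
    # ls -ldn: field 1 is the mode string, field 3 the numeric owner uid
    # (portable; no GNU stat needed)
    set -- $(ls -ldn "$dir")
    mode=$1 uid=$3
    [ "$uid" = "$(id -u)" ] || return 1
    case "$mode" in
        ?????w*|????????w*) return 1 ;;   # group- or world-writable
    esac
    return 0
}

# pidfile_content_valid FILE
# Succeeds only if FILE holds exactly one positive integer greater than 1.
# "-1" (every process), "1" (init) and multiple tokens are all rejected,
# since a privileged stop would otherwise pass them straight to kill(1).
pidfile_content_valid() {
    content=$(cat "$1" 2>/dev/null) || return 1
    case "$content" in
        ''|*[!0-9]*) return 1 ;;   # empty, sign, whitespace, letters
    esac
    [ "$content" -gt 1 ]
}

# proc_name PID
# Prints the short command name of PID, via /proc on Linux or ps elsewhere;
# prints nothing if the process cannot be inspected.
proc_name() {
    if [ -r "/proc/$1/comm" ]; then
        cat "/proc/$1/comm"
    else
        basename "$(ps -o comm= -p "$1" 2>/dev/null)"
    fi
}

# safe_pid_for_kill FILE EXPECTED_NAME
# Runs all checks and additionally verifies that the PID is alive and
# names the expected daemon, so a stale or attacker-chosen PID is never
# signalled.  Prints the PID on success, nothing on failure.
safe_pid_for_kill() {
    file=$1 expected=$2
    [ -n "$expected" ] || return 1
    pidfile_dir_safe "${file%/*}" || return 1
    pidfile_content_valid "$file" || return 1
    pid=$(cat "$file")
    kill -0 "$pid" 2>/dev/null || return 1
    [ "$(proc_name "$pid")" = "$expected" ] || return 1
    echo "$pid"
}

# Demonstration on constructed inputs: this shell's own PID stands in for
# the daemon, and evil.pid holds the kind of value a writable PID file
# could be made to contain.
demo_dir=$(mktemp -d)
printf '%s\n' "$$" > "$demo_dir/good.pid"
printf '%s\n' "-1"  > "$demo_dir/evil.pid"
if safe_pid_for_kill "$demo_dir/good.pid" "$(proc_name $$)" >/dev/null; then
    echo "good.pid: safe to signal"
fi
if ! safe_pid_for_kill "$demo_dir/evil.pid" "$(proc_name $$)" >/dev/null; then
    echo "evil.pid: refused (would have become 'kill -- -1')"
fi
rm -rf "$demo_dir"
```

The directory check is the one that maps directly onto the fix the report proposes: keeping the PID file under a root-owned /run and letting OpenRC create it as root:root means the file's parent can never be written by the daemon user, so the content can be trusted without any of the later checks. The content and process-name checks are defence in depth for init scripts that still place the PID file somewhere the service account can write.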
Comment 1 Zac Medico gentoo-dev 2017-09-01 22:31:30 UTC
Fixed in 0.8.0-r2:

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=40f02a0eaee5422f5eeb2b3dd7c7dd5c6b926cd5

There are no older versions to remove.