Bug 629202 - <app-emulation/docker-registry-2.6.2-r1: privilege escalation via PID file manipulation
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: ~3 [noglsa]
Keywords:
Depends on:
Blocks:
Reported: 2017-08-28 16:16 UTC by Michael Orlitzky
Modified: 2017-09-02 13:38 UTC

See Also:
Package list:
=app-emulation/docker-registry-2.6.2-r1
Runtime testing required: ---


Description Michael Orlitzky gentoo-dev 2017-08-28 16:16:32 UTC
The init script for docker-registry gives ownership of the PID file directory to the same user that the daemon runs as:

  start_pre() {
    checkpath -d -m 0755 -o "${user}":"${group}" "${pidfile%/*}"
  }

As a result, the registry user can write whatever he wants into the PID file. Later, that may be exploitable: when the service is stopped, root will call "kill" on the contents of that file.

But there's good news: there's no reason for the call to "checkpath" above. With command_background="true", OpenRC creates the PID file as root:root, and the "checkpath" can be deleted if you store the PID file directly in /run.

Some other minor improvements to consider while you're touching the init script:

  1. Update $SVCNAME to $RC_SVCNAME.

  2. Use command_user for the user/group instead of start_stop_daemon_args.

  3. "after net" is redundant in light of "need net".

  4. Using $SVCNAME in $command is not really semantically correct.
     If you ever try to symlink the init script to run two daemons at once,
     the command should remain the same, and not become whatever the
     name of the symlink is.

  5. The ebuild and init script set things up halfway for a fixed user/group,
     and halfway for a variable user/group. For example, we have

       fowners ${SVCNAME}:${SVCNAME} /var/{lib,log}/${SVCNAME}

     in the ebuild but no associated checkpath call in the ebuild. If the
     $user or $group variable changes, the user/group won't be able to access
     the log file. If there's no need to change the user/group, you would
     be better off setting things up in the ebuild, and then not doing
     anything in the init script. But if you want the end user to be able
     to change the $user and $group variables, then there's no point in doing
     things in the ebuild -- they need to be done in the init script anyway.
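As an added example (not the init script from the fix commit), an OpenRC init script laid out the way the description recommends, plus a stop_pre guard that refuses to act on a malformed PID file; the binary path, config path, user and group names are assumptions:

```shell
# Added illustration, not the script from the Gentoo commit. Installed as
# /etc/init.d/docker-registry with the "#!/sbin/openrc-run" shebang.
# Binary path, config path, user and group names are assumptions.

: "${user:=docker-registry}"
: "${group:=docker-registry}"

# PID file directly in /run: with command_background OpenRC writes it as
# root:root, so the service user cannot overwrite it and the checkpath on a
# daemon-owned directory (the start_pre from the report) is not needed.
pidfile="/run/${RC_SVCNAME}.pid"

# Fixed command, independent of the init script's (symlink) name.
command="/usr/bin/docker-registry"
command_args="serve /etc/docker-registry/config.yml"
command_background="true"
command_user="${user}:${group}"   # replaces start_stop_daemon_args -u/-g

depend() {
    need net                       # "after net" is implied by "need net"
}

# Returns 0 only if the string is a single PID greater than 1: rejects
# empty input, "-1"/"0"/"1" (kill -1 signals every process), and input
# with more than one field or any non-digit character.
pid_contents_ok() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -gt 1 ]
}

# Defense in depth: even with a root-owned PID file, never hand root's
# "kill" a value that is not a plausible single PID.
stop_pre() {
    if [ -f "${pidfile}" ]; then
        pid_contents_ok "$(cat "${pidfile}")" \
            || { eerror "refusing to stop: bad PID in ${pidfile}"; return 1; }
    fi
}
```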
Comment 1 Michael Orlitzky gentoo-dev 2017-08-28 16:18:11 UTC
> in the ebuild but no associated checkpath call in the ebuild.

This should be: no associated checkpath call in the *init script*.
Comment 2 Zac Medico gentoo-dev 2017-09-01 22:16:02 UTC
Fixed in 2.6.2-r1:

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0eea13ca58aba2306a979fdc0bd307bccedbfe60

There are no older versions to remove.