Created attachment 491034
uptimed.init-r1

The init script for uptimed gives ownership of its PID file directory to the same user that the daemon runs as:

    start_pre() {
        checkpath -q -d -o uptimed ${pidfile%/*}
    }

That's currently necessary because of the way the daemon is invoked,

    start_stop_daemon_args="-u uptimed"

but it poses a small security risk: the uptimed user can write whatever he wants in that file, and later, root will call "kill" on its contents in order to stop the service.

Normally the daemon would drop privileges itself, after creating the PID file, but uptimed doesn't know how to do that. Instead, we can work around the issue by running uptimed in the foreground, and having OpenRC background it for us. Then the PID file is created as root, and we can store it in /run/uptimed.pid. Afterwards, uptimed itself runs as a restricted user.

I'm attaching an init script that seems to do the trick.
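The approach described in the comment above (foreground daemon, OpenRC does the backgrounding, root-owned PID file in /run), written out as an added example OpenRC service script. This is not the attached uptimed.init-r1 and not the Gentoo package's own script; it assumes that uptimed accepts a "-f" switch to stay in the foreground, which you should confirm against your version's usage output before relying on it.

```shell
#!/sbin/openrc-run
# Added example, not the attached uptimed.init-r1.
# Goal: the PID that root passes to "kill" on stop must never be chosen by
# the unprivileged uptimed account.
#
# The weak pattern this replaces handed the PID directory to the daemon user:
#     start_pre() { checkpath -q -d -o uptimed ${pidfile%/*} }
#     start_stop_daemon_args="-u uptimed"
# so the uptimed user could write any PID into the file root later kills.

description="Uptime record daemon"

command="/usr/sbin/uptimed"

# Assumption: "-f" keeps uptimed in the foreground (verify with: uptimed -h).
# With the daemon in the foreground, uptimed never forks and never writes a
# PID file of its own.
command_args="-f"

# start-stop-daemon forks and writes ${pidfile} from the parent, which runs
# as root, so the file's contents come from root's fork() result, not from
# anything the daemon user can influence.
command_background="yes"

# Only the daemon process itself is switched to the restricted account.
command_user="uptimed"

# /run is root-owned and not writable by the uptimed user, so no start_pre()
# chown of the PID directory is needed any more.
pidfile="/run/uptimed.pid"

depend() {
	need localmount
	after bootmisc
}
```

After `rc-service uptimed start`, `stat -c '%U %a' /run/uptimed.pid` should report the file as owned by root with a non-world-writable mode, while `ps -o user= -p "$(cat /run/uptimed.pid)"` should report the process running as uptimed; that pair of checks is the quickest way to confirm the privilege split took effect.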
commit 3eaffbeb6908660dc67de8a0fb8526de7dab9154 (HEAD -> master, origin/master, origin/HEAD)
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Tue Aug 29 01:04:03 2017

    app-misc/uptimed: Revbump to fix PID file sec issue (bug #629238).

    Thanks to Michael Orlitzky for finding the issue and providing a fixed init script. Bumped straight to stable.

    Package-Manager: Portage-2.3.8, Repoman-2.3.3
@security: please add to an existing GLSA or file a new one.

Gentoo Security Padawan
ChrisADR
While the user can "escalate" privileges to that of the uptimed user, the process running under root is only killing services. This is effectively a DoS scenario.

Michael, thanks for all of the great PID file work you have been doing!