Bug 629950 - <mail-filter/rspamd-1.8.3: privilege escalation via PID file manipulation
Summary: <mail-filter/rspamd-1.8.3: privilege escalation via PID file manipulation
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: ~3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-09-05 11:51 UTC by Michael Orlitzky
Modified: 2019-04-13 02:39 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments
rspamd.init-r6 (rspamd, 1.24 KB, text/plain)
2017-09-05 11:51 UTC, Michael Orlitzky

Description Michael Orlitzky gentoo-dev 2017-09-05 11:51:00 UTC
Created attachment 492422
rspamd.init-r6

The rspamd init script gives ownership of its PID file directory to the "rspamd" user:

  RUNDIR=/var/run/rspamd
  PIDFILE=$RUNDIR/rspamd.pid
  ...
  checkpath -d $RUNDIR -m 2750 -o rspamd:rspamd

This can be exploited by the "rspamd" user to kill root processes: when the rspamd service is stopped, root sends a SIGTERM to the contents of the PID file, which can be manipulated by the rspamd user.

I rewrote the init script to launch rspamd as root, letting it create the PID file as root before dropping privileges itself to rspamd:rspamd. It looks like it works, but I don't know what rspamd is supposed to do, so please test it.

Some random points:

  1. The "reload" action sometimes crashes the daemon, but it's not consistent.
     I don't think I broke this, at least -- it still just sends a HUP to the
     main rspamd PID.

  2. The "rspamd" binary now has its own "--config-test" flag. Would that be
     useful in the checkconfig() function? (Or does it do the same thing?)
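The checks a root-run stop action needs before it trusts a PID file, as an added example (not the attached init script or anything from the rspamd ebuild): the file and its directory must be owned by the expected uid and not group- or world-writable, and the PID inside must name a live process running as the service user, so a PID written by the service user can never steer root's SIGTERM at a root process. It assumes Linux (GNU stat -c and /proc/<pid> owned by the process's effective uid); the function names are mine.

```shell
# pidfile_is_trusted PIDFILE OWNER_UID
# Succeeds only if PIDFILE and its directory are owned by OWNER_UID (0 in a
# real init script) and neither is group- or world-writable.  This is the
# property the vulnerable script lacked: /var/run/rspamd was 2750 rspamd:rspamd,
# so the "rspamd" user could replace the PID file.
pidfile_is_trusted() {
    pf=$1; want=$2
    dir=$(dirname "$pf")
    [ -f "$pf" ] || return 1
    for path in "$pf" "$dir"; do
        uid=$(stat -c %u "$path") || return 1
        perm=$(stat -c %A "$path") || return 1     # e.g. drwxr-s---
        [ "$uid" = "$want" ] || return 1
        case $perm in
            ?????w*|????????w*) return 1 ;;       # group or other write bit set
        esac
    done
    return 0
}

# pidfile_pid_belongs_to PIDFILE SERVICE_UID
# Succeeds only if the first line of PIDFILE is a positive integer greater
# than 1, the process exists, and it runs as SERVICE_UID.  A PID that points
# at a root process (uid 0) is rejected, which is exactly the kill-root case
# described in the report.
pidfile_pid_belongs_to() {
    pf=$1; want=$2
    read -r pid < "$pf" || return 1
    case $pid in
        ''|*[!0-9]*) return 1 ;;                  # empty or not purely numeric
    esac
    [ "$pid" -gt 1 ] || return 1
    uid=$(stat -c %u "/proc/$pid" 2>/dev/null) || return 1   # no such process -> fail
    [ "$uid" = "$want" ]
}

# How a stop() would use them (hypothetical; rspamd uid looked up at runtime):
#   pidfile_is_trusted "$PIDFILE" 0 \
#     && pidfile_pid_belongs_to "$PIDFILE" "$(id -u rspamd)" \
#     && kill -TERM "$(head -n1 "$PIDFILE")"
```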
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2019-01-16 12:56:09 UTC
Oh, I noticed the same this night (https://github.com/gentoo/gentoo/pull/10598#issuecomment-454635163).

I have rewritten the entire runscript.
Problem with PID should be solved now because rspamd.pid is now created in /run/rspamd.pid instead of /run/rspamd/rspamd.pid and is therefore only writable for root.
And checkconfig now uses rspamd, too...

@ mjo: Can you please verify if you agree with my solution?
Comment 2 Michael Orlitzky gentoo-dev 2019-01-19 00:06:06 UTC
(In reply to Thomas Deutschmann from comment #1)
> 
> @ mjo: Can you please verify if you agree with my solution?

LGTM
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2019-03-10 05:00:06 UTC
(In reply to Thomas Deutschmann from comment #1)
> Oh, I noticed the same this night
> (https://github.com/gentoo/gentoo/pull/10598#issuecomment-454635163).
> 
> I have rewritten the entire runscript.
> Problem with PID should be solved now because rspamd.pid is now created in
> /run/rspamd.pid instead of /run/rspamd/rspamd.pid and is therefore only
> writeable for root.
> And checkconfig now uses rspamd, too...
> 
> @ mjo: Can you please verify if you agree with my solution?

Which version is fixed?
Comment 4 Aaron Bauman (RETIRED) gentoo-dev 2019-04-13 02:39:26 UTC
tree is clean