Bug 631142 - <net-analyzer/prometheus-1.8.0: privilege escalation via PID file manipulation
Summary: <net-analyzer/prometheus-1.8.0: privilege escalation via PID file manipulation
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL:
Whiteboard: ~3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-09-16 18:17 UTC by Michael Orlitzky
Modified: 2017-10-26 01:28 UTC

See Also:
Package list:
Runtime testing required: ---


Description Michael Orlitzky gentoo-dev 2017-09-16 18:17:30 UTC
The init script for prometheus gives ownership of its PID file directory to the prometheus $user:

  start_pre() {
      checkpath -d -m 0755 -o "${user}":"${group}" "${pidfile%/*}"
  }

That can be exploited by $user to kill root processes, since when the service is stopped, root will send a sigterm to the contents of the PID file (which are controlled by $user).

Fortunately, the call to checkpath above is superfluous, and the PID file is already created as root. The vulnerability can be avoided by deleting start_pre() and then setting

  pidfile="/run/${RC_SVCNAME}.pid"

at the top of the init script.

Some unrelated suggestions:

  1. Update the deprecated SVCNAME to RC_SVCNAME.
  2. Use the command_user variable instead of passing --user and --group to
     start-stop-daemon.
  3. The

       user=${user:-default}

     construct can also be written

       : ${user:=default}

  4. Changing $user and $group won't work because the log file permissions
     will be wrong. If it's all the same, you might just hard-code those
     variables to "prometheus".
  5. One of "need net" and "after net" is redundant.
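Added example, not code from the bug report or from the prometheus ebuild: a stop-side sanity check that an init script could run before signalling the PID read from its PID file. It refuses when the PID file's directory is not owned by the caller (root, in an init script) or is group/world-writable (the condition described above), when the PID file is a symlink or not a regular file owned by the caller, when its contents are not a bare PID, or when that PID belongs to a process not owned by the service user. The function name, the Linux /proc lookup (with a ps fallback) and the `test -O` extension are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Gentoo's init script): refuse to signal a PID read from a
# PID file unless the file, its directory and the target process all check out.
# Assumes Linux /proc (falls back to ps) and the common "test -O" extension.

# check_pidfile PIDFILE SERVICE_USER: prints a reason and returns 1 on refusal.
check_pidfile() {
    pidfile=$1 svcuser=$2
    dir=${pidfile%/*}

    # Directory: must belong to the caller and not be writable by group/others,
    # otherwise the service user can swap in a PID file naming a root process.
    [ -d "$dir" ] && [ -O "$dir" ] || { echo "refuse: $dir not owned by caller"; return 1; }
    case $(ls -ld "$dir" | cut -c1-10) in
        ?????w*|????????w*) echo "refuse: $dir is group/world-writable"; return 1 ;;
    esac

    # File: a regular file (not a symlink) owned by the caller.
    [ -f "$pidfile" ] && [ ! -L "$pidfile" ] && [ -O "$pidfile" ] \
        || { echo "refuse: $pidfile is not a regular file owned by caller"; return 1; }

    # Contents: exactly one positive decimal number.
    pid=$(head -n 1 "$pidfile" | tr -d '[:space:]')
    case $pid in
        ''|0|*[!0-9]*) echo "refuse: bad pid '$pid'"; return 1 ;;
    esac

    # Process: its real uid must be the service user's uid.
    want=$(id -u "$svcuser" 2>/dev/null) || { echo "refuse: unknown user $svcuser"; return 1; }
    if [ -r "/proc/$pid/status" ]; then
        have=$(awk '/^Uid:/ { print $2 }' "/proc/$pid/status")
    else
        have=$(ps -o uid= -p "$pid" 2>/dev/null | tr -d ' ')
    fi
    [ -n "$have" ] && [ "$have" = "$want" ] \
        || { echo "refuse: pid $pid not owned by $svcuser (uid ${have:-?} vs $want)"; return 1; }
    echo "ok: pid $pid owned by $svcuser"
}
```

Keeping the PID file directory root-owned, as the fix above does, is what makes the first two checks pass in a correctly written init script; the remaining checks catch a stale or tampered PID before root acts on it.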
Comment 1 Manuel Rüger (RETIRED) gentoo-dev 2017-10-26 01:15:52 UTC
All vulnerable versions should be removed.