This init script for flower gives ownership of its PID file directory to the daemon's runtime user:

  start_pre() {
      checkpath -d -m 0755 -o "${user}":"${group}" "${pidfile%/*}"
  }

That can be exploited by $user to kill root processes, since when the service is stopped, root will send a SIGTERM to the contents of the PID file (which are controlled by $user).

Fortunately, the PID file is already created as root:root, so the call to checkpath above is superfluous, and the issue can be fixed by setting,

  pidfile="/run/${RC_SVCNAME}.pid"

and by deleting the start_pre() function entirely.

Some unrelated suggestions:

1. Change the deprecated $SVCNAME to $RC_SVCNAME

2. Use command_user instead of --user and --group in start_stop_daemon_args.

3. One of "need net" and "after net" is redundant.

4. The ebuild runs,

  fowners ${PN}:${PN} /var/log/${PN}

but the init script gives you the ability to switch users. If the user and group are ever switched, the ownership information on /var/log/flower will be wrong. Unless there's a good reason for it, I would settle on user=group=flower and leave it unconfigurable.
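
A static check for the pattern reported above, as an added example that is not part of the original report or of the flower ebuild: it flags an init script whose checkpath call passes a non-root owner with -o on a line that mentions pidfile. The function names and both sample scripts are constructed for illustration, and matching only a one-line call that uses -o is a simplifying assumption.

```shell
#!/bin/sh
# Added example, not from the flower ebuild: flag init scripts whose
# checkpath call gives the PID file directory to a non-root owner.

# audit_initscript FILE
# Prints offending lines as FILE:LINE:text; returns 1 if any are found.
# Heuristic (assumption): the call sits on one line that mentions "pidfile"
# and passes the owner with -o, as in the script quoted in the report.
audit_initscript() {
    awk '
        /^[ \t]*#/ { next }                  # ignore comment lines
        /checkpath/ && /pidfile/ {
            owner = ""
            for (i = 1; i < NF; i++)
                if ($i == "-o") owner = $(i + 1)
            gsub(/"/, "", owner)
            sub(/:.*/, "", owner)            # keep the user part of user:group
            if (owner != "" && owner != "root" && owner != "0") {
                printf "%s:%d:%s\n", FILENAME, NR, $0
                bad = 1
            }
        }
        END { exit bad + 0 }
    ' "$1"
}

# write_samples DIR: constructed inputs (not the real flower files).
write_samples() {
    cat > "$1/before.initd" <<'EOF'
pidfile="/run/example/example.pid"
start_pre() {
    checkpath -d -m 0755 -o "${user}":"${group}" "${pidfile%/*}"
}
EOF
    cat > "$1/after.initd" <<'EOF'
# start_pre() and its checkpath call removed
pidfile="/run/${RC_SVCNAME}.pid"
EOF
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for f in "$demo_dir"/*.initd; do
    if audit_initscript "$f"; then echo "ok: ${f##*/}"; else echo "FLAGGED: ${f##*/}"; fi
done
rm -rf "$demo_dir"
```
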
Fixed in 0.9.1-r1:
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=54fcfe2d700b35705ce973ef2dab40212854b3b3

There are no older versions to remove.
This bug will be kept open for CVE assignment, the CVE has been requested.

Gentoo Security Padawan
Kivak