Created attachment 494768
The init script for smokeping gives ownership of its PID file directory to the "smokeping" user:
checkconfig || return 1
checkpath -d -m 0755 -o smokeping:smokeping /run/smokeping
This can be exploited by the "smokeping" user to kill root processes, since when the service is stopped, root will send a SIGTERM to the contents of the PID file (which are under the control of the "smokeping" user).
Since smokeping cannot drop privileges itself, there is no way to safely use the PID file that it creates: to run as a restricted user, we need start-stop-daemon to execute smokeping as a restricted user, after which it's already too late.
I've rewritten the init script to work around this by passing "--nodaemon" to smokeping, and by letting OpenRC background it and manage its PID file. Since smokeping insists on writing a PID file (it won't start otherwise), I've modified the ebuild to stick the unsafe PID file in /var/lib/smokeping. Now that /run/smokeping is unused, the tmpfiles.d entry is no longer needed.
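The attack above in miniature, as an added example that is not part of the bug report, the smokeping ebuild or its init script: a PID file living in a directory the service user owns can be replaced with any number (PID 1, a root-owned process, or a shell fragment), and a stop action that does `kill $(cat pidfile)` as root will act on it. The thread's actual fix is to let start-stop-daemon create the PID file in a root-owned location; the `verify_pidfile` function here is a defence-in-depth check of the kind a stop action can run before signalling anything, refusing symlinks, non-numeric contents, PID 1, and any process whose real UID is not the expected service user's. The temp-directory layout, the user name "smokeping" and the function names are assumptions for the demo; it reads /proc, so it is Linux-specific.

```shell
#!/bin/sh
# Added example, not project code. Demonstrates why a PID file in a directory
# writable by the service user must not be trusted, and a check that refuses
# to signal a PID that does not belong to the expected user.

# Real UID of a running process (from /proc), or nothing if it does not exist.
pid_uid() {
    awk '/^Uid:/ { print $2 }' "/proc/$1/status" 2>/dev/null
}

# verify_pidfile PIDFILE USER
# Succeeds only if PIDFILE is a regular file whose first line is a single
# numeric PID greater than 1, and that PID currently runs as USER.
verify_pidfile() {
    pidfile=$1
    want_user=$2
    # A symlink planted by the service user could point anywhere; refuse it.
    [ -L "$pidfile" ] && return 1
    [ -f "$pidfile" ] || return 1
    pid=$(head -n 1 "$pidfile" 2>/dev/null) || return 1
    # Digits only: rejects "", "1; reboot", "123 456" and similar.
    case $pid in
        ''|*[!0-9]*) return 1 ;;
    esac
    # PID 1 is never a service we started.
    [ "$pid" -gt 1 ] || return 1
    # Unknown user means we cannot validate ownership; refuse.
    want_uid=$(id -u "$want_user" 2>/dev/null) || return 1
    [ "$(pid_uid "$pid")" = "$want_uid" ]
}

# What a naive stop action would signal as root: whatever the file says.
naive_target() {
    cat "$1"
}

# Constructed demo: a "run" directory owned by the current user stands in for
# /run/smokeping owned by smokeping:smokeping.
demo_dir=$(mktemp -d)
echo "$$" > "$demo_dir/smokeping.pid"          # honest content: our own PID
if verify_pidfile "$demo_dir/smokeping.pid" "$(id -un)"; then
    echo "honest pidfile accepted for $(id -un)"
fi
echo 1 > "$demo_dir/smokeping.pid"             # hostile content: PID 1
echo "naive stop would kill PID $(naive_target "$demo_dir/smokeping.pid")"
if ! verify_pidfile "$demo_dir/smokeping.pid" "$(id -un)"; then
    echo "hostile pidfile refused"
fi
rm -rf "$demo_dir"
```

The check is only a mitigation: a service user who can write the file can still point it at one of their own processes, which is harmless, but cannot redirect a root-sent SIGTERM at a root process. Having root create the PID file in a root-owned directory, as the rewritten init script does, removes the writable file entirely.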
Created attachment 494770
One more thing: I dropped the line,
checkpath -d -m 0755 -o smokeping:smokeping /var/cache/smokeping
because /var/cache/smokeping doesn't appear in the config anywhere (and apparently systemd doesn't need it). If I messed that up, just add it back.
@maintainer(s), ebuild provided, please call for stabilization when ready, thank you.
Gentoo Security Padawan
Daj Uan (jmbailey/mbailey_j)
(In reply to jmbailey from comment #3)
> @maintainer(s), ebuild provided, please call for stabilization when ready,
> thank you.
> Gentoo Security Padawan
> Daj Uan (jmbailey/mbailey_j)
The ebuild would need to be in the tree first.
(In reply to Michael Orlitzky from comment #1)
> Created attachment 494770 [details]
It looks like this new init.d script does not fix bug #602652.
(In reply to Jeroen Roovers from comment #5)
> (In reply to Michael Orlitzky from comment #1)
> > Created attachment 494770 [details]
> > smokeping.init.5
> It looks like this new init.d script does not fix bug #602652.
That said, I have added it in 2.7.1.
--nodaemon breaks event logging to syslog bug #651212