Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 642200 - www-servers/thin: privilege escalation via PID file manipulation
Summary: www-servers/thin: privilege escalation via PID file manipulation
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
Whiteboard: B1 [glsa+]
Depends on:
Reported: 2017-12-25 11:04 UTC by Michał Górny
Modified: 2020-07-27 00:51 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2017-12-25 11:04:50 UTC
It seems that thin server stores server PIDs somewhere and signals them without actually verifying that the PID is still valid and belongs to the thin server. In other words, if thin server dies before the kill, it can kill random processes reusing the same PID.

Stopping server on ... 
Sending QUIT signal to process 21488 ... 

process not found!

Sending KILL signal to process 21488 ... 

/var/www/ `kill': No such process (Errno::ESRCH)

	from /var/www/ `force_kill'

	from /var/www/ `rescue in send_signal'

	from /var/www/ `send_signal'

	from /var/www/ `kill'

	from /var/www/ `block in stop'

	from /var/www/ `tail_log'

	from /var/www/ `stop'

	from /var/www/ `run_command'

	from /var/www/ `run!'

	from /usr/lib64/ruby/gems/2.2.0/gems/thin-1.7.2/bin/thin:6:in `<top (required)>'

	from /usr/bin/thin:9:in `load'

	from /usr/bin/thin:9:in `<main>'
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2017-12-25 15:01:28 UTC
The thin init script gives ownership of its PID file directory to its runtime user:

  start_pre() {
          # If the path to the pidfile is /var/run/thin/foo/
          # then checkpath will fail if /var/run/thin/ does not exist.
          # This caught infra...
          d=$(dirname ${THIN_PID})
          mkdir -p "$d"
          checkpath -d -m 0775 -o ${THIN_USER}:${THIN_GROUP} "$d"

That can be exploited by $THIN_USER to kill root processes, since when the service is stopped, root sends a SIGTERM to the contents of the PID file (which are controlled by $THIN_USER).

If it is really necessary that the PIDFILE location is owned by $THIN_USER than it looks like the privilege drop happens before the PID file gets written, so the PID file winds up being owned by the runtime user (and thus we require the parent directory to be writable by it).

You may be able to work around the issue by having OpenRC background the process and manage its PID file when you run thin in non-daemon mode.

With the daemon running in the foreground, you can set


in the init script, and OpenRC will take care of the PID file for you. At which point it becomes appropriate to set


and to drop the start_pre() function. Since /run is owned by root, that will avoid the vulnerability.
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-14 00:45:52 UTC
From db2de955d5f996cecf3495d50fa264683a43e13f Mon Sep 17 00:00:00 2001
From: Hans de Graaff <>
Date: Wed, 20 Nov 2019 18:53:40 +0100
Subject: www-servers/thin: remove last-rited package

Signed-off-by: Hans de Graaff <>
 www-servers/thin/Manifest            |  1 -
 www-servers/thin/files/thin.confd-2  | 39 ----------------
 www-servers/thin/files/thin.initd-r4 | 87 -----------------------------------
 www-servers/thin/metadata.xml        | 16 -------
 www-servers/thin/thin-1.7.2.ebuild   | 88 ------------------------------------
 5 files changed, 231 deletions(-)
 delete mode 100644 www-servers/thin/Manifest
 delete mode 100644 www-servers/thin/files/thin.confd-2
 delete mode 100644 www-servers/thin/files/thin.initd-r4
 delete mode 100644 www-servers/thin/metadata.xml
 delete mode 100644 www-servers/thin/thin-1.7.2.ebuild
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2020-07-27 00:51:28 UTC
This issue was resolved and addressed in
 GLSA 202007-40 at
by GLSA coordinator Sam James (sam_c).