Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 11 Sep 2017 21:21:42 +0100
From: Simon McVittie <smcv@...ian.org>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2017-12847: nagios-core privilege escalation
 via PID file manipulation

On Mon, 11 Sep 2017 at 15:58:45 -0400, Michael Orlitzky wrote:
> With OpenRC
> we get to cheat a little, because we always have the option to run the
> daemon in the foreground and supervise it.

For SysV, if you don't need readiness-notification (for daemons that
other daemons don't depend on, so the ones where Type=simple would be
acceptable in a systemd unit) then Debian's start-stop-daemon can provide
the daemonization, and create a pid file if desired. This isn't proper
supervision, but does give the ability to write the daemon as though it
relied on being supervised.

start-stop-daemon is shipped as part of dpkg for historical reasons, but
I doubt it changes very often. If SysV init script writers wanted to spin
it off into a separate upstream project, then it could perhaps eventually
become non-Essential in Debian (since it isn't necessary if a machine boots
with systemd and all the daemons on that machine have native systemd units),
and that seems like a potential win for everyone?

(Also, one of the most vocally SysV-based distributions is a
Debian derivative, so they have start-stop-daemon anyway.)

    S

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ