From 403c2a4753db50897370442f907438357bc5f03b Mon Sep 17 00:00:00 2001
From: Jonathan Druart
Date: Thu, 14 May 2020 16:04:20 +0200
Subject: [PATCH] Bug 25481: Pass --user to start-stop-daemon when a pidfile is used
Since D10, the behaviour of start-stop-daemon changed, see from its manual: """ Warning: using this match option with a world-writable pidfile or using it alone with a daemon that writes the pidfile as an unprivileged (non-root) user will be refused with an error (since version 1.19.3) as this is a security risk, because either any user can write to it, or if the daemon gets compromised, the contents of the pidfile cannot be trusted, and then a privileged runner (such as an init script executed as root) would end up acting on any system process. Using /dev/null is exempt from these checks. """ Test plan: koha-plack --restart kohadev should success with this patch. Without this patch you get: start-stop-daemon: matching only on non-root pidfile /var/run/koha/kohadev/plack.pid is insecure
Signed-off-by: Nick Clemens
Signed-off-by: Victor Grousset/tuxayo
Signed-off-by: Tomas Cohen Arazi
Signed-off-by: Martin Renvoize
Signed-off-by: Joy Nelson
---
 debian/scripts/koha-functions.sh | 2 ++
 debian/scripts/koha-plack | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/debian/scripts/koha-functions.sh b/debian/scripts/koha-functions.sh
index 9d42bae9e0..aab5ebef08 100755
--- a/debian/scripts/koha-functions.sh
+++ b/debian/scripts/koha-functions.sh
@@ -269,6 +269,7 @@ is_plack_running()
 local instancename=$1
 if start-stop-daemon --pidfile "/var/run/koha/${instancename}/plack.pid" \
+ --user="$instancename-koha" \
 --status ; then
 return 0
 else
@@ -292,6 +293,7 @@ is_z3950_running()
 local instancename=$1
 if start-stop-daemon --pidfile "/var/run/koha/${instancename}/z3950-responder.pid" \
+ --user="$instancename-koha" \
 --status ; then
 return 0
 else
diff --git a/debian/scripts/koha-plack b/debian/scripts/koha-plack
index e541d44178..90da6cbd36 100755
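Review bot: The reason for `--user` in is_plack_running is recorded only in the commit message, so a later cleanup could drop the option and bring back the "matching only on non-root pidfile ... is insecure" refusal. A comment above the `if` would preserve it, for example `# non-root pidfile: also match on --user, start-stop-daemon >= 1.19.3 refuses a pidfile-only match`. The same comment applies to the is_z3950_running hunk and to stop_plack in debian/scripts/koha-plack. These two hunks write `"$instancename-koha"` while stop_plack writes `"${instancename}-koha"`; the braced form also matches the pidfile path on the line above. Both functions start and end outside their hunks.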
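Review bot: is_z3950_running now matches on `--user`, but this patch touches no stop path for the z3950 responder, whereas Plack gets its `--stop` call updated in stop_plack. If the responder is stopped by a pidfile-only `start-stop-daemon --stop` somewhere outside this diff, that call would presumably still be refused on start-stop-daemon 1.19.3 and later, leaving status working and stop failing. The responder's stop and restart code is worth checking, and the test plan should cover it, since it currently exercises only `koha-plack --restart`.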
--- a/debian/scripts/koha-plack
+++ b/debian/scripts/koha-plack
@@ -144,7 +144,7 @@ stop_plack()
 log_daemon_msg "Stopping Plack daemon for ${instancename}"
- if start-stop-daemon --pidfile ${PIDFILE} --stop --retry=TERM/30/KILL/5; then
+ if start-stop-daemon --pidfile ${PIDFILE} --user="${instancename}-koha" --stop --retry=TERM/30/KILL/5; then
 log_end_msg 0
 else
 log_end_msg 1
--
2.39.5
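Review bot: On the changed line `${PIDFILE}` is still expanded unquoted, right next to the newly quoted `--user` value; `--pidfile "${PIDFILE}"` avoids word splitting and matches how the pidfile path is quoted in koha-functions.sh. With `--user`, the `--stop --retry=TERM/30/KILL/5` is confined to processes owned by `${instancename}-koha`, but the PID still comes from a non-root pidfile, so any other process of that user could be matched. Adding `--name` or `--exec` for the Plack server process would narrow the match further, provided its name or path is stable, which this hunk does not show. stop_plack starts and ends outside the hunk.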