On Fr, 19.02.21 15:12, Frank Thommen (systemd-devel@xxxxxxxxxxxxxxxx) wrote:

> Dear all,
>
> I am experiencing the issue, that an unprivileged user can kill
> root-owned processes by changing a service's PIDFile.

The file referenced by PIDFile= should not be under control of an
unpriv user.

v219 is more than 5 years old. Since then we have tightened controls:
we now automatically detect whether the PID file is under control of
unprivileged users either directly, or because a symlink is used in
the path that is controlled by an unprivileged user, in which case
we'll log about this. We'll also ignore the PID file if the listed PID
doesn't actually belong to the cgroup of the service.

See documentation about PIDFile= in current versions:

https://www.freedesktop.org/software/systemd/man/systemd.service.html#PIDFile=

But in general: don't do this! It's simply not safe, neither on
systemd nor any other init system. The whole PID concept of UNIX is
racy anyway but giving unprivileged users control on it is even worse.

PID files are mostly a SysV construct. A better replacement is using
Type=notify or Type=simple services that do not fork unnecessarily,
and thus do not need to communicate their main PID explicitly.

Lennart

--
Lennart Poettering, Berlin
_______________________________________________
systemd-devel mailing list
systemd-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
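
The condition described in the reply above (a PID file that is under unprivileged control either directly or through a symlink in its path) can be audited on a host with a short script. This is an added example, not part of the original message and not systemd's own implementation; the function name `audit_pidfile_path`, the trusted-UID set and the default path are assumptions, and the writability test is deliberately conservative.

```python
import os
import stat
import sys

def audit_pidfile_path(pidfile, trusted_uids=frozenset({0})):
    """Walk every component of the PID file path and return [(path, reason)]
    for each one that a user outside trusted_uids could replace or redirect."""
    findings = []
    target = os.path.abspath(pidfile)
    current, components = os.sep, [os.sep]
    for part in target.strip(os.sep).split(os.sep):
        current = os.path.join(current, part)
        components.append(current)
    for comp in components:
        try:
            st = os.lstat(comp)  # lstat: inspect a symlink itself, not its target
        except FileNotFoundError:
            break  # PID file not written yet; its parents were already checked
        if stat.S_ISLNK(st.st_mode):
            # Symlink permission bits are meaningless on Linux; ownership matters.
            if st.st_uid not in trusted_uids:
                findings.append((comp, "symlink owned by untrusted uid %d" % st.st_uid))
            continue
        if st.st_uid not in trusted_uids:
            findings.append((comp, "owned by untrusted uid %d" % st.st_uid))
        # Conservative: any group/other write bit is reported, sticky bit or not.
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((comp, "group/world-writable"))
    # Audit the location the symlinks actually lead to as well.
    real = os.path.realpath(target)
    if real != target:
        findings += audit_pidfile_path(real, trusted_uids)
    return findings

if __name__ == "__main__":
    # Hypothetical default path; pass the value of PIDFile= from the unit instead.
    path = sys.argv[1] if len(sys.argv) > 1 else "/run/example.pid"
    for comp, reason in audit_pidfile_path(path):
        print("%s: %s" % (comp, reason))
```

Any finding means the service is better converted to Type=notify or a non-forking Type=simple, as the reply recommends, rather than relying on the PID file.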