Date: Mon, 27 Oct 2003 15:42:26 -0500 (EST) From: Dan Langille <dan@langille.org> To: Wes Peters <wes@softweyr.com> Cc: freebsd-hackers@freebsd.org Subject: Re: non-root process and PID files Message-ID: <20031027154010.Y61203@xeon.unixathome.org> In-Reply-To: <200310271150.23193.wes@softweyr.com> References: <3F9CF3F6.8307.ABC1250@localhost> <200310271150.23193.wes@softweyr.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, 27 Oct 2003, Wes Peters wrote: > On Monday 27 October 2003 07:31 am, Dan Langille wrote: > > If a process starts up and does a setuid, should it be writing the > > PID file before or after the setuid? > > > > Two methods exists AFAIK: > > > > 1 - write your PID immediately, and the file is chown root:wheel > > 2 - write your PID to /var/run/myapp/myapp.pid where /var/run/myapp/ > > is chown myapp:myapp > > > > Of the two, I think #1 is cleaner as it does not require another > > directory with special permissions. > > > > Any suggestions? > > Create the pid file while still root, and if you are going to change the > user or group id, chown(2) or chgrp(2) the file just before setuid(2) / > setgid(2) calls. I'm told that this leaves you open to a symlink attack. If you leave the file chown root:wheel, then if an attacker does gain control of the application, they can't change the PID file. The key point is the app is root when writing the PID file. If the attacker symlinks the PID to something else (e.g. /etc/fstab), then that's when the fun starts.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20031027154010.Y61203>