Skip site navigation (1)Skip section navigation (2) 
Date:      Mon, 27 Oct 2003 13:31:03 -0800
From:      Wes Peters <wes@softweyr.com>
To:        Dan Langille <dan@langille.org>
Cc:        freebsd-hackers@freebsd.org
Subject:   Re: non-root process and PID files
Message-ID:  <200310271331.03822.wes@softweyr.com>
In-Reply-To: <20031027154010.Y61203@xeon.unixathome.org>
References:  <3F9CF3F6.8307.ABC1250@localhost> <200310271150.23193.wes@softweyr.com> <20031027154010.Y61203@xeon.unixathome.org>
next in thread | previous in thread | raw e-mail | index | archive | help 
On Monday 27 October 2003 12:42 pm, Dan Langille wrote:
> On Mon, 27 Oct 2003, Wes Peters wrote:
> > On Monday 27 October 2003 07:31 am, Dan Langille wrote:
> > > If a process starts up and does a setuid, should it be writing the
> > > PID file before or after the setuid?
> > >
> > > Two methods exists AFAIK:
> > >
> > > 1 - write your PID immediately, and the file is chown root:wheel
> > > 2 - write your PID to /var/run/myapp/myapp.pid where
> > > /var/run/myapp/ is chown myapp:myapp
> > >
> > > Of the two, I think #1 is cleaner as it does not require another
> > > directory with special permissions.
> > >
> > > Any suggestions?
> >
> > Create the pid file while still root, and if you are going to change
> > the user or group id, chown(2) or chgrp(2) the file just before
> > setuid(2) / setgid(2) calls.
>
> I'm told that this leaves you open to a symlink attack.  If you leave
> the file chown root:wheel, then if an attacker does gain control of the
> application, they can't change the PID file.  The key point is the app
> is root when writing the PID file.  If the attacker symlinks the PID to
> something else (e.g. /etc/fstab), then that's when the fun starts.

OK, bad knee-jerk design.  In the past I've always just followed the 
standard 'clean it up when the daemon is restarted' philosophy because it 
seemed safe to leave the file 'protected' this way.  For clean shutdowns, 
shutdown scripts run as root can clean up any pid file they want, right?  
If the process crashes, having the pid file available may prove helpful 
in debugging, at least in terms of log traces and such.

-- 

        Where am I, and what am I doing in this handbasket?

Wes Peters                                               wes@softweyr.com

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200310271331.03822.wes>