Package: adequate
Version: 0.15
Severity: wishlist
Hi!
I just noticed a pid file that only root can read. There is no
sensitive information there, and it prevents normal users from checking
the service status, for example.
It would be nice if adequate could check for pid files to be
world-readable. I'm not sure how it would match the package with the
pid filename though?
Thanks,
Guillem
* Guillem Jover <[email protected]>, 2015-11-19, 22:41:
>I just noticed a pid file that only root can read. There is no
>sensitive information there, and it prevents normal users from checking
>the service status, for example.
>
>It would be nice if adequate could check for pid files to be
>world-readable.
Hmm, I'm not sure there's consensus that all pid files should be
world-readable. Could you ask on debian-devel?
>I'm not sure how it would match the package with the pid filename
>though?
Maybe something like this?
dpkg -S $(readlink /proc/$(cat /path/to/pidfile)/exe)
But it's not pretty, and it would work only for the root user, and
wouldn't work for scripts...
--
Jakub Wilk
Acknowledgement sent to "Serafeim Zanikolas" <[email protected]>: Extra info received and forwarded to list. Copy sent to Debian Adequate Maintainers <[email protected]>. (Sat, 15 Jun 2024 20:15:03 GMT)
hi Guillem, good morning ;)
do you think that this bug is still relevant, especially with most daemons now
being handled internally by systemd? if so, can you please point me to a
specific package with non-readable pid file(s)?
thanks,
Serafeim
Acknowledgement sent to "Serafeim Zanikolas" <[email protected]>: Extra info received and forwarded to list. Copy sent to Debian Adequate Maintainers <[email protected]>. (Sun, 30 Jun 2024 19:45:03 GMT)
Acknowledgement sent to Guillem Jover <[email protected]>: Extra info received and forwarded to list. Copy sent to Debian Adequate Maintainers <[email protected]>. (Tue, 02 Jul 2024 01:57:03 GMT)
Hi!
On Sat, 2024-06-15 at 21:29:35 +0200, Serafeim Zanikolas wrote:
> do you think that this bug is still relevant, especially with most daemons now
> being handled internally by systemd?
Personally I think portability is very important, and systemd being
Linux-only, it means any other port cannot rely on or make use of it.
And I still think that these pid files are buggy, yes. :)
> if so, can you please point me to a
> specific package with non-readable pid file(s)?
On a bookworm system, I just listed what I had on /run and noticed
dovecot, fail2ban and smartd, for example.
Cheers,
Guillem
Acknowledgement sent to "Serafeim Zanikolas" <[email protected]>: Extra info received and forwarded to list. Copy sent to Debian Adequate Maintainers <[email protected]>. (Fri, 05 Jul 2024 19:57:04 GMT)
thanks Guillem!
that all seems reasonable to me, and I think we can rely on Debian Policy 10.9:
Files should be owned by "root:root", and made writable only by the
owner and universally readable (and executable, if appropriate), that
is mode 644 or 755.
I'll make adequate emit a tag if /run is accessible (it normally is) and pid
files therein are not readable.
now, I'm not sure of what'd be the most reliable way to determine which package
is responsible for the creation of any given pid file, if adequate does not run
as root. (obviously, if it runs as root, we read the pid from the file to find
out which binary it points to). but if we're not running as root, one hacky
option would be to strip ".pid" from the filename and look for such binaries in
/s?bin/ (but that wouldn't always work, e.g. /sbin/cron creates crond.pid)
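The two attribution ideas floated in this thread (Jakub's `dpkg -S` on `/proc/<pid>/exe`, and the strip-".pid"-and-look-in-sbin heuristic above) combined with the Policy 10.9 readability check, as an added illustration. This is not adequate's code and not from either poster; the function names are mine, it assumes a Linux `/proc` and GNU `stat -c '%a'`, and it deliberately reports the "other" permission bits rather than whether the current user happens to be able to read the file.

```sh
#!/bin/sh
# Added example (not part of adequate): list pid files under a runtime
# directory that are not world-readable and try to attribute each one to
# a package. Assumes Linux /proc and GNU coreutils stat.

# Return 0 if the file has the o+r bit set, 1 otherwise. Looks at the
# mode, not at [ -r ], so the answer is the same for root and non-root.
is_world_readable() {
    perm=$(stat -c '%a' "$1") || return 1
    other=$(( perm % 10 ))          # last octal digit = "other" class
    [ $(( other & 4 )) -ne 0 ]      # bit 4 of that digit is read
}

# Strategy 1 (from the thread): pid -> /proc/<pid>/exe -> dpkg -S.
# Needs a readable pid file and, for other users' processes, root to
# readlink the exe. Prints the owning package or fails.
package_via_proc() {
    pid=$(head -n 1 "$1" 2>/dev/null | tr -dc '0-9')
    [ -n "$pid" ] || return 1
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null) || return 1
    pkg=$(dpkg -S "$exe" 2>/dev/null | sed 's/:.*//' | head -n 1)
    [ -n "$pkg" ] && printf '%s\n' "$pkg"
}

# Strategy 2 (heuristic, no root needed): strip ".pid" and look for an
# executable of that name in the given directories. Prints its path or
# fails; misses cases like cron -> crond.pid, as the thread notes.
binary_via_name() {
    pidfile=$1; shift
    name=$(basename "$pidfile" .pid)
    for dir in "$@"; do
        if [ -x "$dir/$name" ]; then
            printf '%s\n' "$dir/$name"
            return 0
        fi
    done
    return 1
}

# Walk $1 (default /run) one level deep and print one line per *.pid
# file that fails the world-readable check, with best-effort attribution.
# Usage after sourcing this file:  scan_pidfiles /run
scan_pidfiles() {
    rundir=${1:-/run}
    for f in "$rundir"/*.pid "$rundir"/*/*.pid; do
        [ -f "$f" ] || continue
        if ! is_world_readable "$f"; then
            who=$(package_via_proc "$f") \
                || who=$(binary_via_name "$f" /usr/sbin /sbin /usr/bin /bin) \
                || who="unknown"
            printf 'not world-readable: %s (mode %s) -> %s\n' \
                "$f" "$(stat -c '%a' "$f")" "$who"
        fi
    done
    return 0
}
```

Two caveats worth knowing before wiring anything like this into a checker: on a merged-/usr system the kernel reports `/usr/sbin/foo` in `/proc/<pid>/exe` even when the package database records the file as `/sbin/foo`, so the `dpkg -S` lookup can miss; and the symlink target carries a " (deleted)" suffix once the binary has been upgraded under a running daemon. Neither affects the readability check itself, which only needs the mode bits and so works for an unprivileged user as long as `/run` is traversable.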