From owner-freebsd-hackers@FreeBSD.ORG Mon Oct 27 12:42:28 2003
Return-Path: 
Delivered-To: freebsd-hackers@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1B9C416A4B3 for ; Mon, 27 Oct 2003 12:42:28 -0800 (PST)
Received: from xeon.unixathome.org (bast.unixathome.org [66.11.174.150]) by mx1.FreeBSD.org (Postfix) with ESMTP id 591A743F93 for ; Mon, 27 Oct 2003 12:42:27 -0800 (PST) (envelope-from dan@langille.org)
Received: by xeon.unixathome.org (Postfix, from userid 1000) id 8A20C3E50; Mon, 27 Oct 2003 15:42:26 -0500 (EST)
Received: from localhost (localhost [127.0.0.1]) by xeon.unixathome.org (Postfix) with ESMTP id 69CFC3E4F; Mon, 27 Oct 2003 15:42:26 -0500 (EST)
Date: Mon, 27 Oct 2003 15:42:26 -0500 (EST)
From: Dan Langille 
X-X-Sender: dan@xeon.unixathome.org
To: Wes Peters 
In-Reply-To: <200310271150.23193.wes@softweyr.com>
Message-ID: <20031027154010.Y61203@xeon.unixathome.org>
References: <3F9CF3F6.8307.ABC1250@localhost> <200310271150.23193.wes@softweyr.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
cc: freebsd-hackers@freebsd.org
Subject: Re: non-root process and PID files
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Technical Discussions relating to FreeBSD
List-Unsubscribe: ,
List-Archive: 
List-Post: 
List-Help: 
List-Subscribe: ,
X-List-Received-Date: Mon, 27 Oct 2003 20:42:28 -0000

On Mon, 27 Oct 2003, Wes Peters wrote:

> On Monday 27 October 2003 07:31 am, Dan Langille wrote:
> > If a process starts up and does a setuid, should it be writing the
> > PID file before or after the setuid?
> >
> > Two methods exist AFAIK:
> >
> > 1 - write your PID immediately, and the file is chown root:wheel
> > 2 - write your PID to /var/run/myapp/myapp.pid where /var/run/myapp/
> >     is chown myapp:myapp
> >
> > Of the two, I think #1 is cleaner as it does not require another
> > directory with special permissions.
> >
> > Any suggestions?
>
> Create the pid file while still root, and if you are going to change the
> user or group id, chown(2) or chgrp(2) the file just before the setuid(2) /
> setgid(2) calls.

I'm told that this leaves you open to a symlink attack. If you leave the
file chown root:wheel, then if an attacker does gain control of the
application, they can't change the PID file. The key point is the app is
root when writing the PID file. If the attacker symlinks the PID file to
something else (e.g. /etc/fstab), then that's when the fun starts.
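One way to write the PID file while still root without being bitten by the symlink problem raised above, added here as an example and not code from either poster: open with O_NOFOLLOW, verify with lstat/fstat that the opened object is the plain regular file we own, and only then truncate and write. The function names, the victim file and the temporary directory under /tmp are constructed for the demonstration.

```c
#define _GNU_SOURCE 1          /* exposes O_NOFOLLOW/O_CLOEXEC on glibc; harmless elsewhere */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Write pid to path while still privileged, refusing a symlink planted there:
 * O_NOFOLLOW makes the open fail, and lstat/fstat must agree that the opened
 * object is a single-link regular file we own before it is ever truncated. */
int write_pidfile(const char *path, pid_t pid)
{
    struct stat ls, fs; char buf[32];
    int len, fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0644);
    if (fd < 0)
        return -1;                              /* ELOOP if path is a symlink */
    if (lstat(path, &ls) < 0 || fstat(fd, &fs) < 0 || !S_ISREG(fs.st_mode) ||
        ls.st_dev != fs.st_dev || ls.st_ino != fs.st_ino ||
        fs.st_nlink != 1 || fs.st_uid != geteuid()) {
        close(fd);                              /* not the plain file we expected */
        return -1;
    }
    len = snprintf(buf, sizeof buf, "%ld\n", (long)pid);
    if (ftruncate(fd, 0) < 0 || write(fd, buf, len) != len) {
        close(fd);
        return -1;
    }
    return close(fd);
}

/* Constructed scenario from the thread: a symlink at the pid path points at a
 * file that must not be clobbered. Returns 1 if the write is refused and the
 * target keeps its 8 bytes, 0 otherwise. */
int demo_symlink_rejected(void)
{
    char dir[] = "/tmp/pidfile-demo-XXXXXX", target[64], lnk[64];
    struct stat st; int fd, ok;
    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(target, sizeof target, "%s/victim", dir);
    snprintf(lnk, sizeof lnk, "%s/myapp.pid", dir);
    if ((fd = open(target, O_WRONLY | O_CREAT, 0644)) < 0)
        return 0;
    ok = write(fd, "keep me\n", 8) == 8 && close(fd) == 0 &&
         symlink(target, lnk) == 0 &&
         write_pidfile(lnk, getpid()) == -1 &&       /* refused, target untouched */
         stat(target, &st) == 0 && st.st_size == 8;
    unlink(lnk); unlink(target); rmdir(dir);
    return ok;
}
```

The chown(2) to the unprivileged user, if wanted, belongs on the returned descriptor via fchown(2) rather than on the path, for the same reason.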