From owner-freebsd-hackers@FreeBSD.ORG Mon Oct 27 13:31:06 2003
Return-Path:
Delivered-To: freebsd-hackers@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 15B3B16A4B3 for ; Mon, 27 Oct 2003 13:31:06 -0800 (PST)
Received: from smtp.omnis.com (smtp.omnis.com [216.239.128.26]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7C53043F75 for ; Mon, 27 Oct 2003 13:31:05 -0800 (PST) (envelope-from wes@softweyr.com)
Received: from softweyr.homeunix.net (66-91-236-204.san.rr.com [66.91.236.204]) by smtp-relay.omnis.com (Postfix) with ESMTP id 6924F72E34; Mon, 27 Oct 2003 13:26:24 -0800 (PST)
From: Wes Peters
Organization: Softweyr
To: Dan Langille
Date: Mon, 27 Oct 2003 13:31:03 -0800
User-Agent: KMail/1.5.4
References: <3F9CF3F6.8307.ABC1250@localhost> <200310271150.23193.wes@softweyr.com> <20031027154010.Y61203@xeon.unixathome.org>
In-Reply-To: <20031027154010.Y61203@xeon.unixathome.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200310271331.03822.wes@softweyr.com>
cc: freebsd-hackers@freebsd.org
Subject: Re: non-root process and PID files
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Technical Discussions relating to FreeBSD
X-List-Received-Date: Mon, 27 Oct 2003 21:31:06 -0000

On Monday 27 October 2003 12:42 pm, Dan Langille wrote:
> On Mon, 27 Oct 2003, Wes Peters wrote:
> > On Monday 27 October 2003 07:31 am, Dan Langille wrote:
> > > If a process starts up and does a setuid, should it be writing the
> > > PID file before or after the setuid?
> > >
> > > Two methods exist AFAIK:
> > >
> > > 1 - write your PID immediately, and the file is chown root:wheel
> > > 2 - write your PID to /var/run/myapp/myapp.pid where
> > >     /var/run/myapp/ is chown myapp:myapp
> > >
> > > Of the two, I think #1 is cleaner as it does not require another
> > > directory with special permissions.
> > >
> > > Any suggestions?
> >
> > Create the pid file while still root, and if you are going to change
> > the user or group id, chown(2) or chgrp(2) the file just before
> > setuid(2) / setgid(2) calls.
>
> I'm told that this leaves you open to a symlink attack. If you leave
> the file chown root:wheel, then if an attacker does gain control of the
> application, they can't change the PID file. The key point is the app
> is root when writing the PID file. If the attacker symlinks the PID to
> something else (e.g. /etc/fstab), then that's when the fun starts.

OK, bad knee-jerk design. In the past I've always just followed the
standard 'clean it up when the daemon is restarted' philosophy because it
seemed safe to leave the file 'protected' this way.

For clean shutdowns, shutdown scripts run as root can clean up any pid
file they want, right? If the process crashes, having the pid file
available may prove helpful in debugging, at least in terms of log traces
and such.

-- 
Where am I, and what am I doing in this handbasket?

Wes Peters
wes@softweyr.com
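The two concerns raised in the thread (write the PID file while still root, but do not let a symlink planted at the path turn that root write into a write to /etc/fstab) can both be met at the open(2) call. The following is an added example, not code from either poster: it opens the PID file with O_CREAT|O_EXCL|O_NOFOLLOW so a pre-existing entry or symlink fails the open rather than being written through, sets ownership with fchown(2) on the descriptor it already holds (a chown(2) by path name would be a second lookup an attacker could race), and only then drops privileges in the right order. The helper names write_pidfile, read_pidfile and drop_privileges, the user name "myapp" and the path /var/run/myapp.pid are placeholders chosen for the example.

```c
/* Added example, not code from the thread above.  Creates the PID file while
 * still root without following a planted symlink, chowns the open descriptor
 * rather than the path name, then drops privileges.  Assumes POSIX open(2)
 * with O_EXCL and O_NOFOLLOW (FreeBSD, Linux).  "myapp" and
 * "/var/run/myapp.pid" in main() are placeholders. */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Create 'path' and write our PID into it.  O_EXCL refuses any pre-existing
 * entry and, with O_NOFOLLOW, a symlink left at 'path' (pointing at
 * /etc/fstab, say) fails the open instead of being written through.  The
 * owner is set on the descriptor we hold, so there is no second name lookup
 * for an attacker to race.  Returns 0, or -1 with errno set. */
int write_pidfile(const char *path, uid_t owner, gid_t group)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
    if (fd < 0)
        return -1;
    char buf[32];
    int len = snprintf(buf, sizeof buf, "%ld\n", (long)getpid());
    int ok = fchown(fd, owner, group) == 0 && write(fd, buf, (size_t)len) == len;
    int saved = errno;
    if (close(fd) < 0 && ok) {
        ok = 0;
        saved = errno;
    }
    if (!ok) {
        unlink(path);   /* we created it, so removing it is safe */
        errno = saved;
        return -1;
    }
    return 0;
}

/* Read the PID back, again refusing to follow a symlink.  Returns the PID,
 * or -1 if the file is missing, is a symlink, or holds no single number. */
long read_pidfile(const char *path)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    char buf[32];
    ssize_t n = read(fd, buf, sizeof buf - 1);
    close(fd);
    if (n <= 0)
        return -1;
    buf[n] = '\0';
    char *end;
    long pid = strtol(buf, &end, 10);
    return (end == buf || *end != '\n' || pid <= 0) ? -1 : pid;
}

/* Drop root to 'user'.  Supplementary groups first, then gid, then uid: once
 * the uid is gone the other two can no longer be changed.  The setuid(0)
 * probe at the end catches a drop that silently failed. */
int drop_privileges(const char *user)
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL) {
        errno = ENOENT;
        return -1;
    }
    if (setgroups(1, &pw->pw_gid) < 0 || setgid(pw->pw_gid) < 0 ||
        setuid(pw->pw_uid) < 0)
        return -1;
    if (setuid(0) == 0 || geteuid() == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/var/run/myapp.pid"; /* placeholder */
    const char *user = argc > 2 ? argv[2] : "myapp";              /* placeholder */
    /* Still root here.  0,0 keeps the file root:wheel (method 1 in the
     * thread); pass the daemon user's ids instead to let it remove the file. */
    if (write_pidfile(path, 0, 0) < 0) {
        perror(path);
        return 1;
    }
    if (drop_privileges(user) < 0) {
        perror("drop_privileges");
        unlink(path);   /* still root on this path, so the unlink is allowed */
        return 1;
    }
    printf("pid %ld recorded in %s, now uid %ld\n", (long)getpid(), path,
           (long)getuid());
    return 0;
}
```

Two caveats a practitioner will want. First, O_EXCL means a stale PID file from a crash makes the next start fail, which matches the thread's division of labour: the rc script, running as root, removes the old file before starting the daemon, and a root-owned file cannot be removed by a compromised daemon running as myapp. Second, these flags stop a symlink from redirecting the write, but if the directory holding the PID file is writable by the unprivileged user, that user can still pre-create the file and deny the daemon a start, so /var/run itself (or the per-daemon subdirectory in method 2) still needs to be root-owned.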