non-root process and PID files
wes at softweyr.com
Mon Oct 27 13:31:06 PST 2003
On Monday 27 October 2003 12:42 pm, Dan Langille wrote:
> On Mon, 27 Oct 2003, Wes Peters wrote:
> > On Monday 27 October 2003 07:31 am, Dan Langille wrote:
> > > If a process starts up and does a setuid, should it be writing the
> > > PID file before or after the setuid?
> > >
> > > Two methods exists AFAIK:
> > >
> > > 1 - write your PID immediately, and the file is chown root:wheel
> > > 2 - write your PID to /var/run/myapp/myapp.pid where
> > > /var/run/myapp/ is chown myapp:myapp
> > >
> > > Of the two, I think #1 is cleaner as it does not require another
> > > directory with special permissions.
> > >
> > > Any suggestions?
> > Create the pid file while still root, and if you are going to change
> > the user or group id, chown(2) or chgrp(2) the file just before
> > setuid(2) / setgid(2) calls.
> I'm told that this leaves you open to a symlink attack. If you leave
> the file chown root:wheel, then if an attacker does gain control of the
> application, they can't change the PID file. The key point is the app
> is root when writing the PID file. If the attacker symlinks the PID to
> something else (e.g. /etc/fstab), then that's when the fun starts.
OK, bad knee-jerk design. In the past I've always just followed the
standard 'clean it up when the daemon is restarted' philosophy because it
seemed safe to leave the file 'protected' this way. For clean shutdowns,
shutdown scripts run as root can clean up any pid file they want, right?
If the process crashes, having the pid file available may prove helpful
in debugging, at least in terms of log traces and such.
Where am I, and what am I doing in this handbasket?
Wes Peters wes at softweyr.com
More information about the freebsd-hackers