The patch.

Carter Bullard carter at qosient.com
Tue Mar 19 09:48:47 EST 2002


Hey Yotam,
Hmmmm, I think you're missing my important point,
and I apologize for not being precise.

If a process with root privileges is allowed to create
any pid file, without restrictions, there is nothing to
keep it from creating, say, /var/run/identd.pid,
as an example.  If this is possible, then there is the
real possibility that the program can be used to prevent
key programs from running.  The real identd starts, finds
the rogue pid file, signals the pid that is in the file
and finds that there is a running process, and then
exits, since pid files are used by most programs as
an exclusive mechanism.

Really bad idea.  How can we avoid this fundamental
security problem?  I believe that httpd and the others
that you mention have this flaw, without any obvious
advantage.  Specifying the pid directory, rather than
the file, would be adequate.

Carter

Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 18K
New York, New York  10022

carter at qosient.com
Phone +1 212 588-9133
Fax   +1 212 588-9134
http://qosient.com


> -----Original Message-----
> From: Yotam Rubin [mailto:yotam at makif.omer.k12.il] 
> Sent: Tuesday, March 19, 2002 9:32 AM
> To: Carter Bullard
> Subject: Re: The patch.
> 
> 
> On Tue, Mar 19, 2002 at 09:15:17AM -0500, Carter Bullard wrote:
> > Hey Yotam,
> > I'm not aware of any program that will let you specify
> > the name of the pid file, do you have any examples
> > in mind?    How do you prevent argus from overwriting
> > /var/run/identd.pid?
> 
> Well, it looks like thttpd and mason allow the user to
> specify a PID file. Additionally, Debian's start-stop-daemon
> program allows it as well, and many scripts rely on the
> specific location of the PID file.
> The only thing we can do to prevent argus from overwriting
> other files is to stat() the pid file before writing to it.
> Important files can also be clobbered if the user specifies
> a certain archive file.
> 
> 	Regards, Yotam Rubin
> 
> 
> > 
> > Carter
> > 
> > 
> > > -----Original Message-----
> > > From: Yotam Rubin [mailto:yotam at makif.omer.k12.il] 
> > > Sent: Tuesday, March 19, 2002 8:56 AM
> > > To: Carter Bullard
> > > Subject: Re: The patch.
> > > 
> > > 
> > > On Tue, Mar 19, 2002 at 08:05:56AM -0500, Carter Bullard wrote:
> > > > Hey Yotam,
> > > >    I'm putting in the pid file support now, and I've
> > > > got a few questions.  Since argus normally runs with
> > > > root privileges, specifying an arbitrary pid filename
> > > > may cause some problems, writing over an existing system 
> > > > file, etc...
> > > > 
> > > > It would seem a bit safer if we examine the target file
> > > > to see if it's actually a pid file before clobbering it,
> > > > but that doesn't really work, as there is nothing
> > > > preventing someone from specifying that argus should use
> > > > the pid file for sendmail, as an example, which would
> > > > keep that application from running, if argus came before
> > > > it in the boot startup sequence.
> > > 
> > > 
> > > Yeah, we should probably stat() the pid file before writing it.
> > > 
> > > > 
> > > > Would it be alright if we allow the user to specify the
> > > > pid file directory, rather than the exact file?
> > > 
> > > Well, I find it more comfortable to specify the exact
> > > location of the PID file. Also, this is common behavior in
> > > other programs as well. The user probably wants a method to
> > > distinctly determine the location of the pid file. Letting
> > > argus select the name of the pidfile has no significant
> > > benefit, and may cause errors. For example, the Debian
> > > package may start argus whenever a PPP interface comes up.
> > > It's more comfortable to rely on the script's pid file
> > > handling, than on argus' pid file name selection.
> > > 
> > > > 
> > > > Would you support a single option for the command
> > > > line pid file?  Say "-n [piddir]", rather than using
> > > > two options?
> > > 
> > > I preserved the original PID file option because I was unsure 
> > > whether it was alright to remove it. It is more comfortable 
> > > to have a single option[1] rather than having two options 
> > > which achieve a similar result. It would seem better to leave 
> > > only the -c option.
> > > 
> > > 	Regards, Yotam Rubin
> > > 
> > > [1] GNU getopt() supports options with optional arguments.
> > >     This enables argus to select the pid file name when no
> > >     argument is specified, or to create the pid file at the
> > >     user specified location. Sadly, this behavior is not
> > >     portable, so if we want to use it the inclusion of the
> > >     GNU getopt() is required.
> > > 
> > > 
> > > > 
> > > > Carter
> > > > 
> > > > 
> > > > > -----Original Message-----
> > > > > From: Yotam Rubin [mailto:yotam at makif.omer.k12.il]
> > > > > Sent: Wednesday, February 27, 2002 4:26 PM
> > > > > To: 'Carter Bullard'
> > > > > Subject: The patch.
> > > > > 
> > > > > 
> > > > > Hey,
> > > > > 
> > > > > 	The patch discussed on the list is attached herein.
> > > > > 
> > > > > 	Regards, Yotam Rubin
> > > > > 
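As an added example (not code from the argus project or from either correspondent), this C routine implements the design the thread converges on: the operator chooses only the pid directory, the name is fixed by the daemon and may not contain a slash, an existing file is refused unless it really holds a pid, a live pid backs off instead of clobbering, and only a stale pid file is replaced. The directory layout and function names are assumptions for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Accept `path` only if it holds a single positive decimal pid (optionally
 * newline-terminated); anything else is not a pid file and must not be clobbered. */
static int read_pidfile(const char *path, pid_t *out)
{
    char buf[32], *end;
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0) return 0;
    ssize_t n = read(fd, buf, sizeof buf - 1); close(fd);
    if (n <= 0) return 0;
    buf[n] = '\0';
    long v = strtol(buf, &end, 10);
    if (end == buf || v <= 0 || (*end != '\0' && strcmp(end, "\n") != 0)) return 0;
    *out = (pid_t)v;
    return 1;
}

/* Create <dir>/<name>.pid for the calling process (hypothetical helper). The caller
 * picks only the directory; `name` may not contain '/', so a root daemon cannot be
 * pointed at another program's pid file. Returns 0 on success, or -1 with errno
 * EEXIST when the recorded pid is still alive and EINVAL for a non-pid file. */
int create_pidfile(const char *dir, const char *name, char *path, size_t pathlen)
{
    if (strchr(name, '/') != NULL ||
        snprintf(path, pathlen, "%s/%s.pid", dir, name) >= (int)pathlen) { errno = EINVAL; return -1; }
    for (int attempt = 0; attempt < 2; attempt++) {
        /* O_EXCL: never silently overwrite; O_NOFOLLOW: never write through a symlink */
        int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
        if (fd >= 0) {
            char buf[32];
            int len = snprintf(buf, sizeof buf, "%ld\n", (long)getpid());
            if (write(fd, buf, len) != len) { close(fd); unlink(path); return -1; }
            close(fd); return 0;
        }
        if (errno != EEXIST) return -1;
        pid_t old;
        if (!read_pidfile(path, &old)) { errno = EINVAL; return -1; }       /* refuse to clobber */
        if (kill(old, 0) == 0 || errno == EPERM) { errno = EEXIST; return -1; } /* live instance */
        unlink(path); /* stale pid: safe to remove, then retry the exclusive create */
    }
    return -1;
}
```

Note that this still does not stop an operator from pointing the directory at /var/run, which is the point Carter makes above; what it removes is the ability to name another daemon's file, and the stat()/content check alone would not have done that.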