commit: 110582491ff02db061b567636a237460afbc489c
Author: William Hubbs <w.d.hubbs <AT> gmail <DOT> com>
AuthorDate: Wed Jan 24 23:43:02 2018 +0000
Commit: William Hubbs <williamh <AT> gentoo <DOT> org>
CommitDate: Wed Jan 24 23:43:08 2018 +0000
URL: https://gitweb.gentoo.org/proj/openrc.git/commit/?id=11058249

service-script-guide.md cleanups

Refer to /var/run in the documentation instead of /run, and make it
clear at the top of the pidfile section that we use /run under Linux.

This is for #202.

service-script-guide.md | 24 ++++++++++++------------
1 file changed, 12 insertions(+), 12 deletions(-)

18 |
diff --git a/service-script-guide.md b/service-script-guide.md
index 56e0b339..2ae97029 100644
--- a/service-script-guide.md
+++ b/service-script-guide.md
@@ -302,11 +302,12 @@ reload() {
## PID files should be writable only by root

PID files must be writable only by *root*, which means additionally
-that they must live in a *root*-owned directory.
+that they must live in a *root*-owned directory. This directory is
+normally /run under Linux and /var/run under other operating systems.

Some daemons run as an unprivileged user account, and create their PID
files (as the unprivileged user) in a path like
-`/run/foo/foo.pid`. That can usually be exploited by the unprivileged
+`/var/run/foo/foo.pid`. That can usually be exploited by the unprivileged
user to kill *root* processes, since when a service is stopped, *root*
usually sends a SIGTERM to the contents of the PID file (which are
controlled by the unprivileged user). The main warning sign for that
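Review bot: the added sentence `+normally /run under Linux and /var/run under other operating systems.` is now the only place in this section that names the Linux directory, yet the example two lines later switches to `/var/run/foo/foo.pid`; a Linux reader can easily take the two as different directories. Suggest one more clause here, along the lines of "the examples below use /var/run throughout; read /run for it on Linux", so the rest of the section does not have to repeat the distinction each time a path appears.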
37 |
@@ -317,13 +318,13 @@ containing the PID file. For example,
# BAD BAD BAD BAD BAD BAD BAD BAD
start_pre() {
# Ensure that the pidfile directory is writable by the foo user/group.
- checkpath --directory --mode 0700 --owner foo:foo "/run/foo"
+ checkpath --directory --mode 0700 --owner foo:foo "/var/run/foo"
}
# BAD BAD BAD BAD BAD BAD BAD BAD
```

-If the *foo* user owns `/run/foo`, then he can put whatever he wants
-in the `/run/foo/foo.pid` file. Even if *root* owns the PID file, the
+If the *foo* user owns `/var/run/foo`, then he can put whatever he wants
+in the `/var/run/foo/foo.pid` file. Even if *root* owns the PID file, the
*foo* user can delete it and replace it with his own. To avoid
security concerns, the PID file must be created as *root* and live in
a *root*-owned directory. If your daemon is responsible for forking
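Review bot: the BAD example keeps `--mode 0700`, while the prose explains the problem purely in terms of ownership (`If the *foo* user owns ...`); it would be worth stating outright that tightening the mode does not help, because the owner of the directory can delete and recreate the PID file whatever its permissions, so readers do not conclude that 0700 was the mistake. Minor style point: the *foo* service account is referred to as "he"/"his"; "it"/"its" reads better for a daemon user.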
54 |
@@ -332,16 +333,15 @@ unprivileged runtime user, then you may have an upstream issue.

Once the PID file is being created as *root* (before dropping
privileges), it can be written directly to a *root*-owned
-directory. Typically this will be `/run` on Linux, and `/var/run`
-elsewhere. For example, the *foo* daemon might write
-`/run/foo.pid`. No calls to checkpath are needed. Note: there is
+directory. For example, the *foo* daemon might write
+`/var/run/foo.pid`. No calls to checkpath are needed. Note: there is
nothing technically wrong with using a directory structure like
-`/run/foo/foo.pid`, so long as *root* owns the PID file and the
+`/var/run/foo/foo.pid`, so long as *root* owns the PID file and the
directory containing it.

Ideally (see "Upstream your service scripts"), your service script
-will be integrated upstream and the build system will determine
-which of `/run` or `/var/run` is appropriate. For example,
+will be integrated upstream and the build system will determine the
+appropriate directory for the pid file. For example,

```sh
pidfile="@piddir@/${RC_SVCNAME}.pid"
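Review bot: the new line `+appropriate directory for the pid file. For example,` writes "pid file" where the rest of the section uses "PID file" (`## PID files should be writable only by root`, `Even if *root* owns the PID file`); keep the capitalised form. Also, with `Typically this will be `/run` on Linux, and `/var/run`` removed, the `@piddir@` example that follows is the only remaining hint of what the build system substitutes; a few words saying that `@piddir@` is the placeholder the build system replaces with the platform's run directory would close that gap.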
76 |
@@ -374,7 +374,7 @@ location through a conf.d variable, for a few reasons:
Since OpenRC service names must be unique, a value of

```sh
-pidfile="/run/${RC_SVCNAME}.pid"
+pidfile="/var/run/${RC_SVCNAME}.pid"
```

guarantees that your PID file has a unique name.
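Review bot: this example hardcodes `/var/run/${RC_SVCNAME}.pid` directly after the previous hunk recommends `@piddir@/${RC_SVCNAME}.pid` for upstreamed scripts; a short lead-in noting that the hardcoded form is for scripts not built with a piddir substitution would keep the two examples from reading as contradictory. The uniqueness claim (`guarantees that your PID file has a unique name`) follows from service names being unique only among OpenRC services; a daemon outside OpenRC writing the same filename into that directory is not covered, which may deserve a qualifier.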