Gentoo Archives: gentoo-commits

From: William Hubbs <williamh@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/openrc:master commit in: /
Date: Wed, 24 Jan 2018 23:44:22
Message-Id: 1516837388.110582491ff02db061b567636a237460afbc489c.williamh@OpenRC
1 commit: 110582491ff02db061b567636a237460afbc489c
2 Author: William Hubbs <w.d.hubbs <AT> gmail <DOT> com>
3 AuthorDate: Wed Jan 24 23:43:02 2018 +0000
4 Commit: William Hubbs <williamh <AT> gentoo <DOT> org>
5 CommitDate: Wed Jan 24 23:43:08 2018 +0000
6 URL: https://gitweb.gentoo.org/proj/openrc.git/commit/?id=11058249
7
8 service-script-guide.md cleanups
9
10 Refer to /var/run in the documentation instead of /run, and make it
11 clear at the top of the pidfile section that we use /run under Linux.
12
13 This is for #202.
14
15 service-script-guide.md | 24 ++++++++++++------------
16 1 file changed, 12 insertions(+), 12 deletions(-)
17
18 diff --git a/service-script-guide.md b/service-script-guide.md
19 index 56e0b339..2ae97029 100644
20 --- a/service-script-guide.md
21 +++ b/service-script-guide.md
22 @@ -302,11 +302,12 @@ reload() {
23 ## PID files should be writable only by root
24
25 PID files must be writable only by *root*, which means additionally
26 -that they must live in a *root*-owned directory.
27 +that they must live in a *root*-owned directory. This directory is
28 +normally /run under Linux and /var/run under other operating systems.
29
30 Some daemons run as an unprivileged user account, and create their PID
31 files (as the unprivileged user) in a path like
32 -`/run/foo/foo.pid`. That can usually be exploited by the unprivileged
33 +`/var/run/foo/foo.pid`. That can usually be exploited by the unprivileged
34 user to kill *root* processes, since when a service is stopped, *root*
35 usually sends a SIGTERM to the contents of the PID file (which are
36 controlled by the unprivileged user). The main warning sign for that
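Review bot: the sentence added at the top of this hunk says the directory is /run under Linux and /var/run on other operating systems, but the example path on the very next changed line is rewritten to /var/run, the spelling the new sentence reserves for non-Linux systems. A Linux reader will see the example as contradicting the statement two lines above it. Suggest a short clause right after the new sentence, such as "the examples in this section use /var/run; read /run for Linux", so the convention the commit message describes is stated once where the paths first appear.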
37 @@ -317,13 +318,13 @@ containing the PID file. For example,
38 # BAD BAD BAD BAD BAD BAD BAD BAD
39 start_pre() {
40 # Ensure that the pidfile directory is writable by the foo user/group.
41 - checkpath --directory --mode 0700 --owner foo:foo "/run/foo"
42 + checkpath --directory --mode 0700 --owner foo:foo "/var/run/foo"
43 }
44 # BAD BAD BAD BAD BAD BAD BAD BAD
45 ```
46
47 -If the *foo* user owns `/run/foo`, then he can put whatever he wants
48 -in the `/run/foo/foo.pid` file. Even if *root* owns the PID file, the
49 +If the *foo* user owns `/var/run/foo`, then he can put whatever he wants
50 +in the `/var/run/foo/foo.pid` file. Even if *root* owns the PID file, the
51 *foo* user can delete it and replace it with his own. To avoid
52 security concerns, the PID file must be created as *root* and live in
53 a *root*-owned directory. If your daemon is responsible for forking
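Review bot: the requirement in the trailing context of this hunk, that the PID file "live in a *root*-owned directory", is necessary but not sufficient: a *root*-owned /var/run/foo that carries group or other write bits still lets the *foo* user delete and replace the PID file, which is exactly the attack the changed lines above describe. Suggest "a *root*-owned directory that is writable only by *root*" so it matches the section heading "PID files should be writable only by root". Minor style point in the changed lines: "he can put whatever he wants" and "his own" could read "they"/"their".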
54 @@ -332,16 +333,15 @@ unprivileged runtime user, then you may have an upstream issue.
55
56 Once the PID file is being created as *root* (before dropping
57 privileges), it can be written directly to a *root*-owned
58 -directory. Typically this will be `/run` on Linux, and `/var/run`
59 -elsewhere. For example, the *foo* daemon might write
60 -`/run/foo.pid`. No calls to checkpath are needed. Note: there is
61 +directory. For example, the *foo* daemon might write
62 +`/var/run/foo.pid`. No calls to checkpath are needed. Note: there is
63 nothing technically wrong with using a directory structure like
64 -`/run/foo/foo.pid`, so long as *root* owns the PID file and the
65 +`/var/run/foo/foo.pid`, so long as *root* owns the PID file and the
66 directory containing it.
67
68 Ideally (see "Upstream your service scripts"), your service script
69 -will be integrated upstream and the build system will determine
70 -which of `/run` or `/var/run` is appropriate. For example,
71 +will be integrated upstream and the build system will determine the
72 +appropriate directory for the pid file. For example,
73
74 ```sh
75 pidfile="@piddir@/${RC_SVCNAME}.pid"
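Review bot: with the "Typically this will be `/run` on Linux, and `/var/run` elsewhere" sentence removed in this hunk, the `@piddir@` placeholder in the example that follows is no longer explained where it is used; the rewritten sentence only says the build system determines "the appropriate directory for the pid file". Suggest naming the placeholder there, e.g. "the build system will substitute the appropriate directory for `@piddir@`", so the reader connects the sentence to the example.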
76 @@ -374,7 +374,7 @@ location through a conf.d variable, for a few reasons:
77 Since OpenRC service names must be unique, a value of
78
79 ```sh
80 -pidfile="/run/${RC_SVCNAME}.pid"
81 +pidfile="/var/run/${RC_SVCNAME}.pid"
82 ```
83
84 guarantees that your PID file has a unique name.
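Review bot: this example hardcodes `/var/run` while the hunk above recommends letting the build system supply the directory via `@piddir@`; a reader following both gets two different pidfile lines for the same purpose. Either use `@piddir@` here as well, or say that this is the form for a script that has not been integrated upstream and that `/var/run` should be read as `/run` on Linux, consistent with the sentence added at the top of the section.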