git.ipfire.org Git - thirdparty/systemd.git/commit - src/core/service.c
core: be stricter when handling PID files and MAINPID sd_notify() messages
author: Lennart Poettering <lennart@poettering.net>
Fri, 5 Jan 2018 11:20:22 +0000 (12:20 +0100)
committer: Lennart Poettering <lennart@poettering.net>
Thu, 11 Jan 2018 14:12:16 +0000 (15:12 +0100)
commit: db256aab13d8a89d583ecd2bacf0aca87c66effc
tree: 0653543495bfdacba33ad303f1f4ff70bf301f15
parent: 65c6b99094580afa186199d8091cd7536900526c
core: be stricter when handling PID files and MAINPID sd_notify() messages

Let's be more restrictive when validating PID files and MAINPID=
messages: don't accept PIDs that make no sense, and if the configuration
source is not trusted, don't accept out-of-cgroup PIDs. A configuration
source is considered trusted when the PID file is owned by root, or the
message was received from root.

This should lock things down a bit, in case service authors write out
PID files from unprivileged code or use NotifyAccess=all with
unprivileged code. Note that doing so was always problematic, just now
it's a bit less problematic.

When we open the PID file we'll now use the CHASE_SAFE chase_symlinks()
logic, to ensure that we won't follow an unprivileged-owned symlink to a
privileged-owned file thinking this was a valid privileged PID file,
even though it really isn't.

Fixes: #6632
man/systemd.service.xml
src/core/manager.c
src/core/service.c
src/core/unit.h
test/TEST-20-MAINPIDGAMES/Makefile [new file with mode: 0644]
test/TEST-20-MAINPIDGAMES/test.sh [new file with mode: 0755]
test/TEST-20-MAINPIDGAMES/testsuite.sh [new file with mode: 0755]
test/test-functions
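The acceptance rule the commit message describes, written out in C as an added illustration (this is not systemd's code; the function names, signatures and the /proc/<pid>/cgroup line formats handled are assumptions): reject PIDs that make no sense, trust a root-owned PID file or a MAINPID= message from root, and otherwise require the named process to live inside the service's own cgroup. The CHASE_SAFE symlink walk is not shown here.

```c
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Strict PID-file parser: digits and trailing whitespace only; 0 on any defect. */
static pid_t parse_pid_file(const char *text) {
    char *end; long v;
    if (!text || text[0] < '0' || text[0] > '9') return 0;
    errno = 0; v = strtol(text, &end, 10);
    while (*end == '\n' || *end == ' ') end++;
    return (errno == 0 && v > 0 && v <= INT_MAX && *end == '\0') ? (pid_t)v : 0;
}

/* Does the text of /proc/<pid>/cgroup place the process in service_cgroup
 * or a child of it? Handles the unified "0::/path" line and the legacy
 * "N:name=systemd:/path" line; other controller lines are ignored. */
static bool cgroup_text_contains(const char *text, const char *service_cgroup) {
    size_t sl = strlen(service_cgroup);
    for (const char *line = text; line && *line; ) {
        const char *nl = strchr(line, '\n'), *path = NULL;
        const char *m = strstr(line, ":name=systemd:");
        if (strncmp(line, "0::", 3) == 0)
            path = line + 3;
        else if (m && (!nl || m < nl))       /* match must be on this line */
            path = m + strlen(":name=systemd:");
        if (path) {
            size_t plen = nl ? (size_t)(nl - path) : strlen(path);
            if (plen >= sl && strncmp(path, service_cgroup, sl) == 0 &&
                (plen == sl || path[sl] == '/'))
                return true;                 /* exact match or a child cgroup */
        }
        line = nl ? nl + 1 : NULL;
    }
    return false;
}

/* source_uid is the PID file's owner or the sender of the MAINPID= message;
 * proc_cgroup_text is what the caller read from /proc/<pid>/cgroup. */
static bool accept_main_pid(pid_t pid, pid_t manager_pid, uid_t source_uid,
                            const char *proc_cgroup_text, const char *service_cgroup) {
    if (pid <= 1 || pid == manager_pid)
        return false;   /* PID 1, the manager itself, or nonsense: never */
    if (source_uid == 0)
        return true;    /* root-owned file / message from root: trusted */
    return cgroup_text_contains(proc_cgroup_text, service_cgroup);
}
```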