pidof is unsafe even with full path

Bug #1546126 reported by Jarno Suni on 2016-02-16
This bug affects 1 person
Affects Status Importance Assigned to Milestone
sysvinit (Ubuntu)

Bug Description

Manual page of pidof says: "When pidof is invoked with a full pathname to the program it should find the pid of, it is reasonably safe. Otherwise it is possible that it returns pids of running programs that happen to have the same name as the program you're after but are actually other programs."

However, in the following pidof displays the process number of /bin/sleep
sleep 5 & pidof /wrongdir/sleep

/wrongdir/sleep could be another executable, but the above happens even if the file or even the /wrongdir does not exist.

However, if sleep was called with full path
$(command -v sleep) 5 & pidof /wrongdir/sleep
pidof does not display anything, which is expected.

ProblemType: Bug
DistroRelease: Ubuntu 15.10
Package: sysvinit-utils 2.88dsf-59.2ubuntu2.1
ProcVersionSignature: Ubuntu 4.2.0-27.32-generic 4.2.8-ckt1
Uname: Linux 4.2.0-27-generic x86_64
NonfreeKernelModules: nvidia
ApportVersion: 2.19.1-0ubuntu5
Architecture: amd64
CurrentDesktop: XFCE
Date: Tue Feb 16 16:26:47 2016
 gcc-5-base 5.2.1-22ubuntu2
 libc6 2.21-0ubuntu4
 libgcc1 1:5.2.1-22ubuntu2
EcryptfsInUse: Yes
InstallationDate: Installed on 2015-11-21 (86 days ago)
InstallationMedia: Xubuntu 15.10 "Wily Werewolf" - Release amd64 (20151021)
SourcePackage: sysvinit
UpgradeStatus: No upgrade log present (probably fresh install)

Jarno Suni (jarnos) wrote :
information type: Private Security → Public Security
Steve Beattie (sbeattie) wrote :

Thanks for reporting this. I have reported this upstream at .

Changed in sysvinit (Ubuntu):
status: New → Triaged
importance: Undecided → Low
jessesmith (jessefrgsmith) wrote :

This was fixed upstream in sysvinit-2.89. Bug can be closed when the package is updated.

To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers