upstart 1.4: setuid/setguid apply to ALL scripts
Bug #911207 reported by
James Page
This bug affects 10 people
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| upstart |
Confirmed
|
Low
|
Unassigned | ||
| upstart (Ubuntu) |
Confirmed
|
Low
|
Unassigned | ||
Bug Description
Upstart 1.4 on Ubuntu Precise from https:/
-------
My understanding of the setuid/setguid stanza's in upstart 1.4 is that they should emulate what start-stop-
At the moment the stanza's apply to all script blocks (not just the main exec one) which makes it hard to setup /var/run directories etc.. which normally need to be created by root, not the owner of the application.
| description: | updated |
Revision history for this message
| James Hunt (jamesodhunt) wrote | #1 |
Revision history for this message
| James Hunt (jamesodhunt) wrote | #2 |
| Changed in upstart (Ubuntu): | |
| importance: | Undecided → Low |
| Changed in upstart: | |
| importance: | Undecided → Low |
Revision history for this message
| Launchpad Janitor (janitor) wrote | #3 |
| Changed in upstart (Ubuntu): | |
| status: | New → Confirmed |
Revision history for this message
| Clint Byrum (clint-fewbar) wrote | #4 |
| Changed in upstart: | |
| status: | New → Confirmed |
To post a comment you must log in.
Most stanzas currently operate on all script/exec sections (with the notable exception of 'respawn').
A fix would be for job_process_run() to pass its ProcessType parameter to job_process_spawn() so that for example:
if (class->setuid) { ... }
would become:
if (class->setuid && process == PROCESS_MAIN) { ... }
However, if we did make setuid+setgid only apply to the main script/exec section:
1) it could be confusing to users expecting that stanza to "apply" to all script/exec sections.
2) it would be potentially dangerous if users create files in a pre-start for example thinking they will be
owned by the setuid user when in fact they'd be owned by root. It would also be slightly annoying
since users would need to remember to chown any files created in a pre-start section for example
to make sure their ownership matched the user specified in the setuid stanza.
That said, we can of course document the behaviour to guard against misunderstandings since maybe the only common scenario where setuid/setgid support is required is for the main script/exec section?
We could modify the setuid/setgid syntax to take an optional list of section names to apply the setuid/setgid to:
setuid USERNAME [<section>]
setgid GROUPNAME [<section>]
Example:
setuid james pre-start post-start
setgid james pre-stop
... but there is no "name" for the main section since it is either "exec" or "script". We could accept both but that's not very elegant in these scenarios:
setuid james pre-start exec
script
echo hello
end script
setuid james pre-start script
exec echo hello
We should also think ahead: what if we introduce 'mkdir', 'chown', and 'chmod' stanzas? Who would they run as if setuid is specified?