michael orlitzky

CVE-2017-18240: app-admin/collectd privilege escalation via PID file manipulation

posted 2018-04-15

Note: the app-admin/collectd package has been renamed to app-metrics/collectd.

Product: Gentoo Linux app-admin/collectd package
Versions affected: app-admin/collectd-5.7.2 and earlier
Published on: 2018-04-15
Fixed in: commit 9a70b58, version 5.7.2-r1
Bug report: https://bugs.gentoo.org/628540
MITRE: CVE-2017-18240
Acknowledgements: Thomas Deutschmann for the fix and Christopher Díaz Riveros for requesting the CVE.

Summary

The Gentoo app-admin/collectd package before 5.7.2-r1 gives ownership of its PID file directory to the daemon's runtime user. The runtime user can exploit that to kill root processes: when the service is stopped, root sends a SIGTERM to whatever PID the file contains, and the contents of that file are controlled by the runtime user.

Details

Before the app-admin/collectd OpenRC service starts, the service script's start_pre() function calls checkpath, which gives ownership of the PID file directory to the runtime $COLLECTD_USER:

start_pre() {
  if [ "${RC_CMD}" != "restart" ]; then
    configtest || return 1
  fi

  # Vulnerable: the daemon user ends up owning the directory that holds
  # the PID file, so it can replace the file's contents at will.
  checkpath --directory \
    --mode 0770 \
    --owner ${COLLECTD_USER}:${COLLECTD_GROUP} \
    "$(dirname "${COLLECTD_PIDFILE}")"
}

Because $COLLECTD_USER owns that directory, it can delete and recreate the PID file and put any PID it likes into it. When the service is stopped, root sends a SIGTERM to whatever PID the file contains, so $COLLECTD_USER can kill root processes.

Resolution

The collectd daemon can run in the foreground (the -f flag), in which case OpenRC's start-stop-daemon can background it and manage its PID file itself. The new OpenRC service script does exactly that:

command="/usr/sbin/collectd"
command_args="${COLLECTD_OPTS} -C \"${COLLECTD_CONFIGFILE}\" -f"
command_background=true
command_user="${COLLECTD_USER}"

This results in a root-owned PID file that the runtime user cannot modify, after which the ownership/permission changes on its directory are obsolete and have been removed.
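The following is an added example, written for this page; it is not from the advisory, from Gentoo's service scripts, or from collectd. It models the decision root makes at stop time ("which PID do I signal?") in both the Details and Resolution passages above: the trusting version, which is what made a daemon-owned, group-writable PID directory exploitable, and a checked version that insists on the properties the fix restores (a root-owned, non-writable PID file and directory) plus a sanity check that the target process actually runs as the daemon's uid. It assumes Linux (/proc, and the -c option of GNU or busybox stat); the function names, the temporary directory layout and the uid arguments are constructed for the demonstration, and nothing in it sends a signal.

```sh
#!/bin/sh
# Added example; not from the advisory, Gentoo, or collectd. Assumes Linux
# (/proc and the -c flag of GNU or busybox stat). It models the decision
# "which PID does root signal on stop?" two ways: the trusting way, which is
# what made the 0770, daemon-owned directory exploitable, and a checked way
# that insists on the properties the fix restores (root-owned, non-writable
# PID file and directory) plus a sanity check on the target process.
# Nothing here sends a signal; the functions only print the PID they would.

# Old behaviour: signal whatever the file says. If $COLLECTD_USER owns the
# directory, it can replace the file and aim root's SIGTERM at any PID.
unsafe_target_pid() {
    cat "$1"
}

# Real uid of a running process, read from /proc so ps(1) is not needed.
proc_uid() {
    pid=$1
    while IFS= read -r line; do
        case $line in
            Uid:*) set -- $line; echo "$2"; return 0 ;;
        esac
    done < "/proc/$pid/status"
    return 1
}

# Checked behaviour. $1 = PID file, $2 = uid that must own the file and its
# directory (0 in real use), $3 = uid the target process must run as
# ($COLLECTD_USER's uid in real use). Prints the PID and returns 0 only if
# every check passes; any failure returns 1 without printing anything.
safe_target_pid() {
    pidfile=$1; owner_uid=$2; run_uid=$3
    dir=$(dirname "$pidfile")

    # A symlink in a user-writable directory would let the user choose the
    # file root reads, so insist on a regular file.
    [ -f "$pidfile" ] && [ ! -L "$pidfile" ] || return 1

    for path in "$dir" "$pidfile"; do
        [ "$(stat -c %u "$path")" = "$owner_uid" ] || return 1
        # Reject group- or world-writable modes (the checkpath call used
        # 0770, which is group-writable); the last two octal digits decide.
        case $(stat -c %a "$path") in
            *[2367][0-7]|*[2367]) return 1 ;;
        esac
    done

    pid=$(cat "$pidfile")
    case $pid in
        ''|*[!0-9]*) return 1 ;;        # not a single plain integer
    esac
    [ -d "/proc/$pid" ] || return 1     # no such process

    # Even a clean file should only ever point at the daemon's own uid.
    [ "$(proc_uid "$pid")" = "$run_uid" ] || return 1
    echo "$pid"
}

# Constructed demonstration in a temporary directory: the layout the old
# service script produced (group-writable PID directory) with a PID file
# that names PID 1. The checked variant refuses because of the directory
# mode, whoever runs this.
demo() {
    tmp=$(mktemp -d)
    mkdir -m 0770 "$tmp/collectd"
    echo 1 > "$tmp/collectd/collectd.pid"
    me=$(id -u)
    printf 'unsafe: would signal PID %s\n' "$(unsafe_target_pid "$tmp/collectd/collectd.pid")"
    if pid=$(safe_target_pid "$tmp/collectd/collectd.pid" "$me" "$me"); then
        printf 'checked: would signal PID %s\n' "$pid"
    else
        echo 'checked: refused'
    fi
    rm -rf "$tmp"
}

demo
```

The checked function is deliberately stricter than "is the file root-owned": a clean file and directory still only earn the right to signal a process running as the daemon's uid, which is the invariant the fixed service script relies on once start-stop-daemon writes the PID file as root. The same checks can be folded into a stop_pre() function in an OpenRC script if a daemon cannot be run in the foreground and must keep writing its own PID file.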