posted 2022-09-21
The Gentoo net-analyzer/smokeping package gives ownership of its PID file directory to the daemon's runtime user. The runtime user can exploit that to kill root processes: when the service is stopped, root sends a SIGTERM to the process ID read from the PID file, and the runtime user controls that file's contents.
Before the smokeping OpenRC service starts, a call to checkpath gives ownership of its PID file directory to the runtime user smokeping in /etc/init.d/smokeping:
The smokeping user can exploit that to kill root processes: when the service is stopped, root sends a SIGTERM to the process ID read from the PID file, and smokeping controls that file's contents.
An updated OpenRC service script uses,
causing smokeping to launch in the foreground and OpenRC's start-stop-daemon to background it and create a PID file at the safe location /run/${RC_SVCNAME}.pid.
The fixed service script was installed alongside net-analyzer/smokeping-2.7.1, but the net-analyzer/smokeping package has since been removed from Gentoo entirely.
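An audit for the ownership problem described above, as an added example (not part of the advisory or of the Gentoo package): the hypothetical helpers `pidfile_trusted` and `audit_pidfiles` flag PID files that a user other than root could create or rewrite. It assumes a `stat` that supports `-c` (GNU coreutils or BusyBox) and that the directories above the PID directory are root-owned.

```shell
#!/bin/sh
# Added example. Assumes stat supports -c (GNU coreutils or BusyBox).

# owned_and_closed PATH UID
# Succeeds if PATH is owned by UID and not writable by group or other.
owned_and_closed() {
    info=$(stat -c '%u %a' -- "$1" 2>/dev/null) || return 1
    owner=${info% *}
    mode=${info#* }
    [ "$owner" = "$2" ] || return 1
    case "$mode" in
        *[2367] | *[2367]?) return 1 ;;   # other- or group-writable
    esac
    return 0
}

# pidfile_trusted PIDFILE [UID]
# Succeeds if only UID (default 0, root) can create or rewrite PIDFILE.
# Ancestors of the PID directory are assumed to be root-owned (e.g. /run).
pidfile_trusted() {
    uid=${2:-0}
    dir=$(dirname -- "$1")
    # "/." resolves a symlinked directory such as /var/run -> /run.
    owned_and_closed "$dir/." "$uid" || return 1
    # No PID file yet: the directory alone decides who may create one.
    [ -e "$1" ] || [ -L "$1" ] || return 0
    # Refuse symlinks and files that UID does not own exclusively.
    [ ! -L "$1" ] && owned_and_closed "$1" "$uid"
}

# audit_pidfiles UID PIDFILE...
# Prints every PID file that UID does not exclusively control.
audit_pidfiles() {
    trusted=$1
    shift
    for f in "$@"; do
        pidfile_trusted "$f" "$trusted" || printf '%s\n' "$f"
    done
}

# Typical use on a host, run as root:
#   audit_pidfiles 0 /run/*.pid /run/*/*.pid
```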