amavis-mc creates its PID file after dropping privileges
Michael Orlitzky
michael at orlitzky.com
Mon Nov 6 01:07:01 CET 2017
On 09/14/2017 10:52 AM, Michael Orlitzky wrote:
> I noticed that the amavis-mc daemon creates its PID file after dropping
> privileges:
>
> if (defined $daemon_user) {
> drop_priv($daemon_user,$daemon_group);
> }
>
> if (defined $pid_file && $pid_file ne '') {
> my $pid_file_fh = IO::File->new;
> $pid_file_fh->open($pid_file, O_CREAT|O_WRONLY, 0640)
> ...
>
> This is in contrast to the main amavisd-new daemon and amavis-snmp which
> create their PID files as root, before dropping privileges.
>
> Is this intentional in amavis-mc? I ask because it makes things a bit
> hairy for init script writers. When stopping amavis-mc, most init
> systems will send a SIGTERM as root to the contents of the PID file. If
> the PID file is owned by an unprivileged user, he may be able to exploit
> that fact to kill off root processes.
>
Ping. I'm wondering if I should get a CVE for this and inform the
distros that ship an init script, or if for some reason the risk does
not exist in this case.
More information about the amavis-users
mailing list