amavis-mc creates its PID file after dropping privileges

Michael Orlitzky michael at orlitzky.com
Mon Nov 6 01:07:01 CET 2017


On 09/14/2017 10:52 AM, Michael Orlitzky wrote:
> I noticed that the amavis-mc daemon creates its PID file after dropping
> privileges:
> 
>   if (defined $daemon_user) {
>     drop_priv($daemon_user,$daemon_group);
>   }
> 
>   if (defined $pid_file && $pid_file ne '') {
>     my $pid_file_fh = IO::File->new;
>     $pid_file_fh->open($pid_file, O_CREAT|O_WRONLY, 0640)
>     ...
> 
> This is in contrast to the main amavisd-new daemon and amavis-snmp which
> create their PID files as root, before dropping privileges.
> 
> Is this intentional in amavis-mc? I ask because it makes things a bit
> hairy for init script writers. When stopping amavis-mc, most init
> systems will send a SIGTERM as root to the contents of the PID file. If
> the PID file is owned by an unprivileged user, he may be able to exploit
> that fact to kill off root processes.
> 

Ping. I'm wondering if I should get a CVE for this and inform the
distros that ship an init script, or if for some reason the risk does
not exist in this case.
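For init-script writers who must stop a daemon whose PID file might have been written by the unprivileged daemon user, an added example (not from this thread or the amavis project) of a stop routine that refuses to signal a PID it cannot trust; the function names and the proc_uid helper are assumptions, and the proper fix remains creating the PID file as root before drop_priv.

```sh
#!/bin/sh
# Defensive stop logic for an init script. Assumes the PID file should be
# root-owned (created before privileges are dropped) but might have been
# written by the daemon user instead. Function names are hypothetical.

# Print the numeric uid owning process $1; print nothing if it does not exist.
proc_uid() {
  if [ -r "/proc/$1/status" ]; then
    awk '/^Uid:/ { print $2 }' "/proc/$1/status"
  else
    ps -o uid= -p "$1" 2>/dev/null | tr -d ' '
  fi
}

# check_pid_file FILE DAEMON_USER
# Prints the PID stored in FILE and returns 0 only when signalling it is safe:
#   - FILE is a regular file owned by the user running this script (root for
#     a real init script), so the daemon user could not have rewritten it
#   - FILE is neither group- nor world-writable
#   - the content is a single positive integer
#   - that process really runs as DAEMON_USER, not as root or anyone else
check_pid_file() {
  file=$1; user=$2
  [ -f "$file" ] || return 1
  set -- $(ls -ld "$file")                 # $1 = mode string, $3 = owner
  [ "$3" = "$(id -un)" ] || return 1
  case "$1" in ?????w*|????????w*) return 1 ;; esac
  IFS= read -r pid < "$file" || [ -n "$pid" ] || return 1
  case "$pid" in ''|0*|*[!0-9]*) return 1 ;; esac
  want=$(id -u "$user") || return 1
  have=$(proc_uid "$pid")
  [ -n "$have" ] && [ "$have" = "$want" ] || return 1
  printf '%s\n' "$pid"
}

# stop_daemon FILE DAEMON_USER: send SIGTERM only after every check passes.
stop_daemon() {
  pid=$(check_pid_file "$1" "$2") || {
    echo "refusing to signal: PID file $1 is not trustworthy" >&2
    return 1
  }
  kill -TERM "$pid"
}
```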

