amavis-mc creates its PID file after dropping privileges

Michael Orlitzky michael at orlitzky.com
Thu Sep 14 16:52:56 CEST 2017


I noticed that the amavis-mc daemon creates its PID file after dropping
privileges:

  if (defined $daemon_user) {
    drop_priv($daemon_user,$daemon_group);
  }

  if (defined $pid_file && $pid_file ne '') {
    my $pid_file_fh = IO::File->new;
    $pid_file_fh->open($pid_file, O_CREAT|O_WRONLY, 0640)
    ...

This is in contrast to the main amavisd-new daemon and amavis-snmp which
create their PID files as root, before dropping privileges.

Is this intentional in amavis-mc? I ask because it makes things a bit
hairy for init script writers. When stopping amavis-mc, most init
systems will send a SIGTERM as root to the contents of the PID file. If
the PID file is owned by an unprivileged user, he may be able to exploit
that fact to kill off root processes.

When faced with the same problem in other software, a few solutions have
been suggested:

  1. Write the PID file as root, before dropping privileges.
  2. Screw you init-script guy, that's your problem.
  3. Run the daemon in the foreground, eliminate the PID file, and
     require systemd/OpenRC/etc. to supervise it.

Option #1 is the nicest for everyone, but #3 scratches my personal itch.
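
Added example, not part of the original message and not code from amavis or any init system: a guard that a root-run init script could apply before sending SIGTERM to the contents of a PID file, refusing any file that root does not own exclusively. The function name `trusted_pid` and the `$PIDFILE` variable in the usage comment are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration (hypothetical helper, not from amavis or any init system).
#
# trusted_pid FILE [OWNER_UID]
#   Prints the PID and returns 0 only if FILE
#     - is a regular file (a symlink is rejected),
#     - is owned by OWNER_UID (default 0, i.e. root),
#     - is not writable by group or others,
#     - contains a single decimal PID greater than 1 on its first line.
#   Returns 1 otherwise.
#
# Usage in a stop action (PIDFILE is a placeholder):
#   pid=$(trusted_pid "$PIDFILE") && kill -TERM "$pid"
#
# The check and the later kill are not atomic, so this narrows the problem
# but does not replace writing the PID file as root or supervising the daemon.
trusted_pid() {
    tp_file=$1
    tp_owner=${2:-0}

    # -d and no -L: describe the path itself; -n: numeric uid/gid.
    tp_ls=$(ls -ldn -- "$tp_file" 2>/dev/null) || return 1
    read -r tp_mode tp_links tp_uid tp_rest <<EOF
$tp_ls
EOF

    case $tp_mode in
        -*) ;;                            # regular file
        *)  return 1 ;;                   # symlink, directory, fifo, ...
    esac
    case $tp_mode in
        ?????w*|????????w*) return 1 ;;   # group- or other-writable
    esac
    [ "$tp_uid" = "$tp_owner" ] || return 1

    # Only the first line is considered; it must be digits and nothing else.
    tp_pid=
    IFS= read -r tp_pid < "$tp_file" || [ -n "$tp_pid" ] || return 1
    case $tp_pid in
        ''|0*|*[!0-9]*) return 1 ;;
    esac
    # Never hand back 1 (init); 0 and negative values were rejected above.
    [ "$tp_pid" -gt 1 ] || return 1

    printf '%s\n' "$tp_pid"
}
```

With a PID file created after the privilege drop, as in the snippet quoted above, the owner check fails and the stop action sends no signal.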

