[systemd-devel] Unprivileged user can kill root-owned processes by changing PID file and stopping service
Frank Thommen
systemd-devel at lists.drosera.ch
Fri Feb 19 14:12:11 UTC 2021
Dear all,
I am experiencing the issue that an unprivileged user can kill root-owned processes by changing a service's PIDFile.
Situation: We are running a web service based on software which is maintained by "external" developers. The service is running as an unprivileged user, and the maintaining developers have access to the server and to this user account to make updates and apply fixes themselves, independently of the system administration.
In a nutshell we have:
a) an unprivileged user "srvcusr", to which "external" persons have access
b) a start script /path1/to/startscript.sh which basically does
------------------
#!/bin/bash
# PID file the unit's PIDFile= points at; must be writable by srvcusr
PIDFILE=/path2/to/service.pid
[... initialize the environment ...]
# start the actual service in the background and record its PID
run_service_script &
echo "$!" > "$PIDFILE"
------------------
"srvcusr" cannot modify this startscript!
c) a unit file with (in very short):
------------------
[Service]
Type=simple
User=srvcusr
ExecStart=/path1/to/startscript.sh
PIDFile=/path2/to/service.pid
------------------
d) a `sudo` configuration which allows "srvcusr" to start and stop the service
Problem: To run the service as "srvcusr", this account needs write access to $PIDFILE. However, this also allows the user to write arbitrary PIDs to the file. Once (s)he has done so and stops the service (`sudo systemctl stop myservice`), this process will be killed even if it doesn't belong to "srvcusr". It doesn't work with PID 1, but it works with web servers, root shells, etc.
This is either a hole in systemd (which I cannot imagine) or an incorrect way of running a service on behalf of a non-root UID.
This happens on CentOS 7.4.170 (for technical reasons we are currently bound to this version) with systemd version 219, release 42.
Any hint on how to fix this is very appreciated.
Thanks, Frank
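Added example, not part of Frank's post or of systemd: the report above boils down to a stop path that signals whatever PID a user-writable file contains. The shell function below shows the check a stop script (or a wrapper around `kill`) would want before trusting such a file: the PID must be numeric, the process must exist, and its real UID as read from /proc/PID/status must match the service user. The function names, the use of /proc and the single-decimal-PID file format are assumptions for the illustration; systemd 219's own behaviour is only what the post describes.

```bash
#!/bin/bash
# Added example (not from the original post or from systemd): validate a PID
# read from a writable PID file before signalling it, so that a PID planted by
# the service user cannot be used to kill a root-owned process.
# Assumptions: Linux with /proc mounted; the PID file holds one decimal PID.

# Return 0 if the PID in file "$1" names a live process whose real UID is "$2",
# otherwise print a reason to stderr and return 1.
check_pidfile_owner() {
    local pidfile="$1" expected_uid="$2" pid ruid
    pid=$(tr -d '[:space:]' < "$pidfile" 2>/dev/null) || {
        echo "unreadable pid file: $pidfile" >&2; return 1; }
    case "$pid" in
        ''|*[!0-9]*) echo "pid file does not contain a number: '$pid'" >&2; return 1 ;;
    esac
    [ -d "/proc/$pid" ] || { echo "no such process: $pid" >&2; return 1; }
    # /proc/PID/status carries "Uid:  <real> <effective> <saved> <fs>"
    ruid=$(awk '/^Uid:/ { print $2 }' "/proc/$pid/status") || return 1
    if [ "$ruid" != "$expected_uid" ]; then
        echo "pid $pid runs as uid $ruid, not $expected_uid; refusing to signal it" >&2
        return 1
    fi
    return 0
}

# Replacement for a blind `kill $(cat "$pidfile")` in a stop script:
# only sends SIGTERM when the owner check passes.
safe_stop() {
    local pidfile="$1" expected_uid="$2"
    check_pidfile_owner "$pidfile" "$expected_uid" || return 1
    kill -TERM "$(tr -d '[:space:]' < "$pidfile")"
}
```

Usage from a stop script would be `safe_stop /path2/to/service.pid "$(id -u srvcusr)"`; a PID file pointing at a root-owned web server or shell then fails the UID comparison instead of being signalled. The check is racy against PID reuse like any PID-file scheme, so it narrows the hole described in the post rather than replacing supervisor-side tracking of the service's own processes.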