[systemd-devel] Unprivileged user can kill root-owned processes by changing PID file and stopping service
Lennart Poettering
lennart at poettering.net
Fri Feb 19 14:44:39 UTC 2021
On Fr, 19.02.21 15:12, Frank Thommen (systemd-devel at lists.drosera.ch) wrote:
> Dear all,
>
> I am experiencing the issue, that an unprivileged user can kill
> root-owned processes by changing a service's PIDFile.
The file referenced by PIDFile= should not be under control of an
unpriv user.
v219 is more than 5 years old. Since then we have tightened controls:
we now automatically detect wether the PID file is under control of
unprivileged users either directly, or because a symlink is used in
the path that is controlled by an unprivileged user, in which case
we'll log abou this. We'll also ignore the PID file if the listed PID
doesn't actually belong to the cgroup of the service.
See documentation about PIDFile= in current versions:
https://www.freedesktop.org/software/systemd/man/systemd.service.html#PIDFile=
But in general: don't do this! It's simply not safe, neither on
systemd nor any other init system. The whole PID concept of UNIX is
racy anyway but giving unprivileged users control on it is even worse.
PID files are mostly SysV construct. A better replacement is using
Type=notify or Type=simple services that do not fork unnecessarily,
and thus do not need to communicate their main PID explicitly.
Lennart
--
Lennart Poettering, Berlin
More information about the systemd-devel
mailing list