oss-sec mailing list archives

Re: CVE-2017-12847: nagios-core privilege escalation via PID file manipulation


From: Daniel Kahn Gillmor <dkg () fifthhorseman net>
Date: Wed, 16 Aug 2017 18:17:40 -0400

On Wed 2017-08-16 12:10:09 -0400, Michael Orlitzky wrote:
> The problem is avoided by creating the PID file as root, before
> dropping privileges.

The problem can also be avoided by not using PID files at all, and
relying instead on a service manager that actually keeps track of its
children using more robust means (like wait() and SIGCHLD).

Even when a process isn't malicious, if it dies unexpectedly a different
process may spawn re-using the PID stored in the pidfile, in an
accidental collision.

At what point do we treat hacks like pidfiles as security risks more
generally?

pidfiles, self-daemonization, privilege-dropping, are all things that
are easy to get subtly wrong.  What do we need to offer to developers of
daemons to encourage them to just stop doing them?

  --dkg
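The two points in the message above (a supervisor learning about child exit through waitpid(2)/SIGCHLD versus a pidfile that merely stores a number, and the accidental PID-reuse collision once the original process is gone) are illustrated by the following added example. It is not code from the thread or from Nagios; `supervise_once`, `pidfile_pid_alive` and `demo_stale_pidfile` are hypothetical names chosen here.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

static volatile sig_atomic_t sigchld_count = 0;

static void on_sigchld(int sig) { (void)sig; sigchld_count++; }

/* Hypothetical service-manager style supervision: fork the child, keep its
 * pid in memory, and learn about its exit authoritatively via waitpid().
 * Until the parent reaps it, the kernel keeps the pid reserved (as a
 * zombie), so it cannot be handed to an unrelated process.
 * Returns the child's exit status (0..255), 128+signal if killed, -1 on error. */
int supervise_once(const char *cmd) {
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_sigchld;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_RESTART;
    if (sigaction(SIGCHLD, &sa, NULL) == -1) return -1;

    pid_t pid = fork();
    if (pid == -1) return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    int status;
    while (waitpid(pid, &status, 0) == -1) {
        if (errno != EINTR) return -1;
    }
    if (WIFEXITED(status)) return WEXITSTATUS(status);
    if (WIFSIGNALED(status)) return 128 + WTERMSIG(status);
    return -1;
}

/* The pidfile approach: read a number from the file and ask the kernel
 * whether *some* process with that pid exists. Nothing ties the number to
 * the process that wrote it. Returns 1 if kill(pid, 0) succeeds, 0 if no
 * such process, -1 if the file content is unusable. */
int pidfile_pid_alive(FILE *pidfile) {
    long pid;
    if (fscanf(pidfile, "%ld", &pid) != 1 || pid <= 0) return -1;
    return kill((pid_t)pid, 0) == 0 ? 1 : 0;
}

/* Reproduce the hazard: record a child's pid in a (temporary, constructed)
 * pidfile, let the child die at once as if it crashed, reap it, and then
 * consult the file. The stored pid is now stale; it refers to nothing
 * (result 0) until the kernel recycles it for an unrelated process, at
 * which point the same check would report 1 for the wrong process. */
int demo_stale_pidfile(void) {
    FILE *pidfile = tmpfile();
    if (!pidfile) return -1;
    pid_t pid = fork();
    if (pid == -1) { fclose(pidfile); return -1; }
    if (pid == 0) _exit(0);              /* child: exits immediately */
    fprintf(pidfile, "%ld\n", (long)pid);
    fflush(pidfile);
    while (waitpid(pid, NULL, 0) == -1 && errno == EINTR) {}
    rewind(pidfile);
    int alive = pidfile_pid_alive(pidfile);
    fclose(pidfile);
    return alive;
}

int main(void) {
    printf("supervise_once(\"exit 7\") -> %d\n", supervise_once("exit 7"));
    printf("stale pidfile pid alive?   -> %d\n", demo_stale_pidfile());
    return 0;
}
```

`supervise_once` needs no file on disk at all: the pid lives in the supervisor's memory and the exit status comes straight from waitpid(), which is why a service manager that reaps its children does not have the stale-pid or writable-pidfile problems the thread discusses.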
