Re: Default permissions on supervise/ok

supervision - discussion about system services, daemon supervision, init, runlevel management, and tools such as s6 and runit
 help / color / mirror / Atom feed

From: Laurent Bercot <ska-supervision@skarnet.org>
To: supervision@list.skarnet.org
Subject: Re: Default permissions on supervise/ok
Date: Tue, 21 May 2013 11:58:14 +0200	[thread overview]
Message-ID: <20130521095814.GA2290@skarnet.org> (raw)
In-Reply-To: <20130521044322.GA27482@frap.net>

> My understanding is that runsv will never read from the fifo, and will
> only use opening it as a test to verify the process exists the other end.
> This doesn't seem exploitable as it's a read-only channel. At least, as
> far as I can tell.

 Here's an exploit:

 If runsv is down, "sv status" will normally return a "runsv not running"
message. But if some user has supervise/ok open for reading, "sv status"
will mistakenly think runsv is running, because it assumes runsv is the
only process able to keep supervise/ok open for reading. So, a user can
deny a service recovery routine from running.

 Don't meddle with supervise/ permissions. If you want to trust a group
of users with service checking/control abilities, make the sv binary
setgid.
 Unfortunately, runit does not separate service checking and service
control abilities at the executable level, so I'm afraid you cannot
achieve what you want here.

 Shameless plug: you could switch s6, which gives you s6-svok and
s6-svstat executables for service checking, separate from the s6-svc
executable for service control. You can make s6-svok and s6-svstat
setgid at your convenience, without endangering the reliability of the
service.

-- 
 Laurent

next prev parent reply	other threads:[~2013-05-21  9:58 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2013-05-20 23:52 eam
2013-05-21  0:47 ` Charlie Brady
2013-05-21  4:43   ` eam
2013-05-21  9:58     ` Laurent Bercot [this message]
2013-05-21 15:29       ` eam
2013-05-21 15:10         ` Laurent Bercot

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20130521095814.GA2290@skarnet.org \
    --to=ska-supervision@skarnet.org \
    --cc=supervision@list.skarnet.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).