|
|
923a60 |
From ce87ed7b47c61e649a0f9da39d272631b9524740 Mon Sep 17 00:00:00 2001
|
|
|
923a60 |
From: Lennart Poettering <lennart@poettering.net>
|
|
|
923a60 |
Date: Fri, 9 Feb 2018 17:05:17 +0100
|
|
|
923a60 |
Subject: [PATCH] service: relax PID file symlink chain checks a bit (#8133)
|
|
|
923a60 |
|
|
|
923a60 |
Let's read the PID file after all if there's a potentially unsafe
|
|
|
923a60 |
symlink chain in place. But if we do, then refuse taking the PID if its
|
|
|
923a60 |
outside of the cgroup.
|
|
|
923a60 |
|
|
|
923a60 |
Fixes: #8085
|
|
|
923a60 |
(cherry picked from commit 73969ab61c39357e6892747e43307fbf07cafbed)
|
|
|
923a60 |
|
|
|
923a60 |
Resolves: #1724420
|
|
|
923a60 |
---
|
|
|
923a60 |
src/core/service.c | 15 +++++++++++++--
|
|
|
923a60 |
1 file changed, 13 insertions(+), 2 deletions(-)
|
|
|
923a60 |
|
|
|
923a60 |
diff --git a/src/core/service.c b/src/core/service.c
|
|
|
923a60 |
index eaa588863f..6b61ccac18 100644
|
|
|
923a60 |
--- a/src/core/service.c
|
|
|
923a60 |
+++ b/src/core/service.c
|
|
|
923a60 |
@@ -736,6 +736,7 @@ static int service_is_suitable_main_pid(Service *s, pid_t pid, int prio) {
|
|
|
923a60 |
|
|
|
923a60 |
static int service_load_pid_file(Service *s, bool may_warn) {
|
|
|
923a60 |
char procfs[sizeof("/proc/self/fd/") - 1 + DECIMAL_STR_MAX(int)];
|
|
|
923a60 |
+ bool questionable_pid_file = false;
|
|
|
923a60 |
_cleanup_free_ char *k = NULL;
|
|
|
923a60 |
_cleanup_close_ int fd = -1;
|
|
|
923a60 |
int r, prio;
|
|
|
923a60 |
@@ -749,8 +750,13 @@ static int service_load_pid_file(Service *s, bool may_warn) {
|
|
|
923a60 |
prio = may_warn ? LOG_INFO : LOG_DEBUG;
|
|
|
923a60 |
|
|
|
923a60 |
fd = chase_symlinks(s->pid_file, NULL, CHASE_OPEN|CHASE_SAFE, NULL);
|
|
|
923a60 |
- if (fd == -EPERM)
|
|
|
923a60 |
- return log_unit_full_errno(UNIT(s)->id, prio, fd, "Permission denied while opening PID file or unsafe symlink chain: %s", s->pid_file);
|
|
|
923a60 |
+ if (fd == -EPERM) {
|
|
|
923a60 |
+ log_unit_full(UNIT(s)->id, LOG_DEBUG, "Permission denied while opening PID file or potentially unsafe symlink chain, will now retry with relaxed checks: %s", s->pid_file);
|
|
|
923a60 |
+
|
|
|
923a60 |
+ questionable_pid_file = true;
|
|
|
923a60 |
+
|
|
|
923a60 |
+ fd = chase_symlinks(s->pid_file, NULL, CHASE_OPEN, NULL);
|
|
|
923a60 |
+ }
|
|
|
923a60 |
if (fd < 0)
|
|
|
923a60 |
return log_unit_full_errno(UNIT(s)->id, prio, fd, "Can't open PID file %s (yet?) after %s: %m", s->pid_file, service_state_to_string(s->state));
|
|
|
923a60 |
|
|
|
923a60 |
@@ -773,6 +779,11 @@ static int service_load_pid_file(Service *s, bool may_warn) {
|
|
|
923a60 |
if (r == 0) {
|
|
|
923a60 |
struct stat st;
|
|
|
923a60 |
|
|
|
923a60 |
+ if (questionable_pid_file) {
|
|
|
923a60 |
+ log_unit_error(UNIT(s)->id, "Refusing to accept PID outside of service control group, acquired through unsafe symlink chain: %s", s->pid_file);
|
|
|
923a60 |
+ return -EPERM;
|
|
|
923a60 |
+ }
|
|
|
923a60 |
+
|
|
|
923a60 |
/* Hmm, it's not clear if the new main PID is safe. Let's allow this if the PID file is owned by root */
|
|
|
923a60 |
|
|
|
923a60 |
if (fstat(fd, &st) < 0)
|