[Bug 1065951] New: systemd service Type=forking and PIDFile privilege escalation
http://bugzilla.suse.com/show_bug.cgi?id=1065951

Bug ID: 1065951
Summary: systemd service Type=forking and PIDFile privilege escalation
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 42.3
Hardware: All
OS: openSUSE 42.3
Status: NEW
Severity: Major
Priority: P5 - None
Component: Security
Assignee: security-team@suse.de
Reporter: wullinger@rz.uni-kiel.de
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

Created attachment 746593
--> http://bugzilla.suse.com/attachment.cgi?id=746593&action=edit
Example service code

When creating a systemd service with Type=forking and PIDFile=, there seems to be a privilege escalation that makes it possible to have the service manager kill an arbitrary (maybe privileged) process with information from a non-privileged process.

Example: Define a service as follows, where $TARGET_PID is the PID of a root-owned process. /opt/test/escalator forks and writes the specified PID into a file.

# /etc/systemd/system/escalator.service
[Service]
Type=forking
PIDFile=/run/escalator/pid
ExecStart=/opt/test/escalator $TARGET_PID
RuntimeDirectory=escalator
User=nobody
Group=nogroup

If one starts such a unit, systemd will notice if the specified target PID is not a direct descendant of the service manager:

systemd[1]: escalator.service: Supervising process $TARGET_PID which is not our child. We'll most likely not notice when it exits.

It will, however, kill the target PID when the unprivileged unit is stopped. The target PID may be running with higher privileges than the stopped unit; it seems possible to have systemd kill arbitrary processes with information from a non-privileged process.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
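The report above boils down to one missing check: a PID read from a file that an unprivileged service can write must not be adopted as the unit's main PID unless the process actually belongs to the unit. The following is an added example, not systemd's code and not the reporter's attachment; it shows the guard a service manager needs before trusting PIDFile= contents, using the process's cgroup (as exposed in /proc/<pid>/cgroup) as the ownership test. The function names, the size limit and the sample PID/cgroup table are constructed for illustration.

```python
"""Guard for adopting a PID read from a service's PIDFile=.

Added example, not systemd's own code: before a service manager trusts a PID
written by an unprivileged service, the process named in the PID file must
live in the service's own cgroup. Otherwise stopping the unit would signal a
process the unit never owned (the escalation described in the bug report).
Names, limits and sample data below are constructed for illustration.
"""
import os
import re

PIDFILE_MAX_BYTES = 64          # assumption: a sane PID file is tiny
PID_RE = re.compile(r"^[0-9]{1,10}$")


def parse_pidfile(content):
    """Return the PID from PID-file text, or None unless it is a plain positive integer."""
    if content is None or len(content) > PIDFILE_MAX_BYTES:
        return None
    text = content.strip()
    if not PID_RE.fullmatch(text):
        return None
    pid = int(text)
    return pid if pid > 0 else None


def parse_cgroup_file(text):
    """Extract the systemd-relevant cgroup path from /proc/<pid>/cgroup content.

    Each line is 'hierarchy-id:controllers:path'. On the unified hierarchy the
    line is '0::/path'; on legacy/hybrid setups systemd tracks units through
    the 'name=systemd' named hierarchy. Returns the path or None.
    """
    fallback = None
    for line in text.splitlines():
        parts = line.split(":", 2)
        if len(parts) != 3:
            continue
        hier, controllers, path = parts
        if hier == "0" and controllers == "":
            return path
        if "name=systemd" in controllers.split(","):
            fallback = path
    return fallback


def cgroup_of_pid(pid, proc_root="/proc"):
    """Read the cgroup path of a live process from procfs; None if it is gone."""
    try:
        with open(os.path.join(proc_root, str(pid), "cgroup")) as f:
            return parse_cgroup_file(f.read())
    except OSError:
        return None


def may_adopt_main_pid(pidfile_content, unit_cgroup, lookup=cgroup_of_pid):
    """Return (ok, reason). ok is True only if the PID in the file belongs to
    unit_cgroup (or a cgroup below it), so SIGTERM on stop cannot reach a
    foreign, possibly privileged, process."""
    pid = parse_pidfile(pidfile_content)
    if pid is None:
        return False, "PID file does not contain a valid PID"
    if pid == 1:
        return False, "refusing to supervise PID 1"
    cg = lookup(pid)
    if cg is None:
        return False, "PID %d does not exist" % pid
    if cg == unit_cgroup or cg.startswith(unit_cgroup.rstrip("/") + "/"):
        return True, "PID %d is in %s" % (pid, cg)
    return False, "PID %d is in %s, not in %s; refusing" % (pid, cg, unit_cgroup)


# Constructed demonstration data (not real processes): /proc/<pid>/cgroup text per PID.
DEMO_CGROUPS = {
    1: "0::/init.scope\n",
    1337: "0::/system.slice/sshd.service\n",
    4242: "0::/system.slice/escalator.service\n",
    4243: "1:name=systemd:/system.slice/escalator.service/child\n",
}


def demo_lookup(pid):
    text = DEMO_CGROUPS.get(pid)
    return parse_cgroup_file(text) if text else None


def demo():
    """Run the guard over the constructed table; the 'sshd' and 'init' cases are
    the escalator scenario from the report and must be refused."""
    unit = "/system.slice/escalator.service"
    return {
        "own_child": may_adopt_main_pid("4242\n", unit, demo_lookup),
        "sub_cgroup": may_adopt_main_pid("4243\n", unit, demo_lookup),
        "sshd": may_adopt_main_pid("1337\n", unit, demo_lookup),
        "init": may_adopt_main_pid("1\n", unit, demo_lookup),
        "garbage": may_adopt_main_pid("4242; rm -rf /\n", unit, demo_lookup),
        "dead": may_adopt_main_pid("99999\n", unit, demo_lookup),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print("%-10s %s  %s" % (name, "ADOPT " if ok else "REFUSE", why))
```

On a real host `may_adopt_main_pid` would be called with the unit's own cgroup path and the default `cgroup_of_pid` lookup; the refusal branch is the point, since in the reported setup `/run/escalator/pid` is writable by `nobody` and its contents are attacker-controlled.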
http://bugzilla.suse.com/show_bug.cgi?id=1065951
http://bugzilla.suse.com/show_bug.cgi?id=1065951#c1

--- Comment #1 from Peter Wullinger <wullinger@rz.uni-kiel.de> ---
This seems to be the same problem as upstream issue 6632 (https://github.com/systemd/systemd/issues/6632), but upstream has not (yet) classified this as a security issue ...