potential privilege escalation by pidfile manipulation
d-hat opened this issue · 2 comments
When thin is started as root but configured to drop privileges, the pidfile is chown()ed to the runtime user. Later, calls to "thin restart" or "thin stop" will, as root, read the pidfile and kill() the identified process.
This privilege imbalance means a vulnerability in the application could overwrite the pidfile or replace it with a symlink, leading to arbitrary root-owned processes being killed or other impacts ("thin stop" hanging or possibly information disclosure).
Controllers#stop should make some effort to validate the process being killed. Dropping privileges before sending the kill signal would be ideal.
This issue was first identified at https://bugs.gentoo.org/show_bug.cgi?id=642200 and has some further discussion at https://bugzilla.redhat.com/show_bug.cgi?id=1529154 .
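As an added illustration (not code from thin, from its Controllers#stop, or from the issue author), the Ruby below contrasts the pattern the issue describes with a stop routine that does both things the report asks for: it refuses a pidfile it cannot trust (symlink, non-regular file, wrong owner, writable by others, non-numeric or privileged pid), and it sends the signal only after permanently dropping to the runtime user, so the kernel's own permission check rejects any pid that user could not have killed anyway. The function names, the UntrustedPidfile error class and the exit-code convention are this example's own assumptions.

```ruby
require 'tmpdir'

# Added example, not thin's own code. Error class and names are hypothetical.
class UntrustedPidfile < StandardError; end

# The pattern described in the issue: root follows whatever the pidfile says.
# Symlinks are followed, the content is trusted, the signal carries root's power.
def unsafe_stop(pidfile)
  Process.kill('TERM', File.read(pidfile).to_i)
end

# Open the pidfile without following symlinks and refuse anything that is not a
# regular file owned by the runtime user, writable only by its owner, holding a
# plain numeric pid greater than 1. Note the limit: the runtime user owns the
# file legitimately, so a compromised app can still write a root pid into it.
# That case is handled by the privilege drop in stop_as_runtime_user below.
def read_trusted_pid(pidfile, runtime_uid)
  File.open(pidfile, File::RDONLY | File::NOFOLLOW) do |f|
    st = f.stat                      # fstat on the open descriptor, no TOCTOU
    raise UntrustedPidfile, "#{pidfile}: not a regular file" unless st.file?
    raise UntrustedPidfile, "#{pidfile}: owner uid #{st.uid} != #{runtime_uid}" unless st.uid == runtime_uid
    raise UntrustedPidfile, "#{pidfile}: group/world writable" unless (st.mode & 0o022).zero?
    content = f.read(32).to_s.strip
    raise UntrustedPidfile, "#{pidfile}: malformed pid #{content.inspect}" unless content.match?(/\A\d{1,10}\z/)
    pid = content.to_i
    raise UntrustedPidfile, "#{pidfile}: refusing pid #{pid}" if pid <= 1
    pid
  end
rescue Errno::ELOOP, Errno::EMLINK    # O_NOFOLLOW hit a symlink (Linux / BSD errno)
  raise UntrustedPidfile, "#{pidfile}: is a symlink"
end

# Send the signal from a child that has permanently dropped to the runtime user.
# The kernel then refuses (EPERM) to deliver it to any process whose uid does not
# match, so a pidfile pointing at a root-owned process cannot hurt.
def stop_as_runtime_user(pidfile, runtime_uid, runtime_gid, signal = 'TERM')
  pid = read_trusted_pid(pidfile, runtime_uid)
  child = fork do
    Process::Sys.setgid(runtime_gid)   # group first, while still privileged
    Process::Sys.setuid(runtime_uid)   # setuid, not seteuid: no way back to root
    exit!(4) unless Process.uid == runtime_uid && Process.euid == runtime_uid
    begin
      Process.kill(signal, pid)
      exit!(0)
    rescue Errno::ESRCH
      exit!(3)                         # no such process: stale pidfile
    rescue Errno::EPERM
      exit!(1)                         # not the runtime user's process: refused
    end
  end
  _, status = Process.wait2(child)
  case status.exitstatus
  when 0 then :stopped
  when 3 then :stale
  when 1 then :denied
  else raise "privilege drop failed in child (#{status.inspect})"
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed demo: a throwaway sleeper stands in for the de-privileged app.
  Dir.mktmpdir do |dir|
    pidfile = File.join(dir, 'thin.pid')
    worker = fork { sleep 30 }
    File.write(pidfile, "#{worker}\n")
    File.chmod(0o644, pidfile)
    puts stop_as_runtime_user(pidfile, Process.uid, Process.gid)   # stopped
    Process.wait(worker)
  end
end
```

The fork is what makes the drop safe: a permanent setuid() in the controller process itself would leave "thin restart" unable to regain root for the subsequent start, and a temporary seteuid() can be reverted, whereas a short-lived child that has given up root for good cannot be talked back into signalling a root process. When run unprivileged, the child's setuid() to the caller's own uid is a no-op, so the routine behaves the same way for a developer running it as a normal user.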
I wonder if this was addressed somehow?
Nope, thin is not actively maintained. Feel free to create a PR.