[Bug 911207] Re: upstart 1.4: setuid/setguid apply to ALL scripts

James Hunt 911207 at bugs.launchpad.net
Tue Jan 3 16:24:54 UTC 2012


Most stanzas currently operate on all script/exec sections (with the
notable exception of 'respawn').

A fix would be for job_process_run() to pass its ProcessType parameter
to job_process_spawn() so that for example:

    if (class->setuid) { ... }

would become:

    if (class->setuid && process == PROCESS_MAIN) { ... }

However, if we did make setuid+setgid only apply to the main script/exec
section:

1) it could be confusing to users expecting that stanza to "apply" to
   all script/exec sections.
2) it would be potentially dangerous if users create files in a
   pre-start for example thinking they will be owned by the setuid user
   when in fact they'd be owned by root. It would also be slightly
   annoying since users would need to remember to chown any files
   created in a pre-start section for example to make sure their
   ownership matched the user specified in the setuid stanza.

That said, we can of course document the behaviour to guard against
misunderstandings since maybe the only common scenario where
setuid/setgid support is required is for the main script/exec section?

We could modify the setuid/setgid syntax to take an optional list of
section names to apply the setuid/setgid to:

    setuid USERNAME [<section>]
    setgid GROUPNAME [<section>]

Example:

    setuid james pre-start post-start
    setgid james pre-stop

... but there is no "name" for the main section since it is either
"exec" or "script". We could accept both but that's not very elegant in
these scenarios:

    setuid james pre-start exec
    script
      echo hello
    end script

    setuid james pre-start script
    exec echo hello

We should also think ahead: what if we introduce 'mkdir', 'chown', and
'chmod' stanzas? Who would they run as if setuid is specified?

** Also affects: upstart
   Importance: Undecided
       Status: New

https://bugs.launchpad.net/bugs/911207

Title:
  upstart 1.4: setuid/setguid apply to ALL scripts

Status in Upstart:
  New
Status in “upstart” package in Ubuntu:
  New

Bug description:
  Upstart 1.4 on Ubuntu Precise from
  https://launchpad.net/~jamesodhunt/+archive/upstart-job-logging

  -----------------------

  My understanding of the setuid/setguid stanzas in upstart 1.4 is that
  they should emulate what start-stop-daemon/daemon and suchlike do with
  regards to dropping privileges.

  At the moment the stanzas apply to all script blocks (not just the
  main exec one) which makes it hard to set up /var/run directories etc.
  which normally need to be created by root, not the owner of the
  application.
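
The optional section list proposed in the comment above, sketched as an added example; this is not Upstart source and not code from the bug report. Only PROCESS_MAIN appears on the page: the other ProcessType values, SetuidStanza, parse_setuid() and drops_privileges() are hypothetical names, accepting both "exec" and "script" for the main section is one of the options the comment mentions, and rejecting unknown section names is a choice made here.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical section ids for this example; only PROCESS_MAIN is on the page. */
typedef enum { PROCESS_MAIN, PROCESS_PRE_START, PROCESS_POST_START,
               PROCESS_PRE_STOP, PROCESS_POST_STOP, PROCESS_LAST } ProcessType;
static const char *const section_names[PROCESS_LAST] =
    { "main", "pre-start", "post-start", "pre-stop", "post-stop" };
typedef struct { char user[64]; unsigned mask; } SetuidStanza;

/* Parse "setuid USERNAME [<section>...]" into a per-section bitmask.
 * No section listed: apply to every section (the 1.4 behaviour).
 * Unknown section names are rejected, so a typo cannot silently leave
 * a section running as root. Returns 0 on success, -1 on a bad line. */
int parse_setuid(const char *line, SetuidStanza *out)
{
    char buf[256], *tok;
    int i;
    if (strlen(line) >= sizeof buf) return -1;
    strcpy(buf, line);
    tok = strtok(buf, " \t");
    if (!tok || strcmp(tok, "setuid") != 0) return -1;
    tok = strtok(NULL, " \t");
    if (!tok || strlen(tok) >= sizeof out->user) return -1;
    strcpy(out->user, tok);
    out->mask = 0;
    while ((tok = strtok(NULL, " \t")) != NULL) {
        /* "exec" and "script" both name the main section. */
        const char *name = (!strcmp(tok, "exec") || !strcmp(tok, "script")) ? "main" : tok;
        for (i = 0; i < PROCESS_LAST && strcmp(name, section_names[i]) != 0; i++) ;
        if (i == PROCESS_LAST) return -1;
        out->mask |= 1u << i;
    }
    if (out->mask == 0) out->mask = (1u << PROCESS_LAST) - 1;
    return 0;
}

/* The per-section test a spawn routine would make before calling setuid(). */
int drops_privileges(const SetuidStanza *s, ProcessType process)
{
    return (int)((s->mask >> process) & 1u);
}

int main(void)
{
    SetuidStanza s; /* input below is the example stanza from the comment */
    if (parse_setuid("setuid james pre-start post-start", &s) == 0)
        printf("main runs as %s\n", drops_privileges(&s, PROCESS_MAIN) ? s.user : "root");
    return 0;
}
```

With the stanza from the comment, the main section stays root while pre-start and post-start run as james, which is the ownership mismatch point 2 warns about, in the other direction.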
