Package: radsecproxy
Version: 1.6.9-1

First of all: thanks for providing this excellent package! :)

I'd like to address three topics:
(1) There's a flaw in some systemd versions that can be used for a DoS attack 
if the PID file of a daemon is manipulated,
(2) radsecproxy shouldn't be run as root but as unprivileged user instead,
(3) is the dependency "debhelper (>= 10)" a hard dependency or can it be 
lowered to "debhelper (>= 9)"?

(1) There seems to be a flaw in some versions of systemd which concerns PID 
files. If a PID file of a service is manipulated (e. g. to contain the value 
"1"), stopping the service will kill the process whose process ID has been 
added to the PID file. To circumvent this you can omit writing a PID file if 
the daemon allows it. radsecproxy is simple enough so that systemd knows the 
PID after starting it, so not writing a PID file isn't a problem in this case. 
This is what I'd suggest for this package. The patch is included in the patch 
suggested for issue (2).

(2) Right now, radsecproxy is running as root. I'd like to propose the 
following patch so that it's run as an unprivileged user "radsecproxy":

--------8<--------8<--------8<--------8<--------8<--------
--- radsecproxy-1.6.9.old/debian/service        2017-08-04 21:12:38.000000000 
+0200
+++ radsecproxy-1.6.9/debian/service    2017-08-18 07:56:46.080064099 +0200
@@ -6,12 +6,13 @@

[Service]
Type=forking
-ExecStart=/usr/sbin/radsecproxy -i /run/radsecproxy.pid
-PIDFile=/run/radsecproxy.pid
+ExecStart=/usr/sbin/radsecproxy
+User=radsecproxy
ProtectSystem=full
PrivateDevices=true
PrivateTmp=true
ProtectHome=true

[Install]
WantedBy=multi-user.target
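
Review bot: Type=forking is left unchanged while PIDFile= is removed at the ExecStart/PIDFile lines, so systemd now has to infer the main PID of the forked daemon on its own. If radsecproxy offers a foreground mode, consider starting it that way and switching to Type=simple, which makes the main PID unambiguous without any PID file. Since User=radsecproxy means the unit no longer starts the daemon as root, also confirm that every file the daemon must read at startup is readable by that account, and consider an explicit Group= next to User=.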
--------8<--------8<--------8<--------8<--------8<--------

    Furthermore, there needs to be an additional file 
radsecproxy-1.6.9/debian/postinst to add the user:

--------8<--------8<--------8<--------8<--------8<--------
adduser --system radsecproxy
--------8<--------8<--------8<--------8<--------8<--------

    Please note that I didn't look into the classic init files so running 
radsecproxy as user "radsecproxy" should be added to the classic init script as 
well. I'm also not experienced with Debian packaging so please double check the 
above suggestion.

(3) This issue is more a question than a bug report or suggestion. Right now 
the control file has the dependency "debhelper (>= 10)". Is this a hard 
dependency? If not, can it be changed to "debhelper (>= 9)" again?

Thanks again for providing this package, it's highly appreciated!

Kind regards,
Christian Strauf
-- 
Dipl.-Math. Christian Strauf
Clausthal Univ. of Technology   E-Mail: str...@rz.tu-clausthal.de
Rechenzentrum                   Web:    www.rz.tu-clausthal.de
Erzstraße 18                    Tel.:   +49-5323-72-2086 Fax: -992086
D-38678 Clausthal-Zellerfeld
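
An added example, not part of the original report or of the Debian package: a shell function that audits a unit file for the pattern discussed in (1) and (2), reporting whether its [Service] section still sets PIDFile= and under which User=. The sample units are constructed from the patch above; the "mixed" variant and its PID file path are hypothetical.

```shell
#!/bin/sh
# Classify a unit: "ok" = no PIDFile=; "review" = PIDFile= with a root service;
# "risky" = PIDFile= plus a non-root User=, whose account owns the file it wrote.
audit_unit() {
    awk '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { insvc = ($0 ~ /^[ \t]*\[Service\]/); next }
        !insvc        { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            # Later assignments win; an empty value resets the setting.
            if (key == "User")    user = val
            if (key == "PIDFile") pidfile = val
        }
        END {
            if (pidfile == "") print "ok"
            else if (user == "" || user == "root" || user == "0") print "review"
            else print "risky"
        }
    ' "$1"
}

# Constructed samples; mixed.service and its PID path are hypothetical.
write_samples() {
    cat > "$1/before.service" <<'EOF'
[Service]
ExecStart=/usr/sbin/radsecproxy -i /run/radsecproxy.pid
PIDFile=/run/radsecproxy.pid
EOF
    cat > "$1/after.service" <<'EOF'
[Service]
ExecStart=/usr/sbin/radsecproxy
User=radsecproxy
EOF
    cat > "$1/mixed.service" <<'EOF'
[Service]
User=radsecproxy
PIDFile=/run/radsecproxy/radsecproxy.pid
EOF
}

tmp=$(mktemp -d); write_samples "$tmp"
for u in before after mixed; do echo "$u: $(audit_unit "$tmp/$u.service")"; done
rm -rf "$tmp"
```

The function reads only the unit file given; drop-in overrides under a `.d` directory would have to be audited the same way.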
