Package: munin-node
Version: 2.0.34-3
Severity: normal

--- Please enter the report below this line. ---

systemd db256aab13 broke munin-node.

> core: be stricter when handling PID files and MAINPID sd_notify()
> messages
>
> Let's be more restrictive when validating PID files and MAINPID=
> messages: don't accept PIDs that make no sense, and if the configuration
> source is not trusted, don't accept out-of-cgroup PIDs. A configuration
> source is considered trusted when the PID file is owned by root, or the
> message was received from root.
>
> This should lock things down a bit, in case service authors write out
> PID files from unprivileged code or use NotifyAccess=all with
> unprivileged code. Note that doing so was always problematic, just now
> it's a bit less problematic.
>
> When we open the PID file we'll now use the CHASE_SAFE chase_symlinks()
> logic, to ensure that we won't follow an unprivileged-owned symlink to a
> privileged-owned file thinking this was a valid privileged PID file,
> even though it really isn't.
>
> Fixes: #6632

That should teach me a lesson to follow systemd updates! I don't even understand the problem, the pid file is no symlink and is owned by root. chase_symlinks() appears a massive fluke to me. 😄

--- System information. ---
Architecture:
Kernel:       Linux 4.14.0-14.1-liquorix-amd64

Debian Release: buster/sid
  510 unstable        liquorix.net
  510 unstable        ftp.de.debian.org
  510 unstable        dl.winehq.org
  510 unstable        deb-multimedia.org
  510 testing         ftp.de.debian.org
  509 experimental    ftp.de.debian.org
  502 zesty           ppa.launchpad.net
  502 yakkety         ppa.launchpad.net
  500 zesty           build.openmodelica.org
  500 stable          ftp.de.debian.org
  500 stable          dl.google.com

--- Package information. ---
Depends                    (Version) | Installed
====================================-+-==============
perl                                 | 5.26.1-4
gawk                                 | 1:4.1.4+dfsg-1+b1
libnet-server-perl                   | 2.008-4
lsb-base                    (>= 4.1) | 9.20170808
munin-common           (>= 2.0.34-3) | 2.0.34-3
munin-plugins-core                   | 2.0.34-3
procps                               | 2:3.3.12-3

Recommends               (Version) | Installed
==================================-+-===========
libnet-snmp-perl                   | 6.0.1-3
munin-plugins-extra                | 2.0.34-3

Suggests                              (Version) | Installed
===============================================-+-===========
acpi                                            |
 OR lm-sensors                                  | 1:3.4.0-4
ethtool                                         | 1:4.11-1
hdparm                                          | 9.53+ds-1
libcrypt-ssleay-perl                            |
libdbd-pg-perl                                  |
liblwp-useragent-determined-perl                |
libnet-irc-perl                                 |
libtext-csv-xs-perl                             |
libwww-perl                                     | 6.31-1
libxml-simple-perl                              | 2.24-1
logtail                                         |
munin                                           | 2.0.34-3
munin-plugins-java                              |
default-mysql-client                            |
net-tools                                       | 1.60+git20161116.90da8a0-1
python                                          | 2.7.14-4
ruby                                            | 1:2.3.3
smartmontools                                   | 6.5+svn4324-1
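
An added example, not part of the original report and not systemd's own code: a simplified Python model of the ownership check the quoted commit message describes, for auditing a service's PID file path. It generalizes the symlink rule to every path component, which is an assumption about how the check is applied; the path /run/exampled/exampled.pid and UID 998 are constructed placeholders.

```python
import os
import stat
import sys

def unsafe_transition(prev_uid, next_uid):
    """A step is unsafe when it leaves a non-root owner for a different owner."""
    if prev_uid == 0:              # leaving a root-owned object is always fine
        return False
    return prev_uid != next_uid    # otherwise the owner must stay the same

def first_unsafe_step(chain):
    """chain is [(path, uid), ...] in traversal order; return the bad step or None."""
    for (p_path, p_uid), (n_path, n_uid) in zip(chain, chain[1:]):
        if unsafe_transition(p_uid, n_uid):
            return (p_path, p_uid, n_path, n_uid)
    return None

def owner_chain(path, max_hops=32):
    """lstat() each component of an absolute path, resolving symlinks by hand."""
    root = ("/", os.lstat("/").st_uid)
    chain, cur = [root], "/"
    todo = [c for c in path.split("/") if c][::-1]    # stack of pending components
    while todo:
        name = todo.pop()
        if name == ".":
            continue
        if name == "..":
            cur = os.path.dirname(cur)
            continue
        nxt = os.path.join(cur, name)
        st = os.lstat(nxt)
        chain.append((nxt, st.st_uid))
        if not stat.S_ISLNK(st.st_mode):
            cur = nxt
            continue
        max_hops -= 1
        if max_hops < 0:
            raise OSError("too many levels of symbolic links: " + path)
        target = os.readlink(nxt)
        if target.startswith("/"):                    # absolute link restarts at /
            chain.append(root)
            cur = "/"
        todo.extend([c for c in target.split("/") if c][::-1])
    return chain

# Constructed sample: root-written PID file inside a directory owned by UID 998.
SAMPLE = [("/", 0), ("/run", 0), ("/run/exampled", 998),
          ("/run/exampled/exampled.pid", 0)]

if __name__ == "__main__":
    for p in sys.argv[1:]:         # absolute PID file paths to audit
        print(p, first_unsafe_step(owner_chain(p)))
```

Run it with the absolute path of a PID file as argument; a result of None means no step in the path leaves a non-root owner for a different one.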