Your message dated Tue, 08 Jan 2019 01:34:08 +0000 with message-id <[email protected]> and subject line Bug#872888: fixed in radsecproxy 1.7.2-1 has caused the Debian Bug report #872888, regarding Not running radsecproxy as root / circumvent a systemd flaw with PID files / dependency on debhelper >=10 to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.) -- 872888: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872888 Debian Bug Tracking System Contact [email protected] with problems
--- Begin Message ---Package: radsecproxy Version: 1.6.9-1 First of all: thanks for providing this excellent package! :) I'd like to address three topics: (1) There's a flaw in some systemd versions that can be used for a DoS attack if the PID file of a daemon is manipulated, (2) radsecproxy shouldn't be run as root but as unprivileged user instead, (3) is the dependency "debhelper (>= 10)" a hard dependency or can it be lowered to "debhelper (>= 9)"? (1) There seems to be a flaw in some versions of systemd which concerns PID files. If a PID file of a service is manipulated (e. g. to contain the value "1"), stopping the service will kill the process whose process ID has been added to the PID file. To circumvent this you can omit writing a PID file if the daemon allows it. radsecproxy is simple enough so that systemd knows the PID after starting it, so not writing a PID file isn't a problem in this case. This is what I'd suggest for this package. The patch is included in the patch suggested for issue (2). (2) Right now, radsecproxy is running as root. I'd like to propose the following patch so that it's run a an unprivileged user "radsecproxy": --------8<--------8<--------8<--------8<--------8<-------- --- radsecproxy-1.6.9.old/debian/service 2017-08-04 21:12:38.000000000 +0200 +++ radsecproxy-1.6.9/debian/service 2017-08-18 07:56:46.080064099 +0200 @@ -6,12 +6,13 @@ [Service] Type=forking -ExecStart=/usr/sbin/radsecproxy -i /run/radsecproxy.pid -PIDFile=/run/radsecproxy.pid +ExecStart=/usr/sbin/radsecproxy +User=radsecproxy ProtectSystem=full PrivateDevices=true PrivateTmp=true ProtectHome=true [Install] WantedBy=multi-user.target --------8<--------8<--------8<--------8<--------8<-------- Furthermore, there needs to be an additional file radsecproxy-1.6.9/debian/postinst to add the user: --------8<--------8<--------8<--------8<--------8<-------- adduser --system radsecproxy --------8<--------8<--------8<--------8<--------8<-------- Please note that I didn't look into the classic init files so running radsecproxy as user "radsecproxy" should be added to the classic init script as well. I'm also not experienced with Debian packaging so please double check the above suggestion. (3) This issue is more a question than a bug report or suggestion. Right now the control file has the dependency "debhelper (>= 10)". Is this a hard dependency? If not, can it be changed to "debhelper (>= 9)" again? Thanks again for providing this package, it's highly appreciated! Kind regards, Christian Strauf -- Dipl.-Math. Christian Strauf Clausthal Univ. of Technology E-Mail: [email protected] Rechenzentrum Web: www.rz.tu-clausthal.de Erzstraße 18 Tel.: +49-5323-72-2086 Fax: -992086 D-38678 Clausthal-Zellerfeld
smime.p7s
Description: S/MIME cryptographic signature
--- End Message ---
--- Begin Message ---Source: radsecproxy Source-Version: 1.7.2-1 We believe that the bug you reported is fixed in the latest version of radsecproxy, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Faidon Liambotis <[email protected]> (supplier of updated radsecproxy package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected]) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Tue, 08 Jan 2019 03:16:13 +0200 Source: radsecproxy Binary: radsecproxy Architecture: source Version: 1.7.2-1 Distribution: unstable Urgency: medium Maintainer: Faidon Liambotis <[email protected]> Changed-By: Faidon Liambotis <[email protected]> Description: radsecproxy - RADIUS protocol proxy supporting RadSec Closes: 859675 872888 Changes: radsecproxy (1.7.2-1) unstable; urgency=medium . * New upstream release. * Bump Build-Depends to OpenSSL 1.1.0 (libssl-dev), as the new upstream version is now compatible with it. (Closes: #859675) * Remove --enable-fticks from configure, as it's now default and non-optional. * Update the shipped /etc/radsecproxy.conf with new (commented out) upstream directives. * Use a dedicated "radsecproxy" user to run the daemon instead of root. (Closes: #872888) * Remove dependency on docbook2x since this version ships the pregenerated manpages by default. These are now the preferred source of modification upstream, and the XMLs were removed entirely in a subsequent commit. Also adjust our path-correction patch to patch the manpages directly. * Update debian/upstream/signing-key.asc with the new upstream's key. * Update debian/control, debian/copyright and debian/watch with the project's new homepage on GitHub. * Update debian/copyright with an additional copyright author (SWITCH) and to reflect the license change, i.e. to remove GPLv2+ and update to a generic 3-clause BSD. * Add Vcs-* to point to the package's git at salsa.debian.org. * Bump debhelper compat to 11. * Bump Standards-Version to 4.3.0. Checksums-Sha1: 2e545340393826fca7e838b855b8f8666460626c 2132 radsecproxy_1.7.2-1.dsc f5d71744be53ac5dabbbef4613dae4928e814d27 327759 radsecproxy_1.7.2.orig.tar.gz 4349190fb76230ebd1cd33416b74ef0b31f0a0ee 873 radsecproxy_1.7.2.orig.tar.gz.asc 9b5e103c042a5e4f84492807e66ccfab3ede5e2a 11184 radsecproxy_1.7.2-1.debian.tar.xz 1e53257bcb6fd91c275538b1f2cad00a4def03df 5358 radsecproxy_1.7.2-1_source.buildinfo Checksums-Sha256: a253d0031ccb2b335d01d5bda1049e791b588d5227e18e1e635350aa4f4eb096 2132 radsecproxy_1.7.2-1.dsc 2cf23e618ab9275221350acf5a97bce4ff18aee472045f8a3b4c7673491079d2 327759 radsecproxy_1.7.2.orig.tar.gz 2b68da300c218817529a191b38ec898d0c27cc22b9f6067b904d8242c9c89e14 873 radsecproxy_1.7.2.orig.tar.gz.asc 4f56f9bee3c60b506ceaec170c1a2b1d47f3103105514f803e59f236dedd8a65 11184 radsecproxy_1.7.2-1.debian.tar.xz a8174ce0f4a31c7d7573b851eaa05d8b91c32e0c85a6ba5ebf7f7666a06a697d 5358 radsecproxy_1.7.2-1_source.buildinfo Files: 7b808d0e6d9402688c4353046b59fc89 2132 net optional radsecproxy_1.7.2-1.dsc 6b8538216310f1965fc0636044c757c9 327759 net optional radsecproxy_1.7.2.orig.tar.gz 84bbbe4e23bb591377ff5a69029de74d 873 net optional radsecproxy_1.7.2.orig.tar.gz.asc fff7a1796bc456a01ef7768deb7f4f33 11184 net optional radsecproxy_1.7.2-1.debian.tar.xz 2790082cd2c42d87f56cdc7f2da0753e 5358 net optional radsecproxy_1.7.2-1_source.buildinfo -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEqVksUhy5BAd9ZZgAnQteWx7sjw4FAlwz+5oACgkQnQteWx7s jw4HBRAAx2MV5PseaPCOH2sSZ+MA4v7J90WXC2oO2Oji1f2ewiDmSWMMLT8iMWFh bt6FZ/JBZDXSNnS6ScsaAFL9FBgTKPxUeh581EvVD+PF0r9C2crPhCMApvIG9S3E rZ7s0e+GzTD3SQ+k770G7yUTgh6d+5wpw3NGKqKRiv9iz5cOi3K1Dn/7m8Tc8LPN iBvEQsmcL2WEtoXSYLJ+Vi1MZcjUF4cD3pMbinkgHzHhR/9Mvmmqn0TthRic6TGU vs7vPVHzOKwHR9jCaSeTvmdc4O/oDIvw6v2qFUk58y9gBXSzodlwhRTKbvKXinUv VnJE8AkyQJWnvYo+UGka24USrDlRNjXfu9yxlFtlBFfI93/kVSgx6X07iF5jPFID lEMsUV2wVIrlrilpjkR5Jfd5IrWLLtzFydgtRx5v83xeYQXrN0kzZfYqmc3BvILV 7G37vXGCzVM1FcAYKPcPI+/xT7f7riC+2MkXmgpeGcHH/Cv7qwzQX2rFDDRxKOwe /HIei1NU6qaE2ACwq6WDp836bl/jmpyGGXSQTeNOmK3Op/6B1EqvNYE/4wcUrTEC lXnAmkTU7Md4TIuzu4r4Z8NwKl+xHe3y7VBVwX2NVpRYZ720lGQwwAxTOB2NbB17 HbMnCIvyEq41yG/2PJ49X13xKFEKS3KsZnGX6IkljtLxCo+R79A= =igLN -----END PGP SIGNATURE-----
--- End Message ---
