Package: stunnel4
Version: 3:5.50-3
Severity: serious

Stopping or restarting stunnel4 on systems with sysvinit (or probably
also any other init system using start-stop-daemon) fails as follows for
me:

 invoke-rc.d stunnel4 restart
Restarting TLS tunnels: /etc/stunnel/stunnel.conf: /sbin/start-stop-daemon: matching only on non-root pidfile /var/lib/stunnel4///stunnel4.pid is insecure
stopped

And although it claims "stopped" at the end, stunnel is not stopped, as ps
shows:

stunnel4 26991  0.0  0.0  87196   156 ?        Ssl  Jan21   0:00 /usr/bin/stunnel4 /etc/stunnel/stunnel.conf

This is caused by the following change in dpkg 1.19.3 from 22 Jan 2019:

  * start-stop-daemon: Check whether standalone --pidfile use is secure.
    Prompted by Michael Orlitzky <mich...@orlitzky.com>.

The usual fix seems to be to also specify the binary to be stopped, IIRC
with the --exec option.
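As an added illustration of the fix described above (this is not the stunnel4 package's own init script and not part of the bug report): the stop invocation that dpkg 1.19.3 now refuses, the same invocation with --exec added, and a small pure-sh check that performs the equivalent "does this pid really belong to the expected binary" test so the logic can be run without start-stop-daemon. It assumes the daemon is /usr/bin/stunnel4, that the pidfile written inside the chroot ends up at /var/lib/stunnel4/stunnel4.pid on the host, and that it runs on Linux where /proc/<pid>/exe exists.

```sh
#!/bin/sh
# Constructed example for this bug report, not the package's own init script.
# Assumed paths: daemon binary and host-side location of the pidfile that
# stunnel writes inside its chroot after dropping privileges.
DAEMON=/usr/bin/stunnel4
PIDFILE=/var/lib/stunnel4/stunnel4.pid

# The form start-stop-daemon >= 1.19.3 rejects: the pidfile is owned by the
# unprivileged stunnel4 user (the error says "non-root pidfile"), so a
# compromised daemon could write any pid into it and a root-run stop would
# signal that process.  Matching on the pidfile alone is therefore refused.
stop_insecure() {
    start-stop-daemon --stop --quiet --oknodo --pidfile "$PIDFILE"
}

# Fixed form: --exec adds a second matcher, so the pid from the file is only
# signalled if that process is actually running $DAEMON.
stop_fixed() {
    start-stop-daemon --stop --quiet --oknodo \
        --pidfile "$PIDFILE" --exec "$DAEMON"
}

# Pure-sh equivalent of the --exec cross-check: succeed (return 0) only if the
# pidfile names a live process whose executable is the expected binary.
# Any malformed or stale content makes it fail closed.
pidfile_points_at() {
    pidfile=$1
    expected=$2
    [ -r "$pidfile" ] || return 1
    pid=$(head -n 1 "$pidfile" 2>/dev/null)
    case $pid in
        ''|*[!0-9]*) return 1 ;;          # empty or not a bare number: refuse
    esac
    [ -d "/proc/$pid" ] || return 1          # no such process: nothing to stop
    actual=$(readlink "/proc/$pid/exe" 2>/dev/null) || return 1
    [ "$actual" = "$(readlink -f "$expected")" ]
}

# Stop helper built on that check: sends TERM only when the match holds,
# otherwise reports the mismatch and leaves every process alone.
safe_stop() {
    if pidfile_points_at "$PIDFILE" "$DAEMON"; then
        kill -TERM "$(head -n 1 "$PIDFILE")"
    else
        echo "$PIDFILE does not name a running $DAEMON; not killing" >&2
        return 1
    fi
}
```

stop_fixed is what an init script would call; pidfile_points_at and safe_stop only exist to make the reason for --exec visible and testable: a pidfile containing some other process's pid, or garbage, is rejected instead of being passed to kill.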

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (600, 'testing'), (500, 'unstable-debug'), (500, 'buildd-unstable'), (110, 'experimental'), (1, 'experimental-debug'), (1, 'buildd-experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.18.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
LSM: AppArmor: enabled

Versions of packages stunnel4 depends on:
ii  adduser      3.118
ii  libc6        2.28-8
ii  libssl1.1    1.1.1b-1
ii  libsystemd0  241-1
ii  libwrap0     7.6.q-28
ii  lsb-base     10.2018112800
ii  netbase      5.6
ii  openssl      1.1.1b-1
ii  perl         5.28.1-4

stunnel4 recommends no packages.

Versions of packages stunnel4 suggests:
pn  logcheck-database  <none>

-- Configuration Files:
/etc/stunnel/stunnel.conf changed:
; Sample stunnel configuration file by Michal Trojnara 2002-2009
; Some options used here may not be adequate for your particular configuration
; Please make sure you understand them (especially the effect of the chroot jail)
; Certificate/key is needed in server mode and optional in client mode
;cert = /etc/ssl/certs/stunnel.pem
;key = /etc/ssl/certs/stunnel.pem
; Protocol version (all, SSLv2, SSLv3, TLSv1)
sslVersion = TLSv1
; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
; PID is created inside the chroot jail
pid = /stunnel4.pid
; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
;compression = zlib
; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS
; Authentication stuff
;verify = 2
; Don't forget to c_rehash CApath
; CApath is located inside chroot jail
;CApath = /certs
; It's often easier to use CAfile
;CAfile = /etc/stunnel/certs.pem
; Don't forget to c_rehash CRLpath
; CRLpath is located inside chroot jail
;CRLpath = /crls
; Alternatively you can use CRLfile
;CRLfile = /etc/stunnel/crls.pem
; Some debugging stuff useful for troubleshooting
;debug = 7
;output = /var/log/stunnel4/stunnel.log
; Use it for client mode
;client = yes
; Service-level configuration
;[pop3s]
;accept  = 995
;connect = 110
;[imaps]
;accept  = 993
;connect = 143
;[ssmtp]
;accept  = 465
;connect = 25
;[https]
;accept  = 443
;connect = 80
;TIMEOUTclose = 0
[bbs]
;accept  = localhost:1984
accept  = 127.0.0.1:1984
connect = sym.noone.org:1983
client = yes
[bbs2]
;accept  = localhost:1984
accept  = 127.0.0.2:1984
connect = c3pio.deuxchevaux.org:1983
client = yes
; vim:ft=dosini


-- no debconf information
