Package: prosody
Version: 0.6.2-1
Severity: normal
Tags: security

/var/run/prosody/prosody.pid is in a directory writable by the prosody user, as well as itself being writable by that user. Suppose this user is compromised. If the pid is overwritten with a different process id, such as 1, /etc/init.d/prosody stop will kill it.
start-stop-daemon avoids this kind of security flaw by checking /proc/pid/exe (when run with --exec), or at least the process name (when run with --name). But you have to include those switches when stopping the daemon, which you do not. Also, --name lua is only going to limit it to killing lua processes, which is hardly ideal.

Note that beyond the possibility this could be used as a security hole, things go wrong, and pid files end up with stale data in them. Blindly killing without checking is asking for trouble.

-- 
see shy jo
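The check start-stop-daemon performs with --exec, written out as a stand-alone POSIX sh function so the failure modes described in the report (a pid file pointing at init, or at a stale or foreign process) are refused before any signal is sent. This is an added example, not code from the prosody package or its init script; the pid-file path and expected binary are parameters supplied by the caller.

```shell
#!/bin/sh
# check_pidfile PIDFILE EXPECTED_EXE
# Prints the pid and returns 0 only if the pid file names a live process
# whose /proc/<pid>/exe resolves to EXPECTED_EXE; otherwise returns 1.
check_pidfile() {
    pidfile=$1
    expected_exe=$2

    [ -f "$pidfile" ] || { echo "no pid file: $pidfile" >&2; return 1; }

    # A writable pid file may contain anything: accept only a single integer.
    pid=$(head -n 1 "$pidfile" | tr -d '[:space:]')
    case $pid in
        ''|*[!0-9]*) echo "refusing: pid file content is not numeric" >&2; return 1 ;;
    esac
    # pid 1 (init) and pid 0 are never a daemon we started.
    [ "$pid" -gt 1 ] || { echo "refusing: pid $pid is not a daemon" >&2; return 1; }

    # Resolve the running process's executable; fails if the process is gone
    # or belongs to another user whose /proc entry we may not read.
    actual_exe=$(readlink "/proc/$pid/exe" 2>/dev/null) \
        || { echo "refusing: cannot resolve /proc/$pid/exe" >&2; return 1; }
    # The kernel appends " (deleted)" when the binary was replaced on disk.
    actual_exe=${actual_exe% (deleted)}
    expected_real=$(readlink -f "$expected_exe") || return 1

    if [ "$actual_exe" != "$expected_real" ]; then
        echo "refusing: pid $pid runs $actual_exe, expected $expected_real" >&2
        return 1
    fi
    printf '%s\n' "$pid"
}

# stop_daemon PIDFILE EXPECTED_EXE: signal the process only after validation.
stop_daemon() {
    pid=$(check_pidfile "$1" "$2") || return 1
    kill "$pid"
}
```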