Package: dpkg
Version: 1.17.13
Severity: normal

Dear Maintainer,
If the options --umask and --make-pidfile are both used when calling start-stop-daemon --start, the umask is set before the pidfile is created. If this umask is restrictive (e.g. 0007) then this leads to a pidfile being created that is not even readable by unprivileged users. This means that only root will be able to successfully check the status of a service with a command like "service foo status".

Since it is easy for any user to find the PID of any running process (with ps), I don't think there is any security issue with making all pidfiles world-readable. Indeed, a quick check of both my Debian systems reveals that, other than the one offending service that caused me to notice this problem (deluged*), all other pidfiles in /run have permissions of 0644, consistent with the default umask of 0022.

A quick look at the source of start-stop-daemon reveals that the umask is applied immediately before calling "create-pidfile". Simply changing the order of these two blocks of code fixes the problem. For your convenience, I have attached a patch that does this.

* The deluged package just got a shiny new init-script in a recent Debian package version, and there are a couple of issues with the script, one of which is its overly-paranoid default umask. I am filing a bug with that package about those issues as well, but clearly the root of this bug is in start-stop-daemon.

-- System Information:
Debian Release: 7.6
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 3.12-0.bpo.1-686-pae (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages dpkg depends on:
ii  libbz2-1.0   1.0.6-4
ii  libc6        2.13-38+deb7u3
ii  liblzma5     5.1.1alpha+20120614-2
ii  libselinux1  2.1.9-5
ii  tar          1.26+dfsg-0.1
ii  zlib1g       1:1.2.7.dfsg-13

dpkg recommends no packages.

Versions of packages dpkg suggests:
ii  apt  0.9.7.9+deb7u2

-- no debconf information

diff -rupN dpkg-1.17.13/utils/start-stop-daemon.c dpkg-1.17.13-new/utils/start-stop-daemon.c --- dpkg-1.17.13/utils/start-stop-daemon.c 2014-08-19 11:12:18.000000000 -0700 +++ dpkg-1.17.13-new/utils/start-stop-daemon.c 2014-09-01 14:47:12.000000000 -0700 @@ -1780,11 +1780,11 @@ do_start(int argc, char **argv) set_proc_schedule(proc_sched); if (io_sched) set_io_schedule(io_sched); - if (umask_value >= 0) - umask(umask_value); if (mpidfile && pidfile != NULL) /* User wants _us_ to make the pidfile. */ write_pidfile(pidfile, getpid()); + if (umask_value >= 0) + umask(umask_value); if (changeroot != NULL) { if (chdir(changeroot) < 0) fatal("unable to chdir() to %s", changeroot);
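
Review bot: with umask(umask_value) moved below write_pidfile(pidfile, getpid()) in do_start(), the pidfile's mode now depends entirely on whatever umask start-stop-daemon inherited from its caller. An init script or shell that already runs with a restrictive umask would reproduce the unreadable pidfile, and a caller with a very permissive umask may leave the pidfile writable by more than its owner, depending on the mode write_pidfile() requests. Consider setting a fixed umask (022) immediately before write_pidfile() and applying umask_value afterwards, so the pidfile permissions are the same regardless of the calling environment. The documentation for --umask should also state that the value applies to the started process and not to the file created by --make-pidfile.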