Package: openrc
Version: 0.42-2.1
Severity: grave
Tags: newcomer security
Justification: user security hole

Dear Maintainer,

openrc-run's command_user flag does not function properly. If both a
user and group are specified, an error is returned:
"start-stop-daemon: user '$user:$group' not found", even if that user
and group exist. If only the user is specified, the script will run,
but as root, rather than as the user specified (which is the intended
behavior); the username specified is then passed to the command run as
an argument (not intended behavior).

I was able to make this option work as intended by editing
/lib/rc/sh/start-stop-daemon.sh, and changing --user in line 58 to
--chuid. I have not submitted a PR because in upstream, --chuid is
being deprecated in favor of --user, which does the same thing and
therefore there is no issue. On Devuan, however, these flags
apparently do different things, which causes this problem. I don't
understand very well Devuan's package's differences from upstream or
why this difference exists, but I assume there may be another solution
which does not rely on using an option deprecated in mainstream, which
maintainers may prefer to implement.

Best.

-- System Information:
Distributor ID: Devuan
Description:    Devuan GNU/Linux 4 (chimaera)
Release:        4
Codename:       chimaera
Architecture: x86_64

Kernel: Linux 5.10.0-11-amd64 (SMP w/1 CPU thread)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: OpenRC (via /run/openrc), PID 1: init

Versions of packages openrc depends on:
ii  insserv      1.21.0-1.1
ii  libaudit1    1:3.0-2
ii  libc6        2.31-13+deb11u3
ii  libeinfo1    0.42-2.1
ii  libpam0g     1.4.0-9+deb11u1
ii  librc1       0.42-2.1
ii  libselinux1  3.1-3

openrc recommends no packages.

Versions of packages openrc suggests:
pn  policycoreutils  <none>
ii  sysvinit-core    2.96-7+devuan2

-- no debconf information