Skribent: Mark Hindley Dato: Til: Adam, 692 Emne: [devuan-dev] bug#692: openrc: command_user flag in openrc-run does
not function properly
Control: tags -1 debian
Adam,
Thanks for this.
On Wed, Jul 20, 2022 at 12:36:04PM -0500, Adam wrote: > Package: openrc
> Version: 0.42-2.1
Openrc is not a forked package in Devuan and we use Debian's packages directly
without recompilation. Therefore this issue is present in Debian and should be
reported there to be fixed. However, I am aware that Debian's openrc is not well
maintained at the moment. In fact I did the last upload as an NMU. Debian's
package is only 0.42 whereas Github has 0.45.2.
Reporting it there is still probably the best course. If we can find a fix, then
I can probably do another NMU.
> Severity: grave
> Tags: newcomer security
> Justification: user security hole
>
> Dear Maintainer,
>
> openrc-run's command_user flag does not function properly. If both a
> user and group are specified, an error is returned:
> "start-stop-daemon: user '$user:$group' not found", even if that user
> and group exist. If only the user is specified, the script will run,
> but as root, rather than as the user specified (which is the intended
> behavior); the username specified is then passed to the command run as
> an argument (not intended behavior).
>
> I was able to make this option work as intended by editing
> /lib/rc/sh/start-stop-daemon.sh, and changing --user in line 58 to
> --chuid. I have not submitted a PR because in upstream,
Which upstream do you mean here, Debian or Github?
> --chuid is
> being deprecated in favor of --user, which does the same thing and
> therefore there is no issue. On Devuan, however, these flags
> apparently do different things, which causes this problem. I don't
> understand very well Devuan's package's differences from upstream or
> why this difference exists,
There are none wrt openrc, so I think a difference in behaviour is unlikely. Can
you demonstrate it?