Bug#924312: marked as done (stunnel4: Fails to stop with sysvinit: start-stop-daemon: matching only on non-root pidfile /var/lib/stunnel4///stunnel4.pid is insecure)


Debian Bug Tracking System
Your message dated Wed, 13 Mar 2019 21:04:19 +0000
with message-id <[hidden email]>
and subject line Bug#921558: fixed in lsb 10.2019031300
has caused the Debian Bug report #921558,
regarding stunnel4: Fails to stop with sysvinit: start-stop-daemon: matching only on non-root pidfile /var/lib/stunnel4///stunnel4.pid is insecure
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [hidden email]
immediately.)


--
921558: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=921558
Debian Bug Tracking System
Contact [hidden email] with problems

Package: stunnel4
Version: 3:5.50-3
Severity: serious

Stopping or restarting stunnel4 on systems with sysvinit (or probably
also any other init system using start-stop-daemon) fails as follows for
me:

 invoke-rc.d stunnel4 restart
Restarting TLS tunnels: /etc/stunnel/stunnel.conf: /sbin/start-stop-daemon: matching only on non-root pidfile /var/lib/stunnel4///stunnel4.pid is insecure
stopped

And although it claims "stopped" at the end, stunnel is not stopped, as ps
shows:

stunnel4 26991  0.0  0.0  87196   156 ?        Ssl  Jan21   0:00 /usr/bin/stunnel4 /etc/stunnel/stunnel.conf

This is caused by the following change in dpkg 1.19.3 from 22 Jan 2019:

  * start-stop-daemon: Check whether standalone --pidfile use is secure.
    Prompted by Michael Orlitzky <[hidden email]>.

The usual fix seems to be to also specify the binary to be stopped with
IIRC the --exec option.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (600, 'testing'), (500, 'unstable-debug'), (500, 'buildd-unstable'), (110, 'experimental'), (1, 'experimental-debug'), (1, 'buildd-experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.18.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
LSM: AppArmor: enabled

Versions of packages stunnel4 depends on:
ii  adduser      3.118
ii  libc6        2.28-8
ii  libssl1.1    1.1.1b-1
ii  libsystemd0  241-1
ii  libwrap0     7.6.q-28
ii  lsb-base     10.2018112800
ii  netbase      5.6
ii  openssl      1.1.1b-1
ii  perl         5.28.1-4

stunnel4 recommends no packages.

Versions of packages stunnel4 suggests:
pn  logcheck-database  <none>

-- Configuration Files:
/etc/stunnel/stunnel.conf changed:
; Sample stunnel configuration file by Michal Trojnara 2002-2009
; Some options used here may not be adequate for your particular configuration
; Please make sure you understand them (especially the effect of the chroot jail)
; Certificate/key is needed in server mode and optional in client mode
;cert = /etc/ssl/certs/stunnel.pem
;key = /etc/ssl/certs/stunnel.pem
; Protocol version (all, SSLv2, SSLv3, TLSv1)
sslVersion = TLSv1
; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
; PID is created inside the chroot jail
pid = /stunnel4.pid
; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
;compression = zlib
; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS
; Authentication stuff
;verify = 2
; Don't forget to c_rehash CApath
; CApath is located inside chroot jail
;CApath = /certs
; It's often easier to use CAfile
;CAfile = /etc/stunnel/certs.pem
; Don't forget to c_rehash CRLpath
; CRLpath is located inside chroot jail
;CRLpath = /crls
; Alternatively you can use CRLfile
;CRLfile = /etc/stunnel/crls.pem
; Some debugging stuff useful for troubleshooting
;debug = 7
;output = /var/log/stunnel4/stunnel.log
; Use it for client mode
;client = yes
; Service-level configuration
;[pop3s]
;accept  = 995
;connect = 110
;[imaps]
;accept  = 993
;connect = 143
;[ssmtp]
;accept  = 465
;connect = 25
;[https]
;accept  = 443
;connect = 80
;TIMEOUTclose = 0
[bbs]
;accept  = localhost:1984
accept  = 127.0.0.1:1984
connect = sym.noone.org:1983
client = yes
[bbs2]
;accept  = localhost:1984
accept  = 127.0.0.2:1984
connect = c3pio.deuxchevaux.org:1983
client = yes
; vim:ft=dosini


-- no debconf information

Source: lsb
Source-Version: 10.2019031300

We believe that the bug you reported is fixed in the latest version of
lsb, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [hidden email],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Didier Raboud <[hidden email]> (supplier of updated lsb package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [hidden email])


Format: 1.8
Date: Wed, 13 Mar 2019 21:42:26 +0100
Source: lsb
Architecture: source
Version: 10.2019031300
Distribution: unstable
Urgency: low
Maintainer: Debian LSB Team <[hidden email]>
Changed-By: Didier Raboud <[hidden email]>
Closes: 921558
Changes:
 lsb (10.2019031300) unstable; urgency=low
 .
   [ Dmitry Bogatov ]
   * init-functions: in killproc, pass '--name' to start-stop-daemon
     (Closes: #921558)
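
The decision behind the error in this report, modelled as an added shell example (not code from dpkg, lsb or stunnel4): a pidfile that a non-root account can rewrite is not sufficient evidence of which process to signal, so a second criterion such as the process name is required. The function names are hypothetical, `stat -c` assumes GNU coreutils, `PROC_ROOT` is an overridable stand-in for /proc, and treating world-writable files as untrusted is an assumption of this example.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, not from dpkg or lsb.
# PROC_ROOT is overridable so the logic can be exercised on a constructed tree.
PROC_ROOT="${PROC_ROOT:-/proc}"

# pidfile_owner_ok FILE [TRUSTED_UID]
# True only for a regular, non-symlink file owned by the trusted uid
# (default 0, root) that is not world-writable.
pidfile_owner_ok() {
    _f=$1; _uid=${2:-0}
    [ -f "$_f" ] && [ ! -L "$_f" ] || return 1
    _meta=$(stat -c '%u %a' "$_f") || return 1
    _owner=${_meta% *}; _mode=${_meta#* }
    [ "$_owner" = "$_uid" ] || return 1
    case "${_mode#"${_mode%?}"}" in
        2|3|6|7) return 1 ;;          # "other" write bit is set
    esac
    return 0
}

# pid_has_name PID NAME
# True if the process behind PID reports NAME as its command name, which is
# roughly the comparison start-stop-daemon's --name option adds.
pid_has_name() {
    _comm=$(cat "$PROC_ROOT/$1/comm" 2>/dev/null) || return 1
    [ "$_comm" = "$2" ]
}

# safe_to_signal FILE NAME [TRUSTED_UID]
# Prints the PID and returns 0 only when signalling it is justified:
#   - the pidfile is trustworthy on its own, or
#   - NAME is given and the process behind the PID carries that name.
# An untrusted pidfile with no second criterion is refused, like the
# "matching only on non-root pidfile ... is insecure" error in the report.
safe_to_signal() {
    _pf=$1; _name=$2; _trusted=${3:-0}
    _pid=$(cat "$_pf" 2>/dev/null) || return 1
    case "$_pid" in
        ''|*[!0-9]*) return 1 ;;      # reject anything but a single number
    esac
    if pidfile_owner_ok "$_pf" "$_trusted"; then
        echo "$_pid"; return 0
    fi
    [ -n "$_name" ] && pid_has_name "$_pid" "$_name" || return 1
    echo "$_pid"
}
```

On the system in the report, `safe_to_signal /var/lib/stunnel4/stunnel4.pid stunnel4` corresponds to the fixed killproc behaviour, and the same call with an empty name corresponds to the refused one.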