Bug 220524 - pidfile_remove(3) is broken in capability mode
Summary: pidfile_remove(3) is broken in capability mode
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: bin
Version: CURRENT
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: Mariusz Zaborski
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-07-06 16:37 UTC by Mark Johnston
Modified: 2018-08-17 15:16 UTC

See Also:


Attachments

Description Mark Johnston freebsd_committer freebsd_triage 2017-07-06 16:37:32 UTC
pidfile_remove() uses unlink() to remove the pidfile, so it will always fail when called in capability mode. It would be nice if the pidfile code used Capsicum-friendly syscalls instead. pidfile_open() could keep a descriptor for the directory containing the requested pidfile, and later use unlinkat() to remove it.
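The approach described in the report, as an added C example that is not the libutil code from the referenced commit: a minimal pidfile helper whose open routine keeps a descriptor for the pidfile's directory, so that removal goes through unlinkat(2) relative to that descriptor rather than unlink(2) by path. The names pidfh_at, pidfile_open_at, pidfile_remove_at and pidfile_demo are hypothetical. cap_enter(2) is only called on FreeBSD; on other POSIX systems the descriptor-relative calls still run, there is just no capability mode to enter.

```c
/* Added example (not the libutil code from r322369): a pidfile helper that
 * keeps a directory descriptor so the file can be removed with unlinkat(2).
 * Names pidfh_at, pidfile_open_at, pidfile_remove_at, pidfile_demo are
 * hypothetical. cap_enter(2) is only used on FreeBSD. */
#define _GNU_SOURCE
#include <sys/stat.h>
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/capsicum.h>
#endif

struct pidfh_at {
	int pf_dirfd;       /* directory containing the pidfile */
	int pf_fd;          /* the pidfile itself */
	char pf_name[256];  /* basename, resolved relative to pf_dirfd */
};

/* Create a new pidfile, keeping descriptors for the file and its directory. */
struct pidfh_at *
pidfile_open_at(const char *path)
{
	struct pidfh_at *pfh;
	char dir[PATH_MAX];
	const char *slash = strrchr(path, '/');
	const char *base = slash == NULL ? path : slash + 1;
	size_t dirlen = slash == NULL ? 0 : (size_t)(slash - path);

	if (*base == '\0' || dirlen >= sizeof(dir) || strlen(base) >= 256) {
		errno = ENAMETOOLONG;
		return (NULL);
	}
	/* No slash means the current directory; a leading slash means "/". */
	memcpy(dir, path, dirlen);
	strcpy(dir + dirlen, slash == NULL ? "." : dirlen == 0 ? "/" : "");
	if ((pfh = calloc(1, sizeof(*pfh))) == NULL)
		return (NULL);
	strcpy(pfh->pf_name, base);
	/* The directory descriptor is what makes the later unlinkat(2) possible. */
	pfh->pf_dirfd = open(dir, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
	pfh->pf_fd = pfh->pf_dirfd == -1 ? -1 : openat(pfh->pf_dirfd, base,
	    O_WRONLY | O_CREAT | O_EXCL | O_CLOEXEC, 0644);
	if (pfh->pf_fd == -1) {
		int error = errno;
		if (pfh->pf_dirfd != -1)
			close(pfh->pf_dirfd);
		free(pfh);
		errno = error;
		return (NULL);
	}
	return (pfh);
}

/* Remove the pidfile by (dirfd, name) rather than by path, so this keeps
 * working after cap_enter(2), where unlink(2) would fail with ECAPMODE. */
int
pidfile_remove_at(struct pidfh_at *pfh)
{
	int error = 0;

	if (unlinkat(pfh->pf_dirfd, pfh->pf_name, 0) == -1)
		error = errno;
	close(pfh->pf_fd);
	close(pfh->pf_dirfd);
	free(pfh);
	errno = error;
	return (error == 0 ? 0 : -1);
}

/* Demonstration: create a pidfile in a fresh temporary directory, enter
 * capability mode (FreeBSD only), remove it through the held descriptors
 * and confirm it is gone. Returns 1 on success, 0 otherwise. The checks use
 * fstatat(2) on descriptors opened up front so they are themselves legal in
 * capability mode. */
int
pidfile_demo(void)
{
	char tmpl[] = "/tmp/pidfile-demo.XXXXXX";   /* constructed scratch dir */
	char path[PATH_MAX];
	struct pidfh_at *pfh;
	struct stat st;
	int tmpfd, dfd, ok;

	if (mkdtemp(tmpl) == NULL)
		return (0);
	snprintf(path, sizeof(path), "%s/daemon.pid", tmpl);
	tmpfd = open("/tmp", O_RDONLY | O_DIRECTORY);
	dfd = open(tmpl, O_RDONLY | O_DIRECTORY);
	pfh = pidfile_open_at(path);
	ok = tmpfd != -1 && dfd != -1 && pfh != NULL &&
	    fstatat(dfd, "daemon.pid", &st, 0) == 0;
#ifdef __FreeBSD__
	/* From here on only descriptor-relative file operations are allowed. */
	if (ok && cap_enter() == -1 && errno != ENOSYS)
		ok = 0;
#endif
	if (pfh != NULL && pidfile_remove_at(pfh) == -1)
		ok = 0;
	if (ok && !(fstatat(dfd, "daemon.pid", &st, 0) == -1 && errno == ENOENT))
		ok = 0;
	if (dfd != -1)
		close(dfd);
	if (tmpfd != -1) {
		unlinkat(tmpfd, strrchr(tmpl, '/') + 1, AT_REMOVEDIR);
		close(tmpfd);
	}
	return (ok);
}
```

The point to notice is that pidfile_remove_at never touches a pathname: everything it needs was captured in pidfile_open_at before the sandbox was entered, which is the same shape as the fix in r322369 (store the directory descriptor in the pidfh structure, remove with unlinkat(2)).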
Comment 1 commit-hook freebsd_committer freebsd_triage 2017-08-10 16:46:08 UTC
A commit references this bug:

Author: oshogbo
Date: Thu Aug 10 16:45:06 UTC 2017
New revision: 322369
URL: https://svnweb.freebsd.org/changeset/base/322369

Log:
  Store directory descriptor in the pidfh structure and use unlinkat(2)
  function instead of unlink(2).

  Now when pidfile_remove() uses unlinkat(2) to remove the pidfile
  it is safe to use this function in capability mode.

  Style fix: sort headers.

  PR:		220524
  Reviewed by:	markj
  Differential Revision:	https://reviews.freebsd.org/D11692

Changes:
  head/lib/libutil/pidfile.c
Comment 2 Mariusz Zaborski freebsd_committer freebsd_triage 2018-08-17 14:51:28 UTC
Can we close this bug?
Comment 3 Mark Johnston freebsd_committer freebsd_triage 2018-08-17 15:14:02 UTC
(In reply to Mariusz Zaborski from comment #2)
Sure.