Devuan bug report logs - #692
openrc: command_user flag in openrc-run does not function properly

version graph

Package: openrc; Maintainer for openrc is (unknown); Source for openrc is src:openrc.

Reported by: Adam <anoriginale.mailaddress99@gmail.com>

Date: Wed, 20 Jul 2022 17:38:02 UTC

Severity: grave

Tags: debian

Found in version 0.42-2.1

Fixed in version openrc/0.45.2-1

Done: Mark Hindley <mark@hindley.org.uk>

Forwarded to https://bugs.debian.org/1015765

Full log


🔗 View this message in rfc822 format

MIME-Version: 1.0
X-Mailer: MIME-tools 5.509 (Entity 5.509)
X-Loop: owner@bugs.devuan.org
From: "Devuan bug Tracking System" <owner@bugs.devuan.org>
To: Adam <anoriginale.mailaddress99@gmail.com>
Subject: bug#692 closed by Mark Hindley <mark@hindley.org.uk> (Fixed in
 Debian's openrc 0.45.2-1)
Message-ID: <handler.692.D692.165868389917025.notifdone@bugs.devuan.org>
References: <Yt2B470oMu7LMKrP@hindley.org.uk>
 <CAL2tVp0iNP=ct6vJyLaaGaLHddFZxy1tXWWVkh1RLqOE4rzG9g@mail.gmail.com>
X-Devuan-PR-Message: they-closed 692
X-Devuan-PR-Package: openrc
X-Devuan-PR-Keywords: debian
X-Devuan-PR-Source: openrc
Reply-To: 692@bugs.devuan.org
Date: Sun, 24 Jul 2022 17:32:04 +0000
Content-Type: multipart/mixed; boundary="----------=_1658683924-17030-1"
[Message part 1 (text/plain, inline)]
This is an automatic notification regarding your bug report
which was filed against the openrc package:

#692: openrc: command_user flag in openrc-run does not function properly

It has been closed by Mark Hindley <mark@hindley.org.uk>.

Their explanation is attached below along with your original report.
If this explanation is unsatisfactory and you have not received a
better one in a separate message then please contact Mark Hindley <mark@hindley.org.uk> by
replying to this email.


-- 
692: https://bugs.devuan.org/cgi/bugreport.cgi?bug=692
Devuan Bug Tracking System
Contact owner@bugs.devuan.org with problems
[Message part 2 (message/rfc822, inline)]
From: Mark Hindley <mark@hindley.org.uk>
To: 692-close@bugs.devuan.org
Subject: Fixed in Debian's openrc 0.45.2-1
Date: Sun, 24 Jul 2022 18:31:15 +0100
Source: openrc
Source-Version: 0.45.2-1
Done: Mark Hindley <leepen@debian.org>

We believe that the bug you reported is fixed in the latest version of
openrc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1015765@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mark Hindley <leepen@debian.org> (supplier of updated openrc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 24 Jul 2022 15:32:06 +0100
Source: openrc
Architecture: source
Version: 0.45.2-1
Distribution: unstable
Urgency: medium
Maintainer: OpenRC Debian Maintainers <openrc@packages.debian.org>
Changed-By: Mark Hindley <leepen@debian.org>
Closes: 973245 1015765
Changes:
 openrc (0.45.2-1) unstable; urgency=medium
 .
   * d/watch: update to version 4 and fix path.
   * New upstream version 0.45.2
     - includes fix for CVE-2018-21269 (Closes: #973245).
   * d/control:
     - add myself to uploaders.
     - bump debhelper compat to 13.
     - add Build-Depends meson, pkg-config.
     - bump Standards Version to 4.6.1 (no changes).
   * debian/patches:
     - remove obsolete d/p/0001-no-rpath.patch.
     - delete patches applied upstream.
     - convert to meson
     - refresh.
   * d/rules:
     - convert to meson
     - override libexecdir to keep existing non-multiarch path.
     - cleanup and remove cruft.
   * Simplify d/rules and multiarch handling with dh-exec.
   * Install bash and zsh completions.
   * d/not-installed: add uninstalled files.
   * .gitignore backup files.
   * d/openrc.lintian-overrides:
     - update changed tag name.
     - update to pointed format.
     - remove unused override.
   * sh/start-stop-daemon.sh: use src:dpkg s-s-d compatible --chuid
     (Closes: #1015765).
Checksums-Sha1:
 960a37fa530d1e6eea59a7fc3e22a7956e415450 2283 openrc_0.45.2-1.dsc
 f61b8f40e9b2bd94a09a2ddd834d42c76a45b2d4 192020 openrc_0.45.2.orig.tar.xz
 64a6daac79f69a67b41646d156f83a9bf37c2c03 24820 openrc_0.45.2-1.debian.tar.xz
 04f4357d0257c144d67a68f1d5aa25695204d4f3 9205 openrc_0.45.2-1_amd64.buildinfo
Checksums-Sha256:
 d3463a04d868c3c6c7416c2186b4676713bc7e11a64a1cbb4363ed525aa9a761 2283 openrc_0.45.2-1.dsc
 2a47fbf6ef2d252bbee1232e7626f8cc445eaeeeabb49ced1e7b0d598dafeb66 192020 openrc_0.45.2.orig.tar.xz
 ae0aaeb164e701fcfe4f3228aecd09aefd032cd51653149a1cbb9d9e20f606d2 24820 openrc_0.45.2-1.debian.tar.xz
 88b33ee6075f3cc5089ac0ad782ec020cf8173303f6fef82bfe6c68b56e7e7fd 9205 openrc_0.45.2-1_amd64.buildinfo
Files:
 9707f0f464c446b72050ffaff3c94b9d 2283 admin optional openrc_0.45.2-1.dsc
 66c00b46950bf954d3e47b68999aa44a 192020 admin optional openrc_0.45.2.orig.tar.xz
 0bacb081ef0275873328d96e0eea79bc 24820 admin optional openrc_0.45.2-1.debian.tar.xz
 acca86f8c757dacde74107ca2da3f53b 9205 admin optional openrc_0.45.2-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEUGwVpCsK9aCoVCPu0opFvzKH1kkFAmLdczEACgkQ0opFvzKH
1kljixAAoSSfckl/l3mP3JcClslCUAW9lbQbFHlLW+6pJaRy/ro4mV7G62MBeEpU
fDMTZ8kwduibkbVjDetz3/hbIyUEN/dHXDH3apkAVs4OBXWEXhE9jY5VWAEKd+w6
mu2K1U/oQ0CO/GESKXSqJwAwoCaNtxJj3F5L8NfcfG4W40gpU5oUHZkZwddOPatf
BuCnrlJjq4MdP1YHgWSLQRrrFQDe6KHlF0H/IVaD9AaXw6A//k3ZD6+KZ7Okh3OK
8EvKDli9SNp4g9AAPT1OsDXmlEVJ4nBeLTB3IQRdhgoDyIt64Kkq30wv2+a4rI48
QaObwFbZNshUsX5WeF5MiBSOKL1hREzk9Nsh2W0Zhdtfk1qfR0tfKd1/VcU/P8LR
f10TYMQ0yYV645OmYT448j0Eh7Bnw0Ss1XIWWWqJa6Fq4dr988qGzRt2fD7S/2ax
haWIJTGvWKZXQfvXFkTdZKqyrEqJwY4BO4LrQo9oqLggE/Bl8ciHqrubGZmmo0Fn
NO5fgf782PALE5QK9RTyGfTAWHVrzY4pZHgaSp2HAhr3ny+RDLQJ6QudHZNAIWiL
KjbhSThG/ag0l5V2dcXgoHU2Miph6yuTouhEi9x0J27sKmXVCK1wI43LvxWnvQK+
3DZAOhOJGDef/cXXLlJK0zPKCUVUaKeOVYlTi3GvNU96EXvI+m4=
=VWC4
-----END PGP SIGNATURE-----
[Message part 3 (message/rfc822, inline)]
From: Adam <anoriginale.mailaddress99@gmail.com>
To: submit@bugs.devuan.org
Subject: openrc: command_user flag in openrc-run does not function properly
Date: Wed, 20 Jul 2022 12:36:04 -0500
Package: openrc
Version: 0.42-2.1
Severity: grave
Tags: newcomer security
Justification: user security hole

Dear Maintainer,

openrc-run's command_user flag does not function properly. If both a
user and group are specified, an error is returned:
"start-stop-daemon: user '$user:$group' not found", even if that user
and group exist. If only the user is specified, the script will run,
but as root, rather than as the user specified (which is the intended
behavior); the username specified is then passed to the command run as
an argument (not intended behavior).

I was able to make this option work as intended by editing
/lib/rc/sh/start-stop-daemon.sh, and changing --user in line 58 to
--chuid. I have not submitted a PR because in upstream, --chuid is
being deprecated in favor of --user, which does the same thing and
therefore there is no issue. On Devuan, however, these flags
apparently do different things, which causes this problem. I don't
understand very well Devuan's package's differences from upstream or
why this difference exists, but I assume there may be another solution
which does not rely on using an option deprecated in mainstream, which
maintainers may prefer to implement.

Best.

-- System Information:
Distributor ID: Devuan
Description:    Devuan GNU/Linux 4 (chimaera)
Release:        4
Codename:       chimaera
Architecture: x86_64

Kernel: Linux 5.10.0-11-amd64 (SMP w/1 CPU thread)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: OpenRC (via /run/openrc), PID 1: init

Versions of packages openrc depends on:
ii  insserv      1.21.0-1.1
ii  libaudit1    1:3.0-2
ii  libc6        2.31-13+deb11u3
ii  libeinfo1    0.42-2.1
ii  libpam0g     1.4.0-9+deb11u1
ii  librc1       0.42-2.1
ii  libselinux1  3.1-3

openrc recommends no packages.

Versions of packages openrc suggests:
pn  policycoreutils  <none>
ii  sysvinit-core    2.96-7+devuan2

-- no debconf information

Send a report that this bug log contains spam.


Devuan BTS -- Powered by Debian bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.

Devuan Bugs Owner <owner@bugs.devuan.org>.
Last modified: Sun Nov 24 01:36:31 2024;