Devuan bug report logs - #692
openrc: command_user flag in openrc-run does not function properly

Package: openrc; Maintainer for openrc is (unknown); Source for openrc is src:openrc.

Reported by: Adam <anoriginale.mailaddress99@gmail.com>

Date: Wed, 20 Jul 2022 17:38:02 UTC

Severity: grave

Tags: debian

Found in version 0.42-2.1

Fixed in version openrc/0.45.2-1

Done: Mark Hindley <mark@hindley.org.uk>

Forwarded to https://bugs.debian.org/1015765

Full log

Message #5 received at submit@bugs.devuan.org (full text, mbox, reply):

Received: (at submit) by bugs.devuan.org; 20 Jul 2022 17:37:45 +0000
Return-Path: <anoriginale.mailaddress99@gmail.com>
Delivered-To: devuanbugs@dyne.org
Received: from mail.dyne.org [141.95.83.167]
	by doc.devuan.org with IMAP (fetchmail-6.4.16)
	for <debbugs@localhost> (single-drop); Wed, 20 Jul 2022 17:37:45 +0000 (UTC)
Received: from mail-vs1-f41.google.com (mail-vs1-f41.google.com [209.85.217.41])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by mail.dyne.org (Postfix) with ESMTPS id 3D4BD661813
	for <submit@bugs.devuan.org>; Wed, 20 Jul 2022 19:36:44 +0200 (CEST)
Authentication-Results: mail.dyne.org;
	dkim=pass (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.b="FFgYx2RR";
	dkim-atps=neutral
Received: by mail-vs1-f41.google.com with SMTP id l190so17012822vsc.0
        for <submit@bugs.devuan.org>; Wed, 20 Jul 2022 10:36:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20210112;
        h=mime-version:from:date:message-id:subject:to;
        bh=3PwKsTPVUJL32+cddEbJS/9+6rtO4LmNbJ6TcFxCEOI=;
        b=FFgYx2RROaIiwoJwyZAN/IdaPsHdcjc6KOd2085ynjtUXFopHmAROtak3TuZqt84lX
         P0gxJxMAkiP3f7IcRcxyUyUkHikTb6DHTLx1am/czDUdkBxblYo0VcCTi/5i+bTidjFE
         6/b0GXZgs2PQilvV2cfs0sEdtMKmFyttIUAyVPrZqx67gOdFK4vfyTY6LesUv69GNyjp
         ePi805xxBt+fLKMTnEzsUTpRksaMbyigQ+/Qx/TUa+CDM30CZOicaAaAWUWlmSkqzIr8
         O+GVc90JvFqLGTBC9zadjulYGj7Sn/1INrIe/obXe3Uv92wiGZ81+WieiVBCK0YCj004
         6Q/Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=x-gm-message-state:mime-version:from:date:message-id:subject:to;
        bh=3PwKsTPVUJL32+cddEbJS/9+6rtO4LmNbJ6TcFxCEOI=;
        b=pMTAA9kv8EjqFz4Iq+5uPd073I8ST4UqVl/+W5jsiNq6As/sGXryGQqlwmvH7HMxli
         oiUjTc/4memFyHZoy4e0wqSglsT3WUA6Wx7chPbZw8PoHeGWnTrwefWI0GsHZByUATFr
         4XXMUaZj/edWyjn+OTRKAOnbp57ThYV+ZYCPOY+dKd4ju2PWMMV7kbTD6ts/nt4YvPy1
         10xEU4JkYz2/ayc+9pwT+a7FupYgRW0lGAZ5Ljx8vC7gLTrZ4EPRqBl1uTQV+eyFdB1k
         iMYI8+60z19nSB5NVlvfusL27KjuDXccP8foL3kKmkej5Ca+lP3JIbWdXpDMxrltWDd0
         QJbw==
X-Gm-Message-State: AJIora8vochLG9i0kQmMUxkAKfmRUJhx0DqndNpUbjkWE5TfQzXuhKoT
	6wroPhTVA6geDcn1O7tlnJuQgb6LdlvpLV7juD2EJS2o
X-Google-Smtp-Source: AGRyM1sXu2i5guI8jRtUA7zPvZkannnguQk95a9jFNFmQJRAJcOahG0iYdRUHj0dtbj4Ol3ogfRmB6Xm7cG+2mCSUx0=
X-Received: by 2002:a67:c488:0:b0:357:4848:c366 with SMTP id
 d8-20020a67c488000000b003574848c366mr13778739vsk.36.1658338601590; Wed, 20
 Jul 2022 10:36:41 -0700 (PDT)
MIME-Version: 1.0
From: Adam <anoriginale.mailaddress99@gmail.com>
Date: Wed, 20 Jul 2022 12:36:04 -0500
Message-ID: <CAL2tVp0iNP=ct6vJyLaaGaLHddFZxy1tXWWVkh1RLqOE4rzG9g@mail.gmail.com>
Subject: openrc: command_user flag in openrc-run does not function properly
To: submit@bugs.devuan.org
Content-Type: text/plain; charset="UTF-8"
X-Spam-Status: No, score=0.0 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
	DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,
	RCVD_IN_MSPIKE_H2,SPF_PASS autolearn=disabled version=3.4.2
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on mail.dyne.org

Package: openrc
Version: 0.42-2.1
Severity: grave
Tags: newcomer security
Justification: user security hole

Dear Maintainer,

openrc-run's command_user flag does not function properly. If both a
user and group are specified, an error is returned:
"start-stop-daemon: user '$user:$group' not found", even if that user
and group exist. If only the user is specified, the script will run,
but as root, rather than as the user specified (which is the intended
behavior); the username specified is then passed to the command run as
an argument (not intended behavior).

I was able to make this option work as intended by editing
/lib/rc/sh/start-stop-daemon.sh, and changing --user in line 58 to
--chuid. I have not submitted a PR because in upstream, --chuid is
being deprecated in favor of --user, which does the same thing and
therefore there is no issue. On Devuan, however, these flags
apparently do different things, which causes this problem. I don't
understand very well Devuan's package's differences from upstream or
why this difference exists, but I assume there may be another solution
which does not rely on using an option deprecated in mainstream, which
maintainers may prefer to implement.

Best.

-- System Information:
Distributor ID: Devuan
Description:    Devuan GNU/Linux 4 (chimaera)
Release:        4
Codename:       chimaera
Architecture: x86_64

Kernel: Linux 5.10.0-11-amd64 (SMP w/1 CPU thread)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: OpenRC (via /run/openrc), PID 1: init

Versions of packages openrc depends on:
ii  insserv      1.21.0-1.1
ii  libaudit1    1:3.0-2
ii  libc6        2.31-13+deb11u3
ii  libeinfo1    0.42-2.1
ii  libpam0g     1.4.0-9+deb11u1
ii  librc1       0.42-2.1
ii  libselinux1  3.1-3

openrc recommends no packages.

Versions of packages openrc suggests:
pn  policycoreutils  <none>
ii  sysvinit-core    2.96-7+devuan2

-- no debconf information

Send a report that this bug log contains spam.

Devuan bug report logs - #692 openrc: command_user flag in openrc-run does not function properly

Devuan bug report logs - #692
openrc: command_user flag in openrc-run does not function properly