Devuan bug report logs - #692
openrc: command_user flag in openrc-run does not function properly

Full log

Message #10 received at 692@bugs.devuan.org (full text, mbox, reply):

Received: (at 692) by bugs.devuan.org; 20 Jul 2022 18:25:41 +0000
Return-Path: <mark@hindley.org.uk>
Delivered-To: devuanbugs@dyne.org
Received: from mail.dyne.org [141.95.83.167]
	by doc.devuan.org with IMAP (fetchmail-6.4.16)
	for <debbugs@localhost> (single-drop); Wed, 20 Jul 2022 18:25:41 +0000 (UTC)
Received: from mx.hindley.org.uk (193-36-131-86.cfwn.uk [193.36.131.86])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by mail.dyne.org (Postfix) with ESMTPS id BAD77661832
	for <692@bugs.devuan.org>; Wed, 20 Jul 2022 20:25:10 +0200 (CEST)
Received: from apollo.hindleynet ([192.168.1.3] helo=hindley.org.uk)
	by mx.hindley.org.uk with smtp (Exim 4.84_2)
	(envelope-from <mark@hindley.org.uk>)
	id 1oEENh-0002rA-1f; Wed, 20 Jul 2022 19:25:09 +0100
Received: (nullmailer pid 10898 invoked by uid 1000);
	Wed, 20 Jul 2022 18:25:08 -0000
Date: Wed, 20 Jul 2022 19:25:08 +0100
From: Mark Hindley <mark@hindley.org.uk>
To: Adam <anoriginale.mailaddress99@gmail.com>, 692@bugs.devuan.org
Subject: Re: bug#692: openrc: command_user flag in openrc-run does not
 function properly
Message-ID: <YthIhNhvWWwA7yVF@hindley.org.uk>
References: <CAL2tVp0iNP=ct6vJyLaaGaLHddFZxy1tXWWVkh1RLqOE4rzG9g@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CAL2tVp0iNP=ct6vJyLaaGaLHddFZxy1tXWWVkh1RLqOE4rzG9g@mail.gmail.com>
X-Debbugs-No-Ack: No Thanks
X-Spam-Status: No, score=0.4 required=5.0 tests=RDNS_DYNAMIC,SPF_PASS
	autolearn=disabled version=3.4.2
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on mail.dyne.org

Control: tags -1 debian

Adam,

Thanks for this.

On Wed, Jul 20, 2022 at 12:36:04PM -0500, Adam wrote:
> Package: openrc
> Version: 0.42-2.1

Openrc is not a forked package in Devuan and we use Debian's packages directly
without recompilation. Therefore this issue is present in Debian and should be
reported there to be fixed. However, I am aware that Debian's openrc is not well
maintained at the moment. In fact I did the last upload as an NMU. Debian's
package is only 0.42 whereas Github has 0.45.2.

Reporting it there is still probably the best course. If we can find a fix, then
I can probably do another NMU.

> Severity: grave
> Tags: newcomer security
> Justification: user security hole
> 
> Dear Maintainer,
> 
> openrc-run's command_user flag does not function properly. If both a
> user and group are specified, an error is returned:
> "start-stop-daemon: user '$user:$group' not found", even if that user
> and group exist. If only the user is specified, the script will run,
> but as root, rather than as the user specified (which is the intended
> behavior); the username specified is then passed to the command run as
> an argument (not intended behavior).
> 
> I was able to make this option work as intended by editing
> /lib/rc/sh/start-stop-daemon.sh, and changing --user in line 58 to
> --chuid. I have not submitted a PR because in upstream,


Which upstream do you mean here, Debian or Github?

> --chuid is
> being deprecated in favor of --user, which does the same thing and
> therefore there is no issue. On Devuan, however, these flags
> apparently do different things, which causes this problem. I don't
> understand very well Devuan's package's differences from upstream or
> why this difference exists,

There are none wrt openrc, so I think a difference in behaviour is unlikely. Can
you demonstrate it?

Thanks

Mark

Send a report that this bug log contains spam.