From: Adam <[email protected]>
To: [email protected]
Date: Wed, 20 Jul 2022 12:36:04 -0500
Subject: bug#692: openrc: command_user flag in openrc-run does not function properly

Package: openrc
Version: 0.42-2.1
Severity: grave
Tags: newcomer security
Justification: user security hole

Dear Maintainer,

openrc-run's command_user flag does not function properly. If both a
user and group are specified, an error is returned:
"start-stop-daemon: user '$user:$group' not found", even if that user
and group exist. If only the user is specified, the script will run,
but as root, rather than as the user specified (which is the intended
behavior); the username specified is then passed to the command run as
an argument (not intended behavior).

I was able to make this option work as intended by editing
/lib/rc/sh/start-stop-daemon.sh, and changing --user in line 58 to
--chuid. I have not submitted a PR because in upstream, --chuid is
being deprecated in favor of --user, which does the same thing and
therefore there is no issue. On Devuan, however, these flags
apparently do different things, which causes this problem. I don't
understand very well Devuan's package's differences from upstream or
why this difference exists, but I assume there may be another solution
which does not rely on using an option deprecated in mainstream, which
maintainers may prefer to implement.

Best.

-- System Information:
Distributor ID: Devuan
Description:    Devuan GNU/Linux 4 (chimaera)
Release:        4
Codename:       chimaera
Architecture:   x86_64

Kernel: Linux 5.10.0-11-amd64 (SMP w/1 CPU thread)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: OpenRC (via /run/openrc), PID 1: init

Versions of packages openrc depends on:
ii  insserv      1.21.0-1.1
ii  libaudit1    1:3.0-2
ii  libc6        2.31-13+deb11u3
ii  libeinfo1    0.42-2.1
ii  libpam0g     1.4.0-9+deb11u1
ii  librc1       0.42-2.1
ii  libselinux1  3.1-3

openrc recommends no packages.

Versions of packages openrc suggests:
pn  policycoreutils  <none>
ii  sysvinit-core    2.96-7+devuan2

-- no debconf information

From: "Devuan bug Tracking System" <[email protected]>
To: Adam <[email protected]>
Date: Wed, 20 Jul 2022 17:38:05 +0000
Subject: bug#692: Acknowledgement (openrc: command_user flag in openrc-run does not function properly)

Thank you for filing a new bug report with Devuan.

You can follow progress on this bug here: 692: https://bugs.devuan.org/cgi/bugreport.cgi?bug=692.

This is an automatically generated reply to let you know your message
has been received.

Your message is being forwarded to the package maintainers and other
interested parties for their attention; they will reply in due course.

Your message has been sent to the package maintainer(s):
 [email protected]

If you wish to submit further information on this problem, please
send it to [email protected].

Please do not send mail to [email protected] unless you wish
to report a problem with the Bug-tracking system.

-- 
692: https://bugs.devuan.org/cgi/bugreport.cgi?bug=692
Devuan Bug Tracking System
Contact [email protected] with problems

From: Mark Hindley <[email protected]>
To: Adam <[email protected]>, [email protected]
Date: Wed, 20 Jul 2022 19:25:08 +0100
Subject: bug#692: openrc: command_user flag in openrc-run does not function properly

Control: tags -1 debian

Adam,

Thanks for this.

On Wed, Jul 20, 2022 at 12:36:04PM -0500, Adam wrote:
> Package: openrc
> Version: 0.42-2.1

Openrc is not a forked package in Devuan and we use Debian's packages directly
without recompilation. Therefore this issue is present in Debian and should be
reported there to be fixed.

However, I am aware that Debian's openrc is not well maintained at the moment.
In fact I did the last upload as an NMU. Debian's package is only 0.42 whereas
Github has 0.45.2. Reporting it there is still probably the best course. If we
can find a fix, then I can probably do another NMU.

> Severity: grave
> Tags: newcomer security
> Justification: user security hole
>
> Dear Maintainer,
>
> openrc-run's command_user flag does not function properly. If both a
> user and group are specified, an error is returned:
> "start-stop-daemon: user '$user:$group' not found", even if that user
> and group exist. If only the user is specified, the script will run,
> but as root, rather than as the user specified (which is the intended
> behavior); the username specified is then passed to the command run as
> an argument (not intended behavior).
>
> I was able to make this option work as intended by editing
> /lib/rc/sh/start-stop-daemon.sh, and changing --user in line 58 to
> --chuid. I have not submitted a PR because in upstream,

Which upstream do you mean here, Debian or Github?

> --chuid is
> being deprecated in favor of --user, which does the same thing and
> therefore there is no issue. On Devuan, however, these flags
> apparently do different things, which causes this problem. I don't
> understand very well Devuan's package's differences from upstream or
> why this difference exists,

There are none wrt openrc, so I think a difference in behaviour is unlikely. Can
you demonstrate it?

Thanks

Mark

From: Mark Hindley <[email protected]>
To: Adam <[email protected]>, [email protected]
Date: Wed, 20 Jul 2022 20:01:45 +0100
Subject: bug#692: openrc: command_user flag in openrc-run does not function properly

Adam,

I think this explains what is going on[1].

Basically, Debian ships its own version of start-stop-daemon in dpkg and the
arguments are different from the Openrc implementation. See man
start-stop-daemon(8).

This is definitely a Debian bug; please submit a report there. It may be that
patching sh/start-stop-daemon is the right fix in Debian as it can only be
calling dpkg's s-s-d.

Thanks

Mark

[1] https://github.com/OpenRC/openrc/issues/383

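Added example, not part of the thread or of the openrc package: a runtime check that a daemon started with command_user really runs under that uid, which catches the "runs as root" symptom whichever start-stop-daemon is installed. It assumes a Linux /proc layout; pids 4242 and 4343, /usr/sbin/mydaemon and uid 1000 are constructed sample values.

```sh
#!/bin/sh
# Added example: verify the privilege drop requested through command_user.
# Linux-only: reads /proc/PID/status and /proc/PID/cmdline.

# want_uid SPEC: numeric uid for a command_user value ("user", "user:group" or a uid).
want_uid() {
    u=${1%%:*}                                   # drop an optional ":group"
    case $u in
        ''|*[!0-9]*) id -u "$u" 2>/dev/null ;;   # a name: resolve it via passwd
        *)           printf '%s\n' "$u" ;;       # already numeric
    esac
}

# effective_uid STATUS_FILE: the "Uid:" line holds real, effective, saved, fs.
effective_uid() {
    [ -r "$1" ] || return 1
    awk '$1 == "Uid:" { print $3; found = 1; exit } END { exit !found }' "$1"
}

# argv_has_user CMDLINE_FILE SPEC: true if the user appears as a whole argument
# after argv[0] in a NUL-separated argv dump (the report's second symptom).
argv_has_user() {
    [ -r "$1" ] || return 1
    tr '\0' '\n' < "$1" | tail -n +2 | grep -Fxq -- "${2%%:*}"
}

# check_drop SPEC PID [PROC_ROOT]: 0 = runs as SPEC, 1 = wrong uid, 2 = cannot tell.
check_drop() {
    root=${3:-/proc}
    want=$(want_uid "$1") || { echo "unknown user: $1" >&2; return 2; }
    have=$(effective_uid "$root/$2/status") || { echo "no process $2" >&2; return 2; }
    [ "$want" = "$have" ] && return 0
    echo "pid $2: effective uid $have, expected $want ($1)" >&2
    if argv_has_user "$root/$2/cmdline" "$1"; then
        echo "pid $2: '${1%%:*}' was passed to the command as an argument" >&2
    fi
    return 1
}

# make_sample_proc DIR: constructed /proc entries for two fictional daemons,
# both meant to run with command_user=1000 (numeric so no local account is needed).
make_sample_proc() {
    mkdir -p "$1/4242" "$1/4343"
    # 4242: still root, and the user value ended up in argv
    printf 'Name:\tmydaemon\nUid:\t0\t0\t0\t0\n' > "$1/4242/status"
    printf '/usr/sbin/mydaemon\n1000\n' | tr '\n' '\0' > "$1/4242/cmdline"
    # 4343: privileges dropped as requested
    printf 'Name:\tmydaemon\nUid:\t1000\t1000\t1000\t1000\n' > "$1/4343/status"
    printf '/usr/sbin/mydaemon\n--foreground\n' | tr '\n' '\0' > "$1/4343/cmdline"
}

if [ "$#" -ge 2 ]; then
    check_drop "$@"          # real use: SPEC and the pid read from the service's pidfile
else
    d=$(mktemp -d) && make_sample_proc "$d"
    check_drop 1000 4242 "$d" || echo "4242: privilege drop failed"
    check_drop 1000 4343 "$d" && echo "4343: runs as the expected uid"
    rm -rf "$d"
fi
```
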
From: Mark Hindley <[email protected]>
To: Adam <[email protected]>
Cc: [email protected]
Date: Thu, 21 Jul 2022 07:05:10 +0100
Subject: bug#692: openrc: command_user flag in openrc-run does not function properly

Control: forwarded -1 https://bugs.debian.org/1015765

On Wed, Jul 20, 2022 at 03:32:28PM -0500, Adam wrote:
> Mark,
>
> Will do. Many thanks for the guidance.

Thanks.

Mark

MIME-Version: 1.0 X-Mailer: MIME-tools 5.509 (Entity 5.509) X-Loop: [email protected] From: "Devuan bug Tracking System" <[email protected]> To: Mark Hindley <[email protected]> Subject: bug#692: marked as done (openrc: command_user flag in openrc-run does not function properly) Message-ID: <[email protected]> References: <[email protected]> <CAL2tVp0iNP=ct6vJyLaaGaLHddFZxy1tXWWVkh1RLqOE4rzG9g@mail.gmail.com> X-Devuan-PR-Message: closed 692 X-Devuan-PR-Package: openrc X-Devuan-PR-Keywords: debian X-Devuan-PR-Source: openrc Reply-To: [email protected] Date: Sun, 24 Jul 2022 17:32:01 +0000 Content-Type: multipart/mixed; boundary="----------=_1658683921-17030-0" This is a multi-part message in MIME format... ------------=_1658683921-17030-0 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Your message dated Sun, 24 Jul 2022 18:31:15 +0100 with message-id <[email protected]> and subject line Fixed in Debian's openrc 0.45.2-1 has caused the Devuan bug report #692, regarding openrc: command_user flag in openrc-run does not function properly to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.) 
--=20 692: https://bugs.devuan.org/cgi/bugreport.cgi?bug=3D692 Devuan Bug Tracking System Contact [email protected] with problems ------------=_1658683921-17030-0 Content-Type: message/rfc822 Content-Disposition: inline Content-Transfer-Encoding: 7bit Received: (at submit) by bugs.devuan.org; 20 Jul 2022 17:37:45 +0000 Return-Path: <[email protected]> Delivered-To: [email protected] Received: from mail.dyne.org [141.95.83.167] by doc.devuan.org with IMAP (fetchmail-6.4.16) for <debbugs@localhost> (single-drop); Wed, 20 Jul 2022 17:37:45 +0000 (UTC) Received: from mail-vs1-f41.google.com (mail-vs1-f41.google.com [209.85.217.41]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.dyne.org (Postfix) with ESMTPS id 3D4BD661813 for <[email protected]>; Wed, 20 Jul 2022 19:36:44 +0200 (CEST) Authentication-Results: mail.dyne.org; dkim=pass (2048-bit key; unprotected) header.d=gmail.com [email protected] header.b="FFgYx2RR"; dkim-atps=neutral Received: by mail-vs1-f41.google.com with SMTP id l190so17012822vsc.0 for <[email protected]>; Wed, 20 Jul 2022 10:36:44 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:from:date:message-id:subject:to; bh=3PwKsTPVUJL32+cddEbJS/9+6rtO4LmNbJ6TcFxCEOI=; b=FFgYx2RROaIiwoJwyZAN/IdaPsHdcjc6KOd2085ynjtUXFopHmAROtak3TuZqt84lX P0gxJxMAkiP3f7IcRcxyUyUkHikTb6DHTLx1am/czDUdkBxblYo0VcCTi/5i+bTidjFE 6/b0GXZgs2PQilvV2cfs0sEdtMKmFyttIUAyVPrZqx67gOdFK4vfyTY6LesUv69GNyjp ePi805xxBt+fLKMTnEzsUTpRksaMbyigQ+/Qx/TUa+CDM30CZOicaAaAWUWlmSkqzIr8 O+GVc90JvFqLGTBC9zadjulYGj7Sn/1INrIe/obXe3Uv92wiGZ81+WieiVBCK0YCj004 6Q/Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=3PwKsTPVUJL32+cddEbJS/9+6rtO4LmNbJ6TcFxCEOI=; b=pMTAA9kv8EjqFz4Iq+5uPd073I8ST4UqVl/+W5jsiNq6As/sGXryGQqlwmvH7HMxli 
oiUjTc/4memFyHZoy4e0wqSglsT3WUA6Wx7chPbZw8PoHeGWnTrwefWI0GsHZByUATFr 4XXMUaZj/edWyjn+OTRKAOnbp57ThYV+ZYCPOY+dKd4ju2PWMMV7kbTD6ts/nt4YvPy1 10xEU4JkYz2/ayc+9pwT+a7FupYgRW0lGAZ5Ljx8vC7gLTrZ4EPRqBl1uTQV+eyFdB1k iMYI8+60z19nSB5NVlvfusL27KjuDXccP8foL3kKmkej5Ca+lP3JIbWdXpDMxrltWDd0 QJbw== X-Gm-Message-State: AJIora8vochLG9i0kQmMUxkAKfmRUJhx0DqndNpUbjkWE5TfQzXuhKoT 6wroPhTVA6geDcn1O7tlnJuQgb6LdlvpLV7juD2EJS2o X-Google-Smtp-Source: AGRyM1sXu2i5guI8jRtUA7zPvZkannnguQk95a9jFNFmQJRAJcOahG0iYdRUHj0dtbj4Ol3ogfRmB6Xm7cG+2mCSUx0= X-Received: by 2002:a67:c488:0:b0:357:4848:c366 with SMTP id d8-20020a67c488000000b003574848c366mr13778739vsk.36.1658338601590; Wed, 20 Jul 2022 10:36:41 -0700 (PDT) MIME-Version: 1.0 From: Adam <[email protected]> Date: Wed, 20 Jul 2022 12:36:04 -0500 Message-ID: <CAL2tVp0iNP=ct6vJyLaaGaLHddFZxy1tXWWVkh1RLqOE4rzG9g@mail.gmail.com> Subject: openrc: command_user flag in openrc-run does not function properly To: [email protected] Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=0.0 required=5.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM, RCVD_IN_MSPIKE_H2,SPF_PASS autolearn=disabled version=3.4.2 X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on mail.dyne.org Package: openrc Version: 0.42-2.1 Severity: grave Tags: newcomer security Justification: user security hole Dear Maintainer, openrc-run's command_user flag does not function properly. If both a user and group are specified, an error is returned: "start-stop-daemon: user '$user:$group' not found", even if that user and group exist. If only the user is specified, the script will run, but as root, rather than as the user specified (which is the intended behavior); the username specified is then passed to the command run as an argument (not intended behavior). I was able to make this option work as intended by editing /lib/rc/sh/start-stop-daemon.sh, and changing --user in line 58 to --chuid. 
I have not submitted a PR because in upstream, --chuid is being deprecated in favor of --user, which does the same thing and therefore there is no issue. On Devuan, however, these flags apparently do different things, which causes this problem. I don't understand very well Devuan's package's differences from upstream or why this difference exists, but I assume there may be another solution which does not rely on using an option deprecated in mainstream, which maintainers may prefer to implement. Best. -- System Information: Distributor ID: Devuan Description: Devuan GNU/Linux 4 (chimaera) Release: 4 Codename: chimaera Architecture: x86_64 Kernel: Linux 5.10.0-11-amd64 (SMP w/1 CPU thread) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set Shell: /bin/sh linked to /usr/bin/dash Init: OpenRC (via /run/openrc), PID 1: init Versions of packages openrc depends on: ii insserv 1.21.0-1.1 ii libaudit1 1:3.0-2 ii libc6 2.31-13+deb11u3 ii libeinfo1 0.42-2.1 ii libpam0g 1.4.0-9+deb11u1 ii librc1 0.42-2.1 ii libselinux1 3.1-3 openrc recommends no packages. 
Versions of packages openrc suggests: pn policycoreutils <none> ii sysvinit-core 2.96-7+devuan2 -- no debconf information ------------=_1658683921-17030-0 Content-Type: message/rfc822 Content-Disposition: inline Content-Transfer-Encoding: 7bit Received: (at 692-close) by bugs.devuan.org; 24 Jul 2022 17:31:39 +0000 Return-Path: <[email protected]> Delivered-To: [email protected] Received: from mail.dyne.org [141.95.83.167] by doc.devuan.org with IMAP (fetchmail-6.4.16) for <debbugs@localhost> (single-drop); Sun, 24 Jul 2022 17:31:39 +0000 (UTC) Received: from mx.hindley.org.uk (193-36-131-86.cfwn.uk [193.36.131.86]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.dyne.org (Postfix) with ESMTPS id 97EE4661848 for <[email protected]>; Sun, 24 Jul 2022 19:31:17 +0200 (CEST) Received: from apollo.hindleynet ([192.168.1.3] helo=hindley.org.uk) by mx.hindley.org.uk with smtp (Exim 4.84_2) (envelope-from <[email protected]>) id 1oFfRj-0007CH-If for [email protected]; Sun, 24 Jul 2022 18:31:15 +0100 Received: (nullmailer pid 4070 invoked by uid 1000); Sun, 24 Jul 2022 17:31:15 -0000 Date: Sun, 24 Jul 2022 18:31:15 +0100 From: Mark Hindley <[email protected]> To: [email protected] Subject: Fixed in Debian's openrc 0.45.2-1 Message-ID: <[email protected]> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline X-Spam-Status: No, score=0.4 required=5.0 tests=RDNS_DYNAMIC,SPF_PASS autolearn=disabled version=3.4.2 X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on mail.dyne.org Source: openrc Source-Version: 0.45.2-1 Done: Mark Hindley <[email protected]> We believe that the bug you reported is fixed in the latest version of openrc, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. 
If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Mark Hindley <[email protected]> (supplier of updated openrc package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected]) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Format: 1.8 Date: Sun, 24 Jul 2022 15:32:06 +0100 Source: openrc Architecture: source Version: 0.45.2-1 Distribution: unstable Urgency: medium Maintainer: OpenRC Debian Maintainers <[email protected]> Changed-By: Mark Hindley <[email protected]> Closes: 973245 1015765 Changes: openrc (0.45.2-1) unstable; urgency=medium . * d/watch: update to version 4 and fix path. * New upstream version 0.45.2 - includes fix for CVE-2018-21269 (Closes: #973245). * d/control: - add myself to uploaders. - bump debhelper compat to 13. - add Build-Depends meson, pkg-config. - bump Standards Version to 4.6.1 (no changes). * debian/patches: - remove obsolete d/p/0001-no-rpath.patch. - delete patches applied upstream. - convert to meson - refresh. * d/rules: - convert to meson - override libexecdir to keep existing non-multiarch path. - cleanup and remove cruft. * Simplify d/rules and multiarch handling with dh-exec. * Install bash and zsh completions. * d/not-installed: add uninstalled files. * .gitignore backup files. * d/openrc.lintian-overrides: - update changed tag name. - update to pointed format. - remove unused override. * sh/start-stop-daemon.sh: use src:dpkg s-s-d compatible --chuid (Closes: #1015765). 
From: "Devuan bug Tracking System" <[email protected]>
To: Adam <[email protected]>
Subject: bug#692 closed by Mark Hindley <[email protected]> (Fixed in Debian's openrc 0.45.2-1)
Date: Sun, 24 Jul 2022 17:32:04 +0000

This is an automatic notification regarding your bug report which was filed against the openrc package:

#692: openrc: command_user flag in openrc-run does not function properly

It has been closed by Mark Hindley <[email protected]>.

Their explanation is attached below along with your original report. If this explanation is unsatisfactory and you have not received a better one in a separate message then please contact Mark Hindley <mark@hindley.org.uk> by replying to this email.
-- 
692: https://bugs.devuan.org/cgi/bugreport.cgi?bug=692
Devuan Bug Tracking System
Contact [email protected] with problems
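The report above describes a service with command_user set that starts without error but runs as root. The following check is an added example, not code from OpenRC, Devuan or anyone in this thread: it compares the effective UID of the running daemon with the command_user in its init script. It assumes Linux /proc and init scripts that assign literal values; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not OpenRC or Devuan code: confirm that a daemon whose init
# script sets command_user is not silently running as another user (e.g. root).
# Assumes Linux /proc and literal (unexpanded) values; all names are hypothetical.

# script_var FILE NAME: print the last NAME=value in FILE, quotes stripped.
script_var() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" 2>/dev/null | tail -n 1 | tr -d "\"'"
}

# effective_uid PID: print the effective UID (second number on the Uid: line).
effective_uid() {
    awk '$1 == "Uid:" { print $3 }' "/proc/$1/status" 2>/dev/null
}

# audit_service SCRIPT [PID]: print a verdict; return 0 ok, 1 mismatch, 2 error.
audit_service() {
    spec=$(script_var "$1" command_user)
    [ -n "$spec" ] || { echo "skip: no command_user in $1"; return 0; }
    user=${spec%%:*}                      # command_user is "user" or "user:group"
    case $user in
        *[!0-9]*) want=$(id -u "$user" 2>/dev/null) ||
                      { echo "error: unknown user '$user'"; return 2; } ;;
        *) want=$user ;;                  # already a numeric UID
    esac
    pid=${2:-}
    if [ -z "$pid" ]; then                # fall back to the script's pidfile
        pidfile=$(script_var "$1" pidfile)
        [ -r "$pidfile" ] && pid=$(cat "$pidfile")
    fi
    have=$(effective_uid "$pid") || have=
    [ -n "$have" ] || { echo "error: no running process for $1"; return 2; }
    if [ "$have" = "$want" ]; then
        echo "ok: pid $pid runs with uid $want"
        return 0
    fi
    echo "MISMATCH: pid $pid has uid $have, command_user=$spec expects uid $want"
    return 1
}
```

Run it as `audit_service /etc/init.d/NAME` after starting the service; a MISMATCH line reporting uid 0 is the symptom described in this bug.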
Last modified: Thu, 28 Nov 2024 08:39:01 UTC