[Debian-eeepc-devel] Bug#565855: eeepc-acpi-scripts: please do not use pidof in /etc/acpi/actions/{suspend, lid, sleep}.sh

Daniel Kahn Gillmor dkg at fifthhorseman.net
Tue Jan 19 01:41:11 UTC 2010


Package: eeepc-acpi-scripts
Version: 1.1.6
Severity: normal

Hi there eeepc-acpi people--  

It looks like three files in eeepc-acpi-scripts all contain "pidof"
tests to check if something is happening on the system:

/etc/acpi/actions/suspend.sh:10:if (runlevel | grep -q [06]) || (pidof '/sbin/shutdown' > /dev/null); then
/etc/acpi/actions/suspend.sh-11-    exit 0
--
/etc/acpi/actions/lid.sh:9:if pidof powersaved; then
/etc/acpi/actions/lid.sh-10-	exit 0
--
/etc/acpi/actions/sleep.sh:8:if pidof powersaved; then
/etc/acpi/actions/sleep.sh-9-	exit 0

The problem with these tests is that it's trivial for any local user
to spoof the output, and thereby get the acpi script to terminate
("exit 0").  All the user needs to do is run an executable which
rewrites ARGV[0] to the relevant string, and the pidof check will
pass :/

This means that any user on a system can effectively cause the
suspend, lid, or sleep script to fail silently.  That's bad!

lid.sh and sleep.sh are easy to fix, since powersaved was recently
removed from Debian:

 http://packages.qa.debian.org/p/powersave/news/20091218T132117Z.html

You might want to check with the sysvinit folks to see what the
correct way to check for a running /sbin/shutdown might be?  (maybe
you want to parse the output of "/sbin/runlevel"?)

See also http://bugs.debian.org/553643 for more discussion on the same
general concern.

Regards,

        --dkg

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (500, 'testing'), (200, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-trunk-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages eeepc-acpi-scripts depends on:
ii  acpi-support-base             0.132-1    scripts for handling base ACPI eve
ii  acpid                         1:2.0.0-1  Advanced Configuration and Power I
ii  pm-utils                      1.2.6.1-3  utilities and scripts for power ma

Versions of packages eeepc-acpi-scripts recommends:
ii  alsa-utils                    1.0.21-1   ALSA utilities

Versions of packages eeepc-acpi-scripts suggests:
pn  aosd-cat               <none>            (no description available)
pn  gnome-osd              <none>            (no description available)
ii  ttf-dejavu             2.30-2            Metapackage to pull in ttf-dejavu-
ii  ttf-freefont           20090104-5        Freefont Serif, Sans and Mono True
ii  ttf-liberation         1.05.2.20091019-4 Fonts with the same metrics as Tim
ii  ttf-mscorefonts-instal 3.0               Installer for Microsoft TrueType c

-- no debconf information
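
One way to make such a test resistant to the ARGV[0] spoofing described in the report, as an added example that is not part of the original message or of eeepc-acpi-scripts: compare the kernel-maintained /proc/PID/exe link and the owner of /proc/PID instead of the name a process reports for itself. The function names and the overridable proc root are hypothetical; the code assumes Linux /proc and a stat that accepts -c.

```shell
#!/bin/sh
# Added example (not from eeepc-acpi-scripts). Hypothetical helper:
#   proc_running_as EXE_PATH UID [PROC_ROOT]
# Succeeds only if a process owned by UID has its exe link pointing at
# EXE_PATH. A process can rewrite its own argv[0]; it cannot choose the
# target of /proc/PID/exe or the owner of /proc/PID, which the kernel sets.
proc_running_as() {
    want_exe=$1
    want_uid=$2
    proc_root=${3:-/proc}          # overridable so the check can be tested
    for dir in "$proc_root"/[0-9]*; do
        [ -d "$dir" ] || continue
        # Owner of /proc/PID is the process's effective uid.
        owner=$(stat -c %u "$dir" 2>/dev/null) || continue
        [ "$owner" = "$want_uid" ] || continue
        # Unreadable link (process exited, no permission): skip, never match.
        exe=$(readlink "$dir/exe" 2>/dev/null) || continue
        # Exact comparison: "/sbin/shutdown (deleted)" or a look-alike
        # binary elsewhere on disk does not count.
        if [ "$exe" = "$want_exe" ]; then
            return 0
        fi
    done
    return 1
}

# Constructed demonstration: a fake proc tree holding one process whose
# command line claims to be /sbin/shutdown but whose exe link says otherwise.
# Returns 0 when the spoofed entry is correctly rejected.
demo_spoofed_name_is_rejected() {
    tmp=$(mktemp -d) || return 2
    mkdir "$tmp/4242"
    printf '/sbin/shutdown' > "$tmp/4242/cmdline"
    ln -s /home/user/not-shutdown "$tmp/4242/exe"
    if proc_running_as /sbin/shutdown "$(id -u)" "$tmp"; then rc=1; else rc=0; fi
    rm -rf "$tmp"
    return "$rc"
}
```

In an ACPI action script running as root, the test would read: if proc_running_as /sbin/shutdown 0; then exit 0; fi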