[stunnel-users] privileges not dropped before libwrap processes are spawned

Micah Anderson micah at riseup.net
Tue Nov 24 07:20:08 CET 2009


Hi,

I recently stumbled on
http://mirt.net/pipermail/stunnel-users/2008-May/001977.html which is
exactly what I am seeing with version 4.27 of stunnel, namely the daemon
is not switching to the setuid/setgid specified in the config before it
is spawned.

This means that I get 6 processes, 5 run as root with only one (albeit
the one listening on the specified sockets) dropping privs to the
specified user.

The follow-up response from Mike was:

    I'll modify stunnel to delay spawning libwrap processes until
    privileges are dropped.

and indeed, I find in the Changelog file for version 4.25 the following
Bugfixes: 

* Bugfixes
  - Spawning libwrap processes delayed until privileges are dropped.

However, it seems that either this fix didn't make it in, or it
somehow managed to creep its way back out because it is happening in
4.27.

Thanks,
micah
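
An added example, not part of the original post and not stunnel code: a small audit that takes `ps` output and flags every stunnel process that is not owned by the account named in the setuid option. The account name `stunnel`, the PIDs and the sample lines are constructed to mirror the 6-process situation reported above.

```shell
#!/bin/sh
# Added example (not from the original post or from stunnel itself).
# Reads `ps -eo user=,pid=,comm=` style lines on stdin and reports every
# stunnel process whose owner differs from the account given as $1.
# Exit status: 0 if all stunnel processes dropped privileges, 1 otherwise.
audit_stunnel_privs() {
    awk -v want="$1" '
        $3 ~ /^stunnel/ {
            total++
            if ($1 != want) {
                bad++
                printf "pid %s (%s) runs as %s, expected %s\n", $2, $3, $1, want
            }
        }
        END {
            printf "%d stunnel processes, %d not running as %s\n", total + 0, bad + 0, want
            exit (bad > 0 ? 1 : 0)
        }'
}

# Constructed sample input: one process running as the configured
# account (assumed here to be "stunnel") and five still running as root.
# The sshd line checks that unrelated processes are ignored.
sample_ps_output() {
    cat <<'EOF'
root      1950 sshd
stunnel   2101 stunnel
root      2102 stunnel
root      2103 stunnel
root      2104 stunnel
root      2105 stunnel
root      2106 stunnel
EOF
}

# Live use on a host: ps -eo user=,pid=,comm= | audit_stunnel_privs stunnel
sample_ps_output | audit_stunnel_privs stunnel || true
```

The non-zero exit status makes the check usable from a monitoring job or a post-upgrade test.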





