29 Jul
2017
29 Jul
'17
8:13 a.m.
The problem scenario looks like the following:
1. I run "/etc/init.d/slapd start" to start the daemon.
2. slapd drops to the "slapd" user.
3. slapd writes its PID file, now owned by the "slapd" user.
4. Someone compromises the daemon, which sits on the open network.
5. The attacker is generally limited in what he can do because the daemon doesn't run as root. However, he can write "1" into the slapd.pid file, and he does.
6. I run "/etc/init.d/slapd stop" to stop the daemon while I investigate the weird behavior resulting from the hack.
7. Oops, the machine reboots, because I killed PID 1.