openconnect overwrites existing files when given as pid-file
First published on the Mageia bug list:
https://bugs.mageia.org/show_bug.cgi?id=32418
Description of problem:
Openconnect can write a PID file when started in the background. If this PID file is set to an existing file by accident, such as /etc/shadow, /dev/sda etc., then openconnect destroys this file without asking.
Some distros try to catch this by sanitizing the command line, but it would be better if this were done by openconnect itself.
Version-Release number of selected component (if applicable):
9.11
How reproducible:
Always
Steps to Reproduce:
- install openconnect binary rpm
- set the required parameters
- set '-b --pid-file=/dev/sda' as part of the parameter list
Additional info:
I wrote some lines of additional code to first check if the given pid-file already exists. If so, the program will not damage any file, but instead it will exit with an error. You may have a look at the patch I created and inserted into the source rpm package, which can be downloaded here:
https://www.dipl-ing-kessler.de/developer/test/linux-src/mageia9/openconnect/
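
The kind of check described above, as an added example: this is not openconnect's code and not the reporter's patch, and the helper name write_pid_file_excl is hypothetical. It goes one step beyond a separate "exists?" test by letting open() do the existence check and the create in a single call with O_CREAT | O_EXCL, so nothing can appear at the path between the check and the write.

```c
/* Added example: not openconnect source, not the reporter's patch. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: create a NEW PID file, or fail without touching `path`.
 * Returns 0 on success, -1 with errno set on failure. */
int write_pid_file_excl(const char *path, pid_t pid)
{
    char buf[32];
    int len = snprintf(buf, sizeof(buf), "%ld\n", (long)pid);

    /* With O_CREAT | O_EXCL the call fails with EEXIST if anything already
     * exists at `path` (regular file, device node, or symlink, which is not
     * followed). No O_TRUNC is used, so existing data is never truncated. */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd < 0)
        return -1;

    ssize_t n = write(fd, buf, (size_t)len);
    if (n != (ssize_t)len) {
        int saved = (n < 0) ? errno : EIO;
        close(fd);
        unlink(path);            /* safe: this call created the file */
        errno = saved;
        return -1;
    }
    return close(fd);
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s <new-pid-file>\n", argv[0]);
        return 2;
    }
    if (write_pid_file_excl(argv[1], getpid()) != 0) {
        fprintf(stderr, "refusing to write PID file %s: %s\n",
                argv[1], strerror(errno));
        return 1;
    }
    return 0;
}
```

A consequence of this approach is that a stale PID file left by an earlier run also causes a refusal, so the daemon has to remove its own PID file on exit.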