svn commit: r230869 - head/usr.sbin/daemon

Pawel Jakub Dawidek pjd at FreeBSD.org
Sun Feb 5 09:40:54 UTC 2012


On Sat, Feb 04, 2012 at 08:16:42PM +0200, Mikolaj Golub wrote:
> ref8-amd64:/home/trociny% uname -r
> 8.2-STABLE
> ref8-amd64:/home/trociny% daemon -p /tmp/sleep.pid sleep 10
> ref8-amd64:/home/trociny% daemon -p /tmp/sleep.pid sleep 10
> daemon: process already running, pid: 19799
> 
> kopusha:~% uname -r                         
> 10.0-CURRENT
> kopusha:~% daemon -p /tmp/sleep.pid sleep 10
> kopusha:~% daemon -p /tmp/sleep.pid sleep 10
> kopusha:~% 

Mikolaj, even though what we had in 8.2-STABLE looks correct, it also
isn't correct.

Passing open descriptor to a process that doesn't expect that is bad
behaviour. If you pass, e.g. open descriptor to a directory and the
process is using chroot(2) or jail(2) to sandbox itself it will be able
to escape from that sandbox. Passing descriptor to a file has smaller
security implication, but it is still wrong. For example hastd, as you
probably know, asserts, before sandboxing, that he knows about all open
descriptors - if there are some unknown descriptors open it won't run.

Also, daemon was passing open descriptor to a pidfile that the child
process cannot clean up, because he doesn't know its name. This leaves
pidfile with stale PID in it once the process exits, which is also bad.

In my opinion, to make daemon(8) work with pidfiles, it cannot exit
after executing the given command. It should stay around with pidfile
open and just wait for the child to exit. Once the child exits, it
should remove the pidfile and also exit.

-- 
Pawel Jakub Dawidek                       http://www.wheelsystems.com
FreeBSD committer                         http://www.FreeBSD.org
Am I Evil? Yes, I Am!                     http://tupytaj.pl
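
The behaviour proposed in the message above, as an added sketch that is not part of the original mail and is not the daemon(8) source: the supervisor holds the pidfile locked, keeps the descriptor out of the executed command with O_CLOEXEC, waits for the child, then removes the pidfile. The names open_pidfile and run_supervised are hypothetical, and writing the child's PID to the file is an assumption.

```c
#define _DEFAULT_SOURCE          /* flock(2) and O_CLOEXEC on glibc */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/file.h>
#include <sys/wait.h>
#include <unistd.h>

/* Open and lock the pidfile. O_CLOEXEC keeps the descriptor out of the
 * exec'd command; the lock makes a second instance fail. Returns fd or -1. */
int open_pidfile(const char *path)
{
    int fd = open(path, O_RDWR | O_CREAT | O_CLOEXEC, 0644);
    if (fd != -1 && flock(fd, LOCK_EX | LOCK_NB) == -1) {
        close(fd);               /* another supervisor holds the lock */
        return -1;
    }
    return fd;
}

/* Run argv[] and stay around as its supervisor. Returns the command's
 * exit status, or -1 on error or if it was killed by a signal. */
int run_supervised(const char *pidpath, char *const argv[])
{
    int status = 0, fd = open_pidfile(pidpath);
    if (fd == -1)
        return -1;
    pid_t pid = fork();
    if (pid == 0) {
        execvp(argv[0], argv);   /* pidfile fd is closed by the kernel here */
        _exit(127);
    }
    if (pid > 0) {
        char buf[32];
        int n = snprintf(buf, sizeof(buf), "%ld\n", (long)pid);
        if (ftruncate(fd, 0) == -1 || write(fd, buf, (size_t)n) != n)
            perror(pidpath);     /* keep supervising even if the write fails */
        pid_t w;
        do
            w = waitpid(pid, &status, 0);
        while (w == -1 && errno == EINTR);
        if (w == -1)
            pid = -1;            /* child status unknown: report an error */
    }
    unlink(pidpath);             /* remove before close, while still locked */
    close(fd);
    return (pid > 0 && WIFEXITED(status)) ? WEXITSTATUS(status) : -1;
}
```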