chmod of some pidfiles
Kostik Belousov
kostikbel at gmail.com
Wed Apr 16 13:39:04 UTC 2008
On Wed, Apr 16, 2008 at 03:23:45PM +0200, Jille wrote:
> Can you flock a file that is readonly for your user ?
> It doesn't make sense, it would allow a lot of (local) Denial of
> Services, I think ?
Yes, you can flock a file opened for read. The lock is advisory.
It would DoS only a service that takes the same lock.
Prevention of the described situation is the point of the choosen
mode for the pid files.
>
> Kostik Belousov schreef:
> >On Wed, Apr 16, 2008 at 03:12:03PM +0200, Jille wrote:
> >>Hello,
> >>
> >>Today I found out some pidfiles of 'system daemons', have a 'weird' chmod.
> >>
> >>[quis at istud ~]$ ls -l /var/run/cron.pid
> >>-rw------- 1 root wheel 4 Mar 1 19:25 /var/run/cron.pid
> >>
> >>Can somebody tell me why it is 0600 ?
> >>I don't think it will harm if it is 0644 ?
> >>
> >>I think this is only useful if the security.bsd.see_other_uids sysctl is
> >>set to 0.
> >
> >They are 0600 so that the advisory locking works reliably on them.
> >More details:
> >the daemons flock() the pidfile to indicate that it is alive. Any other
> >process may lock the file that can be opened for reading. Having more
> >permissive mode would allow anybody to lock the pidfile, falsely indicating
> >that the daemon is still alive, while it in fact died.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-current/attachments/20080416/8677c33b/attachment.pgp
More information about the freebsd-current
mailing list