Date: Mon, 3 Apr 2006 16:49:52 +0100 (BST) From: Robert Watson <rwatson@FreeBSD.org> To: Tom Lane <tgl@sss.pgh.pa.us> Cc: "Marc G. Fournier" <scrappy@postgresql.org>, pgsql-hackers@postgresql.org, freebsd-stable@freebsd.org, Kris Kennaway <kris@obsecurity.org> Subject: Re: [HACKERS] semaphore usage "port based"? Message-ID: <20060403164139.D36756@fledge.watson.org> In-Reply-To: <27417.1144033691@sss.pgh.pa.us> References: <20060402163504.T947@ganymede.hub.org> <25422.1144016604@sss.pgh.pa.us> <25526.1144017388@sss.pgh.pa.us> <20060402213921.V947@ganymede.hub.org> <26524.1144026385@sss.pgh.pa.us> <20060402222843.X947@ganymede.hub.org> <26796.1144028094@sss.pgh.pa.us> <20060402225204.U947@ganymede.hub.org> <26985.1144029657@sss.pgh.pa.us> <20060402231232.C947@ganymede.hub.org> <27148.1144030940@sss.pgh.pa.us> <20060402232832.M947@ganymede.hub.org> <20060402234459.Y947@ganymede.hub.org> <27417.1144033691@sss.pgh.pa.us>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sun, 2 Apr 2006, Tom Lane wrote: > Oops. Here is the problem: kill() is lying by claiming there is no such > process as 83699. It looks to me like there in fact is such a process, but > it's in a different jail. > > I venture that FBSD 6 has decided to return ESRCH (no such process) where > FBSD 4 returned some other error that acknowledged that the process did > exist (EPERM would be a reasonable guess). > > If this is the story, then FBSD have broken their system and must revert > their change. They do not have kernel behavior that totally hides the > existence of the other process, and therefore having some calls that pretend > it's not there is simply inconsistent. FreeBSD's mandatory access control models, such as multi-level security, biba integrity, and type enforcement, will generally provide consistent protection under the circumstances you describe: specifically, that information flow invariants across IPC types, including System V IPC and inter-process signalling, will allow flow only in keeping with the policy. However, I guess I would counter with the following concern: the PID returned by semctl() has the following definition: GETPID Return the pid of the last process to perform an operation on semaphore number semnum. However, pid's in general uniquely identify a process only at the time they are recorded. So any pid returned here is necessarily stale -- even if there is another process with the pid returned by GETPID, it may actually be a different process that has ended up with the same pid. The longer the gap since the last semaphore operation, the more likely (presumably) it is that the pid has been recycled. And on modern systems with thousands of processes and high process turn-over (i.e., systems with CGI and other sorts of scripting),pid reuse can happen quickly. Is your use of the pid here consistent with fact that pid's are reused quickly after process exit? Use of pid's in UNIX is often unreliable, and must be combined with other synchronizing, such as file locking on a pidfile, to ensure that the pid read is valid. Even then, you can't implement atomic check-pid-and-signal using current UNIX APIs, which would require a notion of a process handle (or, in the parlance of Mach, a task port). Another thought along these lines -- especially with the proliferation of fine-grained access control systems, such as Type Enforcement in SELinux, I would be cautious about assuming that two processes being able to manipulate the same sempahore implies the ability to exchange signals using the signal facility. Robert N M Watson
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060403164139.D36756>