From: Pawel Jakub Dawidek <pawel@dawidek.net>
To: Mikolaj Golub
Cc: svn-src-head@FreeBSD.org, Guy Helmer, svn-src-all@FreeBSD.org, Andrey Zonov, src-committers@FreeBSD.org
Date: Sun, 5 Feb 2012 10:39:38 +0100
Subject: Re: svn commit: r230869 - head/usr.sbin/daemon
Message-ID: <20120205093938.GC30033@garage.freebsd.pl>
In-Reply-To: <86zkcy5ur9.fsf@kopusha.home.net>
List-Id: SVN commit messages for the src tree for head/-current

On Sat, Feb 04, 2012 at 08:16:42PM +0200, Mikolaj Golub wrote:
> ref8-amd64:/home/trociny% uname -r
> 8.2-STABLE
> ref8-amd64:/home/trociny% daemon -p /tmp/sleep.pid sleep 10
> ref8-amd64:/home/trociny% daemon -p /tmp/sleep.pid sleep 10
> daemon: process already running, pid: 19799
>
> kopusha:~% uname -r
> 10.0-CURRENT
> kopusha:~% daemon -p /tmp/sleep.pid sleep 10
> kopusha:~% daemon -p /tmp/sleep.pid sleep 10
> kopusha:~%

Mikolaj, even though what we had in 8.2-STABLE looks correct, it also isn't correct. Passing an open descriptor to a process that doesn't expect it is bad behaviour. If you pass, e.g., an open descriptor to a directory and the process is using chroot(2) or jail(2) to sandbox itself, it will be able to escape from that sandbox. Passing a descriptor to a file has smaller security implications, but it is still wrong. For example hastd, as you probably know, asserts, before sandboxing, that it knows about all open descriptors - if there are some unknown descriptors open it won't run.

Also, daemon was passing an open descriptor to a pidfile that the child process cannot clean up, because it doesn't know its name. This leaves a pidfile with a stale PID in it once the process exits, which is also bad.

In my opinion, to make daemon(8) work with pidfiles, it cannot exit after executing the given command. It should stay around with the pidfile open and just wait for the child to exit. Once the child exits, it should remove the pidfile and also exit.

-- 
Pawel Jakub Dawidek                       http://www.wheelsystems.com
FreeBSD committer                         http://www.FreeBSD.org
Am I Evil? Yes, I Am!                     http://tupytaj.pl
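The design Pawel proposes above, as an added example that is not code from FreeBSD's daemon(8), from hastd, or from anyone in this thread: a minimal supervisor that opens the pidfile close-on-exec so the exec'd command never inherits the descriptor, takes a non-blocking exclusive lock so a second instance fails the way the 8.2-STABLE transcript shows, stays alive while the child runs, and unlinks the pidfile when the child exits. It also carries a portable approximation of the hastd-style "every open descriptor is one I know about" assertion, to be run before a process sandboxes itself. The function names, the `/tmp/...` paths, and the 65536 descriptor scan cap are assumptions of this example; it assumes a POSIX system with `flock(2)` and `O_CLOEXEC` (FreeBSD, Linux, macOS) and does not use libutil's `pidfile_*` API, so it builds outside FreeBSD.

```c
#define _GNU_SOURCE 1           /* expose O_CLOEXEC, flock(2) under strict -std= on glibc */
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/file.h>
#include <sys/wait.h>
#include <unistd.h>

/* Added example, not daemon(8)/hastd code. Scan cap is an assumption for speed. */
#define FD_SCAN_LIMIT 65536

/*
 * hastd-style precondition for sandboxing: count open descriptors that are
 * not in 'expected' (n entries). 0 means nothing unknown is open; a
 * directory or file descriptor leaked in here could survive chroot(2)/jail(2).
 */
int count_unexpected_fds(const int *expected, size_t n)
{
    long maxfd = sysconf(_SC_OPEN_MAX);
    int unexpected = 0;

    if (maxfd < 0 || maxfd > FD_SCAN_LIMIT)
        maxfd = FD_SCAN_LIMIT;
    for (int fd = 0; fd < maxfd; fd++) {
        int known = 0;
        if (fcntl(fd, F_GETFD) == -1)          /* EBADF: not open */
            continue;
        for (size_t i = 0; i < n; i++)
            if (expected[i] == fd)
                known = 1;
        if (!known)
            unexpected++;
    }
    return unexpected;
}

/*
 * Open the pidfile close-on-exec and take an exclusive, non-blocking lock.
 * Returns -1 with errno == EWOULDBLOCK when another instance holds it,
 * i.e. the "process already running" case.
 */
int open_pidfile(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_CLOEXEC, 0644);
    if (fd == -1)
        return -1;
    if (flock(fd, LOCK_EX | LOCK_NB) == -1) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Replace the pidfile contents with "<pid>\n". */
static int write_pid(int fd, pid_t pid)
{
    char buf[32];
    int len = snprintf(buf, sizeof(buf), "%ld\n", (long)pid);

    if (ftruncate(fd, 0) == -1 || lseek(fd, 0, SEEK_SET) == -1)
        return -1;
    return write(fd, buf, (size_t)len) == len ? 0 : -1;
}

/*
 * Run argv under supervision. Returns the waitpid(2) status of the child or
 * -1 on error. The pidfile exists exactly as long as the child is alive, and
 * the child never sees the pidfile descriptor (O_CLOEXEC drops it on exec).
 */
int run_supervised(const char *pidfile, char *const argv[])
{
    int pfd = open_pidfile(pidfile);
    int status = -1;
    pid_t pid;

    if (pfd == -1)
        return -1;
    pid = fork();
    if (pid == -1) {
        close(pfd);
        unlink(pidfile);
        return -1;
    }
    if (pid == 0) {
        execvp(argv[0], argv);                 /* pfd is closed by exec */
        _exit(127);
    }
    /* Parent: stay around with the pidfile open and wait for the child. */
    if (write_pid(pfd, pid) == -1)
        kill(pid, SIGTERM);
    while (waitpid(pid, &status, 0) == -1) {
        if (errno != EINTR) {
            status = -1;
            break;
        }
    }
    unlink(pidfile);    /* only the parent knows the name, so only it can clean up */
    close(pfd);
    return status;
}

int main(int argc, char *argv[])
{
    if (argc < 3) {
        fprintf(stderr, "usage: %s pidfile command [args...]\n", argv[0]);
        return 2;
    }
    int status = run_supervised(argv[1], argv + 2);
    if (status == -1) {
        perror("run_supervised");
        return 1;
    }
    return WIFEXITED(status) ? WEXITSTATUS(status) : 1;
}
```

Running `./supervise /tmp/sleep.pid sleep 10` in one shell and the same command in a second shell makes the second exit immediately with `run_supervised: Resource temporarily unavailable` (EWOULDBLOCK from the lock), and `/tmp/sleep.pid` disappears as soon as `sleep` finishes. The lock is held by the parent's open file description, which the child shares only until exec; after that the command holds no reference to the pidfile at all, which is the property the message asks for.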