From owner-freebsd-current@FreeBSD.ORG  Wed Apr 16 13:39:03 2008
Return-Path: <owner-freebsd-current@FreeBSD.ORG>
Delivered-To: freebsd-current@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id D406610656AB
	for <freebsd-current@freebsd.org>; Wed, 16 Apr 2008 13:39:03 +0000 (UTC)
	(envelope-from kostikbel@gmail.com)
Received: from relay02.kiev.sovam.com (relay02.kiev.sovam.com [62.64.120.197])
	by mx1.freebsd.org (Postfix) with ESMTP id 77A828FC29
	for <freebsd-current@freebsd.org>; Wed, 16 Apr 2008 13:39:03 +0000 (UTC)
	(envelope-from kostikbel@gmail.com)
Received: from [212.82.216.226] (helo=skuns.kiev.zoral.com.ua)
	by relay02.kiev.sovam.com with esmtps (TLSv1:AES256-SHA:256)
	(Exim 4.67) (envelope-from <kostikbel@gmail.com>) id 1Jm7qm-000Ari-0g
	for freebsd-current@freebsd.org; Wed, 16 Apr 2008 16:39:02 +0300
Received: from deviant.kiev.zoral.com.ua (root@deviant.kiev.zoral.com.ua
	[10.1.1.148])
	by skuns.kiev.zoral.com.ua (8.14.2/8.14.2) with ESMTP id m3GDcjmX094702
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
	Wed, 16 Apr 2008 16:38:45 +0300 (EEST)
	(envelope-from kostikbel@gmail.com)
Received: from deviant.kiev.zoral.com.ua (kostik@localhost [127.0.0.1])
	by deviant.kiev.zoral.com.ua (8.14.2/8.14.2) with ESMTP id
	m3GDccpg046913; Wed, 16 Apr 2008 16:38:38 +0300 (EEST)
	(envelope-from kostikbel@gmail.com)
Received: (from kostik@localhost)
	by deviant.kiev.zoral.com.ua (8.14.2/8.14.2/Submit) id m3GDca72046912; 
	Wed, 16 Apr 2008 16:38:36 +0300 (EEST)
	(envelope-from kostikbel@gmail.com)
X-Authentication-Warning: deviant.kiev.zoral.com.ua: kostik set sender to
	kostikbel@gmail.com using -f
Date: Wed, 16 Apr 2008 16:38:36 +0300
From: Kostik Belousov <kostikbel@gmail.com>
To: Jille <jille@quis.cx>
Message-ID: <20080416133836.GV18958@deviant.kiev.zoral.com.ua>
References: <4805FB23.4030600@quis.cx>
	<20080416131902.GU18958@deviant.kiev.zoral.com.ua>
	<4805FDE1.4010206@quis.cx>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature"; boundary="PSXRUCbmiibGgnYg"
Content-Disposition: inline
In-Reply-To: <4805FDE1.4010206@quis.cx>
User-Agent: Mutt/1.4.2.3i
X-Virus-Scanned: ClamAV version 0.91.2,
	clamav-milter version 0.91.2 on skuns.kiev.zoral.com.ua
X-Virus-Status: Clean
X-Spam-Status: No, score=-4.4 required=5.0 tests=ALL_TRUSTED,AWL,BAYES_00
	autolearn=ham version=3.2.4
X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on
	skuns.kiev.zoral.com.ua
X-Scanner-Signature: 362d5034abbfed611c52a2913ea5ff69
X-DrWeb-checked: yes
X-SpamTest-Envelope-From: kostikbel@gmail.com
X-SpamTest-Group-ID: 00000000
X-SpamTest-Header: Not Detected
X-SpamTest-Info: Profiles 2641 [Apr 16 2008]
X-SpamTest-Info: helo_type=3
X-SpamTest-Method: none
X-SpamTest-Rate: 0
X-SpamTest-Status: Not detected
X-SpamTest-Status-Extended: not_detected
X-SpamTest-Version: SMTP-Filter Version 3.0.0 [0278], KAS30/Release
Cc: freebsd-current@freebsd.org
Subject: Re: chmod of some pidfiles
X-BeenThere: freebsd-current@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Discussions about the use of FreeBSD-current
	<freebsd-current.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-current>, 
	<mailto:freebsd-current-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-current>
List-Post: <mailto:freebsd-current@freebsd.org>
List-Help: <mailto:freebsd-current-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-current>,
	<mailto:freebsd-current-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Apr 2008 13:39:04 -0000


--PSXRUCbmiibGgnYg
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Wed, Apr 16, 2008 at 03:23:45PM +0200, Jille wrote:
> Can you flock a file that is readonly for your user ?
> It doesn't make sense, it would allow a lot of (local) Denial of=20
> Services, I think ?
Yes, you can flock a file opened for read. The lock is advisory.
It would DoS only a service that takes the same lock.

Prevention of the described situation is the point of the choosen
mode for the pid files.
>=20
> Kostik Belousov schreef:
> >On Wed, Apr 16, 2008 at 03:12:03PM +0200, Jille wrote:
> >>Hello,
> >>
> >>Today I found out some pidfiles of 'system daemons', have a 'weird' chm=
od.
> >>
> >>[quis@istud ~]$ ls -l /var/run/cron.pid
> >>-rw-------  1 root  wheel  4 Mar  1 19:25 /var/run/cron.pid
> >>
> >>Can somebody tell me why it is 0600 ?
> >>I don't think it will harm if it is 0644 ?
> >>
> >>I think this is only useful if the security.bsd.see_other_uids sysctl i=
s=20
> >>set to 0.
> >
> >They are 0600 so that the advisory locking works reliably on them.
> >More details:
> >the daemons flock() the pidfile to indicate that it is alive. Any other
> >process may lock the file that can be opened for reading. Having more
> >permissive mode would allow anybody to lock the pidfile, falsely indicat=
ing
> >that the daemon is still alive, while it in fact died.

--PSXRUCbmiibGgnYg
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (FreeBSD)

iEYEARECAAYFAkgGAVwACgkQC3+MBN1Mb4icSwCgxGhwR8u5Wzoz6ZEybI587oQa
J6EAn2jji4Jjia0JWga6PupNYna37mLv
=4+ta
-----END PGP SIGNATURE-----

--PSXRUCbmiibGgnYg--