From: Guy Helmer
To: Pawel Jakub Dawidek
Cc: Mikolaj Golub, svn-src-head@FreeBSD.org, svn-src-all@FreeBSD.org, Andrey Zonov, src-committers@FreeBSD.org
Date: Mon, 6 Feb 2012 08:31:47 -0600
Subject: Re: svn commit: r230869 - head/usr.sbin/daemon
In-Reply-To: <20120205093938.GC30033@garage.freebsd.pl>

On Feb 5, 2012, at 3:39 AM, Pawel Jakub Dawidek wrote:

> On Sat, Feb 04, 2012 at 08:16:42PM +0200, Mikolaj Golub wrote:
>> ref8-amd64:/home/trociny% uname -r
>> 8.2-STABLE
>> ref8-amd64:/home/trociny% daemon -p /tmp/sleep.pid sleep 10
>> ref8-amd64:/home/trociny% daemon -p /tmp/sleep.pid sleep 10
>> daemon: process already running, pid: 19799
>>
>> kopusha:~% uname -r
>> 10.0-CURRENT
>> kopusha:~% daemon -p /tmp/sleep.pid sleep 10
>> kopusha:~% daemon -p /tmp/sleep.pid sleep 10
>> kopusha:~%
>
> Mikolaj, even though what we had in 8.2-STABLE looks correct, it also
> isn't correct.
>
> Passing open descriptor to a process that doesn't expect that is bad
> behaviour. If you pass, e.g. open descriptor to a directory and the
> process is using chroot(2) or jail(2) to sandbox itself it will be able
> to escape from that sandbox. Passing descriptor to a file has smaller
> security implication, but it is still wrong. For example hastd, as you
> probably know, asserts, before sandboxing, that he knows about all open
> descriptors - if there are some unknown descriptors open it won't run.
>
> Also, daemon was passing open descriptor to a pidfile that the child
> process cannot clean up, because he doesn't know its name. This leaves
> pidfile with stale PID in it once the process exits, which is also bad.
>
> In my opinion, to make daemon(8) work with pidfiles, it cannot exit
> after executing the given command. It should stay around with pidfile
> open and just wait for the child to exit. Once the child exits, it
> should remove the pidfile and also exit.

If my understanding of flock(2) semantics is correct, with open(2) O_CLOEXEC or fcntl(2) FD_CLOEXEC set on the pidfile, the closing of the pidfile file descriptor during an exec will result in loss of the lock on the pidfile regardless of whether daemon(8) hangs around to wait for the child exit.

Guy
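As an added example (not code from this thread or from FreeBSD's daemon(8)), the C below shows the supervisor pattern Pawel proposes and how it interacts with the close-on-exec point Guy raises: the pidfile is opened with O_CLOEXEC and locked with flock(2), the supervisor forks and keeps its own descriptor so the lock outlives the child's exec, the child never inherits the pidfile descriptor, and the supervisor removes the pidfile after the child exits. The function names and the pidfile path are assumptions; only POSIX/BSD calls are used.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/file.h>
#include <sys/wait.h>
#include <unistd.h>

/* Open, flock and write the pidfile in the supervising process.  O_CLOEXEC
 * closes the descriptor in the child at exec, so the command never inherits it.
 * Returns the fd, or -1 with errno set (EWOULDBLOCK: another instance holds it). */
int pidfile_acquire(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_CLOEXEC, 0644);
    if (fd < 0)
        return -1;
    char buf[32];
    int n = snprintf(buf, sizeof buf, "%ld\n", (long)getpid());
    if (flock(fd, LOCK_EX | LOCK_NB) < 0 || ftruncate(fd, 0) < 0 ||
        write(fd, buf, n) != n) {
        int saved = errno;
        close(fd);              /* also releases the flock if we had taken it */
        errno = saved;
        return -1;
    }
    return fd;
}

/* Pawel's proposal: keep the pidfile open and locked, fork, exec the command in
 * the child, wait for it, then remove the pidfile.  Had the exec happened in
 * this process (old daemon(8) behaviour), O_CLOEXEC would close the fd and the
 * lock would go with it, as Guy notes; forking keeps the lock in the parent.
 * Returns the child's exit status, or -1 on error. */
int run_supervised(const char *pidpath, char *const argv[])
{
    int fd = pidfile_acquire(pidpath), status, rc = -1;
    if (fd < 0)
        return -1;
    pid_t pid = fork();
    if (pid == 0) {
        execvp(argv[0], argv);  /* child: pidfile fd is gone after this */
        _exit(127);
    }
    if (pid > 0 && waitpid(pid, &status, 0) == pid && WIFEXITED(status))
        rc = WEXITSTATUS(status);
    unlink(pidpath);            /* only the supervisor knows the name */
    close(fd);
    return rc;
}
```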