Re: init scripts and su
In article <email@example.com>,
Russell Coker <firstname.lastname@example.org> wrote:
>The start scripts for some daemons do "su - user" or use
>"start-stop-daemon -c" to launch the daemon, postgresql is one example.
>During the time between the daemon launch and it closing its file handles and
>calling setsid(2) (which some daemons don't do because they are buggy) any
>other code running in the same UID could take over the process via ptrace,
>fork off a child process that inherits the administrator tty, and then stuff
>characters into the keyboard buffer with ioctl(fd,TIOCSTI,&c) (*).
>To address these issues for Fedora I have written a program named init_su.
>init_su closes all file handles other than 1 and 2 (stdout and stderr). File
>handles 1 and 2 are fstat()'d, if they are regular files or pipes then they
>are left open (no attack is possible through a file or pipe), otherwise they
>are closed and /dev/null is opened instead. /dev/null is opened for file
>handle 0 regardless of what it might have pointed to previously. Then
>setsid() is called to create a new session for the process (make it a group
>leader), this invalidates /dev/tty. Then the uid is changed and the daemon
The problem is, if the daemon fails to initialize, say there's
a typo in the config file, it won't be able to print this
fact to the tty.
You probably should attach stdout/stderr to a pipe or pseudo-tty,
fork off the daemon, and poll() the pipe/pseudo-tty writing all
output to stdout, until the child dies (actually, daemonizes).
If you use a pseudo-tty you can invalidate the tty filehandle
in the parent just before exiting so that no resources are held
by the daemon.
Still it should be optional somehow since I have a similar idea
as a replacement for bootlogd. Perhaps an environment
variable called INIT_SU_TRANSPARANT or somesuch.
The question is, what is a "manamanap".
The question is, who cares?
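The following is an added example written for this page; it is not init_su, bootlogd or any code from the thread's authors. It combines the descriptor handling from the quoted description (fstat() check that keeps only regular files and pipes, /dev/null on fd 0, setsid() before the uid change) with the reply's suggestion of a pipe plus poll(): the child's stdout and stderr go to a pipe, the parent relays everything it reads to its own stdout until the child closes the pipe by exiting or daemonizing, then reports the exit status. The function names, the (uid_t)-1 "keep current uid" convention and the simplified uid drop (a real launcher would also set the gid and supplementary groups) are assumptions of this example.

```c
/* Constructed example: launch a daemon with sanitized descriptors, a new
 * session and optional uid drop, relaying its early output so that a config
 * typo is still visible on the administrator's console. Not init_su's code. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* The fstat() rule from the quoted text: a regular file or a pipe cannot be
 * used to push input back at the caller, anything else (tty, socket, char
 * device) is treated as unsafe and should be replaced. */
int fd_is_safe(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0)
        return 0;
    return S_ISREG(st.st_mode) || S_ISFIFO(st.st_mode);
}

/* Point fd at /dev/null, opened with the given flags. */
static int redirect_to_devnull(int fd, int flags)
{
    int nul = open("/dev/null", flags);
    if (nul < 0)
        return -1;
    if (nul == fd)
        return 0;
    int rc = dup2(nul, fd) < 0 ? -1 : 0;
    close(nul);
    return rc;
}

/* Close every descriptor above 2 so nothing inherited leaks to the daemon.
 * The upper bound is capped so a huge RLIMIT_NOFILE does not take forever. */
static void close_high_fds(void)
{
    long max = sysconf(_SC_OPEN_MAX);
    if (max < 0 || max > 65536)
        max = 65536;
    for (int fd = 3; fd < max; fd++)
        close(fd);
}

/* Run argv[] as a child with fd 0 on /dev/null and fds 1 and 2 on a pipe.
 * Relay the pipe to our stdout until the child closes it, then return the
 * child's exit status (-1 on error). *relayed receives the byte count.
 * uid == (uid_t)-1 means "keep the current uid" (example convention). */
int run_with_relay(char *const argv[], uid_t uid, size_t *relayed)
{
    int pfd[2];
    if (relayed)
        *relayed = 0;
    if (pipe(pfd) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0) { close(pfd[0]); close(pfd[1]); return -1; }
    if (pid == 0) {
        close(pfd[0]);
        if (dup2(pfd[1], 1) < 0 || dup2(pfd[1], 2) < 0) _exit(127);
        if (redirect_to_devnull(0, O_RDONLY) != 0) _exit(127);
        close_high_fds();              /* also drops the original pfd[1] */
        if (setsid() < 0) _exit(127);  /* new session, no controlling tty */
        if (uid != (uid_t)-1 && setuid(uid) != 0) _exit(127);
        execv(argv[0], argv);
        _exit(127);
    }
    close(pfd[1]);                     /* only the child writes the pipe */
    struct pollfd p = { .fd = pfd[0], .events = POLLIN };
    char buf[4096];
    for (;;) {
        if (poll(&p, 1, -1) < 0) { if (errno == EINTR) continue; break; }
        ssize_t n = read(pfd[0], buf, sizeof buf);
        if (n <= 0)                    /* EOF: child exited or daemonized */
            break;
        if (relayed)
            *relayed += (size_t)n;
        for (ssize_t off = 0; off < n;) {
            ssize_t w = write(1, buf + off, (size_t)(n - off));
            if (w < 0) { if (errno == EINTR) continue; break; }
            off += w;
        }
    }
    close(pfd[0]);
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Stand-alone use: ./relay_launch /path/to/daemon args... (keeps the uid). */
int main(int argc, char **argv)
{
    if (argc < 2) { fprintf(stderr, "usage: %s prog [args]\n", argv[0]); return 2; }
    size_t n;
    int rc = run_with_relay(argv + 1, (uid_t)-1, &n);
    fprintf(stderr, "relayed %zu bytes, exit status %d\n", n, rc);
    return rc < 0 ? 1 : rc;
}
```

The relay ends on EOF, so a daemon that forks a grandchild and leaves stdout pointing at the pipe will keep the launcher alive until it closes those descriptors; that is the case where the reply's pseudo-tty variant, which lets the parent invalidate the tty handle itself, is the better choice.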