[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: init scripts and su

On Thu, 29 Jul 2004 18:14, "Miquel van Smoorenburg" <miquels@cistron.nl> 
> >> Perhaps start-stop-daemon should have a command line option that
> >> makes it fork() and setsid() (--setsid ?)
> >
> >Why would it ever be desirable to not have start-stop-daemon call
> > setsid()?
> Don't know .. you have to do an extra fork() (and wait() for it) in
> start-stop-daemon, so it might be a tad slower (a ms at most).

I don't think that an extra fork() is required.

In the usual operation of start-stop-daemon it is called from a script which 
waits for it to end, therefore it is not the process group leader and 
setsid() will succeed without a fork.

Is there any situation in which setsid() can fail, but in which stuffing input 
into /dev/tty will allow it to be received by another process?

> There are also people using start-stop-daemon for all other kinds
> of things, as replacement for 'su' (--start --chuid xx --exec /bla/bla)
> and doing setsid() might break those applications .. but you could
> argue that setsid should be used esp. in the --chuid case

Yes!  chuid is exactly where it's needed.

> >I think that we should just have start-stop-daemon call setsid()
> > regardless.
> An unconditional change would have to go in after sarge, in case
> it breaks something .. it needs a long period of testing I think.

I guess so, I wasn't expecting it to go in immediately.  We can easily produce 
a back-port for people who want secure systems.

http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

Reply to: