Re: pid file security

To: debian-devel@lists.debian.org
Cc: Luke Kenneth Casson Leighton <luke.leighton@gmail.com>
Subject: Re: pid file security
From: Russell Coker <russell@coker.com.au>
Date: Sat, 5 Jun 2010 12:26:24 +1000
Message-id: <[🔎] 201006051226.24353.russell@coker.com.au>
Reply-to: russell@coker.com.au
In-reply-to: <[🔎] AANLkTimPHZLoQS1KfvZIN2_Er_z2QFfhihhVNpq36z9M@mail.gmail.com>
References: <[🔎] AANLkTimPHZLoQS1KfvZIN2_Er_z2QFfhihhVNpq36z9M@mail.gmail.com>

On Sat, 5 Jun 2010, Luke Kenneth Casson Leighton <luke.leighton@gmail.com> 
wrote:
> apologies for butting-in without being able to continue the thread,
> but i've just seen this:
> http://advogato.org/person/etbe/diary/779.html
> which links to this:
> http://lists.debian.org/debian-devel/2010/05/msg00067.html

http://etbe.coker.com.au/2010/06/04/securely-killing-processes/

You're quick.  I had planned to announce my blog post on this list but forgot 
before I went to bed last night.  For reference the above URL is the best one 
for my blog post as it allows you to enter comments.
 
> can i please gently remind people that depinit solved the security and
> fork-bombing issues years ago.  i do keep mentioning depinit, on
> debian lists, but there is typically absolutely zero response, which i
> do not understand.  nevertheless, as a debian and free software
> advocate i feel compelled to keep pointing people at solutions: it's
> up to you to investigate them.

http://sourceforge.net/projects/depinit/

The above URL is one place to download depinit.  It's an init replacement that 
uses configuration files to give the details of services to start.
 
> depinit solved the fork-bombing issue because richard lightman was
> concerned about attacks on his internet-facing system.  richard added
> code which actively tracks child signals (depinit is highly unusual
> and innovative in that it catches ALL signals, and can therefore react
> _to_ any signal) and analyses the timing etc. and provides a means to
> trigger arbitrary "scripts" based on the signal type.

How does it do that?  Does it ptrace them?
 
> i recall a discussion with richard back in 2004/5 where he said that
> when depinit is asked to stop a dependency/service, it does so by
> first sending "graceful" signals, then goes on to take increasingly
> aggressive action, including deciding, based on child-fork-bombing,
> that a service has been corrupted and thus needs to be terminated with
> extreme prejudice.

http://etbe.coker.com.au/2010/05/16/systemd-init/

How does it prevent processes escaping?  Does it use cgroups as systemd does?  
See the above URL for some of my thoughts about systemd.

> richard also solved the security PID problem ... by doing away with
> the need for the PID file.

That doesn't do away with the need for arbitrary programs to kill other 
arbitrary programs and not make a mistake about which program they are 
killing.

> in other words, a service is _always_ run
> in "foreground" mode.  if it dies (i.e. a segfault signal is caught),
> the service is restarted automatically - by depinit (based on the
> signal alone).  thus, the need for safe_mysql goes away entirely; the
> need for "apache2ctl start" goes away (i.e. you use apache2 -c
> FOREGROUND=True or whatever it is) and so on.  in this way, there
> simply _is_ no need for a PID file, period.  the relevant state
> information is contained within depinit itself, and you can guarantee
> that depinit will catch the signal.

systemd does all that.
 
> and looked for "unauthorised login" attempts.  more than three of
> those occurring within a specified time, and iptables would be called
> to block that user's IP address.  voila: no delays due to syslog
> polling: instant and real-time attacker blocking, all using simple

Does a program that uses inotify to wait for log file changes on disk 
experience any delay of note?

> so i feel compelled to point these things out, along with the other
> incredible benefits that depinit brings including _massive_ reductions
> in startup time (25 seconds on a 1.5ghz Pentium 4 when debian was
> doing about 90 at the time), and phenomenal near-unbelievable
> improvements in shutdown time (2 seconds on a 1.5ghz Pentium 4 when
> debian was doing about 60 at the time), as it pains me to see depinit
> being totally ignored and these security and painful issues being
> discussed _years_ after a solution has already been done, and proven
> to be effective.

The systemd option of creating sockets before executing services that listen 
to them seems to offer the potential of more significant boot performance 
benefits than just starting things in parallel.

-- 
russell@coker.com.au
http://etbe.coker.com.au/          My Main Blog
http://doc.coker.com.au/           My Documents Blog

Reply to:

Follow-Ups:
- Re: pid file security
  - From: Tollef Fog Heen <tfheen@err.no>
- Re: pid file security
  - From: Luke Kenneth Casson Leighton <luke.leighton@gmail.com>

References:
- Re: pid file security
  - From: Luke Kenneth Casson Leighton <luke.leighton@gmail.com>

Prev by Date: Re: Waiting for SCons 2.0: rebuild test
Next by Date: Bug#583954: fstab doesn't mount external USB-drive, but mount -a does
Previous by thread: Re: pid file security
Next by thread: Re: pid file security
Index(es):
- Date
- Thread