
Re: Custom Reload command/signal in upstart



On Fri, 23 Aug 2013, John Paul Adrian Glaubitz wrote:
> No, it's not. It's the only reasonable thing to do. Nothing is safer
> than a daemon which is *not* running. The fewer services are running,

A daemon which is not running but which can be made to run by an
unprivileged connect() is as good as running for most purposes.

Maybe it will not be subject to random memory corruption and cold memory
attacks, but whether that (and less usage of system resources) are a good
enough reason to increase service latency and create a trivial way to
exploit races and resource contention at daemon startup is likely the
subject of a careful case-by-case analysis.

Now, a *disabled* daemon which requires explicit *local* privileged action
to start, that will, indeed, reduce the window of opportunity for an
attacker a great deal.

> That's non-sense. The time a process is started doesn't have any
> influence on the security of the service. If it does, this should

Systems are really not nearly as compartmentalized as you seem to think
they are.  There are several attacks that leverage a service start at
exactly the wrong time to widen or open security holes in that service
enough to have a better chance of exploiting them (typically either because of
race conditions, or bugs in error paths dealing with resource allocation).

> If you don't need something, turn it off.

THAT is correct, as long as by "turn it off" you mean "disable it".
Otherwise, it depends.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
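An added illustration of the distinction drawn in the message above (socket-activated "not running" versus genuinely disabled); this is example code written for this archive page, not code from the thread's participants or from upstart, and the supervisor/daemon split, the 0.2 s start-up delay, the banner text and the function names are all assumptions made for the example:

```python
"""Model of a socket-activated daemon versus a disabled one (hypothetical
example, not upstart's own implementation)."""
import socket
import threading
import time

HOST = "127.0.0.1"


class SocketActivatedService:
    """A supervisor (inetd- or upstart-bridge-style) owns the listening socket.
    The daemon's own start-up code does not run until the first connect()
    arrives from any peer, privileged or not; afterwards it stays up."""

    def __init__(self, init_delay=0.2):
        self.init_delay = init_delay      # assumed cost of daemon start-up
        self.daemon_running = False
        self.starts = 0
        self.served = 0
        self._lock = threading.Lock()
        self._listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._listener.bind((HOST, 0))    # kernel picks a free ephemeral port
        self._listener.listen(16)
        self.port = self._listener.getsockname()[1]
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            try:
                conn, _ = self._listener.accept()
            except OSError:               # listener shut down by close()
                return
            if not self.daemon_running:
                # The point of the thread: an unprivileged connect() has just
                # caused the daemon's (privileged) start-up path to execute.
                self._start_daemon()
            threading.Thread(target=self._handle, args=(conn,), daemon=True).start()

    def _start_daemon(self):
        time.sleep(self.init_delay)       # config parsing, resource allocation ...
        self.daemon_running = True
        self.starts += 1

    def _handle(self, conn):
        with conn:
            with self._lock:
                self.served += 1          # counted before the reply is sent
            conn.sendall(b"hello from daemon\n")

    def close(self):
        try:
            self._listener.shutdown(socket.SHUT_RDWR)  # wakes the blocked accept()
        except OSError:
            pass
        self._listener.close()


def connect_and_read(port, timeout=2.0):
    """What any local, unprivileged user can do: connect() and read the banner.
    Returns (banner, elapsed_seconds); raises ConnectionRefusedError if nobody
    is listening."""
    t0 = time.monotonic()
    with socket.create_connection((HOST, port), timeout=timeout) as c:
        data = c.recv(64)
    return data, time.monotonic() - t0


def disabled_port():
    """A *disabled* daemon has no listener at all.  Reserve a port and release
    it so the number is (almost certainly) closed on loopback."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((HOST, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def is_refused(port):
    """True when connect() is refused, i.e. nothing can be started remotely."""
    try:
        connect_and_read(port, timeout=1.0)
    except ConnectionRefusedError:
        return True
    return False


def demo():
    """Run both scenarios and report what a practitioner would measure."""
    refused = is_refused(disabled_port())
    svc = SocketActivatedService(init_delay=0.2)
    running_before = svc.daemon_running
    banner, cold_s = connect_and_read(svc.port)   # this connect starts the daemon
    _, warm_s = connect_and_read(svc.port)        # daemon already up
    svc.close()
    return {
        "running_before": running_before, "running_after": svc.daemon_running,
        "starts": svc.starts, "served": svc.served, "banner": banner,
        "cold_s": cold_s, "warm_s": warm_s, "disabled_refused": refused,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The first connect() pays the full start-up delay (the latency cost the message mentions) and is the moment at which the daemon's initialisation code runs on behalf of an unprivileged peer; the genuinely disabled port simply refuses the connection, which is the only state that removes the attacker's trigger.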

