[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#8703) slapd should create its PID file before dropping privileges

To: openldap-its@OpenLDAP.org
Subject: Re: (ITS#8703) slapd should create its PID file before dropping privileges
From: hyc@symas.com
Date: Wed, 06 Sep 2017 14:18:47 +0000
Auto-submitted: auto-generated (OpenLDAP-ITS)

michael@orlitzky.com wrote:
> On 09/06/2017 09:29 AM, Howard Chu wrote:
>>
>> Learn something about Unix, please.
>>
>> Use the ps command to verify that the process at least has the correct name.
>> The init script should know it's looking for a process named slapd, not init.
>>
> 
> Supposing we want to copy/paste two or more "ps" calls into every slapd
> init script, this still lets a hacker prevent his own hacked process
> from being killed by writing junk into the file.
> 
> If the standard practice was to write the PID file as an unprivileged
> user, we would need to not only copy/paste those "ps" calls into every
> slapd init script, but literally every init script for every daemon.
> Apparently my predecessors didn't want to do that, so the standard
> practice is to write the PID file as root. Do with that information what
> you will.

Apparently your predecessors also didn't understand that PIDs get recycled. If 
your init scripts are just blindly trusting the contents of PID files they're 
all broken already. But none of that is of any concern of the OpenLDAP Project.

Closing this ITS as Invalid.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/

Prev by Date: Re: (ITS#8703) slapd should create its PID file before dropping privileges
Next by Date: (ITS#8724) slapo-pcache truncates remote results
Index(es):
- Chronological
- Thread