/var/run/directory/

Russell Coker russell at coker.com.au
Fri Oct 1 18:05:28 UTC 2004


I have been thinking about the /var/run directory under SE Linux.

Currently in the strict policy every daemon is permitted to create files 
under /var/run.  The problem is that a daemon which runs as root can (if 
compromised) create /var/run files with the names used by other daemons if 
the daemon is not running at the time.  This interferes with stopping and 
starting daemons.

The solution to this is to have a directory under /var/run for each daemon and 
give write access to that directory only to the daemon that uses it.  For 
daemons that run as non-root this also makes things easier for non-SE systems 
as there is no need to create a pidfile such as /var/run/sm-client.pid and 
chown it, the directory can just have the permissions needed to allow file 
creation by the daemon.

Can anyone think of a reason not to do this?  Or should I just start filing 
bugzilla entries against all packages that have /var/run/daemon.pid files?

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page




More information about the fedora-devel-list mailing list