[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: /var/run/directory/



Russell Coker (russell coker com au) said: 
> Currently in the strict policy every daemon is permitted to create files 
> under /var/run.  The problem is that a daemon which runs as root can (if 
> compromised) create /var/run files with the names used by other daemons if 
> the daemon is not running at the time.  This interferes with stopping and 
> starting daemons.
> 
> The solution to this is to have a directory under /var/run for each daemon and 
> give write access to that directory only to the daemon that uses it.  For 
> daemons that run as non-root this also makes things easier for non-SE systems 
> as there is no need to create a pidfile such as /var/run/sm-client.pid and 
> chown it, the directory can just have the permissions needed to allow file 
> creation by the daemon.
> 
> Can anyone think of a reason not to do this?  Or should I just start filing 
> bugzilla entries against all packages that have /var/run/daemon.pid files?

Well, it will break parts of the initscripts if it's just done
in the daemons. :)

Bill


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]