/var/run/directory/
Bill Nottingham
notting at redhat.com
Fri Oct 1 18:45:58 UTC 2004
Russell Coker (russell at coker.com.au) said:
> Currently in the strict policy every daemon is permitted to create files
> under /var/run. The problem is that a daemon which runs as root can (if
> compromised) create /var/run files with the names used by other daemons if
> the daemon is not running at the time. This interferes with stopping and
> starting daemons.
>
> The solution to this is to have a directory under /var/run for each daemon and
> give write access to that directory only to the daemon that uses it. For
> daemons that run as non-root this also makes things easier for non-SE systems
> as there is no need to create a pidfile such as /var/run/sm-client.pid and
> chown it, the directory can just have the permissions needed to allow file
> creation by the daemon.
>
> Can anyone think of a reason not to do this? Or should I just start filing
> bugzilla entries against all packages that have /var/run/daemon.pid files?
Well, it will break parts of the initscripts if it's just done
in the daemons. :)
Bill
More information about the fedora-devel-list
mailing list