| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <ac3eb2511003051051r50468752o607a8a0309d5ce2e@mail.gmail.com> Date: Fri, 5 Mar 2010 10:51:47 -0800 From: Kay Sievers <kay.sievers@...y.org> To: Roland McGrath <roland@...hat.com> Cc: Oleg Nesterov <oleg@...hat.com>, Lennart Poettering <lennart@...ttering.net>, linux-kernel@...r.kernel.org, Americo Wang <xiyou.wangcong@...il.com>, James Morris <jmorris@...ei.org>, KOSAKI Motohiro <kosaki.motohiro@...fujitsu.com>, Kyle McMartin <kyle@...hat.com>, Linus Torvalds <torvalds@...ux-foundation.org>, Michael Kerrisk <mtk.manpages@...glemail.com> Subject: Re: [PATCH] exit: PR_SET_ANCHOR for marking processes as reapers for child processes On Thu, Mar 4, 2010 at 14:14, Roland McGrath <roland@...hat.com> wrote: >> Security. This is beyond my understanding, hopefully the cc'ed >> experts can help. > > There are a few different aspects of behavior change to think about. > > 1. Who can get a SIGCHLD and wait result they weren't expecting. > 2. Who sees some PID for getppid() when they are expecting 1. > 3. What ps shows. > > When I start thinking through what might be security issues, they are > almost all #1 questions. There is a hairy nest of many variations of #1 > questions. The #2 question is pretty simple, but it also could be an issue > for security when setuid is involved (or just correctness for any > application). > > My impression is that #3 is the only actual motivation for this feature. > So perhaps we should consider an approach that leaves the rest of the > semantics alone and only affects that. Oh, no. Actually getting the SIGCHILD is the needed feature here. A process who sets the ANCHOR flag is surely expected to handle these signals. It's all about a user "init-like" process" that can do similar things for a logged-in user what /sbin/init can to for the system. So, it's all about 1.), and 3.) is a nice side-effect, but not the motivation to do this. And 2.) is just very broken behavior that should be fixed in the application, and it can be worked around in the sub-init process if needed. Thanks, Kay -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists