[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#8703) slapd should create its PID file before dropping privileges

To: openldap-its@OpenLDAP.org
Subject: Re: (ITS#8703) slapd should create its PID file before dropping privileges
From: michael@orlitzky.com
Date: Wed, 06 Sep 2017 13:56:23 +0000
Auto-submitted: auto-generated (OpenLDAP-ITS)

On 09/06/2017 09:29 AM, Howard Chu wrote:
> 
> Learn something about Unix, please.
> 
> Use the ps command to verify that the process at least has the correct name. 
> The init script should know it's looking for a process named slapd, not init.
> 

Supposing we want to copy/paste two or more "ps" calls into every slapd
init script, this still lets a hacker prevent his own hacked process
from being killed by writing junk into the file.

If the standard practice was to write the PID file as an unprivileged
user, we would need to not only copy/paste those "ps" calls into every
slapd init script, but literally every init script for every daemon.
Apparently my predecessors didn't want to do that, so the standard
practice is to write the PID file as root. Do with that information what
you will.

Prev by Date: Re: (ITS#8703) slapd should create its PID file before dropping privileges
Next by Date: Re: (ITS#8703) slapd should create its PID file before dropping privileges
Index(es):
- Chronological
- Thread