Date:      Thu, 17 Feb 2000 22:02:32 -0500
From:      "Crist J. Clark" <cjc@cc942873-a.ewndsr1.nj.home.com>
To:        Brad Guillory <round@baileylink.net>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: Nonpriveleged daemons and pid files
Message-ID:  <20000217220232.A53575@cc942873-a.ewndsr1.nj.home.com>
In-Reply-To: <20000217122140.D11118@baileylink.net>; from round@baileylink.net on Thu, Feb 17, 2000 at 12:21:40PM -0600
References:  <00021720524101.23691@newbee.web2000.ru> <20000217122140.D11118@baileylink.net>

On Thu, Feb 17, 2000 at 12:21:40PM -0600, Brad Guillory wrote:
> Write a startup script for the application that "touch"es the pid
> file then "chown"s it to the appropriate user.  Or make a daemon
> group and put all the daemons in it, then chgrp the /var/run directory
> to daemon group and chmod it to 775. (Sorry neither are tested.)
                                  ^^^
Don't you mean, 1775?

That prevents a compromised daemon from removing a file and putting
a new, dangerous one in its place, but it does open up the potential
for a DOS if a compromised daemon takes up filenames before the others
can use them.

Having root touch and chown files at startup (with the directory still
755) seems the best option... Unless the daemons think that the
existence of the file means they are already running and they refuse
to start. =)

> On Thu, Feb 17, 2000 at 08:47:26PM +0300, Andrey Novikov wrote:
> > Hello,
> > 
> > now more and more daemons can be run from non-privileged
> > account - BIND, MTAs, DBMS'es and so on, but it
> > sometimes leads to two minor problems - either this daemon
> > can't create pid file in /var/run or it can't update it on
> > restart. What is the common way to overcome that problem -
> > it's very convenient to store them in one place.
> > 
> > Andrey Novikov

-- 
Crist J. Clark                           cjclark@home.com


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
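The "root touches and chowns the pid file at startup, /var/run stays 755" approach discussed in this thread, written out as a POSIX sh function. This is an added example, not a script posted by Brad, Crist or Andrey: the daemon name `named`, the directory and the `prepare_pidfile`/`pidfile_owner` names are assumptions. It also handles the caveat Crist raises (a daemon that treats an existing pid file as "already running") by checking whether the recorded pid is still alive before truncating, and refuses to write through a symlink or non-regular file, which is the kind of replacement a compromised daemon could leave behind in a group-writable directory.

```shell
#!/bin/sh
# Added example (not from the thread). Root-side preparation of a pid file for
# an unprivileged daemon: the directory stays 0755 and root-owned, root creates
# the file and hands ownership to the daemon account. Names are assumptions.

# prepare_pidfile DIR NAME USER GROUP
#   Creates DIR/NAME.pid owned by USER:GROUP, mode 0644, and prints its path.
#   Exit 2: the pid recorded in an existing file is still alive (leave it).
#   Exit 3: the path is a symlink or not a regular file (do not write to it).
#   Exit 1: a filesystem operation failed.
prepare_pidfile() {
    dir=$1; name=$2; user=$3; group=$4
    pidfile="$dir/$name.pid"

    # Unprivileged daemons cannot create or remove entries in a 0755 dir they
    # do not own, so the only way a file gets here is through this step.
    [ -d "$dir" ] || mkdir -m 0755 "$dir" || return 1

    if [ -L "$pidfile" ]; then
        echo "refusing: $pidfile is a symlink" >&2
        return 3
    fi
    if [ -e "$pidfile" ] && [ ! -f "$pidfile" ]; then
        echo "refusing: $pidfile is not a regular file" >&2
        return 3
    fi

    # A non-empty pid file naming a live process means something still holds
    # it; do not truncate it out from under that process.
    if [ -s "$pidfile" ]; then
        oldpid=$(head -n 1 "$pidfile" | tr -cd '0-9')
        if [ -n "$oldpid" ] && kill -0 "$oldpid" 2>/dev/null; then
            echo "refusing: pid $oldpid from $pidfile is still running" >&2
            return 2
        fi
    fi

    # Stale or absent: create/truncate as the privileged caller, then give it
    # to the daemon account so it can rewrite the pid after dropping root.
    : > "$pidfile"                   || return 1
    chown "$user:$group" "$pidfile"  || return 1
    chmod 0644 "$pidfile"            || return 1
    echo "$pidfile"
}

# pidfile_owner FILE
#   Prints "user group" for FILE. Uses ls rather than stat because stat's
#   flags differ between BSD and GNU userlands.
pidfile_owner() {
    ls -l "$1" | awk '{print $3, $4}'
}

# Typical use from an rc script, before the daemon is started:
#   prepare_pidfile /var/run named bind bind || exit 1
```

Run it from the startup script as root before the daemon is launched. The daemon then only ever overwrites a file it already owns inside a directory it cannot modify, which is the property this approach is after; the filename-squatting DoS Crist describes for a 1775 directory does not arise because nothing but root can create names in it.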
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20000217220232.A53575>