[Pkg-sysvinit-devel] Bug#738855: initscripts: Skip killing root-owned process starting with @

Dimitri John Ledkov xnox at debian.org
Fri Feb 14 00:28:52 UTC 2014

Control: tags -1 pending

On 13 February 2014 21:18, Helmut Grohne <helmut at subdivi.de> wrote:
> Control: retitle -1 initscripts: Skip killing root-owned process starting with @
> On Thu, Feb 13, 2014 at 08:58:33PM +0000, Dimitri John Ledkov wrote:
>> How about limiting it to processes running as root?
>> E.g. pgrep -u root -f "^@" ?
>> That way there is no loophole opened, since those processes could
>> have written to /run/sendsigs.omit.d/ already.
> I concur with this remedy. Can you update your patch or remove the patch
> tag?

Updated patch, pushed to master. Tagging pending.

>> Writing out a pidfile (and/or otherwise copying them around) is ok, but
>> it is Debian [derivative] specific as far as I can tell,
>> whereas the "@" convention is supported by a larger number of
>> distributions and other init systems (e.g. systemd).
>> ( http://www.freedesktop.org/wiki/Software/systemd/RootStorageDaemons/ )
>> Writing out a pid-file should be avoided, especially since that is
>> optional across all init systems and undesirable for newer ones.
>> Also, processes could be started off-root (e.g. initramfs) and/or
>> otherwise not hold up unmounting root.
>> Thus I find "@" convention useful and lightweight self-identification.
> Thanks for pointing out the rationale and documentation. Did you notice
> that the referenced documentation explicitly restricts the technique to
> root-owned processes?

Yes, yes, yes I did *cough* =)

> Thanks for not introducing a security issue. :)

Thanks a lot for the review!
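
The root-only restriction discussed in this thread, as an added example (not part of the original message or of the initscripts patch): it selects "@" processes from a /proc-style tree with and without the effective-UID check that `pgrep -u root -f "^@"` applies. The function names, the proc-root argument and the sample processes are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: which PIDs may a shutdown kill loop skip under the "@" rule?
# The proc-root argument and all sample data are assumptions/constructed.

# Print PIDs whose argv[0] starts with "@". With mode "root-only" (default)
# the effective UID must also be 0, like `pgrep -u root -f "^@"`.
at_pids() {
    proc_root=${1:-/proc}
    mode=${2:-root-only}
    for dir in "$proc_root"/[0-9]*; do
        [ -r "$dir/cmdline" ] && [ -r "$dir/status" ] || continue
        # cmdline is NUL-separated; kernel threads have an empty one.
        first=$(head -c 1 "$dir/cmdline")
        [ "$first" = "@" ] || continue
        if [ "$mode" = "root-only" ]; then
            # "Uid:" fields are real, effective, saved, fs.
            euid=$(awk '/^Uid:/ { print $3; exit }' "$dir/status")
            [ "$euid" = "0" ] || continue
        fi
        echo "${dir##*/}"
    done
}

# Build a constructed /proc-like tree from lines of: pid, uid, argv[0].
make_sample_proc() {
    root=$(mktemp -d)
    while read -r pid uid argv0; do
        mkdir "$root/$pid"
        printf '%s\0--flag\0' "$argv0" > "$root/$pid/cmdline"
        printf 'Name:\tx\nUid:\t%s\t%s\t%s\t%s\n' "$uid" "$uid" "$uid" "$uid" \
            > "$root/$pid/status"
    done <<EOF
101 0 @storaged
202 1000 @looks-exempt
303 0 sshd
EOF
    mkdir "$root/404"; : > "$root/404/cmdline"      # kernel thread, no argv
    printf 'Name:\tkworker\nUid:\t0\t0\t0\t0\n' > "$root/404/status"
    echo "$root"
}

sample=$(make_sample_proc)
echo "any owner: $(at_pids "$sample" any | tr '\n' ' ')"   # 101 202
echo "root only: $(at_pids "$sample" | tr '\n' ' ')"       # 101
rm -rf "$sample"
```

Without the UID check, PID 202 (an unprivileged process that merely renamed its argv[0]) would be exempted from the kill loop; with it, only the root-owned PID 101 is skipped.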


