On Wed, Apr 16, 2008 at 03:23:45PM +0200, Jille wrote: > Can you flock a file that is readonly for your user ? > It doesn't make sense, it would allow a lot of (local) Denial of > Services, I think ? Yes, you can flock a file opened for read. The lock is advisory. It would DoS only a service that takes the same lock. Prevention of the described situation is the point of the choosen mode for the pid files. > > Kostik Belousov schreef: > >On Wed, Apr 16, 2008 at 03:12:03PM +0200, Jille wrote: > >>Hello, > >> > >>Today I found out some pidfiles of 'system daemons', have a 'weird' chmod. > >> > >>[quis_at_istud ~]$ ls -l /var/run/cron.pid > >>-rw------- 1 root wheel 4 Mar 1 19:25 /var/run/cron.pid > >> > >>Can somebody tell me why it is 0600 ? > >>I don't think it will harm if it is 0644 ? > >> > >>I think this is only useful if the security.bsd.see_other_uids sysctl is > >>set to 0. > > > >They are 0600 so that the advisory locking works reliably on them. > >More details: > >the daemons flock() the pidfile to indicate that it is alive. Any other > >process may lock the file that can be opened for reading. Having more > >permissive mode would allow anybody to lock the pidfile, falsely indicating > >that the daemon is still alive, while it in fact died.
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:39:29 UTC