[PATCH] Hal privilege separation
Sjoerd Simons
sjoerd at luon.net
Fri Jan 20 12:00:18 PST 2006
On Fri, Jan 20, 2006 at 10:33:50AM -0800, Artem Kachitchkine wrote:
>
> >+ g_child_watch_add(pid, runner_died, NULL);
> ...
> >+static void
> >+runner_died(GPid pid, gint status, gpointer data) {
> >+ g_spawn_close_pid (pid);
> >+ DIE (("Runner died"));
> >+}
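Review bot: runner_died() ignores its status argument, so the log only ever says "Runner died" whether hald-runner returned an exit code or was killed by a signal. Decode status before the DIE call (WIFEXITED/WEXITSTATUS, WIFSIGNALED/WTERMSIG) and include the result in the message, so the cause of the runner's death can be read from hald's log. The data parameter is unused as well; that is fine with NULL passed to g_child_watch_add, but a short comment saying so would help.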
>
> Is the death of hald-runner fatal to hald? Could hald recover by restarting it?
Well, I don't want hald-runner to be a setuid program on disk somewhere, so no,
hal can't start it after dropping its privileges.
There are several reasons for hald-runner to die:
1: It has an out of memory situation. In that case it's either hald or hald-runner
that dies first (hal kills itself too when it's out of memory). So it
doesn't really matter (as hal will probably die when restarting or even
before that anyway).
2: The hal daemon sends a malformed dbus message. The only case when this
happens is a hal malfunction, either because of a bug or an attempted
exploit. So I wouldn't trust hal to start a new process running as root.
3: Bugs in the runner. These should just get fixed :) Probably hald-runner
will end up being more reliable than hal, so it would be better that
hald-runner restart hal instead of the other way around :)
Sjoerd
--
Things equal to nothing else are equal to each other.
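
The ordering discussed in this message, as an added example that is not part of the original post and is not HAL code: the privileged helper is forked first, the daemon then drops root for good, and the helper ending is treated as fatal because the daemon can no longer start a root process. The function names, the uid/gid values and the helper's stand-in body are assumptions made for the sketch.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical unprivileged ids for the daemon (assumption, not from HAL). */
#define DAEMON_UID 65534
#define DAEMON_GID 65534

/* Fork the helper while still privileged; it keeps the parent's ids.
 * helper_exit stands in for the helper's real work (constructed). */
static pid_t start_helper(int helper_exit) {
    pid_t pid = fork();
    if (pid == 0)
        _exit(helper_exit);
    return pid; /* parent: child pid, or -1 if fork failed */
}

/* Drop root for good: supplementary groups, then gid, then uid.
 * Returns 0 on success or if already unprivileged, -1 on failure. */
static int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() != 0)
        return 0;
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    return (setuid(0) == -1) ? 0 : -1; /* regaining root must fail */
}

/* Wait for the helper to end. Returns its exit code, 128+signal if it
 * was killed, or -1 on error. */
static int wait_helper(pid_t pid) {
    int status;
    while (waitpid(pid, &status, 0) == -1)
        if (errno != EINTR)
            return -1;
    if (WIFEXITED(status))
        return WEXITSTATUS(status);
    return WIFSIGNALED(status) ? 128 + WTERMSIG(status) : -1;
}

int main(void) {
    pid_t helper = start_helper(3);
    if (helper == -1 || drop_privileges(DAEMON_UID, DAEMON_GID) != 0)
        return 1;
    fprintf(stderr, "helper ended (%d), exiting\n", wait_helper(helper));
    return 1; /* no restart: the daemon has no root left to spawn with */
}
```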