tech-userlevel archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: suenv



>>> Is it a bug to use pthreads?
>> In the case of security-critical software, yes, I believe it is.
> Why?  Because threaded software is too complex?

Loosely put, yes.

> But apache is security critical, isn't it?

No, or at least substantially less so - no more so than any
network-exposed daemon.

To pick one simple example, nobody with two brain cells to rub together
runs apache as root (possibly excepting briefly during early startup -
and if it doesn't throw away any such privilege long before it starts
threading, I consider that a critical bug in it), whereas most of the
things that use PAM must run as root.  To pick another, the class of
machines on which apache is unnecessary is much, much larger than the
class of machines on which login and su (and, more generally, programs
which by default are built with PAM) are unnecessary.

/~\ The ASCII                             Mouse
\ / Ribbon Campaign
 X  Against HTML                mouse%rodents-montreal.org@localhost
/ \ Email!           7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B


Home | Main Index | Thread Index | Old Index