Re: /dev/clockctl, O_CLOEXEC and forking

To: Christos Zoulas <christos%zoulas.com@localhost>
Subject: Re: /dev/clockctl, O_CLOEXEC and forking
From: Alexander Nasonov <alnsn%yandex.ru@localhost>
Date: Tue, 1 May 2018 18:54:18 +0100

Christos Zoulas wrote:
> named seems to be needing random and null... It is reasonable to run
> with nodev, but it buys you little... I mean they processes run as non
> root in a chroot you have created that only has the device nodes they
> need. It would be hard for them to create more.

I didn't set nodev specifically for /var/chroot, my /var is mounted with
nodev,noexec. It worked for me with no problem until I tried to chroot
ntpd. It didn't fail to start but it clearly didn't work. It's even
more subtle for named. If it tries to open /dev/{random,urandom}
chroot but fails to report a failure, it can be a potentially
serious problem.

It'd be nice if those daemons (or their rc.d scripts) reported nodev
failures clearly and loudly.

-- 
Alex

Follow-Ups:
- Re: /dev/clockctl, O_CLOEXEC and forking
  - From: Alexander Nasonov

References:
- Re: /dev/clockctl, O_CLOEXEC and forking
  - From: Alexander Nasonov
- Re: /dev/clockctl, O_CLOEXEC and forking
  - From: Christos Zoulas

Prev by Date: Re: /dev/clockctl, O_CLOEXEC and forking
Next by Date: Re: /dev/clockctl, O_CLOEXEC and forking
Previous by Thread: Re: /dev/clockctl, O_CLOEXEC and forking
Next by Thread: Re: /dev/clockctl, O_CLOEXEC and forking
Indexes:

Home | Main Index | Thread Index | Old Index