[Yum-devel] selinux and other pain
Michael Stenner
mstenner at linux.duke.edu
Sat Feb 28 23:07:49 UTC 2004
On Sat, Feb 28, 2004 at 03:24:53PM -0500, Ryan Tomayko wrote:
> On Thu, 2004-02-26 at 10:59, Michael Stenner wrote:
> > Well, if the data exists in memory BEFORE the fork, then it will
> > simply exist in memory for both processes after the fork. I'd be
> > shocked if this was non-safe.
> >
> > A fork is not like a system call. At the time of the fork, the
> > process is cloned. The two processes are completely identical except
> > for process ID and the return value of the fork() command.
> >
> > > xmlrpc MIGHT be safer - but I'm not sure if the two processes would be
> > > allowed to communicate like that in the selinux security model.
> >
> > Agreed. I would hope that socket communication would be safe, but who
> > knows. Those guys are psycho.
>
> My understanding is that this is almost always accomplished with fork,
> setuid, and plain old pipes (os.pipe). For example, most daemon type
> stuff needs to start as root, forks, calls setuid to assume lesser
> privileges, closes std{in,out,err} and then uses pipes to communicate
> back with the other side of the fork if necessary. A lot of times the
> side of the fork that is running as root exits.
You are right. This is what I meant to say. I have done this
before. I have even done it in python :)
-Michael
--
Michael D. Stenner mstenner at ece.arizona.edu
ECE Department, the University of Arizona 520-626-1619
1230 E. Speedway Blvd., Tucson, AZ 85721-0104 ECE 524G
More information about the Yum-devel
mailing list