Monday, December 07, 2020

Re: pflogd write /var/run/mypflogdinstance.pid?

On 12/7/20 7:43 AM, Theo de Raadt wrote:
>
> We've put some work into making programs not damage their argv. If you
> provide a strong set of arguments to the programs you start, you may be
> able to pkill with a more fullsize pattern, increasing the accuracy.
>

AFAICS pflogd rewrites the command line. This is what I saw this morning
for using symlinks:

{root@gate6a:etc 510} ps auxww | grep pflogd
root 8647 0.0 0.0 716 576 ?? IU 27Nov20 0:00.00 pflogd0: [priv] (pflogd)
_pflogd 44379 0.0 0.0 772 652 ?? Sp 27Nov20 0:19.26 pflogd0: [running] -s 160 -i pflog0 -f /var/log/pflog0 (pflogd)
root 23720 0.0 0.0 732 596 ?? IU 27Nov20 0:00.00 pflogd1: [priv] (pflogd)
_pflogd 22050 0.0 0.0 772 660 ?? Sp 27Nov20 0:22.99 pflogd1: [running] -s 160 -i pflog1 -f /var/log/pflog1 (pflogd)
root 52274 0.0 0.0 724 588 ?? IU 27Nov20 0:00.00 pflogd2: [priv] (pflogd)
_pflogd 26070 0.0 0.0 772 564 ?? Sp 27Nov20 0:15.02 pflogd2: [running] -s 160 -i pflog2 -f /var/log/pflog2 (pflogd)
root 10820 0.0 0.0 732 576 ?? IU 27Nov20 0:00.00 pflogd3: [priv] (pflogd)
_pflogd 75291 0.0 0.0 772 564 ?? Sp 27Nov20 0:14.70 pflogd3: [running] -s 160 -i pflog3 -f /var/log/pflog3 (pflogd)
root 87921 0.0 0.0 108 280 p0 R+/3 6:03AM 0:00.00 grep pflogd


newsyslog has to kill -HUP the processes owned by root. See that there
is just "pflogd" possible as a search pattern for pkill? Using "pflogd3"
as a search pattern didn't work, so I had to replace the symlinks by
hard links to make "pflogd3" show up in the process table.

Surely I am not asking to drop pkill or pgrep. But an optional
argument -p in pflogd shouldn't hurt. Nobody is forced to use it.

(Not to mention that "pkill pflogd" would kill a process "pflogdsample"
as well, so there is still a risk for killing the wrong process.)

About the PIDs: Maybe a sysctl like

kernel.pid_max = 4194303

known from other OSes could help to reduce the risk for PID conflicts.
If you store the PID files on a volatile file system, you can be sure
they are gone on the next reboot, anyway.

Just a suggestion, of course. Please keep up your good work


Regards
Harri
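An added example, not part of Harri's message or of pflogd/newsyslog: a POSIX sh/awk filter that picks the root-owned "[priv]" pflogd process by exact instance name from ps lines, which avoids the "pflogd" substring matching every instance (and "pflogdsample") that the post describes. The sample lines are constructed after the ps output above, with one extra "pflogdsample" line added; the column layout is assumed to be that of OpenBSD "ps auxww".

```shell
#!/bin/sh
# Constructed sample modelled on the ps output quoted above (not live output);
# the "pflogdsample" line and its PID 65001 are made up for the test.
PS_SAMPLE='root 8647 0.0 0.0 716 576 ?? IU 27Nov20 0:00.00 pflogd0: [priv] (pflogd)
_pflogd 44379 0.0 0.0 772 652 ?? Sp 27Nov20 0:19.26 pflogd0: [running] -s 160 -i pflog0 -f /var/log/pflog0 (pflogd)
root 10820 0.0 0.0 732 576 ?? IU 27Nov20 0:00.00 pflogd3: [priv] (pflogd)
_pflogd 75291 0.0 0.0 772 564 ?? Sp 27Nov20 0:14.70 pflogd3: [running] -s 160 -i pflog3 -f /var/log/pflog3 (pflogd)
root 65001 0.0 0.0 732 576 ?? IU 27Nov20 0:00.00 pflogdsample: [priv] (pflogd)'

# Read "ps auxww"-style lines on stdin and print the PID of every root-owned
# process whose title is exactly "<instance>: [priv]". Fields assumed:
# 1=USER 2=PID ... 11=first word of COMMAND (the rewritten title), 12=next word.
# Matching on the whole title word rules out "pflogd" hitting "pflogd3" or
# "pflogdsample", which a plain pkill/pgrep substring pattern would do.
priv_pids_from_ps() {
  awk -v inst="$1" '$1 == "root" && $11 == (inst ":") && $12 == "[priv]" { print $2 }'
}

# Wrapper that runs the filter over the constructed sample instead of live ps.
pflogd_priv_pid() {
  printf '%s\n' "$PS_SAMPLE" | priv_pids_from_ps "$1"
}

# Live use (assumption: OpenBSD ps columns as above), e.g. from a newsyslog
# post-rotation command, only signalling the one instance whose log rotated:
#   pid=$(ps auxww | priv_pids_from_ps pflogd3) && [ -n "$pid" ] && kill -HUP "$pid"
```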
