rc.subr: use _pidcmd to determine pid for protect
ClosedPublic

Authored by a.wolk_fudosecurity.com on May 20 2021, 7:09 PM.

Details

Summary
commit 012db04c9b7525d097c88189e5616d63c3510903
Author: Adam Wolk <a.wolk@fudosecurity.com>
Date:   Thu May 20 20:57:36 2021 +0200

    rc.subr: use _pidcmd to determine pid for protect
    
    This is a more reliable method that accounts for existing pidfiles,
    procname and interpreter settings.
    
    The current method of obtaining the pid for oomprotect="YES"|"ALL" processes
    in certain cases fails to find a unique pid.
    
    One such case is rc.d scripts defining command as:
    command="daemon"
    
    which results in all processes started via daemon being selected and
    passed to protect(1) which fails and prints usage:
    
    $ /etc/rc.d/exampled restart
    Stopping exampled.
    Starting exampled.
    usage: protect [-i] command
           protect [-cdi] -g pgrp | -p pid
    
    Running the same with -x reveals what happens:
    
    + pid='3051 4268 4390 4421 4427 4470 4588 4733 4740 4870 4949 4954 4979
    5835 5866 55487 55583 56525 57643 57789 57882 58072 58167 99419'
    + /usr/bin/protect -p 3051 4268 4390 4421 4427 4470 4588 4733 4740 4870
    4949 4954 4979 5835 5866 55487 55583 56525 57643 57789 57882 58072 58167
    99419
    usage: protect [-i] command
           protect [-cdi] -g pgrp | -p pid
    
    We have a more reliable way of obtaining pid already defined in rc.subr
    and available when protect(1) needs it. We can simply `eval $_pidcmd`
    which also invokes `check_process` but properly accounts for existing
    pidfile, procname and interpreter settings.
    
    With the change, the pidfile is properly obtained.
    
    Sponsored by:   Fudo Security
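The failure mode described in the commit message (a name-based lookup for command="daemon" returning every daemon(8) wrapper, so `protect -p` receives a list instead of one pid) can be reproduced without FreeBSD at hand. The POSIX sh below is an added example written for this page; it is not code from rc.subr or from the commit under review. It sketches the lookup order the message relies on (a configured pidfile is authoritative, a name match is the fallback) and adds the uniqueness check that protect(1) effectively enforces by rejecting a multi-pid argument. The function names, the temporary pidfile and the pid list are constructed for the demo; rc.subr's real `_pidcmd` and `check_process` are not reproduced.

```shell
#!/bin/sh
# Added example, not rc.subr code. Illustrates why a pidfile-first lookup
# avoids handing protect(1) an ambiguous pid list.

# Print the pid recorded in a pidfile. Fail (print nothing) when the file is
# missing or does not hold a single positive integer.
pid_from_pidfile() {
    _pf=$1
    [ -r "$_pf" ] || return 1
    read -r _pid < "$_pf" || return 1
    case $_pid in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf '%s\n' "$_pid"
}

# Accept a whitespace-separated pid list (what a name-based lookup such as
# pgrep yields) and succeed only when it contains exactly one pid.
# protect -p only takes one pid, so anything else is an error, not a match.
unique_pid() {
    set -- $1
    [ $# -eq 1 ] || return 1
    printf '%s\n' "$1"
}

# Decide which pid to pass to protect -p: pidfile first, then the
# name-based candidate list. Returns 1 and prints nothing when ambiguous.
determine_pid() {
    _pidfile=$1
    _candidates=$2
    if [ -n "$_pidfile" ]; then
        pid_from_pidfile "$_pidfile"
        return $?
    fi
    unique_pid "$_candidates"
}

# --- constructed demo, shaped after the trace in the commit message -------
demo_dir=$(mktemp -d)
# Fake pidfile for the one daemon we actually want to protect.
printf '4268\n' > "$demo_dir/exampled.pid"
# Fake result of matching command="daemon" by name: many unrelated pids.
demo_pgrep='3051 4268 4390 4421 4427 4470 4588 4733 4740 4870 4949 4954 4979'

if determine_pid "" "$demo_pgrep" >/dev/null; then
    echo "name match: unexpectedly unique"
else
    echo "name match: ambiguous, protect -p would have printed its usage"
fi
echo "pidfile match: $(determine_pid "$demo_dir/exampled.pid" "$demo_pgrep")"
rm -rf "$demo_dir"
```

The point to take from the demo is the shape of the check, not the helper names: a lookup that can return several pids must fail closed rather than pass the whole list along, and an explicit pidfile (when the rc.d script defines one) is the only input that identifies the intended process unambiguously.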
