Subject: Re: [gentoo-dev] Testing to see if services have crashed on hardened
From: Natanael Copa
To: gentoo-dev@lists.gentoo.org
Date: Fri, 21 Mar 2008 11:44:12 +0100
Message-Id: <1206096252.31941.19.camel@nc.nor.wtbts.org>
In-Reply-To: <200803211020.45551.roy@marples.name>

On Fri, 2008-03-21 at 10:20 +0000, Roy Marples wrote:
> Hi List.
>
> I've just removed the code to check for euid when running services and instead
> relying on permissions of the service state dir and testing errno. This is a
> good thing, but it does have one side effect.
>
> OpenRC can track daemons by how they were started. So every time you run
> rc-status it tests each reported service to ensure all daemons are up. This
> also works fine unprivileged on normal boxes - except for hardened where
> users can only see their own processes.
>
> This isn't really an easy answer, as we could have installed OpenRC in a
> prefix where this wouldn't apply, but we don't know that either.
>
> Ideas anyone?

err... run rc-status as root?

I mean if you are not supposed to see if a process is running or not as a
normal user, then hardened is doing its job when it does not allow rc-status
to show this info to the unprivileged user.

if (!HARDENED || (HARDENED && euid == 0)) {
	/* show if process is running or not */
}

> Thanks
>
> Roy

--
gentoo-dev@lists.gentoo.org mailing list
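
The reply above gates the "is it running" report on whether the caller is allowed to see the process. As an added example (not part of the original message and not OpenRC code), the C below returns a third "unknown" state instead of "crashed" when an unprivileged caller cannot even see PID 1. Assumptions: hidden processes appear as missing /proc/<pid> entries; classify_daemon, pid_visible and the proc_root parameter are hypothetical names.

```c
/* Added example, not OpenRC code. Assumption: a hidden process shows up
 * as a missing /proc/<pid> entry, exactly like a dead one. */
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

enum daemon_state { DAEMON_RUNNING, DAEMON_CRASHED, DAEMON_UNKNOWN };

/* Return 1 if <proc_root>/<pid> exists and is a directory. */
static int pid_visible(const char *proc_root, pid_t pid)
{
    char path[4096];
    struct stat st;
    int n = snprintf(path, sizeof(path), "%s/%ld", proc_root, (long)pid);

    if (n < 0 || (size_t)n >= sizeof(path))
        return 0;
    return stat(path, &st) == 0 && S_ISDIR(st.st_mode);
}

/* proc_root is a parameter (hypothetical) so the logic can be tested
 * against a constructed directory tree instead of the live /proc. */
enum daemon_state classify_daemon(const char *proc_root, pid_t pid, uid_t euid)
{
    if (pid_visible(proc_root, pid))
        return DAEMON_RUNNING;
    /* Assumption: root is exempt from hiding, so a miss means dead. */
    if (euid == 0)
        return DAEMON_CRASHED;
    /* PID 1 always exists and belongs to root: if an unprivileged caller
     * cannot see it, other users' processes are hidden and a missing
     * entry proves nothing about the daemon. */
    if (!pid_visible(proc_root, 1))
        return DAEMON_UNKNOWN;
    return DAEMON_CRASHED;
}

int main(void)
{
    static const char *names[] = { "running", "crashed", "unknown" };
    pid_t pid = getpid(); /* our own process is always visible to us */

    printf("pid %ld: %s\n", (long)pid,
           names[classify_daemon("/proc", pid, geteuid())]);
    return 0;
}
```

The check is deliberately conservative: a daemon owned by the calling user would still be visible when alive, but without knowing its uid the function reports "unknown" rather than a false "crashed".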