From: Rich Freeman
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] OpenRC supporting systemd units
Date: Wed, 8 May 2013 16:18:11 -0400
In-Reply-To: <518AB02A.7050602@gentoo.org>
References: <20130508183201.GC8256@linux1> <20130508211809.6cfa9f95@marga.jer-c2.orkz.net> <518AA9B2.7000100@gmail.com> <518AB02A.7050602@gentoo.org>
List-Id: Gentoo Linux mail (gentoo-dev)

On Wed, May 8, 2013 at 4:06 PM, Chí-Thanh Christopher Nguyễn wrote:
> You could be looking at someone trying to compromise your system through a
> buffer overflow or similar vulnerability. If you enable automatic respawn
> then congratulations, you just gave the attacker unlimited tries to guess
> the correct address/offset for his exploit.

Hence the reason it is highly use-case dependent. The same could be said of inittab restarting agetty indefinitely. You can configure rate-limiting on restarts, etc.

Somebody mentioned fork-bombs and cgroups. From what I can read, when systemd restarts something it first stops it and then starts it. Stopping a unit by default involves sending SIGTERM followed by SIGKILL to the cgroup. In general your processes won't be getting away unless they're root and manipulating such things. Much of the systemd behavior is configurable though - you could configure a unit to only kill the "main" process, and for that matter you can configure how systemd figures out the PID of the "main" process.

This is getting a bit off-topic though. I doubt anybody is going to want default behavior on a systemd unit to be to auto-restart, unless you're talking about stuff that already goes into inittab. If anybody wants stuff to auto-restart they'll edit their unit files (so files in /etc should override files elsewhere, or they should get config protection).

Rich
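The settings the message above refers to (restart rate limiting, the SIGTERM-then-SIGKILL stop of the whole cgroup, restricting the kill to the "main" process, and telling systemd how to find that main PID), as an added example that is not part of the original thread and not a unit file shipped by systemd or Gentoo. The unit name `example-daemon.service`, the binary path, the PID file and the concrete limits are placeholders chosen for illustration; the directive names are the current ones from systemd.unit(5), systemd.service(5) and systemd.kill(5) (`StartLimitIntervalSec=`/`StartLimitBurst=` now live under `[Unit]`; the older `StartLimitInterval=` under `[Service]` is still accepted for compatibility).

```ini
# /etc/systemd/system/example-daemon.service   (hypothetical unit, added example)
#
# A unit under /etc/systemd/system shadows a same-named unit a package ships
# under /usr/lib/systemd/system (or /lib/systemd/system), so a local restart
# policy put here survives package updates. To change only a few directives
# of the packaged unit instead, use a drop-in:
#   /etc/systemd/system/example-daemon.service.d/override.conf
# (which is what `systemctl edit example-daemon.service` creates).

[Unit]
Description=Example daemon with bounded automatic restart
After=network.target

# Rate-limit restarts: more than StartLimitBurst start attempts inside
# StartLimitIntervalSec make systemd refuse further starts until the window
# expires (cleared early with `systemctl reset-failed example-daemon.service`).
# Without a limit, Restart=always hands a crashing daemon, or one being
# probed through a memory-corruption bug, an unbounded number of fresh tries.
StartLimitIntervalSec=10min
StartLimitBurst=3

[Service]
Type=forking
ExecStart=/usr/sbin/example-daemon --daemonize
# The daemon forks, so tell systemd which process is the "main" one.
PIDFile=/run/example-daemon.pid

# Restart only on an unclean exit (non-zero status, a fatal signal such as
# SIGSEGV, a timeout), not after a clean exit and not after `systemctl stop`.
# Restart=always would also restart after a clean exit.
Restart=on-failure
RestartSec=5s

# On stop (and therefore on every restart) signal the whole control group:
# SIGTERM first, SIGKILL once TimeoutStopSec has elapsed. control-group is the
# default; it is spelled out because the alternatives below weaken it:
#   KillMode=process   signal only the main PID; helpers it forked keep running
#   KillMode=mixed     SIGTERM to the main PID only, SIGKILL later to the cgroup
#   KillMode=none      never signal (deprecated; the unit must tear itself down)
KillMode=control-group
KillSignal=SIGTERM
TimeoutStopSec=30s

[Install]
WantedBy=multi-user.target
```

After writing or overriding the unit, run `systemctl daemon-reload`, then check the values systemd actually applies with `systemctl show example-daemon.service -p Restart -p RestartUSec -p KillMode -p StartLimitBurst -p StartLimitIntervalUSec`; the `show` output reflects the /etc unit or drop-in winning over the packaged copy, which is the precedence the message asks for.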