Re: request-route

hzoliFRONTIERNET.NET

• Messages sorted by: [ date ][ thread ][ subject ][ author ]
• Next message: Mfm: "Re: ICMP ECHO_REQUEST on BROADCAST--HOWTO Filter!"
• Previous message: Paul A Vixie: "bind security: fear, uncertainty, and doubts"
• In reply to: Ariel Biener: "Re: your mail"
• Next in thread: Eric Bennett: "Re: request-route"

Ariel Biener wrote:
[...]
> /sbin/request-route is a script. So, the script can be fixed to check for
> the lock file, or whatever other security check are needed. No need to
> just go and remove before finding a suitable solution.
>
>  A simple solution would be to add a:
>
>         set -o noclobber
>
> In the script, right here:
>
>         sleep 60 &
>         sleepid=$!
> --->    set -o noclobber
>         echo $sleepid > $LOCK
>         wait $sleepid

Unfortunately this is still not enough.  The problem is that many (if not
most) shells do not implement noclobber in a race-free way, but even if
they do, noclobber still allows writing to device special files, so a
symlink to /dev/hda will be followed by the shell destroying your master
boot record.  As far as I know, there is no portable way to safely create
lock files in a world-writable directory from a bourne-shell script.

If the script runs as root (as it is the case with request-route), it is
enough to put the lockfile in a directory writable only by root.  Debian
uses /var/run for the request-route lockfile.

Zoltan

• Next message: Mfm: "Re: ICMP ECHO_REQUEST on BROADCAST--HOWTO Filter!"
• Previous message: Paul A Vixie: "bind security: fear, uncertainty, and doubts"
• In reply to: Ariel Biener: "Re: your mail"
• Next in thread: Eric Bennett: "Re: request-route"