Date: Sun, 16 Feb 2014 00:10:43 +0400
From: Solar Designer <solar@...nwall.com>
To: Petter Reinholdtsen <pere@...gry.com>
Cc: Dimitri John Ledkov <xnox@...ian.org>, 738855@...s.debian.org,
	oss-security@...ts.openwall.com
Subject: Re: Bug#738855: initscripts: Skip killing root-owned process starting with @

Hi,

I am a moderator for oss-security, and I am unsure whether we want to
accept or reject postings made to the Debian bug and merely CC'ed to
oss-security by people who haven't participated in the discussion thread
on oss-security (and most likely have not even looked at it), and where
such postings are not security focused.  I feel that they'd be partially
out-of-context, and I feel that the discussion on the Debian bug might
go for a long while (this is fine on its own, but not for having it all
CC'ed to oss-security).

I reluctantly approved Petter's posting, although it was unclear if it
was CC'ed to oss-security on purpose or accidentally.

FYI, the thread on oss-security started here:

http://www.openwall.com/lists/oss-security/2014/02/14/4

and you may see follow-ups (which were _not_ CC'ed to the Debian bug)
via the "thread-next" link.

Dimitri, since you were the one to add the CC:, what would you like us
to do?  So far, Petter's is the only such comment CC'ed to oss-security
after yours, but I suspect that many more comments will be posted to the
Debian bug later (since there's no consensus), and many may/would be
CC'ed to oss-security without specific reason (OK, maybe my bringing the
question up will affect this and it won't be happening).

I think it may be appropriate to discuss non-security/development
aspects of this issue on the Debian bug and maybe on the Distributions
list:

http://lists.freedesktop.org/archives/distributions/

and security aspects on oss-security.  Or is this separation not
justified?  Maybe I am imagining the threat of this turning into a
lengthy thread that is only tangential for oss-security?

I don't intend to spam the Debian bug by CC'ing it on many more messages
like this, yet I felt I should keep it in the loop this time.

Thanks,

Alexander

P.S. This is a rare occasion where I think top-posting works best, so
here's the quoted message:

On Sat, Feb 15, 2014 at 08:20:12PM +0100, Petter Reinholdtsen wrote:
> I am not convinced this is something we should implement in
> init.d/sendsigs.  If we are going to implement this systemd
> compatibility, it might be better to implement it as an option for
> killall5, instead of faking omitpid values.  Anyone willing to write
> such an implementation?  killall5 already knows about all processes and
> their names, and asking it to ignore processes matching some regular
> expression should not be very hard.
> 
> -- 
> Happy hacking
> Petter Reinholdtsen
