Timeline for answer to Does a process’s parent have any significance from the perspective of its child? by Bhushitha Hashan
Current License: CC BY-SA 4.0
14 events
| when | what | by | license | comment | |
|---|---|---|---|---|---|
| S 7 hours ago | history | edited | Stephen Kitt | CC BY-SA 4.0 |
Copy-editing (sorry horsey_guy, your edit did change semantics).
|
| 8 hours ago | review | Suggested edits | |||
| S 7 hours ago | |||||
| 23 hours ago | comment | added | Bhushitha Hashan | @SimonRichter thank you for the pointers. But what if it's about execution context and safety? I want to ensure the process only runs when it has been properly set up by its intended parent. If a user tries to run the process manually, it might lack the necessary file descriptors or environment variables that the parent usually provides. By checking getppid(), the program can perform a sanity check and exit gracefully with a helpful error message, rather than crashing or behaving unpredictably because it was launched in the wrong environment. | |
| yesterday | comment | added | Simon Richter |
@BhushithaHashan, by the way, the idea of restricting callers to setuid binaries is valid, for example on BSD, the /bin/su binary is setuid root, but executable only for members of the wheel group. This group should only contain the user accounts who have a legitimate need to change user, usually those people who know the root password -- so if there is a vulnerability in that program, the only people who can exploit it don't have a need to.
|
|
| yesterday | comment | added | Bhushitha Hashan | @SimonRichter Thanks for the reality check, I'm still relatively new to the deeper side of Linux security and was mostly 'thinking out loud' with that code snippet. I see now why my approach is flawed. I hadn't considered the LD_PRELOAD angle or how easily the parent could be subverted before the check even happens. It makes sense that the setuid binary needs to be self-reliant rather than trusting an external process that could be compromised. Appreciate you taking the time to explain why that logic doesn't hold up! | |
| yesterday | comment | added | Simon Richter |
@BhushithaHashan, that method does not verify that the "trusted" daemon has not been subverted (e.g. with LD_PRELOAD). The point of the setuid binary is to have a new process with extra protections in place and minimal loaded code that can check whether the conditions for the elevated operations are fulfilled without having to defer to external components.
|
|
| yesterday | comment | added | Simon Richter | @BhushithaHashan, delivery of the signal interrupts whatever the process is doing, and invokes the signal handler. | |
| yesterday | comment | added | Bhushitha Hashan | @SimonRichter Thank you for the pointer. I knew that it is ultimately going to be reaped by pid 1, but I thought it would take time, since to handle a signal the parent has to be in kernel space. Or is pid 1 special? | |
| yesterday | comment | added | Bhushitha Hashan |
@StephenKitt I haven't come across anything which uses this, but my idea is: let's say we have a setuid root binary. It does something dangerous like modifying system files. You want it to ONLY be launched by your specific trusted daemon. Not by any random user typing its name directly in terminal. `pid_t parent = getppid(); char path[256], buf[256]; snprintf(path, sizeof(path), "/proc/%d/exe", (int)parent); ssize_t n = readlink(path, buf, sizeof(buf) - 1); if (n < 0) { exit(1); } buf[n] = '\0'; if (strcmp(buf, "/usr/bin/trusted_daemon") != 0) { exit(1); }`
|
|
| yesterday | comment | added | Simon Richter | Also, if the parent is gone, the process is reparented to pid 1 (Linux only: except if overridden with a different parent-of-last-resort), which is expected to reap exiting children immediately, so the child does not need to do anything differently if the parent is gone. | |
| yesterday | comment | added | Stephen Kitt | Welcome to Unix.SE! Zombies have already been mentioned in other answers, and are out-of-scope (a zombie process isn’t running); likewise a process signaling its parent is excluded by the last paragraph in the question. However your point about allowing specific parents is interesting — could you expand on that? Do you have examples from actual pieces of software? | |
| yesterday | review | Late answers | |||
| yesterday | |||||
| S yesterday | review | First answers | |||
| 8 hours ago | |||||
| S yesterday | history | answered | Bhushitha Hashan | CC BY-SA 4.0 |
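
The parent check discussed in the comments above, written as a launch-environment diagnostic. This is an added example, not code from the thread. The helper names `exe_of_pid` and `exe_matches` are hypothetical, and the launcher path is the one used in the comment's snippet. As the comments point out, the result says nothing about whether the parent has been subverted, so it is only suitable for producing a helpful error message.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Resolve /proc/<pid>/exe into out. Returns 0 on success, -1 if the link
 * cannot be read (no /proc, process gone, permission denied) or may have
 * been truncated. readlink() does not NUL-terminate, so we do it here. */
static int exe_of_pid(pid_t pid, char *out, size_t outlen)
{
    char link[64];
    ssize_t n;
    if (outlen < 2)
        return -1;
    snprintf(link, sizeof(link), "/proc/%ld/exe", (long)pid);
    n = readlink(link, out, outlen - 1);
    if (n < 0 || (size_t)n >= outlen - 1)  /* error, or possibly truncated */
        return -1;
    out[n] = '\0';
    return 0;
}

/* 1 = pid runs `expected`, 0 = it runs something else, -1 = unknown. */
static int exe_matches(pid_t pid, const char *expected)
{
    char exe[PATH_MAX];

    if (exe_of_pid(pid, exe, sizeof(exe)) != 0)
        return -1;
    return strcmp(exe, expected) == 0;
}

int main(void)
{
    /* Hypothetical launcher path, taken from the snippet in the thread. */
    const char *launcher = "/usr/bin/trusted_daemon";
    pid_t parent = getppid();  /* pid 1 or a subreaper if reparented */

    if (exe_matches(parent, launcher) != 1) {
        fprintf(stderr, "warning: not started by %s (ppid %ld); the "
                "expected descriptors and environment may be missing\n",
                launcher, (long)parent);
        return 1;
    }
    return 0;
}
```

On Linux the link target gains a ` (deleted)` suffix once the parent's executable has been unlinked or replaced on disk, so a running launcher that was upgraded in place will also fail this comparison.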