From: David A. <dav...@gm...> - 2009-07-14 23:03:39
|
All - Ok, I'm convinced. rxapi does not need to run as the root user on *nix systems. It has nothing it needs to do which would require root privileges. So the question becomes should we implement this change prior to the release of 4.0 or wait until the next release? The code changes are small but the testing could be a problem (although I do not expect any). Opinions welcome. David Ashley |
From: Rick M. <obj...@gm...> - 2009-07-14 23:07:20
|
I suspect most of the issues will not be in the code itself, but rather the different installs. I suspect we probably should do this, the biggest reason being it would allow unix systems to do memory stick based operations like Windows users can do. If there is a resulting chain of bad side effects that results, we always have the option to reverting back to the current code. Rick On Tue, Jul 14, 2009 at 7:03 PM, David Ashley<dav...@gm...> wrote: > All - > > Ok, I'm convinced. rxapi does not need to run as the root user on *nix > systems. It has nothing it needs to do which would require root privileges. > > So the question becomes should we implement this change prior to the > release of 4.0 or wait until the next release? The code changes are > small but the testing could be a problem (although I do not expect any). > > Opinions welcome. > > David Ashley > > ------------------------------------------------------------------------------ > Enter the BlackBerry Developer Challenge > This is your chance to win up to $100,000 in prizes! For a limited time, > vendors submitting new applications to BlackBerry App World(TM) will have > the opportunity to enter the BlackBerry Developer Challenge. See full prize > details at: http://p.sf.net/sfu/Challenge > _______________________________________________ > Oorexx-devel mailing list > Oor...@li... > https://lists.sourceforge.net/lists/listinfo/oorexx-devel > |
From: Mark M. <mie...@gm...> - 2009-07-14 23:14:16
|
On Tue, Jul 14, 2009 at 4:03 PM, David Ashley<dav...@gm...> wrote: > Ok, I'm convinced. rxapi does not need to run as the root user on *nix > systems. It has nothing it needs to do which would require root privileges. > > So the question becomes should we implement this change prior to the > release of 4.0 or wait until the next release? I am not in favor of making a change now, well actually I'm against it. I am in favor of having an install that doesn't require su to root to install, but I think we should get this release out of the door and plan on doing a follow up release in 3 months to fix bugs I know will be reported and straighten out details like this one. As far as I can see, the current 3.2.0 Linux rpms and debs can not be installed unless you su to root. So what's the problem? There hasn't been a single user complaint about this in 2 years. In the current 4.0.0, you have to su to root to install the rpm or to install the deb. After that there is no problem. This situation is no different than it has been. -- Mark Miesfeld The code changes are > small but the testing could be a problem (although I do not expect any). > > Opinions welcome. > > David Ashley > > ------------------------------------------------------------------------------ > Enter the BlackBerry Developer Challenge > This is your chance to win up to $100,000 in prizes! For a limited time, > vendors submitting new applications to BlackBerry App World(TM) will have > the opportunity to enter the BlackBerry Developer Challenge. See full prize > details at: http://p.sf.net/sfu/Challenge > _______________________________________________ > Oorexx-devel mailing list > Oor...@li... > https://lists.sourceforge.net/lists/listinfo/oorexx-devel > |
From: Rick M. <obj...@gm...> - 2009-07-14 23:19:37
|
How about a compromise? We make the code changes to enable rxapi to run as a normal process, but keep the install procedures the same for now. The code is already in place to auto-launch rxapi if it is not running, but currently this only works if you're running as root. If we can eliminate that requirement, then there is a lot more flexibility in how things get configured, and we probably don't need to make any patches to the code to support the Mac, Rick On Tue, Jul 14, 2009 at 7:13 PM, Mark Miesfeld<mie...@gm...> wrote: > On Tue, Jul 14, 2009 at 4:03 PM, David Ashley<dav...@gm...> wrote: > >> Ok, I'm convinced. rxapi does not need to run as the root user on *nix >> systems. It has nothing it needs to do which would require root privileges. >> >> So the question becomes should we implement this change prior to the >> release of 4.0 or wait until the next release? > > I am not in favor of making a change now, well actually I'm against it. > > I am in favor of having an install that doesn't require su to root to > install, but I think we should get this release out of the door and > plan on doing a follow up release in 3 months to fix bugs I know will > be reported and straighten out details like this one. > > As far as I can see, the current 3.2.0 Linux rpms and debs can not be > installed unless you su to root. So what's the problem? There hasn't > been a single user complaint about this in 2 years. > > In the current 4.0.0, you have to su to root to install the rpm or to > install the deb. After that there is no problem. This situation is > no different than it has been. > > -- > Mark Miesfeld > > > The code changes are >> small but the testing could be a problem (although I do not expect any). >> >> Opinions welcome. >> >> David Ashley >> >> ------------------------------------------------------------------------------ >> Enter the BlackBerry Developer Challenge >> This is your chance to win up to $100,000 in prizes! For a limited time, >> vendors submitting new applications to BlackBerry App World(TM) will have >> the opportunity to enter the BlackBerry Developer Challenge. See full prize >> details at: http://p.sf.net/sfu/Challenge >> _______________________________________________ >> Oorexx-devel mailing list >> Oor...@li... >> https://lists.sourceforge.net/lists/listinfo/oorexx-devel >> > > ------------------------------------------------------------------------------ > Enter the BlackBerry Developer Challenge > This is your chance to win up to $100,000 in prizes! For a limited time, > vendors submitting new applications to BlackBerry App World(TM) will have > the opportunity to enter the BlackBerry Developer Challenge. See full prize > details at: http://p.sf.net/sfu/Challenge > _______________________________________________ > Oorexx-devel mailing list > Oor...@li... > https://lists.sourceforge.net/lists/listinfo/oorexx-devel > |
From: René J. <rvj...@xs...> - 2009-07-14 23:23:29
|
I think that is a good solution. best regards, René Jansen. On 15 jul 2009, at 01:19, Rick McGuire wrote: > How about a compromise? We make the code changes to enable rxapi to > run as a normal process, but keep the install procedures the same for > now. The code is already in place to auto-launch rxapi if it is not > running, but currently this only works if you're running as root. If > we can eliminate that requirement, then there is a lot more > flexibility in how things get configured, and we probably don't need > to make any patches to the code to support the Mac, > > Rick > > On Tue, Jul 14, 2009 at 7:13 PM, Mark Miesfeld<mie...@gm...> > wrote: >> On Tue, Jul 14, 2009 at 4:03 PM, David Ashley<dav...@gm... >> > wrote: >> >>> Ok, I'm convinced. rxapi does not need to run as the root user on >>> *nix >>> systems. It has nothing it needs to do which would require root >>> privileges. >>> >>> So the question becomes should we implement this change prior to the >>> release of 4.0 or wait until the next release? >> >> I am not in favor of making a change now, well actually I'm against >> it. >> >> I am in favor of having an install that doesn't require su to root to >> install, but I think we should get this release out of the door and >> plan on doing a follow up release in 3 months to fix bugs I know will >> be reported and straighten out details like this one. >> >> As far as I can see, the current 3.2.0 Linux rpms and debs can not be >> installed unless you su to root. So what's the problem? There >> hasn't >> been a single user complaint about this in 2 years. >> >> In the current 4.0.0, you have to su to root to install the rpm or to >> install the deb. After that there is no problem. This situation is >> no different than it has been. >> >> -- >> Mark Miesfeld >> >> >> The code changes are >>> small but the testing could be a problem (although I do not expect >>> any). >>> >>> Opinions welcome. >>> >>> David Ashley >>> >>> ------------------------------------------------------------------------------ >>> Enter the BlackBerry Developer Challenge >>> This is your chance to win up to $100,000 in prizes! For a limited >>> time, >>> vendors submitting new applications to BlackBerry App World(TM) >>> will have >>> the opportunity to enter the BlackBerry Developer Challenge. See >>> full prize >>> details at: http://p.sf.net/sfu/Challenge >>> _______________________________________________ >>> Oorexx-devel mailing list >>> Oor...@li... >>> https://lists.sourceforge.net/lists/listinfo/oorexx-devel >>> >> >> ------------------------------------------------------------------------------ >> Enter the BlackBerry Developer Challenge >> This is your chance to win up to $100,000 in prizes! For a limited >> time, >> vendors submitting new applications to BlackBerry App World(TM) >> will have >> the opportunity to enter the BlackBerry Developer Challenge. See >> full prize >> details at: http://p.sf.net/sfu/Challenge >> _______________________________________________ >> Oorexx-devel mailing list >> Oor...@li... >> https://lists.sourceforge.net/lists/listinfo/oorexx-devel >> > > ------------------------------------------------------------------------------ > Enter the BlackBerry Developer Challenge > This is your chance to win up to $100,000 in prizes! For a limited > time, > vendors submitting new applications to BlackBerry App World(TM) will > have > the opportunity to enter the BlackBerry Developer Challenge. See > full prize > details at: http://p.sf.net/sfu/Challenge > _______________________________________________ > Oorexx-devel mailing list > Oor...@li... > https://lists.sourceforge.net/lists/listinfo/oorexx-devel > > |
From: Mark M. <mie...@gm...> - 2009-07-14 23:27:29
|
Okay, I'm willing to compromise, if it makes it easier for René to get a Mac package going. But, really, at any place I've worked, at this stage of a release the code base would be locked down and you'd have to convince the CEO that the world was going to end without a code change to unlock it. <grin> -- Mark Miesfeld On Tue, Jul 14, 2009 at 4:19 PM, Rick McGuire<obj...@gm...> wrote: > How about a compromise? We make the code changes to enable rxapi to > run as a normal process, but keep the install procedures the same for > now. The code is already in place to auto-launch rxapi if it is not > running, but currently this only works if you're running as root. If > we can eliminate that requirement, then there is a lot more > flexibility in how things get configured, and we probably don't need > to make any patches to the code to support the Mac, > > Rick > > On Tue, Jul 14, 2009 at 7:13 PM, Mark Miesfeld<mie...@gm...> wrote: >> On Tue, Jul 14, 2009 at 4:03 PM, David Ashley<dav...@gm...> wrote: >> >>> Ok, I'm convinced. rxapi does not need to run as the root user on *nix >>> systems. It has nothing it needs to do which would require root privileges. >>> >>> So the question becomes should we implement this change prior to the >>> release of 4.0 or wait until the next release? >> >> I am not in favor of making a change now, well actually I'm against it. >> >> I am in favor of having an install that doesn't require su to root to >> install, but I think we should get this release out of the door and >> plan on doing a follow up release in 3 months to fix bugs I know will >> be reported and straighten out details like this one. >> >> As far as I can see, the current 3.2.0 Linux rpms and debs can not be >> installed unless you su to root. So what's the problem? There hasn't >> been a single user complaint about this in 2 years. >> >> In the current 4.0.0, you have to su to root to install the rpm or to >> install the deb. After that there is no problem. This situation is >> no different than it has been. >> >> -- >> Mark Miesfeld >> >> >> The code changes are >>> small but the testing could be a problem (although I do not expect any). >>> >>> Opinions welcome. >>> >>> David Ashley >>> >>> ------------------------------------------------------------------------------ >>> Enter the BlackBerry Developer Challenge >>> This is your chance to win up to $100,000 in prizes! For a limited time, >>> vendors submitting new applications to BlackBerry App World(TM) will have >>> the opportunity to enter the BlackBerry Developer Challenge. See full prize >>> details at: http://p.sf.net/sfu/Challenge >>> _______________________________________________ >>> Oorexx-devel mailing list >>> Oor...@li... >>> https://lists.sourceforge.net/lists/listinfo/oorexx-devel >>> >> >> ------------------------------------------------------------------------------ >> Enter the BlackBerry Developer Challenge >> This is your chance to win up to $100,000 in prizes! For a limited time, >> vendors submitting new applications to BlackBerry App World(TM) will have >> the opportunity to enter the BlackBerry Developer Challenge. See full prize >> details at: http://p.sf.net/sfu/Challenge >> _______________________________________________ >> Oorexx-devel mailing list >> Oor...@li... >> https://lists.sourceforge.net/lists/listinfo/oorexx-devel >> > > ------------------------------------------------------------------------------ > Enter the BlackBerry Developer Challenge > This is your chance to win up to $100,000 in prizes! For a limited time, > vendors submitting new applications to BlackBerry App World(TM) will have > the opportunity to enter the BlackBerry Developer Challenge. See full prize > details at: http://p.sf.net/sfu/Challenge > _______________________________________________ > Oorexx-devel mailing list > Oor...@li... > https://lists.sourceforge.net/lists/listinfo/oorexx-devel > |
From: David A. <dav...@gm...> - 2009-07-15 13:26:38
|
Ok, some clarification. I am NOT talking about making the install available to a non-root user. I am only speaking to running rxapi as a non-root user. The install will still need to be performed by root. What will happen is that just after rxapi writes to the pid file code will be added that changes to process owner to "nobody". This will eliminate root privileges for the process and thus make it more attractive to the security paranoid. The only change will be to add about 5 lines of code to the rxapi startup functions. David Ashley On 07/14/2009 06:19 PM, Rick McGuire wrote: > How about a compromise? We make the code changes to enable rxapi to > run as a normal process, but keep the install procedures the same for > now. The code is already in place to auto-launch rxapi if it is not > running, but currently this only works if you're running as root. If > we can eliminate that requirement, then there is a lot more > flexibility in how things get configured, and we probably don't need > to make any patches to the code to support the Mac, > > Rick > > On Tue, Jul 14, 2009 at 7:13 PM, Mark Miesfeld<mie...@gm...> wrote: > >> On Tue, Jul 14, 2009 at 4:03 PM, David Ashley<dav...@gm...> wrote: >> >> >>> Ok, I'm convinced. rxapi does not need to run as the root user on *nix >>> systems. It has nothing it needs to do which would require root privileges. >>> >>> So the question becomes should we implement this change prior to the >>> release of 4.0 or wait until the next release? >>> >> I am not in favor of making a change now, well actually I'm against it. >> >> I am in favor of having an install that doesn't require su to root to >> install, but I think we should get this release out of the door and >> plan on doing a follow up release in 3 months to fix bugs I know will >> be reported and straighten out details like this one. >> >> As far as I can see, the current 3.2.0 Linux rpms and debs can not be >> installed unless you su to root. So what's the problem? There hasn't >> been a single user complaint about this in 2 years. >> >> In the current 4.0.0, you have to su to root to install the rpm or to >> install the deb. After that there is no problem. This situation is >> no different than it has been. >> >> -- >> Mark Miesfeld >> >> >> The code changes are >> >>> small but the testing could be a problem (although I do not expect any). >>> >>> Opinions welcome. >>> >>> David Ashley >>> >>> ------------------------------------------------------------------------------ >>> Enter the BlackBerry Developer Challenge >>> This is your chance to win up to $100,000 in prizes! For a limited time, >>> vendors submitting new applications to BlackBerry App World(TM) will have >>> the opportunity to enter the BlackBerry Developer Challenge. See full prize >>> details at: http://p.sf.net/sfu/Challenge >>> _______________________________________________ >>> Oorexx-devel mailing list >>> Oor...@li... >>> https://lists.sourceforge.net/lists/listinfo/oorexx-devel >>> >>> >> ------------------------------------------------------------------------------ >> Enter the BlackBerry Developer Challenge >> This is your chance to win up to $100,000 in prizes! For a limited time, >> vendors submitting new applications to BlackBerry App World(TM) will have >> the opportunity to enter the BlackBerry Developer Challenge. See full prize >> details at: http://p.sf.net/sfu/Challenge >> _______________________________________________ >> Oorexx-devel mailing list >> Oor...@li... >> https://lists.sourceforge.net/lists/listinfo/oorexx-devel >> >> > > ------------------------------------------------------------------------------ > Enter the BlackBerry Developer Challenge > This is your chance to win up to $100,000 in prizes! For a limited time, > vendors submitting new applications to BlackBerry App World(TM) will have > the opportunity to enter the BlackBerry Developer Challenge. See full prize > details at: http://p.sf.net/sfu/Challenge > _______________________________________________ > Oorexx-devel mailing list > Oor...@li... > https://lists.sourceforge.net/lists/listinfo/oorexx-devel > > |
From: Rick M. <obj...@gm...> - 2009-07-15 13:40:25
|
Does this still mean that write authority for the pid file is still required? Eliminating the root privileges is a good thing, but it won't allow the USB stick version unless you can start rxapi as root. I'm not really sure I understand what that particular file is used for. Rick On Wed, Jul 15, 2009 at 9:26 AM, David Ashley<dav...@gm...> wrote: > Ok, some clarification. I am NOT talking about making the install available > to a non-root user. I am only speaking to running rxapi as a non-root user. > The install will still need to be performed by root. > > What will happen is that just after rxapi writes to the pid file code will > be added that changes to process owner to "nobody". This will eliminate root > privileges for the process and thus make it more attractive to the security > paranoid. > > The only change will be to add about 5 lines of code to the rxapi startup > functions. > > David Ashley > > On 07/14/2009 06:19 PM, Rick McGuire wrote: > > How about a compromise? We make the code changes to enable rxapi to > run as a normal process, but keep the install procedures the same for > now. The code is already in place to auto-launch rxapi if it is not > running, but currently this only works if you're running as root. If > we can eliminate that requirement, then there is a lot more > flexibility in how things get configured, and we probably don't need > to make any patches to the code to support the Mac, > > Rick > > On Tue, Jul 14, 2009 at 7:13 PM, Mark Miesfeld<mie...@gm...> wrote: > > > On Tue, Jul 14, 2009 at 4:03 PM, David Ashley<dav...@gm...> > wrote: > > > > Ok, I'm convinced. rxapi does not need to run as the root user on *nix > systems. It has nothing it needs to do which would require root privileges. > > So the question becomes should we implement this change prior to the > release of 4.0 or wait until the next release? > > > I am not in favor of making a change now, well actually I'm against it. > > I am in favor of having an install that doesn't require su to root to > install, but I think we should get this release out of the door and > plan on doing a follow up release in 3 months to fix bugs I know will > be reported and straighten out details like this one. > > As far as I can see, the current 3.2.0 Linux rpms and debs can not be > installed unless you su to root. So what's the problem? There hasn't > been a single user complaint about this in 2 years. > > In the current 4.0.0, you have to su to root to install the rpm or to > install the deb. After that there is no problem. This situation is > no different than it has been. > > -- > Mark Miesfeld > > > The code changes are > > > small but the testing could be a problem (although I do not expect any). > > Opinions welcome. > > David Ashley > > ------------------------------------------------------------------------------ > Enter the BlackBerry Developer Challenge > This is your chance to win up to $100,000 in prizes! For a limited time, > vendors submitting new applications to BlackBerry App World(TM) will have > the opportunity to enter the BlackBerry Developer Challenge. See full prize > details at: http://p.sf.net/sfu/Challenge > _______________________________________________ > Oorexx-devel mailing list > Oor...@li... > https://lists.sourceforge.net/lists/listinfo/oorexx-devel > > > > ------------------------------------------------------------------------------ > Enter the BlackBerry Developer Challenge > This is your chance to win up to $100,000 in prizes! For a limited time, > vendors submitting new applications to BlackBerry App World(TM) will have > the opportunity to enter the BlackBerry Developer Challenge. See full prize > details at: http://p.sf.net/sfu/Challenge > _______________________________________________ > Oorexx-devel mailing list > Oor...@li... > https://lists.sourceforge.net/lists/listinfo/oorexx-devel > > > > ------------------------------------------------------------------------------ > Enter the BlackBerry Developer Challenge > This is your chance to win up to $100,000 in prizes! For a limited time, > vendors submitting new applications to BlackBerry App World(TM) will have > the opportunity to enter the BlackBerry Developer Challenge. See full prize > details at: http://p.sf.net/sfu/Challenge > _______________________________________________ > Oorexx-devel mailing list > Oor...@li... > https://lists.sourceforge.net/lists/listinfo/oorexx-devel > > > > ------------------------------------------------------------------------------ > Enter the BlackBerry Developer Challenge > This is your chance to win up to $100,000 in prizes! For a limited time, > vendors submitting new applications to BlackBerry App World(TM) will have > the opportunity to enter the BlackBerry Developer Challenge. See full prize > details at: http://p.sf.net/sfu/Challenge > _______________________________________________ > Oorexx-devel mailing list > Oor...@li... > https://lists.sourceforge.net/lists/listinfo/oorexx-devel > > |
From: David A. <dav...@gm...> - 2009-07-15 14:00:49
|
There are two pieces to the rxapi story. First there is the rxapi binary. Second, there is the rxapid shell script. The rxapid shell script is the traffic cop for the rxapi binary. The shell script starts, stops and produces status info via the RH service command. To status and stop the binary it reads the pid file and determines if the process is still running. So the rxapi binary must write out the pid file for that to happen. In order to get the pid file written the rxapi binary must be running as root (the default when it is started from the shell script). To change the ownership of the process to a non-root user you make some api calls just after you write the pid file and before you begin processing user requests. That way no user request can generate any problems that would violate the security of the system. If the rxapi binary is owned and running with root privileges then a buffer overrun attack could damage the system or some other attack might be possible. By changing the process owner to a non-root user you eliminate that possibility. David Ashley On 07/15/2009 08:32 AM, Rick McGuire wrote: > Does this still mean that write authority for the pid file is still > required? Eliminating the root privileges is a good thing, but it > won't allow the USB stick version unless you can start rxapi as root. > > I'm not really sure I understand what that particular file is used for. > > Rick > > On Wed, Jul 15, 2009 at 9:26 AM, David Ashley<dav...@gm...> wrote: > >> Ok, some clarification. I am NOT talking about making the install available >> to a non-root user. I am only speaking to running rxapi as a non-root user. >> The install will still need to be performed by root. >> >> What will happen is that just after rxapi writes to the pid file code will >> be added that changes to process owner to "nobody". This will eliminate root >> privileges for the process and thus make it more attractive to the security >> paranoid. >> >> The only change will be to add about 5 lines of code to the rxapi startup >> functions. >> >> David Ashley >> >> On 07/14/2009 06:19 PM, Rick McGuire wrote: >> >> How about a compromise? We make the code changes to enable rxapi to >> run as a normal process, but keep the install procedures the same for >> now. The code is already in place to auto-launch rxapi if it is not >> running, but currently this only works if you're running as root. If >> we can eliminate that requirement, then there is a lot more >> flexibility in how things get configured, and we probably don't need >> to make any patches to the code to support the Mac, >> >> Rick >> >> On Tue, Jul 14, 2009 at 7:13 PM, Mark Miesfeld<mie...@gm...> wrote: >> >> >> On Tue, Jul 14, 2009 at 4:03 PM, David Ashley<dav...@gm...> >> wrote: >> >> >> >> Ok, I'm convinced. rxapi does not need to run as the root user on *nix >> systems. It has nothing it needs to do which would require root privileges. >> >> So the question becomes should we implement this change prior to the >> release of 4.0 or wait until the next release? >> >> >> I am not in favor of making a change now, well actually I'm against it. >> >> I am in favor of having an install that doesn't require su to root to >> install, but I think we should get this release out of the door and >> plan on doing a follow up release in 3 months to fix bugs I know will >> be reported and straighten out details like this one. >> >> As far as I can see, the current 3.2.0 Linux rpms and debs can not be >> installed unless you su to root. So what's the problem? There hasn't >> been a single user complaint about this in 2 years. >> >> In the current 4.0.0, you have to su to root to install the rpm or to >> install the deb. After that there is no problem. This situation is >> no different than it has been. >> >> -- >> Mark Miesfeld >> >> >> The code changes are >> >> >> small but the testing could be a problem (although I do not expect any). >> >> Opinions welcome. >> >> David Ashley >> >> ------------------------------------------------------------------------------ >> Enter the BlackBerry Developer Challenge >> This is your chance to win up to $100,000 in prizes! For a limited time, >> vendors submitting new applications to BlackBerry App World(TM) will have >> the opportunity to enter the BlackBerry Developer Challenge. See full prize >> details at: http://p.sf.net/sfu/Challenge >> _______________________________________________ >> Oorexx-devel mailing list >> Oor...@li... >> https://lists.sourceforge.net/lists/listinfo/oorexx-devel >> >> >> >> ------------------------------------------------------------------------------ >> Enter the BlackBerry Developer Challenge >> This is your chance to win up to $100,000 in prizes! For a limited time, >> vendors submitting new applications to BlackBerry App World(TM) will have >> the opportunity to enter the BlackBerry Developer Challenge. See full prize >> details at: http://p.sf.net/sfu/Challenge >> _______________________________________________ >> Oorexx-devel mailing list >> Oor...@li... >> https://lists.sourceforge.net/lists/listinfo/oorexx-devel >> >> >> >> ------------------------------------------------------------------------------ >> Enter the BlackBerry Developer Challenge >> This is your chance to win up to $100,000 in prizes! For a limited time, >> vendors submitting new applications to BlackBerry App World(TM) will have >> the opportunity to enter the BlackBerry Developer Challenge. See full prize >> details at: http://p.sf.net/sfu/Challenge >> _______________________________________________ >> Oorexx-devel mailing list >> Oor...@li... >> https://lists.sourceforge.net/lists/listinfo/oorexx-devel >> >> >> >> ------------------------------------------------------------------------------ >> Enter the BlackBerry Developer Challenge >> This is your chance to win up to $100,000 in prizes! For a limited time, >> vendors submitting new applications to BlackBerry App World(TM) will have >> the opportunity to enter the BlackBerry Developer Challenge. See full prize >> details at: http://p.sf.net/sfu/Challenge >> _______________________________________________ >> Oorexx-devel mailing list >> Oor...@li... >> https://lists.sourceforge.net/lists/listinfo/oorexx-devel >> >> >> > > ------------------------------------------------------------------------------ > Enter the BlackBerry Developer Challenge > This is your chance to win up to $100,000 in prizes! For a limited time, > vendors submitting new applications to BlackBerry App World(TM) will have > the opportunity to enter the BlackBerry Developer Challenge. See full prize > details at: http://p.sf.net/sfu/Challenge > _______________________________________________ > Oorexx-devel mailing list > Oor...@li... > https://lists.sourceforge.net/lists/listinfo/oorexx-devel > > |
From: René J. <rvj...@xs...> - 2009-07-15 15:20:48
|
I think switching to a non-root user is good. It is also unnecessary if the process is already started as non-root. The reason for starting it as root is, as far as I know now, only to write the pid file on a portion of the filesystem that is not writeble by non-root. If the pid file ony exists for the script, then still the disadvantage of having to install a launchd script to start as root, or the impossibility of running from USB or live cd outweigh the advantage of having the script around. Remember, the existence of a pid file does not imply the existence of a process. I have a lot of experience running PostgreSQL and one of its nuisances is having to su - root or sudo to remove the pid file from a defunct process. In my view ps -ef grep | rxapi is a more surefire way of viewing and killing a process. I still do not see any compelling reason to run as root - and the process owner switch would require root, so the reason to be root would be in order not to run as root. I have no problem in running this differently on MacOSX but I'd rather we could agree the same way for all Unices. Our customer account is going to do a proof of concept with z/Linux - hence my compiling of the daylies for z/Arch in 64 bit. How cool would it be to have ooRexx be able to run in user mode, and just start up rxapi when needed, on a system or user scope. Or to have a stick and be able to run on anyones Windows machines instead of resorting to the dreaded .bat language while performing our duty for family and friends, or even doing something useful at work while winning over souls for ooRexx. Which brings me to the question if the test suite has tests in it that hammer the rxapi process from different user processes at the same time, because that is what is going to happen eventually. It also brings me to the question how this worked in previous versions. I know that Linux and Mac did System V shared memory, and I remember a lot of traffic on the rxapi and the installer on Windows. Was this absent on Linux? I know I did not put in into the installer for Mac, so unless it started it up itself it did not run. best regards, René Jansen. On 15 jul 2009, at 16:00, David Ashley wrote: > There are two pieces to the rxapi story. First there is the rxapi > binary. Second, there is the rxapid shell script. > > The rxapid shell script is the traffic cop for the rxapi binary. The > shell script starts, stops and produces status info via the RH > service command. To status and stop the binary it reads the pid file > and determines if the process is still running. So the rxapi binary > must write out the pid file for that to happen. > > In order to get the pid file written the rxapi binary must be > running as root (the default when it is started from the shell > script). To change the ownership of the process to a non-root user > you make some api calls just after you write the pid file and before > you begin processing user requests. That way no user request can > generate any problems that would violate the security of the system. > > If the rxapi binary is owned and running with root privileges then a > buffer overrun attack could damage the system or some other attack > might be possible. By changing the process owner to a non-root user > you eliminate that possibility. > > David Ashley > > On 07/15/2009 08:32 AM, Rick McGuire wrote: >> >> Does this still mean that write authority for the pid file is still >> required? Eliminating the root privileges is a good thing, but it >> won't allow the USB stick version unless you can start rxapi as root. >> >> I'm not really sure I understand what that particular file is used >> for. >> >> Rick >> >> On Wed, Jul 15, 2009 at 9:26 AM, David Ashley<dav...@gm... >> > wrote: >> >>> Ok, some clarification. I am NOT talking about making the install >>> available >>> to a non-root user. I am only speaking to running rxapi as a non- >>> root user. >>> The install will still need to be performed by root. >>> >>> What will happen is that just after rxapi writes to the pid file >>> code will >>> be added that changes to process owner to "nobody". This will >>> eliminate root >>> privileges for the process and thus make it more attractive to the >>> security >>> paranoid. >>> >>> The only change will be to add about 5 lines of code to the rxapi >>> startup >>> functions. >>> >>> David Ashley >>> >>> On 07/14/2009 06:19 PM, Rick McGuire wrote: >>> >>> How about a compromise? We make the code changes to enable rxapi to >>> run as a normal process, but keep the install procedures the same >>> for >>> now. The code is already in place to auto-launch rxapi if it is not >>> running, but currently this only works if you're running as root. >>> If >>> we can eliminate that requirement, then there is a lot more >>> flexibility in how things get configured, and we probably don't need >>> to make any patches to the code to support the Mac, >>> >>> Rick >>> >>> On Tue, Jul 14, 2009 at 7:13 PM, Mark Miesfeld<mie...@gm...> >>> wrote: >>> >>> >>> On Tue, Jul 14, 2009 at 4:03 PM, David Ashley<dav...@gm... >>> > >>> wrote: >>> >>> >>> >>> Ok, I'm convinced. rxapi does not need to run as the root user on >>> *nix >>> systems. It has nothing it needs to do which would require root >>> privileges. >>> >>> So the question becomes should we implement this change prior to the >>> release of 4.0 or wait until the next release? >>> >>> >>> I am not in favor of making a change now, well actually I'm >>> against it. >>> >>> I am in favor of having an install that doesn't require su to root >>> to >>> install, but I think we should get this release out of the door and >>> plan on doing a follow up release in 3 months to fix bugs I know >>> will >>> be reported and straighten out details like this one. >>> >>> As far as I can see, the current 3.2.0 Linux rpms and debs can not >>> be >>> installed unless you su to root. So what's the problem? There >>> hasn't >>> been a single user complaint about this in 2 years. >>> >>> In the current 4.0.0, you have to su to root to install the rpm or >>> to >>> install the deb. After that there is no problem. This situation is >>> no different than it has been. >>> >>> -- >>> Mark Miesfeld >>> >>> >>> The code changes are >>> >>> >>> small but the testing could be a problem (although I do not expect >>> any). >>> >>> Opinions welcome. >>> >>> David Ashley >>> >>> ------------------------------------------------------------------------------ >>> Enter the BlackBerry Developer Challenge >>> This is your chance to win up to $100,000 in prizes! For a limited >>> time, >>> vendors submitting new applications to BlackBerry App World(TM) >>> will have >>> the opportunity to enter the BlackBerry Developer Challenge. See >>> full prize >>> details at: http://p.sf.net/sfu/Challenge >>> _______________________________________________ >>> Oorexx-devel mailing list >>> Oor...@li... >>> https://lists.sourceforge.net/lists/listinfo/oorexx-devel >>> >>> >>> >>> ------------------------------------------------------------------------------ >>> Enter the BlackBerry Developer Challenge >>> This is your chance to win up to $100,000 in prizes! For a limited >>> time, >>> vendors submitting new applications to BlackBerry App World(TM) >>> will have >>> the opportunity to enter the BlackBerry Developer Challenge. See >>> full prize >>> details at: http://p.sf.net/sfu/Challenge >>> _______________________________________________ >>> Oorexx-devel mailing list >>> Oor...@li... >>> https://lists.sourceforge.net/lists/listinfo/oorexx-devel >>> >>> >>> >>> ------------------------------------------------------------------------------ >>> Enter the BlackBerry Developer Challenge >>> This is your chance to win up to $100,000 in prizes! For a limited >>> time, >>> vendors submitting new applications to BlackBerry App World(TM) >>> will have >>> the opportunity to enter the BlackBerry Developer Challenge. See >>> full prize >>> details at: http://p.sf.net/sfu/Challenge >>> _______________________________________________ >>> Oorexx-devel mailing list >>> Oor...@li... >>> https://lists.sourceforge.net/lists/listinfo/oorexx-devel >>> >>> >>> >>> ------------------------------------------------------------------------------ >>> Enter the BlackBerry Developer Challenge >>> This is your chance to win up to $100,000 in prizes! For a limited >>> time, >>> vendors submitting new applications to BlackBerry App World(TM) >>> will have >>> the opportunity to enter the BlackBerry Developer Challenge. See >>> full prize >>> details at: http://p.sf.net/sfu/Challenge >>> _______________________________________________ >>> Oorexx-devel mailing list >>> Oor...@li... >>> https://lists.sourceforge.net/lists/listinfo/oorexx-devel >>> >>> >>> >> >> ------------------------------------------------------------------------------ >> Enter the BlackBerry Developer Challenge >> This is your chance to win up to $100,000 in prizes! For a limited >> time, >> vendors submitting new applications to BlackBerry App World(TM) >> will have >> the opportunity to enter the BlackBerry Developer Challenge. See >> full prize >> details at: http://p.sf.net/sfu/Challenge >> _______________________________________________ >> Oorexx-devel mailing list >> Oor...@li... >> https://lists.sourceforge.net/lists/listinfo/oorexx-devel >> >> > > ------------------------------------------------------------------------------ > Enter the BlackBerry Developer Challenge > This is your chance to win up to $100,000 in prizes! For a limited > time, > vendors submitting new applications to BlackBerry App World(TM) will > have > the opportunity to enter the BlackBerry Developer Challenge. See > full prize > details at: http://p.sf.net/sfu/Challenge_______________________________________________ > Oorexx-devel mailing list > Oor...@li... > https://lists.sourceforge.net/lists/listinfo/oorexx-devel |
From: Mark M. <mie...@gm...> - 2009-07-15 16:37:41
|
On Wed, Jul 15, 2009 at 8:20 AM, René Jansen<rvj...@xs...> wrote: Currently we also have the problem of the socket port being used for rxapi being hard coded to a single value. If my miesfeld account starts the rxapi process on a multi-user system, and then another user account goes to run Rexx, can that user talk to the socket owned by the miesfeld process? I actually don't have any idea, but it seems like it could cause a conflict? -- Mark Miesfeld |
From: David A. <dav...@gm...> - 2009-07-15 16:47:15
|
This is a ToDo I assigned myself but have never gotten around to. The IANA group is responsible for assigning network ports to applications (all of them, not just the ones <= 1024). I need to apply for a permanent port for ooRexx. I will try to do this ASAP. David Ashley On 07/15/2009 11:37 AM, Mark Miesfeld wrote: > On Wed, Jul 15, 2009 at 8:20 AM, René Jansen<rvj...@xs...> wrote: > > Currently we also have the problem of the socket port being used for > rxapi being hard coded to a single value. > > If my miesfeld account starts the rxapi process on a multi-user > system, and then another user account goes to run Rexx, can that user > talk to the socket owned by the miesfeld process? I actually don't > have any idea, but it seems like it could cause a conflict? > > -- > Mark Miesfeld > > ------------------------------------------------------------------------------ > Enter the BlackBerry Developer Challenge > This is your chance to win up to $100,000 in prizes! For a limited time, > vendors submitting new applications to BlackBerry App World(TM) will have > the opportunity to enter the BlackBerry Developer Challenge. See full prize > details at: http://p.sf.net/sfu/Challenge > _______________________________________________ > Oorexx-devel mailing list > Oor...@li... > https://lists.sourceforge.net/lists/listinfo/oorexx-devel > > |
From: Mark M. <mie...@gm...> - 2009-07-15 16:46:56
|
On Wed, Jul 15, 2009 at 8:20 AM, René Jansen<rvj...@xs...> wrote: > Which brings me to the question if the test suite has tests in it that > hammer the rxapi process from different user processes at the same time, > because that is what is going to happen eventually. We have always and consistently pleaded with people to contribute to the project by writing test cases. <grin> The answer to the question though, is no. I have tested on Vista that having multiple users logged on through fast user switching, with Rexx programs running, works with the current rxapi. In fact we discovered 1 or 2 infinite loops that way. But that is outside of the test suite. -- Mark Miesfeld |
From: René J. <rvj...@xs...> - 2009-07-14 23:22:24
|
Mark, the problem is not having to su - to install (and it actually does run without doing this) but to have the process running as root - for no reason. best regards, René Jansen/ On 15 jul 2009, at 01:13, Mark Miesfeld wrote: > On Tue, Jul 14, 2009 at 4:03 PM, David Ashley<dav...@gm... > > wrote: > >> Ok, I'm convinced. rxapi does not need to run as the root user on >> *nix >> systems. It has nothing it needs to do which would require root >> privileges. >> >> So the question becomes should we implement this change prior to the >> release of 4.0 or wait until the next release? > > I am not in favor of making a change now, well actually I'm against > it. > > I am in favor of having an install that doesn't require su to root to > install, but I think we should get this release out of the door and > plan on doing a follow up release in 3 months to fix bugs I know will > be reported and straighten out details like this one. > > As far as I can see, the current 3.2.0 Linux rpms and debs can not be > installed unless you su to root. So what's the problem? There hasn't > been a single user complaint about this in 2 years. > > In the current 4.0.0, you have to su to root to install the rpm or to > install the deb. After that there is no problem. This situation is > no different than it has been. > > -- > Mark Miesfeld > > > The code changes are >> small but the testing could be a problem (although I do not expect >> any). >> >> Opinions welcome. >> >> David Ashley >> >> ------------------------------------------------------------------------------ >> Enter the BlackBerry Developer Challenge >> This is your chance to win up to $100,000 in prizes! For a limited >> time, >> vendors submitting new applications to BlackBerry App World(TM) >> will have >> the opportunity to enter the BlackBerry Developer Challenge. See >> full prize >> details at: http://p.sf.net/sfu/Challenge >> _______________________________________________ >> Oorexx-devel mailing list >> Oor...@li... >> https://lists.sourceforge.net/lists/listinfo/oorexx-devel >> > > ------------------------------------------------------------------------------ > Enter the BlackBerry Developer Challenge > This is your chance to win up to $100,000 in prizes! For a limited > time, > vendors submitting new applications to BlackBerry App World(TM) will > have > the opportunity to enter the BlackBerry Developer Challenge. See > full prize > details at: http://p.sf.net/sfu/Challenge > _______________________________________________ > Oorexx-devel mailing list > Oor...@li... > https://lists.sourceforge.net/lists/listinfo/oorexx-devel |