Ruediger Pluem wrote:
This seems to be a very valid concern to me. Plus in the parent it runs with root privileges and we should minimize the code that runs with these privileges, even more so as an author of code that uses the watchdog may not really be aware that its code is running under root (in contrast to people who develop modules like mod_unixd and mod_privileges). So we shouldn't run this in the parent process but only in the children or fork a separate child (like mod_cgid does) that only runs the watchdog if a single-instance-non-locking watchdog is needed.
I don't think there is a one size fits all solution to this, I think we should offer modules an option to spawn a thread/process/whatever both before or after the drop privileges step, and let the module author decide which is most relevant to them.
Because it would be an explicit choice, and not an implicit one, there would be no confusion as to what user was running this code.
Regards, Graham --
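The pattern both sides of this exchange are circling, a helper forked from the root-running parent that drops privileges before doing any work (the "fork a separate child, like mod_cgid does" option), looks like the following in plain POSIX C. This is an added illustration, not code from httpd or from either poster, and it deliberately uses no httpd/APR API: `drop_privileges`, `run_unprivileged_worker` and `sample_worker` are names chosen here, and the target uid/gid are assumed to come from the caller.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Permanently drop to uid/gid and verify the drop actually took.
 * Returns 0 on success, -1 on any failure. Order matters: supplementary
 * groups first, then gid, then uid (once uid is dropped, the rest fails). */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Clearing supplementary groups is only permitted (and needed) as root. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;

    /* Check real and effective ids, not just the return codes. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;

    /* If we dropped to a non-root uid, regaining root must now fail. */
    if (uid != 0 && setuid(0) == 0)
        return -1;

    return 0;
}

/* Fork a helper, drop privileges inside it, run work() and return the
 * helper's exit status to the (still privileged) caller. Returns -1 if
 * the fork fails or the helper did not exit normally. */
int run_unprivileged_worker(uid_t uid, gid_t gid, int (*work)(void))
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;

    if (pid == 0) {
        /* Child: nothing but the privilege drop runs as root here. */
        if (drop_privileges(uid, gid) != 0)
            _exit(111);
        _exit(work() & 0xff);
    }

    int status = 0;
    if (waitpid(pid, &status, 0) != pid)
        return -1;
    if (!WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Constructed stand-in for watchdog work; returns a fixed code so the
 * caller can tell the helper ran to completion. */
int sample_worker(void)
{
    return 7;
}

int main(void)
{
    /* Dropping to our own ids works whether or not we start as root,
     * which keeps the demo runnable without privileges. */
    int rc = run_unprivileged_worker(getuid(), getgid(), sample_worker);
    printf("worker exit status: %d (uid now %u)\n", rc, (unsigned)getuid());
    return rc == 7 ? 0 : 1;
}
```

The point for a module author is the one Graham makes: the choice of which side of the privilege drop the helper runs on is explicit in the call, and the verification step in `drop_privileges` refuses to continue if the drop silently failed, rather than leaving code running as root by accident.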