Hi Patrick,

Patrick Kristiansen wrote on Thu, Jan 30, 2020 at 10:23:52PM +0100:
> On Thu, Jan 30, 2020, at 21:10, Ingo Schwarze wrote:
>> Patrick Kristiansen wrote on Thu, Jan 30, 2020 at 09:05:11PM +0100:

>>> The process I need to run is written in Clojure and thus runs on the
>>> Java Virtual Machine.  Do you have any suggestions on how to best go
>>> about making it "daemon-like"?

>> No, i'm sorry i have no advice on that.  I would certainly not run
>> something like that under any circumstances, on any machine, and even
>> less so on any machine connected to the Internet.

> Out of genuine curiosity, and not to be inflammatory, are you saying
> that running any internet-facing service/process/program is inadvisable
> under all circumstances if not written to the standards of a daemon
> shipping with OpenBSD and with the facilities (pledge, unveil, etc.)
> available in OpenBSD?

No, i didn't intend to say that.

I do think that automatically restarting crashy daemons is a terrible
idea and hence the OpenBSD base system intentionally provides no
support for that.  I also said that i personally doubt the wisdom
of constructing a wrapper to run a program as a daemon that is not
designed as a daemon but simply using stdout and stderr and so on.

But in what you quote above, i tried to be careful to only say
that *I*, personally, would not run a Java Virtual Machine and
cannot provide advice on that.

In general, size and complexity tend to hurt security, but i know
too little about Java to say how relevant that general rule of thumb
is to the question of running a daemon using a Java Virtual Machine.
For example, Perl 5 is also a fairly large and complex system, but
it still supports writing daemons that are secure enough for many
purposes, when used properly - even though i'd probably prefer a
simpler approach when i have a choice.

I believe some Java infrastructure and programs exist in the ports
tree, but i can't help you with that.

Yours,
  Ingo
