On 12/7/20 7:43 AM, Theo de Raadt wrote:

We've put some work into making programs not damage their argv.  If you
provide a strong set of arguments to the programs you start, you may be
able to pkill with a more fullsize pattern, increasing the accuracy.


AFAICS pflogd rewrites the command line. This is what I saw this morning
for using symlinks:

{root@gate6a:etc 510} ps auxww | grep pflogd
root      8647  0.0  0.0   716   576 ??  IU     27Nov20    0:00.00 pflogd0: [priv] (pflogd)
_pflogd  44379  0.0  0.0   772   652 ??  Sp     27Nov20    0:19.26 pflogd0: [running] -s 160 -i pflog0 -f /var/log/pflog0 (pflogd)
root     23720  0.0  0.0   732   596 ??  IU     27Nov20    0:00.00 pflogd1: [priv] (pflogd)
_pflogd  22050  0.0  0.0   772   660 ??  Sp     27Nov20    0:22.99 pflogd1: [running] -s 160 -i pflog1 -f /var/log/pflog1 (pflogd)
root     52274  0.0  0.0   724   588 ??  IU     27Nov20    0:00.00 pflogd2: [priv] (pflogd)
_pflogd  26070  0.0  0.0   772   564 ??  Sp     27Nov20    0:15.02 pflogd2: [running] -s 160 -i pflog2 -f /var/log/pflog2 (pflogd)
root     10820  0.0  0.0   732   576 ??  IU     27Nov20    0:00.00 pflogd3: [priv] (pflogd)
_pflogd  75291  0.0  0.0   772   564 ??  Sp     27Nov20    0:14.70 pflogd3: [running] -s 160 -i pflog3 -f /var/log/pflog3 (pflogd)
root     87921  0.0  0.0   108   280 p0  R+/3    6:03AM    0:00.00 grep pflogd


newsyslog has to kill -HUP the processes owned by root. See that there
is just "pflogd" possible as a search pattern for pkill? Using "pflogd3"
as a search pattern didn't work, so I had to replace the symlinks by
hard links to make "pflogd3" show up in the process table.

Surely I am not asking to drop pkill or pgrep. But an optional
argument -p in pflogd shouldn't hurt. Nobody is forced to use it.

(Not to mention that "pkill pflogd" would kill a process "pflogdsample"
as well, so there is still a risk for killing the wrong process.)

About the PIDs: Maybe a sysctl like

        kernel.pid_max = 4194303

known from other OSes could help to reduce the risk for PID conflicts.
If you store the PID files on a volatile file system, you can be sure
they are gone on the next reboot, anyway.

Just a suggestion, of course. Please keep up your good work.


Regards
Harri
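
Added example, not part of the original message: a shell sketch of picking the one root-owned "[priv]" process for a given pflogd instance by exact field match instead of a substring pattern. The function names and the "pflogdsample" row (PID 99001) are constructed for illustration; the other sample rows are copied from the listing above.

```shell
#!/bin/sh
# Constructed sample in the layout of the `ps auxww` listing above, plus a
# hypothetical "pflogdsample" process to show the substring problem.
sample_ps() {
cat <<'EOF'
root      8647  0.0  0.0   716   576 ??  IU     27Nov20    0:00.00 pflogd0: [priv] (pflogd)
_pflogd  44379  0.0  0.0   772   652 ??  Sp     27Nov20    0:19.26 pflogd0: [running] -s 160 -i pflog0 -f /var/log/pflog0 (pflogd)
root     10820  0.0  0.0   732   576 ??  IU     27Nov20    0:00.00 pflogd3: [priv] (pflogd)
_pflogd  75291  0.0  0.0   772   564 ??  Sp     27Nov20    0:14.70 pflogd3: [running] -s 160 -i pflog3 -f /var/log/pflog3 (pflogd)
root     99001  0.0  0.0   700   500 ??  I      27Nov20    0:00.00 pflogdsample: [priv] (pflogdsample)
EOF
}

# Substring match anywhere on the line: the loose behaviour that also
# catches "pflogdsample" and the unprivileged child.
loose_pids() {   # $1 = pattern, ps lines on stdin
    awk -v pat="$1" 'index($0, pat) { print $2 }'
}

# Exact match on owner, on the whole title token "<instance>:" and on the
# "[priv]" role. In `ps aux` layout the command starts at field 11.
# Prints the PID only if exactly one process matched; otherwise fails, so a
# caller never signals an ambiguous or missing target.
hup_target() {   # $1 = owner, $2 = instance name, ps lines on stdin
    awk -v user="$1" -v title="$2:" '
        $1 == user && $11 == title && $12 == "[priv]" { pid = $2; n++ }
        END { if (n != 1) exit 1; print pid }'
}

# Stand-alone demonstration on the constructed sample.
echo "loose 'pflogd3':  $(sample_ps | loose_pids pflogd3 | tr '\n' ' ')"
echo "exact pflogd3:    $(sample_ps | hup_target root pflogd3)"
```

On a live system the input would come from `ps auxww`, and the printed PID would be handed to `kill -HUP` only when the function succeeds.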
