From: Albert Cahalan <albert@users.sf.net>
To: William Lee Irwin III <wli@holomorphy.com>
Cc: linux-kernel mailing list <linux-kernel@vger.kernel.org>,
cw@f00f.org, mingo@elte.hu, anton@samba.org
Subject: Re: /proc/sys/kernel/pid_max issues
Date: 13 Sep 2004 10:11:29 -0400 [thread overview]
Message-ID: <1095084688.1173.1329.camel@cube> (raw)
In-Reply-To: <20040913074230.GW2660@holomorphy.com>
On Mon, 2004-09-13 at 03:42, William Lee Irwin III wrote:
> On Sun, Sep 12, 2004 at 11:20:29PM -0400, Albert Cahalan wrote:
> > I'd much prefer LRU allocation. There are
> > lots of system calls that take PID values.
> > All such calls are hazardous. They're pretty
> > much broken by design.
> > Better yet, make a random choice from
> > the 50% of PID space that has been least
> > recently used.
>
> I'd favor fully pseudorandom allocation over LRU or approximate LRU
> allocation, as at least pseudorandom is feasible without large impacts
> on resource scalability. OTOH the cache characteristics of pseudorandom
> allocation are usually poor; perhaps hierarchically pseudorandom
> allocation where one probes a sequence of cachelines of the bitmap
> according to one PRNG, and within each cacheline probes a random
> sequence of bits according to some other PRNG, would resolve that.
>
>
> On Sun, Sep 12, 2004 at 11:20:29PM -0400, Albert Cahalan wrote:
> > Another idea is to associate PIDs with users
> > to some extent. You keep getting back the same
> > set of PIDs unless the system runs low in some
> > global pool and has to steal from one user to
> > satisfy another.
>
> The resource tracking and locking implications of this are disturbing.
> Would fully pseudorandom allocation be acceptable?
There's no point.
LRU reduces accidents that don't involve an attacker.
Strong crypto random can make some attacks a bit harder.
OpenBSD does this. It doesn't work well enough to bother
with if the implementation is problematic; there's not
much you can do while avoiding 64-bit or 128-bit PIDs.
Pseudorandom is 100% useless.
Per-user PID recycling would make it much harder for
an attacker to grab a specific PID. Perhaps the attacker
knows that a sched_setscheduler call is coming, and he
has a way to make the right process restart or crash.
Normally, this lets him get SCHED_FIFO or somesuch.
With per-user PID recycling, it would be difficult for
him to grab the desired PID.
> On Sun, Sep 12, 2004 at 11:20:29PM -0400, Albert Cahalan wrote:
> > BTW, since pid_max is now adjustable, reducing
> > the default to 4 digits would make sense. Try a
> > "ps j" to see the use. (column width changes if
> > you change max_pid)
>
> Is the maximum possible pid exported by the kernel somehow? Perhaps
> it should be; the maximum number of decimal digits required to
> represent PID_MAX_LIMIT (4*1024*1024) should suffice in all cases.
> Perhaps you need to detect PID_MAX_LIMIT somehow?
I do indeed detect pid_max via /proc/sys/kernel/pid_max
and adjust column widths as needed. (ps only, for now)
Since we're not getting the benefits of strong crypto
PIDs anyway, we might as well have 4-digit PIDs be default.
Very few people would need to increase this.
next prev parent reply other threads:[~2004-09-13 14:14 UTC|newest]
Thread overview: 37+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-09-13 3:20 /proc/sys/kernel/pid_max issues Albert Cahalan
2004-09-13 7:42 ` William Lee Irwin III
2004-09-13 14:11 ` Albert Cahalan [this message]
2004-09-13 14:27 ` William Lee Irwin III
2004-09-13 14:51 ` Herbert Poetzl
2004-09-14 2:13 ` William Lee Irwin III
2004-09-23 13:13 ` Pavel Machek
2004-09-24 16:02 ` Martin Mares
2004-09-23 13:11 ` Pavel Machek
2004-09-13 7:57 ` Ingo Molnar
2004-09-13 13:54 ` Albert Cahalan
2004-09-13 14:24 ` William Lee Irwin III
2004-09-13 14:54 ` Albert Cahalan
2004-09-14 2:02 ` William Lee Irwin III
2004-09-14 15:32 ` Ingo Molnar
2004-09-18 18:32 ` Pavel Machek
2004-09-23 13:18 ` Pavel Machek
-- strict thread matches above, loose matches on Subject: below --
2004-09-12 8:56 Anton Blanchard
2004-09-12 9:36 ` William Lee Irwin III
2004-09-12 9:51 ` Ingo Molnar
2004-09-12 9:58 ` William Lee Irwin III
2004-09-12 10:10 ` William Lee Irwin III
2004-09-12 10:13 ` Ingo Molnar
2004-09-12 10:43 ` William Lee Irwin III
2004-09-12 10:45 ` William Lee Irwin III
2004-09-12 11:08 ` William Lee Irwin III
2004-09-12 11:20 ` Ingo Molnar
2004-09-12 17:13 ` William Lee Irwin III
2004-09-12 18:02 ` Chris Wedgwood
2004-09-12 23:06 ` William Lee Irwin III
2004-09-12 9:39 ` Ingo Molnar
2004-09-12 9:43 ` William Lee Irwin III
2004-09-12 12:18 ` Arjan van de Ven
2004-09-12 12:30 ` Anton Blanchard
2004-09-12 12:44 ` Arjan van de Ven
2004-09-12 13:34 ` Anton Blanchard
2004-09-12 13:41 ` Ingo Molnar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1095084688.1173.1329.camel@cube \
--to=albert@users.sf.net \
--cc=anton@samba.org \
--cc=cw@f00f.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@elte.hu \
--cc=wli@holomorphy.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.