From: Albert Cahalan <albert@users.sf.net>
To: William Lee Irwin III <wli@holomorphy.com>
Cc: linux-kernel mailing list <linux-kernel@vger.kernel.org>,
cw@f00f.org, mingo@elte.hu, anton@samba.org
Subject: Re: /proc/sys/kernel/pid_max issues
Date: 13 Sep 2004 10:11:29 -0400 [thread overview]
Message-ID: <1095084688.1173.1329.camel@cube> (raw)
In-Reply-To: <20040913074230.GW2660@holomorphy.com>
On Mon, 2004-09-13 at 03:42, William Lee Irwin III wrote:
> On Sun, Sep 12, 2004 at 11:20:29PM -0400, Albert Cahalan wrote:
> > I'd much prefer LRU allocation. There are
> > lots of system calls that take PID values.
> > All such calls are hazardous. They're pretty
> > much broken by design.
> > Better yet, make a random choice from
> > the 50% of PID space that has been least
> > recently used.
>
> I'd favor fully pseudorandom allocation over LRU or approximate LRU
> allocation, as at least pseudorandom is feasible without large impacts
> on resource scalability. OTOH the cache characteristics of pseudorandom
> allocation are usually poor; perhaps hierarchically pseudorandom
> allocation where one probes a sequence of cachelines of the bitmap
> according to one PRNG, and within each cacheline probes a random
> sequence of bits according to some other PRNG, would resolve that.
>
>
> On Sun, Sep 12, 2004 at 11:20:29PM -0400, Albert Cahalan wrote:
> > Another idea is to associate PIDs with users
> > to some extent. You keep getting back the same
> > set of PIDs unless the system runs low in some
> > global pool and has to steal from one user to
> > satisfy another.
>
> The resource tracking and locking implications of this are disturbing.
> Would fully pseudorandom allocation be acceptable?
There's no point.
LRU reduces accidents that don't involve an attacker.
Strong crypto random can make some attacks a bit harder.
OpenBSD does this. It doesn't work well enough to bother
with if the implementation is problematic; there's not
much you can do while avoiding 64-bit or 128-bit PIDs.
Pseudorandom is 100% useless.
Per-user PID recycling would make it much harder for
an attacker to grab a specific PID. Perhaps the attacker
knows that a sched_setscheduler call is coming, and he
has a way to make the right process restart or crash.
Normally, this lets him get SCHED_FIFO or somesuch.
With per-user PID recycling, it would be difficult for
him to grab the desired PID.
> On Sun, Sep 12, 2004 at 11:20:29PM -0400, Albert Cahalan wrote:
> > BTW, since pid_max is now adjustable, reducing
> > the default to 4 digits would make sense. Try a
> > "ps j" to see the use. (column width changes if
> > you change max_pid)
>
> Is the maximum possible pid exported by the kernel somehow? Perhaps
> it should be; the maximum number of decimal digits required to
> represent PID_MAX_LIMIT (4*1024*1024) should suffice in all cases.
> Perhaps you need to detect PID_MAX_LIMIT somehow?
I do indeed detect pid_max via /proc/sys/kernel/pid_max
and adjust column widths as needed. (ps only, for now)
Since we're not getting the benefits of strong crypto
PIDs anyway, we might as well have 4-digit PIDs be default.
Very few people would need to increase this.
next prev parent reply other threads:[~2004-09-13 14:14 UTC|newest]
Thread overview: 37+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-09-13 3:20 /proc/sys/kernel/pid_max issues Albert Cahalan
2004-09-13 7:42 ` William Lee Irwin III
2004-09-13 14:11 ` Albert Cahalan [this message]
2004-09-13 14:27 ` William Lee Irwin III
2004-09-13 14:51 ` Herbert Poetzl
2004-09-14 2:13 ` William Lee Irwin III
2004-09-23 13:13 ` Pavel Machek
2004-09-24 16:02 ` Martin Mares
2004-09-23 13:11 ` Pavel Machek
2004-09-13 7:57 ` Ingo Molnar
2004-09-13 13:54 ` Albert Cahalan
2004-09-13 14:24 ` William Lee Irwin III
2004-09-13 14:54 ` Albert Cahalan
2004-09-14 2:02 ` William Lee Irwin III
2004-09-14 15:32 ` Ingo Molnar
2004-09-18 18:32 ` Pavel Machek
2004-09-23 13:18 ` Pavel Machek
-- strict thread matches above, loose matches on Subject: below --
2004-09-12 8:56 Anton Blanchard
2004-09-12 9:36 ` William Lee Irwin III
2004-09-12 9:51 ` Ingo Molnar
2004-09-12 9:58 ` William Lee Irwin III
2004-09-12 10:10 ` William Lee Irwin III
2004-09-12 10:13 ` Ingo Molnar
2004-09-12 10:43 ` William Lee Irwin III
2004-09-12 10:45 ` William Lee Irwin III
2004-09-12 11:08 ` William Lee Irwin III
2004-09-12 11:20 ` Ingo Molnar
2004-09-12 17:13 ` William Lee Irwin III
2004-09-12 18:02 ` Chris Wedgwood
2004-09-12 23:06 ` William Lee Irwin III
2004-09-12 9:39 ` Ingo Molnar
2004-09-12 9:43 ` William Lee Irwin III
2004-09-12 12:18 ` Arjan van de Ven
2004-09-12 12:30 ` Anton Blanchard
2004-09-12 12:44 ` Arjan van de Ven
2004-09-12 13:34 ` Anton Blanchard
2004-09-12 13:41 ` Ingo Molnar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1095084688.1173.1329.camel@cube \
--to=albert@users.sf.net \
--cc=anton@samba.org \
--cc=cw@f00f.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@elte.hu \
--cc=wli@holomorphy.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox