FreeBSD daemon(8)-like command for OpenBSD


FreeBSD daemon(8)-like command for OpenBSD

Patrick Kristiansen
Hi everyone,

Is there something like the FreeBSD daemon(8) command for OpenBSD, which
can run a process in the background and restart it if it crashes? That
is, is there a command that comes with OpenBSD's base image with these
capabilities? Surprisingly, Google hasn't revealed anything useful to
me.

Thanks,
Patrick Kristiansen


Re: FreeBSD daemon(8)-like command for OpenBSD

Ingo Schwarze
Hi Patrick,

Patrick Kristiansen wrote on Mon, Jan 27, 2020 at 08:13:28PM +0100:

> Is there something like the FreeBSD daemon(8) command for OpenBSD,
> which can run a process in the background and restart it if it
> crashes?

Absolutely not, we are strongly convinced this is an utterly stupid
idea and a serious security risk.

If a daemon crashes, it has a bug.  Many bugs that cause crashes
are also exploitable.  So if a daemon crashes, you first have to
understand why it crashed, fix or at least mitigate the bug, and
can only restart it afterwards.

Restarting it automatically is an irresponsible thing to do.

If a daemon keeps crashing so frequently that you can only run it
in production with automatic restarts, then running it at all is
irresponsible in the first place.

Yours,
  Ingo


Re: FreeBSD daemon(8)-like command for OpenBSD

Dag Richards
Irresponsible people like myself have been known to put cron jobs in place to look for, and if necessary restart crashy daemons.

This could be referred to as a kludge, though many would argue that is too mild an aspersion to cast upon it.


    PID=`pgrep gloob`
    if [ -z "$PID" ]
    then
        /usr/local/bin/gloob -f poor_security_a_bad_idea_to_run.conf
    fi


Dag H. Richards - Distinguished Dunning-Kruger Fellow 2020 

as seen on unixadminsgonewild.com
 



On Mon, 27 Jan 2020 22:41:00 +0100, Ingo Schwarze <[hidden email]> wrote:

Hi Patrick,

Patrick Kristiansen wrote on Mon, Jan 27, 2020 at 08:13:28PM +0100:

> Is there something like the FreeBSD daemon(8) command for OpenBSD,
> which can run a process in the background and restart it if it
> crashes?

Absolutely not, we are strongly convinced this is an utterly stupid
idea and a serious security risk.

If a daemon crashes, it has a bug. Many bugs that cause crashes
are also exploitable. So if a daemon crashes, you first have to
understand why it crashed, fix or at least mitigate the bug, and
can only restart it afterwards.

Restarting it automatically is an irresponsible thing to do.

If a daemon keeps crashing so frequently that you can only run it
in production with automatic restarts, then running it at all is
irresponsible in the first place.

Yours,
Ingo

 


Re: FreeBSD daemon(8)-like command for OpenBSD

aisha
I generally do this on a user level with some editors like emacs,
cuz I run spacemacs which is prone to crashes, cuz of over 9000 plugins

Small improvement: Keep a PID file, along with pgrep, because of
multiple emacs-server instances

It has worked a bit better than simple pgrep

If anyone has any improvements, would love to know.

---
Aisha
blog.aisha.cc

On 2020-01-27 18:21, [hidden email] wrote:

> Irresponsible people like myself have been known to put cron jobs in
> place to look for, and if necessary restart crashy daemons.
>
> This could be referred to as a kludge, though many would argue that is too
> mild an aspersion to cast upon it.
>
>
> PID=`pgrep gloob`
> if [ -z "$PID" ]  
>      then
>      
>     /usr/local/bin/gloob -f poor_security_a_bad_idea_to_run.conf
>
>      fi
>
>
> Dag H. Richards - Distinguished Dunning-Kruger Fellow 2020 
>
> as seen on unixadminsgonewild.com
>  
>
>
>
> On Mon, 27 Jan 2020 22:41:00 +0100, Ingo Schwarze <[hidden email]>
> wrote:
>
> Hi Patrick,
>
> Patrick Kristiansen wrote on Mon, Jan 27, 2020 at 08:13:28PM +0100:
>
>> Is there something like the FreeBSD daemon(8) command for OpenBSD,
>> which can run a process in the background and restart it if it
>> crashes?
>
> Absolutely not, we are strongly convinced this is an utterly stupid
> idea and a serious security risk.
>
> If a daemon crashes, it has a bug. Many bugs that cause crashes
> are also exploitable. So if a daemon crashes, you first have to
> understand why it crashed, fix or at least mitigate the bug, and
> can only restart it afterwards.
>
> Restarting it automatically is an irresponsible thing to do.
>
> If a daemon keeps crashing so frequently that you can only run it
> in production with automatic restarts, then running it at all is
> irresponsible in the first place.
>
> Yours,
> Ingo
>


Re: FreeBSD daemon(8)-like command for OpenBSD

Patrick Kristiansen
In reply to this post by Ingo Schwarze
Hi Ingo

Thank you for your reply.

I can't say I disagree with your and the OpenBSD team's attitude about
bug-free daemons. But I am just a lowly application programmer, and
sometimes I introduce horrible bugs that make our systems crash. In many
cases it will be preferable to just start the process again (and, of
course, fix the bug) for the purposes of keeping our business running.

But another use for daemon(8) is for its ability to detach the child
process from the controlling terminal and furthermore redirect its
stdout/stderr to syslog. Is there some mechanism to do that from the
shell? Perhaps a combination of nohup and starting a background job?

Best regards,
Patrick

> Hi Patrick,
>
> Patrick Kristiansen wrote on Mon, Jan 27, 2020 at 08:13:28PM +0100:
>
>> Is there something like the FreeBSD daemon(8) command for OpenBSD,
>> which can run a process in the background and restart it if it
>> crashes?
>
> Absolutely not, we are strongly convinced this is an utterly stupid
> idea and a serious security risk.
>
> If a daemon crashes, it has a bug.  Many bugs that cause crashes
> are also exploitable.  So if a daemon crashes, you first have to
> understand why it crashed, fix or at least mitigate the bug, and
> can only restart it afterwards.
>
> Restarting it automatically is an irresponsible thing to do.
>
> If a daemon keeps crashing so frequently that you can only run it
> in production with automatic restarts, then running it at all is
> irresponsible in the first place.
>
> Yours,
>  Ingo


Re: FreeBSD daemon(8)-like command for OpenBSD

Paul de Weerd
Hi Patrick,

On Tue, Jan 28, 2020 at 09:29:20AM +0100, Patrick Kristiansen wrote:
| Hi Ingo
|
| Thank you for your reply.
|
| I can't say I disagree with your and the OpenBSD team's attitude about
| bug-free daemons. But I am just a lowly application programmer, and
| sometimes I introduce horrible bugs that make our systems crash. In many
| cases it will be preferable to just start the process again (and, of
| course, fix the bug) for the purposes of keeping our business running.
|
| But another use for daemon(8) is for its ability to detach the child
| process from the controlling terminal and furthermore redirect its
| stdout/stderr to syslog. Is there some mechanism to do that from the
| shell? Perhaps a combination of nohup and starting a background job?

What I do to run a "normal" (non-daemon) program like a daemon, is to
start it in tmux.  To have this start during system startup, I have an
@reboot cronjob:

----------------------------------------------------------------------
[weerd@cube] $ cat ~/bin/conlog
#!/bin/sh
# conlog: start a tmux session with cu logging to a file
######################################################################

# Can be used with the following @reboot cron line to start at boot:
#
# @reboot       /home/weerd/bin/conlog

PATH=/bin:/usr/bin

LOG="/home/weerd/data/conlog/log.`date +%s`"

mkdir -p `dirname ${LOG}`
tmux new -d "script -c 'cu -l cuaU0 -s 115200' ${LOG}"
----------------------------------------------------------------------

At reboot, this will start a new (detached) tmux session that launches
cu (under script) to log the serial console output from another
OpenBSD machine.  I can attach the tmux session and interact with the
console of that machine if necessary.

For the purpose of restarting crashing programs, you could do
something similar: run your program in a tmux session (convenient to
attach to when you want to look at its stdout/stderr output) and
script something to restart when it errors out.  You could then also
send yourself e-mail to alert you to the restart.

Cheers,

Paul 'WEiRD' de Weerd

--
>++++++++[<++++++++++>-]<+++++++.>+++[<------>-]<.>+++[<+
+++++++++++>-]<.>++[<------------>-]<+.--------------.[-]
                 http://www.weirdnet.nl/                 


Re: FreeBSD daemon(8)-like command for OpenBSD

Martijn van Duren-6
In reply to this post by Patrick Kristiansen
On 1/28/20 9:29 AM, Patrick Kristiansen wrote:
> Hi Ingo
>
> Thank you for your reply.
>
> I can't say I disagree with your and the OpenBSD team's attitude about
> bug-free daemons. But I am just a lowly application programmer, and
> sometimes I introduce horrible bugs that make our systems crash. In many
> cases it will be preferable to just start the process again (and, of
> course, fix the bug) for the purposes of keeping our business running.

Everyone has a testing environment, not everyone has a production
environment...
>
> But another use for daemon(8) is for its ability to detach the child
> process from the controlling terminal and furthermore redirect its
> stdout/stderr to syslog. Is there some mechanism to do that from the
> shell? Perhaps a combination of nohup and starting a background job?

I once had to write a support script in shell that needed to run as a
daemon; basically, some action needed to be taken if something was found
in a log file. To do this I did exactly what you said:

    nohup <command> 2>&1 | logger <params> &

and put this inside an rc.d file or equivalent format of your OS of
choice.

Now I'm not promoting this kind of hackery, but this worked for me
quite reliably at the time.

martijn@

>
> Best regards,
> Patrick
>
>> Hi Patrick,
>>
>> Patrick Kristiansen wrote on Mon, Jan 27, 2020 at 08:13:28PM +0100:
>>
>>> Is there something like the FreeBSD daemon(8) command for OpenBSD,
>>> which can run a process in the background and restart it if it
>>> crashes?
>>
>> Absolutely not, we are strongly convinced this is an utterly stupid
>> idea and a serious security risk.
>>
>> If a daemon crashes, it has a bug.  Many bugs that cause crashes
>> are also exploitable.  So if a daemon crashes, you first have to
>> understand why it crashed, fix or at least mitigate the bug, and
>> can only restart it afterwards.
>>
>> Restarting it automatically is an irresponsible thing to do.
>>
>> If a daemon keeps crashing so frequently that you can only run it
>> in production with automatic restarts, then running it at all is
>> irresponsible in the first place.
>>
>> Yours,
>>  Ingo
>


Re: FreeBSD daemon(8)-like command for OpenBSD

Allan Streib-2
In reply to this post by Patrick Kristiansen
You asked about the base image, so maybe there is some reason you can't
use it, but Supervisor is in ports/packages.

Allan

Patrick Kristiansen <[hidden email]> writes:

> Hi everyone,
>
> Is there something like the FreeBSD daemon(8) command for OpenBSD, which
> can run a process in the background and restart it if it crashes? That
> is, is there a command that comes with OpenBSD's base image with these
> capabilities? Surprisingly, Google hasn't revealed anything useful to
> me.
>
> Thanks,
> Patrick Kristiansen
>


Re: FreeBSD daemon(8)-like command for OpenBSD

Marc Chantreux
In reply to this post by Dag Richards
hello,

> PID=`pgrep gloob`  
> if [ -z "$PID" ]  
>      then
>     /usr/local/bin/gloob -f poor_security_a_bad_idea_to_run.conf
>      fi

is there a reason to not use the pgrep status ?

    pgrep -q gloob  || /usr/local/bin/gloob

regards,

marc


Re: FreeBSD daemon(8)-like command for OpenBSD

Thomas Bohl-3
In reply to this post by Patrick Kristiansen
> But another use for daemon(8) is for its ability to detach the child
> process from the controlling terminal

If it is about a rc.d script, you can add

rc_bg=YES

to it.


Re: FreeBSD daemon(8)-like command for OpenBSD

Kevin Chadwick-4
In reply to this post by Patrick Kristiansen
On 2020-01-27 19:13, Patrick Kristiansen wrote:
> Is there something like the FreeBSD daemon(8) command for OpenBSD, which
> can run a process in the background and restart it if it crashes?

Of course init does this for getty but as others have pointed out, restarting
daemons listening to the network during unexpected occurrences, like the kernel
killing it during exploitation is a terrible default. I hear it in GoLang all
the time and it irks me. I am against panic handling in Go generally but perhaps
there will be some occasion where it may be of some use for semi-unexpected
issues (perhaps hw redundancy, though generally that is better handled by having
redundant complete systems).

You can always use monit from pkg/ports for anything you have decided is an
exception but it is good that OpenBSD makes people stop and think and maybe fix
first.


Re: FreeBSD daemon(8)-like command for OpenBSD

Christopher Sean Hilton
On Wed, Jan 29, 2020 at 09:46:10AM +0000, Kevin Chadwick wrote:

> On 2020-01-27 19:13, Patrick Kristiansen wrote:
> > Is there something like the FreeBSD daemon(8) command for OpenBSD, which
> > can run a process in the background and restart it if it crashes?
>
> Of course init does this for getty but as others have pointed out, restarting
> daemons listening to the network during unexpected occurrences, like the kernel
> killing it during exploitation is a terrible default. I hear it in GoLang all
> the time and it irks me. I am against panic handling in Go generally but perhaps
> there will be some occasion where it may be of some use for semi-unexpected
> issues (perhaps hw redundancy, though generally that is better handled by having
> redundant complete systems).
>
> You can always use monit from pkg/ports for anything you have decided is an
> exception but it is good that OpenBSD makes people stop and think and maybe fix
> first.
>

I understand the security issues involved and I *completely* agree
with all who posted on them above.

Having said that, I'll add that the complete source code of the
FreeBSD daemon(8) program is on any FreeBSD system that has the source
code package installed, at:

  your-freebsd-system.your-domain.your-tld:/usr/src/usr.sbin/daemon

free for you to grab. It should therefore be trivial to get FreeBSD's
daemon(8) onto your OpenBSD box by grabbing the source from a FreeBSD
box and building it on your OpenBSD system.

I would emphasize that this is only the best option if you're most
comfortable with daemon(8) as opposed to something from OpenBSD's
pkg/ports tree, and you can build it from source. Otherwise you'd be
better off installing one of the many ports/packages designed to
manage and restart daemons mentioned above.


--
Chris

     __o          "All I was trying to do was get home from work."
   _`\<,_           -Rosa Parks
___(*)/_(*)_____________________________________________________________
Christopher Sean Hilton                    [chris/at/vindaloo/dot/com]


Re: FreeBSD daemon(8)-like command for OpenBSD

Ingo Schwarze
In reply to this post by Patrick Kristiansen
Hi Patrick,

Patrick Kristiansen wrote on Tue, Jan 28, 2020 at 09:29:20AM +0100:

> But another use for daemon(8) is for its ability to detach the child
> process from the controlling terminal and furthermore redirect its
> stdout/stderr to syslog. Is there some mechanism to do that from the
> shell? Perhaps a combination of nohup and starting a background job?

That doesn't strike me as a particularly bright idea either.

Properly starting up a daemon process requires several steps,
often involving unveil(2), pledge(2), chroot(2), privilege
dropping, sometimes fork+exec for privilege separation,
and so on.  Typically, these steps need to be intermixed in
exactly the right order with option parsing, environment
parsing, parsing of configuration files and various kinds
of initialization.

Writing wrappers usually just doesn't work, and it seems doubtful
to me whether daemon(8) is up to what is usually needed.

Some sh(1) code quickly hacked together may be good enough for
testing purposes, but i doubt that you want to use such a hack
for a real daemon that you are planning to run in production on
the Internet.

Yours,
  Ingo


Re: FreeBSD daemon(8)-like command for OpenBSD

Patrick Kristiansen
Hi Ingo,

On Thu, Jan 30, 2020, at 18:35, Ingo Schwarze wrote:

> Hi Patrick,
>
> Patrick Kristiansen wrote on Tue, Jan 28, 2020 at 09:29:20AM +0100:
>
> > But another use for daemon(8) is for its ability to detach the child
> > process from the controlling terminal and furthermore redirect its
> > stdout/stderr to syslog. Is there some mechanism to do that from the
> > shell? Perhaps a combination of nohup and starting a background job?
>
> That doesn't strike me as a particularly bright idea either.
>
> Properly starting up a daemon process requires several steps, often
> involving unveil(2), pledge(2), chroot(2), privilege dropping,
> sometimes fork+exec for privilege separation, and so on. Typically,
> these steps need to be intermixed in exactly the right order with
> option parsing, environment parsing, parsing of configuration files
> and various kinds of initialization.

The process I need to run is written in Clojure and thus runs on the
Java Virtual Machine. Do you have any suggestions on how to best go
about making it "daemon-like"? I am not sure that I can call unveil(2),
pledge(2) and chroot(2) from Clojure without some strange sorcery. I
read in some blog post, that the way to detach from the controlling
terminal is by closing stdin, stdout and stderr, which I admittedly
haven't tried.

> Writing wrappers usually just doesn't work, and it seems doubtful to
> me whether daemon(8) is up to what is usually needed.

If I were writing my program in C, I could fairly easily call daemon(3),
I guess, but I am not. I am starting to think that tmux(1) would be the
easiest way to go about it on OpenBSD... but it feels wrong.

Best regards,
Patrick


Re: FreeBSD daemon(8)-like command for OpenBSD

Ingo Schwarze
Hi Patrick,

Patrick Kristiansen wrote on Thu, Jan 30, 2020 at 09:05:11PM +0100:

> The process I need to run is written in Clojure and thus runs on the
> Java Virtual Machine.  Do you have any suggestions on how to best go
> about making it "daemon-like"?

No, i'm sorry i have no advice on that.  I would certainly not run
something like that under any circumstances, on any machine, and even
less so on any machine connected to the Internet.

Yours,
  Ingo


Re: FreeBSD daemon(8)-like command for OpenBSD

Patrick Kristiansen
On Thu, Jan 30, 2020, at 21:10, Ingo Schwarze wrote:

> Hi Patrick,
>
> Patrick Kristiansen wrote on Thu, Jan 30, 2020 at 09:05:11PM +0100:
>
> > The process I need to run is written in Clojure and thus runs on the
> > Java Virtual Machine.  Do you have any suggestions on how to best go
> > about making it "daemon-like"?
>
> No, i'm sorry i have no advice on that.  I would certainly not run
> something like that under any circumstances, on any machine, and even
> less so on any machine connected to the Internet.

Out of genuine curiosity, and not to be inflammatory, are you saying
that running any internet-facing service/process/program is inadvisable
under all circumstances if not written to the standards of a daemon
shipping with OpenBSD and with the facilities (pledge, unveil, etc.)
available in OpenBSD?

Best regards,
Patrick


Re: FreeBSD daemon(8)-like command for OpenBSD

Vincenzo Nicosia
In reply to this post by Patrick Kristiansen
On Thu, Jan 30, 2020 at 09:05:11PM +0100, Patrick Kristiansen wrote:

[cut]

>
> The process I need to run is written in Clojure and thus runs on the
> Java Virtual Machine. Do you have any suggestions on how to best go
> about making it "daemon-like"? I am not sure that I can call unveil(2),
> pledge(2) and chroot(2) from Clojure without some strange sorcery. I
> read in some blog post, that the way to detach from the controlling
> terminal is by closing stdin, stdout and stderr, which I admittedly
> haven't tried.
>

Closing stdin/stdout/stderr is not enough. You also need to detach the
process from the controlling terminal (which is done by calling
setsid(2) after the first fork), re-fork so that the process is not a
session leader and does not acquire a new controlling terminal (and is
re-parented to init), set an appropriate umask, move to an appropriate
dir, drop privileges, and so on...
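
The sequence described in this reply, written out in C as an added example (not code from the thread, from OpenBSD or from FreeBSD): fork, setsid(2), second fork, umask, chdir, stdio pointed at /dev/null. The names `daemonize_probe` and `struct daemon_state` are made up here, the original parent stays alive only so that it can read back what the detached process observed, and privilege dropping, pledge(2) and unveil(2) are left out because they depend on the service.

```c
#include <sys/stat.h>
#include <sys/wait.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* What the detached process saw about itself, sent back over a pipe. */
struct daemon_state {
    pid_t  pid, sid;     /* its own pid and its session id */
    int    has_ctty;     /* 1 if /dev/tty could still be opened */
    mode_t mask;         /* umask in effect */
    char   cwd[256];     /* working directory */
};

/* Grandchild: finish detaching, then report and exit. */
static void finish_and_report(int report_fd)
{
    struct daemon_state st = {0};
    int fd;

    umask(027);
    if (chdir("/") == -1)
        _exit(1);
    /* Point stdio at /dev/null instead of only closing it, so that a
     * later open() cannot be handed descriptor 0, 1 or 2. */
    if ((fd = open("/dev/null", O_RDWR)) == -1)
        _exit(1);
    dup2(fd, STDIN_FILENO);
    dup2(fd, STDOUT_FILENO);
    dup2(fd, STDERR_FILENO);
    if (fd > STDERR_FILENO)
        close(fd);

    st.pid = getpid();
    st.sid = getsid(0);
    /* Without a controlling terminal this open fails. */
    st.has_ctty = (open("/dev/tty", O_RDWR) != -1);
    st.mask = umask(027);              /* umask() returns the previous mask */
    if (getcwd(st.cwd, sizeof(st.cwd)) == NULL ||
        write(report_fd, &st, sizeof(st)) != (ssize_t)sizeof(st))
        _exit(1);
    _exit(0);
}

/* Fork, setsid, fork again.  A real daemon's original parent would exit
 * after the first fork; here it stays to read the report.  Returns 0 and
 * fills *out on success, -1 on failure. */
int daemonize_probe(struct daemon_state *out)
{
    int p[2];
    pid_t child;
    ssize_t n;

    if (pipe(p) == -1 || (child = fork()) == -1)
        return -1;
    if (child == 0) {
        close(p[0]);
        if (setsid() == -1)            /* new session, no controlling tty */
            _exit(1);
        if ((child = fork()) == 0)     /* second fork: not a session leader */
            finish_and_report(p[1]);   /* does not return */
        _exit(child == -1 ? 1 : 0);    /* session leader exits */
    }
    close(p[1]);
    waitpid(child, NULL, 0);           /* reap the short-lived session leader */
    n = read(p[0], out, sizeof(*out));
    close(p[0]);
    return n == (ssize_t)sizeof(*out) ? 0 : -1;
}

int main(void)
{
    struct daemon_state st;
    if (daemonize_probe(&st) == -1)
        return 1;
    printf("pid=%ld sid=%ld ctty=%d umask=%03o cwd=%s\n", (long)st.pid,
        (long)st.sid, st.has_ctty, (unsigned)st.mask, st.cwd);
    return 0;
}
```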


Re: FreeBSD daemon(8)-like command for OpenBSD

Ingo Schwarze
In reply to this post by Patrick Kristiansen
Hi Patrick,

Patrick Kristiansen wrote on Thu, Jan 30, 2020 at 10:23:52PM +0100:
> On Thu, Jan 30, 2020, at 21:10, Ingo Schwarze wrote:
>> Patrick Kristiansen wrote on Thu, Jan 30, 2020 at 09:05:11PM +0100:

>>> The process I need to run is written in Clojure and thus runs on the
>>> Java Virtual Machine.  Do you have any suggestions on how to best go
>>> about making it "daemon-like"?

>> No, i'm sorry i have no advice on that.  I would certainly not run
>> something like that under any circumstances, on any machine, and even
>> less so on any machine connected to the Internet.

> Out of genuine curiosity, and not to be inflammatory, are you saying
> that running any internet-facing service/process/program is inadvisable
> under all circumstances if not written to the standards of a daemon
> shipping with OpenBSD and with the facilities (pledge, unveil, etc.)
> available in OpenBSD?

No, i didn't intend to say that.

I do think that automatically restarting crashy daemons is a terrible
idea and hence the OpenBSD base system intentionally provides no
support for that.  I also said that i personally doubt the wisdom
of constructing a wrapper to run a program as a daemon that is not
designed as a daemon but simply using stdout and stderr and so on.

But in what you quote above, i tried to be careful to only say
that *I*, personally, would not run a Java Virtual Machine and
cannot provide advice on that.

In general, size and complexity tend to hurt security, but i know
too little about Java to say how relevant that general rule of thumb
is to the question of running a daemon using a Java Virtual Machine.
For example, Perl 5 is also a fairly large and complex system, but
it still supports writing daemons that are secure enough for many
purposes, when used properly - even though i'd probably prefer a
simpler approach when i have a choice.

I believe some Java infrastructure and programs exist in the ports
tree, but i can't help you with that.

Yours,
  Ingo


Re: FreeBSD daemon(8)-like command for OpenBSD

Daniel Dickman
In reply to this post by Patrick Kristiansen



>> On Jan 30, 2020, at 4:34 PM, Patrick Kristiansen <[hidden email]> wrote:
> On Thu, Jan 30, 2020, at 21:10, Ingo Schwarze wrote:
>> Hi Patrick,
>>
>> Patrick Kristiansen wrote on Thu, Jan 30, 2020 at 09:05:11PM +0100:
>>
>>> The process I need to run is written in Clojure and thus runs on the
>>> Java Virtual Machine.  Do you have any suggestions on how to best go
>>> about making it "daemon-like"?
>>
>> No, i'm sorry i have no advice on that.  I would certainly not run
>> something like that under any circumstances, on any machine, and even
>> less so on any machine connected to the Internet.
>
> Out of genuine curiosity, and not to be inflammatory, are you saying
> that running any internet-facing service/process/program is inadvisable

Hi Patrick, one of the risks is something like blind ROP. To quote from the website (emphasis mine):

“requires a stack overflow and a *service that restarts after a crash*”

https://www.scs.stanford.edu/brop/


> under all circumstances if not written to the standards of a daemon
> shipping with OpenBSD and with the facilities (pledge, unveil, etc.)
> available in OpenBSD?
>
> Best regards,
> Patrick
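
One way to act on the restart-after-crash risk raised in this thread, as an added example in C (not code from any poster, nor from the OpenBSD or FreeBSD source): a supervisor that restarts a program a bounded number of times after a deliberate non-zero exit, but never after death by signal, so a crash leaves the service down until someone has looked at it. The names `classify` and `supervise`, the restart cap and the grouping of signals are assumptions of this example.

```c
#include <sys/wait.h>
#include <errno.h>
#include <signal.h>
#include <syslog.h>
#include <unistd.h>

enum verdict { V_CLEAN_EXIT, V_ERROR_EXIT, V_ADMIN_STOP, V_CRASH_HOLD };

/* Turn a wait(2) status into a decision.  Death by any signal other than
 * an ordinary stop request counts as a crash: SIGSEGV, SIGBUS and SIGILL
 * from memory errors, SIGABRT from abort(3) or a pledge(2) violation,
 * and so on. */
enum verdict classify(int status)
{
    if (WIFEXITED(status))
        return WEXITSTATUS(status) == 0 ? V_CLEAN_EXIT : V_ERROR_EXIT;
    if (WIFSIGNALED(status))
        switch (WTERMSIG(status)) {
        case SIGTERM: case SIGINT: case SIGHUP:
            return V_ADMIN_STOP;
        default:
            break;
        }
    return V_CRASH_HOLD;
}

/* Run argv (argv[0] must be an absolute path) once and collect its status. */
static int run_once(char *const argv[], int *status)
{
    pid_t pid = fork();

    if (pid == -1)
        return -1;
    if (pid == 0) {
        execv(argv[0], argv);
        _exit(127);                    /* exec failed */
    }
    while (waitpid(pid, status, 0) == -1)
        if (errno != EINTR)
            return -1;
    return 0;
}

/* Start the program, restarting it at most max_restarts times and only
 * after a non-zero exit.  Returns how many times it was started (or -1),
 * with the final verdict in *last. */
int supervise(char *const argv[], int max_restarts, unsigned delay_s,
    enum verdict *last)
{
    int starts = 0, status;

    for (;;) {
        if (run_once(argv, &status) == -1)
            return -1;
        starts++;
        *last = classify(status);
        if (*last == V_CRASH_HOLD) {
            syslog(LOG_CRIT, "%s died on signal %d: not restarting, "
                "investigate first", argv[0], WTERMSIG(status));
            return starts;
        }
        if (*last != V_ERROR_EXIT || starts > max_restarts)
            return starts;
        syslog(LOG_WARNING, "%s exited with status %d: restart %d of %d",
            argv[0], WEXITSTATUS(status), starts, max_restarts);
        sleep(delay_s);
    }
}

int main(int argc, char *argv[])
{
    enum verdict v;

    if (argc < 2)
        return 2;
    return supervise(argv + 1, 3, 5, &v) == -1 ? 1 : (int)v;
}
```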

Re: FreeBSD daemon(8)-like command for OpenBSD

Martin Schröder
In reply to this post by Patrick Kristiansen
On Thu, 30 Jan 2020 at 21:06, Patrick Kristiansen
<[hidden email]> wrote:
> The process I need to run is written in Clojure and thus runs on the
> Java Virtual Machine. Do you have any suggestions on how to best go
> about making it "daemon-like"? I am not sure that I can call unveil(2),

There is jsvc/apache commons daemon.
Don't know how well that works on OpenBSD, though.

Best
    Martin
