No, I disagree and oppose that. We _voluntarily_ cause the processes to die if one crashes:
1) if someone compromises the queue and manages to cause a DoS, we certainly don't want to restart processes at his will.
2) as a general rule, we prefer a crash to be visible and blocking. Users will report it and bugs will be fixed; restarting on a crash goes against our security concerns.

There is no reason to crash in the first place and no valid reason to gracefully restart.

Gilles

-------- Original message --------
From: "Jason A. Donenfeld" <[email protected]>
Date:
To: [email protected], [email protected]
Subject: Security bug: smtpq user DoS

The smtpq process runs as a separate user from the smtpd process to provide a level of security isolation between processes. A user who has gained smtpq privileges is able to, of course, kill the opensmtpd process running as the smtpq user. Unfortunately, this results in all the other processes of the daemon terminating, even the ones running as a different user. This shouldn't happen. It seems like the [priv] process should respawn killed child processes when it detects one of the pipes is broken, or by other means of detection. This would be a nice behavior beyond merely fixing the specific security issue with smtpq.
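
The mechanism both messages turn on is a privileged parent noticing that one of its children is gone, and what it then does. The following is an added illustration written for this page, not OpenSMTPD's code: a parent forks a few workers, keeps the read end of a pipe to each, and, since the kernel closes the write end when the worker dies, sees POLLHUP on that descriptor without any cooperation from the worker (a compromised worker cannot suppress it). On the first death the parent applies the policy Gilles describes: it does not respawn, it terminates the remaining workers so the failure is visible and blocking, and reports which worker died. The names `supervise_fail_closed`, `worker_body`, `NWORKERS` and the `victim` parameter are this example's own; the children stay at the caller's uid so it runs unprivileged (the comment marks where a real privsep daemon would switch each child to its own user).

```c
#define _GNU_SOURCE
#include <errno.h>
#include <poll.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

#define NWORKERS 3

/* Index of the worker that will "crash" (constructed for the demo; -1 = none). */
static int g_victim = -1;

/* Worker body: the victim exits at once, as if it had crashed or been killed
 * by an attacker holding its uid; every other worker just blocks. */
static void worker_body(int idx)
{
    if (idx == g_victim)
        _exit(1);
    for (;;)
        pause();
}

/* Fork NWORKERS children, each holding the write end of its own pipe.
 * Block until any child dies (POLLHUP on its read end), then tear the
 * remaining children down instead of respawning, and return the index of
 * the child that died first. Returns -1 on a setup error. */
int supervise_fail_closed(int victim)
{
    int rfd[NWORKERS];
    pid_t pid[NWORKERS];
    g_victim = victim;

    for (int i = 0; i < NWORKERS; i++) {
        int p[2];
        if (pipe(p) < 0)
            return -1;
        pid[i] = fork();
        if (pid[i] < 0)
            return -1;
        if (pid[i] == 0) {
            /* Child: keep only our own write end so its lifetime equals ours.
             * A real privsep daemon would chroot and setresgid/setresuid to
             * this child's dedicated user here (not done: demo is unprivileged). */
            close(p[0]);
            for (int j = 0; j < i; j++)
                close(rfd[j]);
            worker_body(i);
            _exit(0);
        }
        close(p[1]);          /* parent keeps the read end only */
        rfd[i] = p[0];
    }

    struct pollfd pfd[NWORKERS];
    for (int i = 0; i < NWORKERS; i++) {
        pfd[i].fd = rfd[i];
        pfd[i].events = POLLIN;
    }

    int dead = -1;
    while (dead < 0) {
        if (poll(pfd, NWORKERS, -1) < 0) {
            if (errno == EINTR)
                continue;
            return -1;
        }
        for (int i = 0; i < NWORKERS; i++) {
            /* Write end closed by the kernel on child exit: the pipe is broken. */
            if (pfd[i].revents & (POLLHUP | POLLERR)) {
                dead = i;
                break;
            }
        }
    }

    /* Fail closed: one child is gone, so bring the rest down and make the
     * failure visible rather than silently restarting on an attacker's cue. */
    for (int i = 0; i < NWORKERS; i++)
        if (i != dead)
            kill(pid[i], SIGTERM);
    for (int i = 0; i < NWORKERS; i++) {
        waitpid(pid[i], NULL, 0);
        close(rfd[i]);
    }
    return dead;
}

int main(void)
{
    int d = supervise_fail_closed(1);
    printf("worker %d died; supervisor shut the remaining workers down\n", d);
    return d < 0;
}
```

The respawn alternative from the report would replace the teardown loop with a new fork for `dead`; the point of the reply is that a worker whose uid an attacker already holds can then be killed in a loop, so the parent would be restarting on the attacker's schedule rather than stopping in a state someone will notice.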
