[Bug, 2.1.3] getlogin() can call alarm() but shouldn't.

Mark Kettenis kettenis@wins.uva.nl
Tue Mar 7 17:42:00 GMT 2000


Ouch, I knew this was going to bite me sooner or later.

The problem is that we need to do locking on the user accounting
database to make sure that two programs are prevented from modifying
its contents at the same time.  However, since every user can hold a
read lock on it, we need to beak the lock after a certain amount of
time if we cannot get it to prevent all sorts of denial of service
attacks (i.e. by holding a read lock a malicious user could prevent
other people from logging in to the system).  There is no other way to
interrupt the a program blocking in fcntl (..., F_SETLKW, ...), other
than by a signal, and I believe SIGALRM is the only option.

I'd love to see a different solution to this problem, but I haven't
found one.  Unfortunately the POSIX realtime extensions aren't
implemented yet on Linux.

Using getitimer()/setitimer() is probably the best I can do for now.
I'll look into it, but can't promise to resolve this in short term.

Mark


More information about the Libc-alpha mailing list