11.02.2019 20:37, Jan Engelhardt wrote:
On Monday 2019-02-11 16:57, Matwey V. Kornilov wrote:
11.02.2019 18:51, Jan Engelhardt wrote:
On Monday 2019-02-11 16:46, Matwey V. Kornilov wrote:
We never do that for security and stability reasons.
That is sad.
What part of it? That Debian does start services and thus fails in the two points? ;-)
I am just thinking how to achieve good user experience with stuff like that: https://bugzilla.opensuse.org/show_bug.cgi?id=1124947
It's 2019. Why are we still depending on portmappers?
The real deal here is that an unprivileged user should only under specific circumstances be able to cause root processes to come into existence. Else you could cause undesirable resource use - up to a DoS.
It looks to me like what erl really should be doing is connect to a *user-local* mapper by default, and only use a *global* mapper if run as root. That global mapper also better have some form of authentication or authorization. Like, how dbus is modeled.
It does have authorization. This port mapper is common for all erlang nodes running on the same host. You can discover the node (until the node is 'hidden') in epmd, but it doesn't mean that you may connect to this node, you usually need to know the node cookie which is usually randomly generated.

The main issue is that erl tries to spawn an epmd process every time it cannot connect to epmd on start (using its own hard-coded tcp/ip port number). And this is an issue because the epmd process then belongs to an arbitrary systemd cgroup. Some system service group or user session one. Sooner or later, it will be terminated as a part of the cgroup and all unrelated local erlang nodes will crash. This is why we need a separate systemd service for running epmd. We can specify that it is a separate service and can define dependencies between the services. So when you try to start rabbitmq then systemd knows that it should start epmd first.
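
Added example, not part of the original thread and not code from the openSUSE packages: a shell check that reads a process's `/proc/<pid>/cgroup` entry and reports whether epmd lives in its own unit, in another service's cgroup, or in a user session, which is the failure mode described in the last message. The unit name `epmd.service` and the sample cgroup paths in the comments are assumptions constructed for illustration.

```shell
#!/bin/sh
# Assumption: the dedicated unit is named epmd.service (the thread gives no name).
EPMD_UNIT="${EPMD_UNIT:-epmd.service}"

# Print the systemd cgroup path from the contents of /proc/<pid>/cgroup.
# Handles cgroup v2 ("0::/path") and the v1 "name=systemd" hierarchy.
cgroup_path() {
    printf '%s\n' "$1" |
        awk -F: '$1 == "0" || $2 == "name=systemd" { print $3; exit }'
}

# Classify where an epmd process lives.
#   user-session    : dies when the user's session or user manager stops
#   dedicated       : runs in its own system unit, independent lifetime
#   foreign-service : was spawned by some other service and dies with it
classify_epmd_cgroup() {
    path=$(cgroup_path "$1")
    case "$path" in
        /user.slice/*)         echo user-session ;;
        */"$EPMD_UNIT")        echo dedicated ;;
        *.service|*.service/*) echo foreign-service ;;
        *)                     echo unknown ;;
    esac
}

# Report every running epmd on this host as "<pid> <classification>".
check_running_epmd() {
    for pid in $(pgrep -x epmd); do
        printf '%s %s\n' "$pid" \
            "$(classify_epmd_cgroup "$(cat "/proc/$pid/cgroup")")"
    done
}

# Constructed sample inputs (not taken from a real host):
#   0::/system.slice/epmd.service                -> dedicated
#   0::/system.slice/rabbitmq-server.service     -> foreign-service
#   0::/user.slice/user-1000.slice/session-3.scope -> user-session
if [ "${1:-}" = "--live" ]; then
    check_running_epmd
fi
```

Anything other than `dedicated` means stopping the owning unit or logging out the owning user will take epmd, and the node registrations it holds, down with it.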