Non-random PIDs
Jason Dixon
jason at dixongroup.net
Sun Aug 1 21:36:36 UTC 2004
On Aug 1, 2004, at 5:32 PM, Rik van Riel wrote:
> On Sun, 1 Aug 2004, Jason Dixon wrote:
>
>> I see that there is a maintained random-PID patch for the 2.4 series.
>> The author claims it was rejected by Alan Cox because it was merely
>> "security through obscurity". I'm a little surprised to hear that,
>> but oh well.
>
> It is true, though. The random-PID patch might decrease
> the chance of exploiting a certain bug by a small factor,
> but that's no substitute for actually fixing the bug ...
Obviously, fixing any bugs that could be exploited by this should be
the priority for any responsible developer. Nevertheless, you have to
ask yourself, what advantage is there to generating a pid as pid+1,
rather than via entropy? If all things are equal, I would think that
random PID generation is simply a better design.
--
Jason Dixon, RHCE
DixonGroup Consulting
http://www.dixongroup.net