On 07/21/2015 06:22 AM, Steve Grubb wrote:
> Sure, there are cases where you know that. But let's take 'ping' as an example
> of what I'm talking about. It should never have children. If it does, it's been
> exploited.

You can't know that. ping performs name resolution, and it's perfectly fine for an NSS module to create a subprocess (with the appropriate clone flags etc., to avoid interfering with the process handling). In fact, this approach could well be used to enhance security, and may be required if the NSS module uses complex libraries such as OpenSSL. (See nss_ldap vs nss_ldapd for reasons for this kind of process separation.)

-- 
Florian Weimer / Red Hat Product Security

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct