守护程序为什么分叉? [英] Why do daemons fork?
问题描述
我知道某些(全部?)守护进程在启动时会分叉。我的印象是,这将以较低特权的用户身份运行子进程,尤其是在守护程序类似于HTTP服务器的情况下。
I'm aware some (all?) daemons fork when they're being started. I'm under the impression this is to run the child processes as less privileged users, especially if the daemon is something like a HTTP server.
为什么这是必需的?如果不派生子进程,进程是否无法启动和放弃其特权?是分叉的强制性,还是有其他特殊原因(除了运行多个童工进程之外)?
Why is this necessary though? Couldn't a process start up and drop its privileges without forking a child process? Is it "mandatory" for forking, or is there some other special reason (other than for running multiple child worker processes)?
我是新来的,不胜感激我能得到的所有帮助。
I'm new to this and would appreciate all the help I can get.
推荐答案
我认为守护进程会分叉,原因有几个:
I think daemons fork for several reasons:
-
一个原因是将进程与任何启动它的shell分离。某些外壳(例如Bash)在退出时会杀死儿童,除非采取了专门针对外壳的预防措施。
One reason is to detach process from any shell that starts it. Some shells (Bash, for instance) kill children upon exit, unless special, shell-specific precautions are made. Forking is a generic way to evade this.
另一个原因是报告守护程序已成功启动。
假设它不分叉。您如何知道守护程序已成功启动?您不能只读取和解析守护程序输出,因为守护程序管理程序应该以通用的方式来完成它。因此,唯一的方法是获取程序的返回代码。
Assume it doesn't fork. How would you know that the daemon has been started successfully? You can't just read and parse daemon output, because daemon management programs should do it in a generic way. So the only way is to get return code of the program.
实际上,如果守护程序无法启动(例如,找不到配置文件),则您马上就会知道。但是,如果守护程序已成功启动,则它可能永远不会返回!因此,守护程序管理器无法知道守护程序是否仍在尝试启动,或者已经启动并且正在运行。叉子将解决问题,并且如果叉子工作良好,则派生程序将返回成功。
Indeed, if a daemon failed to start (for example, it couldn't find config file), you would know that immediately. But hey, if a daemon has been started successfully, it may never return! So your daemon manager can't know whether daemon is still trying to start, or has been started, and is working. Fork would solve the problem, and the forking program would return success if a fork worked well.
关于特权,将特权放在<$ c之后$ c> execve 的安全性远低于 execve 之前的安全性。这是fork派上用场的另一个原因。
As for privileges, dropping them after execve is much less secure than doing so before execve. Here's another reason why fork is handy.
这篇关于守护程序为什么分叉?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
