Bad file access on the rise

Lennart Poettering mzerqung at 0pointer.de
Sun Jun 9 15:11:10 UTC 2013


On Fri, 07.06.13 14:39, Bill Nottingham (notting at redhat.com) wrote:

> Lennart Poettering (mzerqung at 0pointer.de) said: 
> > Yes, it is.
> > 
> > POSIX shared memory doesn't define any useful scheme for automatic
> > removing of shared memory segments from /dev/shm after use. Hence, in
> > order to make sure that left-over segments don't fill up /dev/shm
> > forever PA will try to GC dead segments from /dev/shm on each
> > start-up. For that it iterates through /dev/shm/pulse-shm*, tries to
> > read the PID that is stored in there. When the PID still exists it goes
> > to the next file. If the PID doesn't exist it unlinks the file and then
> > goes to the next one. It's a simple scheme that works around the
> > limitations of POSIX shm. Of course /dev/shm is a single namespace for
> > all users, hence not all files can be opened, and that's totally cool
> > and expected, and they will be skipped.
> > 
> > Shared memory on Linux is a mess. No automatic clean up, no quota
> > limits, it's a sad story. If you care about security and reliability, it
> > would be great to do something about this, so that arbitrary users
> > cannot DoS the system this easily anymore...
> 
> Any reason we don't run with namespaced /dev/shm vis-a-vis private /tmp?

We kinda have that in XDG_RUNTIME_DIR now. /dev/shm is supposed to be
shared among users I guess. If you want a user-specific namespace use
XDG_RUNTIME_DIR instead, you will get pretty much the same semantics
except that shm_open() needs to be replaced by open().

Lennart

-- 
Lennart Poettering - Red Hat, Inc.
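The sweep Lennart describes above (walk /dev/shm/pulse-shm*, read the creator's PID, skip files that cannot be opened, unlink the ones whose PID is gone) in runnable form, as an added example that is not PulseAudio's own code. The layout of the segment file is an assumption made for the example: the creator's PID as ASCII digits at the start of the file. The function takes the directory as a parameter, so the same sweep works when a program keeps its segments under XDG_RUNTIME_DIR with plain open() instead of shm_open(), as the reply suggests. The demo() function builds a constructed directory with a live, a dead and a malformed segment so the block runs offline.

```python
import glob
import os
import subprocess
import sys
import tempfile
from typing import Dict, List, Optional


def pid_alive(pid: int) -> bool:
    """kill(pid, 0) delivers no signal; it only reports whether the PID exists."""
    if pid <= 0:
        return False
    try:
        os.kill(pid, 0)
    except ProcessLookupError:      # ESRCH: no such process, the segment is an orphan
        return False
    except PermissionError:         # EPERM: process exists but belongs to another user
        return True
    return True


def read_owner_pid(path: str) -> Optional[int]:
    """Assumed layout for this example: the creator's PID as ASCII digits at the
    start of the file, NUL-terminated. Returns None when the file cannot be opened
    (another user's segment, which is expected and skipped) or carries no PID."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(32)
    except OSError:
        return None
    digits = head.split(b"\0", 1)[0].strip()
    return int(digits) if digits.isdigit() else None


def gc_segments(directory: str, prefix: str = "pulse-shm") -> Dict[str, List[str]]:
    """One sweep: unlink segments whose owner PID is gone, keep live ones, skip the rest."""
    outcome: Dict[str, List[str]] = {"removed": [], "kept": [], "skipped": []}
    for path in sorted(glob.glob(os.path.join(directory, prefix + "*"))):
        pid = read_owner_pid(path)
        if pid is None:
            outcome["skipped"].append(path)
        elif pid_alive(pid):
            outcome["kept"].append(path)
        else:
            try:
                os.unlink(path)
                outcome["removed"].append(path)
            except OSError:         # raced with someone else or no permission: leave it
                outcome["skipped"].append(path)
    return outcome


def demo() -> Dict[str, List[str]]:
    """Build a constructed segment directory, sweep it, return basenames per outcome."""
    workdir = tempfile.mkdtemp(prefix="shm-gc-demo-")
    # A PID that is certainly dead: spawn a short-lived child and reap it.
    child = subprocess.Popen([sys.executable, "-c", "pass"])
    child.wait()
    samples = {
        "pulse-shm-live": str(os.getpid()).encode(),   # our own PID: still running
        "pulse-shm-dead": str(child.pid).encode(),      # reaped child: orphaned segment
        "pulse-shm-junk": b"not-a-pid",                 # malformed header: left alone
        "other-file": str(child.pid).encode(),          # wrong prefix: never considered
    }
    for name, header in samples.items():
        with open(os.path.join(workdir, name), "wb") as fh:
            fh.write(header + b"\0" + b"\0" * 64)
    outcome = gc_segments(workdir)
    return {k: [os.path.basename(p) for p in v] for k, v in outcome.items()}


if __name__ == "__main__":
    print(demo())
```

Two properties of the scheme are worth keeping in mind when reading the result. A kill(pid, 0) probe only says that some process with that PID exists, so a recycled PID keeps a stale segment alive until a later sweep; and because /dev/shm is one namespace for all users, EACCES on another user's file is the normal case and must be treated as "skip", never as an error that aborts the sweep.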

