| ▲ | nine_k 12 hours ago | |||||||
What makes me scratch my hand is why the failed access violations are not easy to show and log. A correctly configured service should not attempt to access things is is not intended to access. If it has to check if it has access and act conditionally, this also should be made explicit, either in the service code, or in its configuration. There should be an strace-like tool that would collect a log of such "access denied" erros for troubleshooting. Even better, each service should run in its own process group, and tracing could be switched on / off for a particular process group. | ||||||||
| ▲ | cesarb 6 hours ago | parent [-] | |||||||
> A correctly configured service should not attempt to access things is is not intended to access. If it has to check if it has access and act conditionally It's normally recommended to attempt the access and handle the denial, instead of doing two separate steps (checking for access and doing the access); the later can lead to security issues (https://en.wikipedia.org/wiki/TOCTOU). | ||||||||
| ||||||||