On Fri, Oct 02, 2020 at 12:24:09AM +0300, Arseny Maslennikov wrote:
> > This is done to isolate one user from
> > another. You cannot DoS the main server.
>
> So you mean resource exhaustion. What kind of resource?

I didn't mean only them. If the user finds an issue in the session server,
he will not get control of the main daemon. It is much more convenient to
isolate the command flow in a separate process.

> CPU time? A malicious client can uselessly connect to the main daemon,
> send IPC commands, get kicked, repeat.

Yes, the user can try to send a storm of requests to the main daemon, but
the answer is cheap enough. The daemon will check the list of active
sessions and, if there is already a session, it will send CMD_STATUS_DONE
to the client (see start_session).

> Open FDs come to mind. It makes sense for the main daemon to close the
> client connection after the serving "session" daemon spawn and the
> response; the main daemon probably already does, it should be obvious
> from the patch.

The main server never takes FDs from the user. The main socket serves only
for opening a session. The connection is closed immediately after a request
to start or close a session (hasher-privd.c:344).

-- 
Rgrds, legion
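The design argued for above (a privileged main daemon that only opens or closes per-user sessions, answers a repeated start request with a constant-cost status lookup, and closes the client connection right after replying without keeping any client FD) can be sketched in a few dozen lines. The following is an added illustration written for this thread, not code from hasher-privd: the status values, the `start`/`close` wire commands, the `SessionTable` class and the `serve` loop are all constructed here, and the session "spawn" is injected as a callable so the dispatch logic can be exercised without forking.

```python
import os
import socket
import struct
import threading

# Constructed status codes for this sketch; they are not hasher-privd's real values.
CMD_STATUS_DONE = 0      # a session already exists (or none to close): nothing to do
CMD_STATUS_SPAWNED = 1   # a new session server was started for this uid
CMD_STATUS_CLOSED = 2    # the caller's session was closed
CMD_STATUS_ERROR = 3     # unknown command

CMD_START = b"start"     # hypothetical wire commands, 16-byte NUL-padded records
CMD_CLOSE = b"close"
REQUEST_SIZE = 16


class SessionTable:
    """Active session servers keyed by client uid.

    The main daemon never receives FDs from a client; it only records what it
    spawned, so a request storm costs one dict lookup and one small reply."""

    def __init__(self, spawn):
        self._sessions = {}   # uid -> session handle (a child pid in a real daemon)
        self._spawn = spawn   # callable(uid) -> handle, injected so tests need no fork()

    def handle(self, uid, cmd):
        """Constant-cost dispatch: repeated starts for the same uid never spawn twice."""
        if cmd == CMD_START:
            if uid in self._sessions:
                return CMD_STATUS_DONE
            self._sessions[uid] = self._spawn(uid)
            return CMD_STATUS_SPAWNED
        if cmd == CMD_CLOSE:
            if self._sessions.pop(uid, None) is None:
                return CMD_STATUS_DONE
            return CMD_STATUS_CLOSED
        return CMD_STATUS_ERROR

    def active(self):
        return dict(self._sessions)


def request_storm(table, uid, n):
    """Replay n start requests from one uid; returns how many actually spawned."""
    return sum(table.handle(uid, CMD_START) == CMD_STATUS_SPAWNED for _ in range(n))


def serve(path, table, max_requests=None):
    """Accept loop on a Unix socket: read one fixed-size request, reply, close.

    Identity comes from the kernel via SO_PEERCRED (Linux), never from the request
    body, and the client connection is closed right after the reply."""
    if os.path.exists(path):
        os.unlink(path)
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    srv.listen(16)
    handled = 0
    try:
        while max_requests is None or handled < max_requests:
            conn, _ = srv.accept()
            try:
                _pid, uid, _gid = struct.unpack("3i", conn.getsockopt(
                    socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i")))
                cmd = conn.recv(REQUEST_SIZE).rstrip(b"\0\n")
                conn.sendall(struct.pack("!i", table.handle(uid, cmd)))
            finally:
                conn.close()   # nothing per-client survives this request
            handled += 1
    finally:
        srv.close()
        if os.path.exists(path):
            os.unlink(path)


def _client(path, cmd):
    """Tiny demo client: send one padded command, read the 4-byte status."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as c:
        c.connect(path)
        c.sendall(cmd.ljust(REQUEST_SIZE, b"\0"))
        return struct.unpack("!i", c.recv(4))[0]


if __name__ == "__main__":
    sock_path = "/tmp/session-demo.sock"   # constructed demo path
    table = SessionTable(spawn=lambda uid: 10000 + uid)
    t = threading.Thread(target=serve, args=(sock_path, table, 3))
    t.start()
    import time
    time.sleep(0.2)
    print([_client(sock_path, CMD_START) for _ in range(2)], _client(sock_path, CMD_CLOSE))
    t.join()
```

Running the module directly starts the loop for three requests on a Linux host and prints `[1, 0] 2`: the first start spawns, the second is answered with the "done" status without any new work, and the close tears the session down; `SessionTable` on its own runs anywhere and is what the logic should be tested against.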