From: Markus Wichmann <nullplan@gmx.net>
To: musl@lists.openwall.com
Subject: [musl] Feasibility of FD_CLOEXEC on all streams
Date: Sat, 18 Dec 2021 17:33:20 +0100 [thread overview]
Message-ID: <20211218163320.GA1950@voyager> (raw)
Hi all,
I was recently reading the source code of popen(), and noticed that it
has to iterate over all open files to close all the open pipe FDs the
child might inherit. And that made me wonder:
1. Does POSIX allow for all FILE streams to have FD_CLOEXEC applied by
default?
2. Is that something we might wish to explore?
Number two I will just have to open to debate here on the list (and
let's be honest, Rich is going to be the one to have final say on the
matter).
As for number one, obviously ISO C isn't going to say anything on the
matter one way or the other, seeing as ISO C doesn't know about exec.
And POSIX has a chapter talking about the relationship between FDs and
streams, that says explicitly that after exec all streams are going to
be closed, no matter what FDs remain open.
I could find nothing condemning or condoning this approach. So it
appears to be a valid implementation choice.
To be clear, I am basically only talking about adding O_CLOEXEC to the
open() call in fopen(), and keeping the FD_CLOEXEC flag set on the pipe
FD in popen(). fdopen() would remain as is. That means that fopen() with
"e" in the mode string is still possible, only it does nothing other
than without the "e".
The technical benefits are minor, admittedly. The loop that closes all
pipe FDs in popen() could be removed. And that is mostly it. Programs
using fopen() that spawn subprocesses can no longer forget to close
those FDs, limiting FD leakage. Which usually is not a security problem,
but can be. But in most instances where it is, the program is buggy with
glibc, so the bug would need to be fixed on the application level
(programs cannot rely on this behavior). So on the advantages side, we
would be moving closer to "security-by-default".
Still, I don't foresee too many technical drawbacks, either. The only
case I can think of that would fail now is if a program were to open a
file with fopen(), and try to bestow the FD to a subprocess, and only
dup() it if it does not equal an expected value. E.g.
FILE *f = fopen(...);
...
if (fileno(f) != 3)
dup2(fileno(f), 3);
exec(program that does something with FD 3);
But I would expect such usage to be extremely rare.
Thoughts?
Ciao,
Markus
next reply other threads:[~2021-12-18 16:33 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-12-18 16:33 Markus Wichmann [this message]
2021-12-18 17:14 ` Rich Felker
2021-12-18 17:26 ` Rich Felker
2021-12-19 14:54 ` Alex Xu (Hello71)
2021-12-19 15:22 ` Rich Felker
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20211218163320.GA1950@voyager \
--to=nullplan@gmx.net \
--cc=musl@lists.openwall.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.vuxu.org/mirror/musl/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).