From mboxrd@z Thu Jan 1 00:00:00 1970 X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on inbox.vuxu.org X-Spam-Level: X-Spam-Status: No, score=-3.1 required=5.0 tests=DKIM_INVALID,DKIM_SIGNED, FREEMAIL_FROM,MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED,RCVD_IN_MSPIKE_H3, RCVD_IN_MSPIKE_WL autolearn=ham autolearn_force=no version=3.4.4 Received: (qmail 16061 invoked from network); 18 Dec 2021 16:33:38 -0000 Received: from mother.openwall.net (195.42.179.200) by inbox.vuxu.org with ESMTPUTF8; 18 Dec 2021 16:33:38 -0000 Received: (qmail 9317 invoked by uid 550); 18 Dec 2021 16:33:32 -0000 Mailing-List: contact musl-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-ID: Reply-To: musl@lists.openwall.com Received: (qmail 9285 invoked from network); 18 Dec 2021 16:33:32 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gmx.net; s=badeba3b8450; t=1639845200; bh=DAGhkA/6o48u8/ZmHOgevnri7XfGnQGJQqSXXuvrFxc=; h=X-UI-Sender-Class:Date:From:To:Subject; b=cLBOqtXeyYwh+9yCEgSoXyWptYNXivhy0bo4kcYcg6n+B3yrIw5zmAYiY1dJmM/HS 7T05uWQabBuYbt9BVfmz06nUYNTSZDYEVgMKVT1bKlBwp4uZJtbfiFcH8R1VyUow0f QBdwHgwWT4DfLtbV4UTnU+jweVO5m1k8tTlMHf2g= X-UI-Sender-Class: 01bb95c1-4bf8-414a-932a-4f6e2808ef9c Date: Sat, 18 Dec 2021 17:33:20 +0100 From: Markus Wichmann To: musl@lists.openwall.com Message-ID: <20211218163320.GA1950@voyager> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.9.4 (2018-02-28) X-Provags-ID: V03:K1:8qd6GcEN9LReJFKd3/HPAT5FrKl7wgUynxdg6fiuurHY422BqMF pzt3ccmEPs07KdUgt1cTeC8uH3NAClfaHXW3+yL9bTN0fRcIuMz3WBw3yP1hOSobxgPIvRt Th+N2ch/GTK/lKNruq66P81rXVxBpoMRROeYPBHMPgUYk4kDrY+1l/rQGohFF58ZjmBQOD8 17VIRxwGIBMJ93Xob1obw== X-UI-Out-Filterresults: notjunk:1;V03:K0:8fho/F5YAIQ=:uQ1nL5w17CByEnLeBR9IQK vRpol5dTPYzWSFRUOGYxHqJcadaib/Yqd4FjMqKzcF+mf8xsHx+f0SMBlHODL9Eo6QuZBQQ0o mUrgzdEICkqyh1Zj8nWtZRBlj+cvjVKzpIBrNq5dU+zo1uhy0GHALf0q2QgtW9yTB8VqG/OcL boInNM5H1FxVgwQsBOoM9a4sc8EsXdieUNCexHf+QDfuYVz3GGjSDY1BQlzwKf85tZsCRpwsz FblAaqx3KDFszgO88Bs74nYr4ZPh1fedXOjf+jgcnPeBh23Ap1udPt7kkPnn2p/p1iAOnO8pg c61UUI7qvKe4RxeHH6jHKfKuVJNLUfXh5fQokji5HKuaXjhaMjk1ISiuGXtNp342TiaJcTZq3 pn9YuAL66o96t+qvv1YICAARqwX8WdEUyw2f0QgMxSyQLqnVbuRziYcDGiAl/u1V06j4NSOQF yPkwYFm7zXs87Ygv6txqC+l2LIcv1UDklqD3hCncLSjwarMKqkB+Wq9SbsKfcSc9VE6UstBBu /OAcK12Ahw+bHA8A6CHQNGQa4W/uufLrqcTkUQ4Pg0xHXyrv0gHQaXM1J64JMH3dkDm6BiWGl NQN3DfWsyGXe2Wc7cGvrXxFy10WjfEW6zruxryCPs7V9dc0c1u+DAR7Hj9YuLlrqzjh2nrpnG MhnK/KIvPZqRGFgfUOzvi3hMucQqrz4rWr+TlbtxKPrXNKft3c8x1rLVlGpz7BAz/NaBlbwUv CbXkr539FG3efvEevaXnURyKefLW5gyvOWGjKkq60axsUPY19wa2pQYbfyaX9xrvCHAeqqhzz mj4+bsyiGBS1if1PvM9g2P0itgC8NxmiJNSQrkYLlMyp8DCzLw7O473rccKedcKsSnEywDKRa SS5JAggtrBBtP3ZjxxQHK13UYSxhTMaAQlDVzDJhFmEHLwarWzkb8AG8xfwudLtI0emAKUrgg +gbXvZYlnhXDi844oOgHVw1HcjZLRxFZvpRPu4g+h8rB2DzZOHjX6GUCSCxaZVRrmeGqWTLtH SPTUmHU93r/pOq0/NXRltfDgDJEXMfs+T7DuBldG9TK/Wcgo2LHk90vAKpXsQ/nM8tzGd01ui GcUvtLWurB1SG8= Subject: [musl] Feasibility of FD_CLOEXEC on all streams Hi all, I was recently reading the source code of popen(), and noticed that it has to iterate over all open files to close all the open pipe FDs the child might inherit. And that made me wonder: 1. Does POSIX allow for all FILE streams to have FD_CLOEXEC applied by default? 2. Is that something we might wish to explore? Number two I will just have to open to debate here on the list (and let's be honest, Rich is going to be the one to have final say on the matter). As for number one, obviously ISO C isn't going to say anything on the matter one way or the other, seeing as ISO C doesn't know about exec. And POSIX has a chapter talking about the relationship between FDs and streams, that says explicitly that after exec all streams are going to be closed, no matter what FDs remain open. I could find nothing condemning or condoning this approach. So it appears to be a valid implementation choice. To be clear, I am basically only talking about adding O_CLOEXEC to the open() call in fopen(), and keeping the FD_CLOEXEC flag set on the pipe FD in popen(). fdopen() would remain as is. That means that fopen() with "e" in the mode string is still possible, only it does nothing other than without the "e". The technical benefits are minor, admittedly. The loop that closes all pipe FDs in popen() could be removed. And that is mostly it. Programs using fopen() that spawn subprocesses can no longer forget to close those FDs, limiting FD leakage. Which usually is not a security problem, but can be. But in most instances where it is, the program is buggy with glibc, so the bug would need to be fixed on the application level (programs cannot rely on this behavior). So on the advantages side, we would be moving closer to "security-by-default". Still, I don't foresee too many technical drawbacks, either. The only case I can think of that would fail now is if a program were to open a file with fopen(), and try to bestow the FD to a subprocess, and only dup() it if it does not equal an expected value. E.g. FILE *f = fopen(...); ... if (fileno(f) != 3) dup2(fileno(f), 3); exec(program that does something with FD 3); But I would expect such usage to be extremely rare. Thoughts? Ciao, Markus