Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20211218163320.GA1950@voyager>
Date: Sat, 18 Dec 2021 17:33:20 +0100
From: Markus Wichmann <nullplan@....net>
To: musl@...ts.openwall.com
Subject: Feasibility of FD_CLOEXEC on all streams

Hi all,

I was recently reading the source code of popen(), and noticed that it
has to iterate over all open files to close all the open pipe FDs the
child might inherit. And that made me wonder:

1. Does POSIX allow for all FILE streams to have FD_CLOEXEC applied by
default?

2. Is that something we might wish to explore?

Number two I will just have to open to debate here on the list (and
let's be honest, Rich is going to be the one to have final say on the
matter).

As for number one, obviously ISO C isn't going to say anything on the
matter one way or the other, seeing as ISO C doesn't know about exec.
And POSIX has a chapter talking about the relationship between FDs and
streams, that says explicitly that after exec all streams are going to
be closed, no matter what FDs remain open.

I could find nothing condemning or condoning this approach. So it
appears to be a valid implementation choice.

To be clear, I am basically only talking about adding O_CLOEXEC to the
open() call in fopen(), and keeping the FD_CLOEXEC flag set on the pipe
FD in popen(). fdopen() would remain as is. That means that fopen() with
"e" in the mode string is still possible, only it does nothing other
than without the "e".

The technical benefits are minor, admittedly. The loop that closes all
pipe FDs in popen() could be removed. And that is mostly it. Programs
using fopen() that spawn subprocesses can no longer forget to close
those FDs, limiting FD leakage. Which usually is not a security problem,
but can be. But in most instances where it is, the program is buggy with
glibc, so the bug would need to be fixed on the application level
(programs cannot rely on this behavior). So on the advantages side, we
would be moving closer to "security-by-default".

Still, I don't foresee too many technical drawbacks, either. The only
case I can think of that would fail now is if a program were to open a
file with fopen(), and try to bestow the FD to a subprocess, and only
dup() it if it does not equal an expected value. E.g.

    FILE *f = fopen(...);
    ...
    if (fileno(f) != 3)
        dup2(fileno(f), 3);
    exec(program that does something with FD 3);

But I would expect such usage to be extremely rare.

Thoughts?

Ciao,
Markus

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.