Re: [Help-bash] Prevent file descriptor inheritance
From: Eric Blake
Subject: Re: [Help-bash] Prevent file descriptor inheritance
Date: Wed, 8 Aug 2018 07:39:58 -0500
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.8.0

On 08/08/2018 01:40 AM, R. Diez wrote:
> Hi all:
>
> Is there any way to prevent file descriptor inheritance? I mean the
> "close on exec" flag O_CLOEXEC or FD_CLOEXEC.
>
> I wonder about the security implications. If a shell script opens a
> "secret" file, and runs an external command, that command will have
> direct access to the file.

How did you open the "secret" file? If you are managing the fd
yourself, it's simply a matter of closing it yourself before starting
any command where you don't want it leaked, such as:
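
    exec 3< mysecret                          # open mysecret on fd 3 in the shell
    command_allowed_to_use_it_via_stdin <&3   # fd 3 duplicated onto stdin
    command_forbidden_to_use 3<&-             # fd 3 closed for this command only
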
Yeah, it's a bit of a pain that you can't specify O_CLOEXEC, but have to
track things yourself. On the other hand, O_CLOEXEC was added because of
multithreaded apps (where you absolutely need an atomic way to ensure an
fd opened in your thread of control is not leaked by a fork()/exec() in
a parallel thread of control). But the shell is single-threaded, and
therefore you don't have the risk of any other thread fork()ing (and
thus leaking your fd) outside of your thread of control. So you are
always able to manually manipulate fds without worrying about the race
that O_CLOEXEC was meant to solve.
--
Eric Blake, Principal Software Engineer
Red Hat, Inc. +1-919-301-3266
Virtualization: qemu.org | libvirt.org
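
An added example, not part of the message above: it runs the same child command twice, once inheriting fd 3 and once with the per-command `3<&-` close, and checks that the shell's own fd 3 stays open either way. The function name `child_sees_fd3`, the `CHILD` probe and the temp-file secret are constructed for this illustration.

```bash
#!/usr/bin/env bash
# Constructed demo: a temp file stands in for "mysecret".
# child_sees_fd3 and CHILD are hypothetical names for this example.

# What the external command runs: report whether fd 3 arrived open and,
# if so, print what it can read from it.
CHILD='if ( : <&3 ) 2>/dev/null; then printf "leaked: "; cat <&3; else echo "fd 3 closed"; fi'

# $1 = inherit | close. The body is a subshell, so fd 3 and the variables
# never touch the calling shell.
child_sees_fd3() (
    secret=$(mktemp) || exit 1
    printf 'hunter2\n' > "$secret"      # constructed sample secret
    exec 3< "$secret"                   # shell-held fd, no close-on-exec

    case $1 in
        inherit) result=$(sh -c "$CHILD") ;;        # child inherits fd 3
        close)   result=$(sh -c "$CHILD" 3<&-) ;;   # closed for this command only
        *)       result="usage: child_sees_fd3 inherit|close" ;;
    esac

    # The per-command 3<&- does not close the shell's own copy of fd 3.
    if ( : <&3 ) 2>/dev/null; then
        result="$result; parent fd 3 still open"
    fi

    exec 3<&-                           # final close in the shell itself
    rm -f "$secret"
    printf '%s\n' "$result"
)

child_sees_fd3 inherit
child_sees_fd3 close
```

Every external command started while fd 3 is open needs its own `3<&-`, or the shell has to close the descriptor with `exec 3<&-` before running commands that must not see it.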