Post by R. Diez
Is there any way to prevent file descriptor inheritance? I mean the
"close on exec" flag O_CLOEXEC or FD_CLOEXEC.
I wonder about the security implications. If a shell script opens a
"secret" file, and runs an external command, that command will have
direct access to the file.
How did you open the "secret" file? If you are managing the fd
yourself, it's simply a matter of closing it yourself before starting
any command where you don't want it leaked, such as:
exec 3< mysecret
Yeah, it's a bit of a pain that you can't specify O_CLOEXEC, but have to
track things yourself. On the other hand, O_CLOEXEC was added because of
multithreaded apps (where you absolutely need an atomic way to ensure an
fd opened in your thread of control is not leaked by a fork()/exec() in
a parallel thread of control). But the shell is single-threaded, and
therefore you don't have the risk of any other thread fork()ing (and
thus leaking your fd) outside of your thread of control. So you are
always able to manually manipulate fds without worrying about the race
that O_CLOEXEC was meant to solve.
Eric Blake, Principal Software Engineer
Red Hat, Inc. +1-919-301-3266
Virtualization: qemu.org | libvirt.org
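The manual fd handling described in the reply, worked through as an added example (this is not code from the original thread or from bash itself). It constructs a throwaway "secret" file, opens it on fd 3 with `exec 3<`, and probes with a real exec'd child (`sh -c`) whether that child can see fd 3. Two ways of keeping the fd out of a child are shown: closing it in the shell with `exec 3<&-` before running anything untrusted, and closing it for a single command only with a per-command `3<&-` redirection so the script can keep reading it. The script assumes a POSIX `sh` and `mktemp` are available.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Demonstrates that an fd opened with "exec 3<" is inherited by external
# commands (the shell sets no close-on-exec flag on it), and two ways to keep
# it out of a child.  The secret file and its contents are constructed here.

secret_file=$(mktemp)                  # assumption: mktemp exists
printf 'hunter2\n' > "$secret_file"
trap 'rm -f "$secret_file"' EXIT       # clean up when the script exits

# Probe: exec a real external process and report whether fd 3 is open there.
# ": <&3" succeeds only if fd 3 exists in the child.  Echoes "open"/"closed".
child_sees_fd3() {
    if sh -c ': <&3' 2>/dev/null; then
        echo open
    else
        echo closed
    fi
}

# Scenario 1: open the secret, run a child (it leaks), then close the fd in
# the shell with "exec 3<&-" and run the child again (no leak).
leak_then_close() {
    exec 3< "$secret_file"
    before=$(child_sees_fd3)           # "open": child inherited the secret fd
    exec 3<&-                          # close before any untrusted command
    after=$(child_sees_fd3)            # "closed"
    echo "$before $after"
}

# Scenario 2: keep fd 3 open for the script's own use, but close it for one
# command only: the "3<&-" on that command line applies to that child alone.
per_command_close() {
    exec 3< "$secret_file"
    without=$(child_sees_fd3 3<&-)     # "closed" for this invocation only
    with=$(child_sees_fd3)             # "open": fd 3 still lives in the shell
    read -r line <&3                   # the shell itself can still read it
    exec 3<&-
    echo "$without $with $line"
}

echo "close before command: $(leak_then_close)"
echo "per-command close:    $(per_command_close)"
```

Because the shell is single-threaded, nothing else can fork between `exec 3<` and `exec 3<&-`, so this manual bookkeeping is race-free in the way the reply describes; the per-command form is the one to prefer when the script must keep the fd while calling out to other programs.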